Privacy Policy

Privacy Policy and Personal Data Protection

In compliance with Regulation (EU) 2016/679 (GDPR) and applicable data protection laws


1. Introduction

Welcome to Numismart. We are committed to protecting your privacy and personal data. This policy describes how we collect, use, store, and protect your personal information in accordance with the European Union's General Data Protection Regulation (GDPR) and Bulgarian legislation.

Please read this policy carefully. By using our website and services, you acknowledge that you have read and understood this privacy policy.

2. Data Controller

Name: Numismart

Address: Bulgaria

Data Protection Email: privacy@numismart.bg

Phone: +359 XXX XXX XXX

As a data controller, we determine the purposes and means of processing your personal data and are responsible for their protection.

3. Data We Collect

We collect the following categories of personal data:

3.1. Identity Data

  • First and last name
  • Username
  • Date of birth (if provided)

3.2. Contact Data

  • Email address
  • Phone number
  • Shipping address
  • Billing address

3.3. Transaction Data

  • Order history
  • Payment details (last 4 digits of card, payment type)
  • Delivery details
  • Invoices and receipts

3.4. Technical Data

  • IP address
  • Browser type and version
  • Operating system
  • Time zone and location
  • Device information

3.5. Usage Data

  • Pages visited
  • Time of visit
  • Site interaction
  • Searches and preferences

3.6. Marketing Data

  • Communication preferences
  • Newsletter subscription
  • Consent for marketing messages

We process your personal data on the following legal bases under Article 6 of GDPR:

| Purpose | Legal Basis |
|---|---|
| Order fulfillment and delivery | Performance of contract (Art. 6(1)(b)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| Invoice issuance | Legal obligation (Art. 6(1)(c)) |
| Accounting and tax purposes | Legal obligation (Art. 6(1)(c)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Service improvement | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention | Legitimate interest (Art. 6(1)(f)) |

5. How We Use Your Data

We use the collected data for:

  • Order processing: Registration, confirmation, fulfillment, and delivery of your orders
  • Account management: Creating and maintaining your user profile
  • Communication: Sending confirmations, order updates, and responding to inquiries
  • Marketing: Sending promotional materials and newsletters (only with your consent)
  • Service improvement: Usage analysis to improve the website and services
  • Security: Protection against fraud and unauthorized access
  • Legal requirements: Compliance with accounting, tax, and other legal obligations

6. Data Sharing with Third Parties

We may share your data with the following categories of recipients:

6.1. Service Providers

  • Courier companies: Econt, Speedy, and others - for order delivery
  • Payment providers: Banks, Stripe, PayPal - for payment processing
  • Hosting services: Server providers for data storage
  • Email services: For sending transactional messages

6.2. Government Authorities

  • National Revenue Agency (NRA)
  • Commission for Personal Data Protection (CPDP)
  • Judicial authorities when legally required

Important: All our service providers are bound by data processing agreements that ensure the protection of your personal data in accordance with GDPR.

7. International Data Transfer

Your data is primarily stored on servers in the European Union. If we need to transfer data outside the EEA (European Economic Area), we will ensure an adequate level of protection through:

  • Standard contractual clauses approved by the European Commission
  • Transfer to countries with adequacy decisions
  • Binding corporate rules

8. Data Retention Period

We retain your data for the following periods:

| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Until account deletion + 30 days | Contract |
| Order data | 10 years | Commercial Law, VAT Act |
| Invoices | 10 years | Tax Procedure Code, VAT Act |
| Marketing consents | Until consent withdrawal | GDPR Art. 7 |
| Technical logs | 6 months | Legitimate interest |

9. Your Rights Under GDPR

As a data subject, you have the following rights:

You have the right to obtain confirmation as to whether your personal data is being processed and to access that data, as well as information about the purposes of processing.

You have the right to request the correction of inaccurate personal data or the completion of incomplete data.

You have the right to request the deletion of your personal data when it is no longer necessary, you have withdrawn consent, or the data has been processed unlawfully. This right may be limited by legal retention obligations.

You have the right to request restriction of processing of your data under certain circumstances, such as contesting accuracy or unlawful processing.

You have the right to receive your personal data in a structured, commonly used and machine-readable format, as well as to transfer that data to another controller.

You have the right to object to the processing of your data for direct marketing purposes or when processing is based on legitimate interest.

When processing is based on consent, you have the right to withdraw it at any time, without affecting the lawfulness of processing before the withdrawal.

You have the right to lodge a complaint with the Commission for Personal Data Protection (CPDP):

  • Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
  • Phone: +359 2/915 35 18
  • Email: kzld@cpdp.bg
  • Website: www.cpdp.bg

How to exercise your rights: You can exercise your rights through the "Account Settings" section or by sending us an email at privacy@numismart.bg. We will respond to your request within 30 days.

10. Data Security

We implement the following technical and organizational measures to protect your data:

  • Encryption: SSL/TLS encryption of all data in transit
  • Secure passwords: Password hashing with bcrypt algorithm
  • Access: Limited access to personal data only for authorized personnel
  • Backups: Regular encrypted backups
  • Monitoring: 24/7 monitoring for unauthorized access
  • CSRF protection: Protection against Cross-Site Request Forgery attacks
  • Firewall: Firewall and intrusion detection systems

In case of a personal data breach, we will notify affected individuals and the CPDP within 72 hours, as required by GDPR.

11. Children's Privacy

Our services are not intended for persons under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete it immediately.

12. Changes to the Privacy Policy

We may update this policy periodically. For significant changes, we will notify you through:

  • Publishing the new policy on the website
  • Email notification (if you have an account)
  • Banner on the website

The date of the last update is always indicated at the end of this document.

13. Contact

For questions about this policy or your personal data, please contact us:

  • Data Protection Email: privacy@numismart.bg
  • General Email: info@numismart.bg
  • Postal Address: Numismart, Bulgaria

Your rights are important to us. We are committed to protecting your personal data and ensuring full transparency regarding how we process it.

Last updated: Jan 30, 2026
