PERSONAL DATA SECURITY POLICY

This Personal Data Security Policy for Individuals ("Policy") is linked to the General Terms and Conditions but is not an integral part of them, as it does not regulate rights and obligations, but aims to explain to users of http://www.brilliancehair.eu/ what personal data we process, in what way, for what purpose, as well as what measures we apply to secure their data. Furthermore, it provides information about the rights that our customers have in relation to the processing of their personal data by New Wave Trade Ltd, UIC 204632558.
Any changes to the Policy will be published on http://www.brilliancehair.eu/, together with the date of the update.
This Policy was last updated on 05.06.2023.
Ensuring the privacy of our customers' personal data is of utmost importance to us. This Policy sets out the conditions under which we collect personal data and how it will be used.
PERSONAL DATA CONTROLLER
The company "New Wave Trade" Ltd, UIC 204632558, with registered office and registered address. 1836, Poduyane district, Sofia, g.k. "+359 890554664 (..........................) and email address newwavetradeltd@gmail.com is the data controller, including personal data, with respect to the information collected or provided when browsing the website http://www.brilliancehair.eu/ or making a purchase through it, as well as when browsing or purchasing goods or services through our Facebook page (collectively referred to as the "Site", "Website").
This Policy also applies where you, as individuals ("Subjects" for short), voluntarily provide us with personal data electronically (by email), by telephone or by other means, including at our business premises or office. The http://www.brilliancehair.eu/ website also processes personal data from enquiries you make to us and for marketing and advertising purposes, profiling, participation in games, promotions and sweepstakes organised by us and for any other purposes not prohibited by law. In processing personal data, our website http://www.brilliancehair.eu/ ensures compliance with all data protection legislation applicable to its activities, including but not limited to Regulation (EU) 2016/679 ("Regulation") and the Data Protection Act, because the security of our customers' personal data is of paramount importance to us. Therefore, this Policy shall also apply in this case.
POLICY RELEVANCE
This Policy is applicable to all our customers - individuals who use our services by ordering products on the website of New Wave Trade Ltd. or expressing interest in the same by sending inquiries (hereinafter referred to as "data subjects", "users").
Our partners and/or third parties who work with or for http://www.brilliancehair.eu/, and who have or may have access to personal data, will be expected to read, understand and comply with this policy. No third party may have access to personal data held by http://www.brilliancehair.eu/ without the company having first entered into a data privacy agreement which imposes on the third party obligations no less onerous than those which http://www.brilliancehair.eu/ has undertaken and which entitles http://www.brilliancehair.eu/ to carry out checks on compliance with the obligations imposed by the agreement.
This Policy applies to all employees/workers (and stakeholders) of http://www.brilliancehair.eu/, as well as external product and service providers with whom http://www.brilliancehair.eu/ has contracts. Any violation of the General Regulation will be treated as a violation of labor discipline, respectively as a failure to fulfill contracts with partners, and in the event that there is an allegation of a crime, the matter will be submitted to the relevant government authorities for consideration as soon as possible.
Visitors to the Site who do not place orders or send inquiries, but only browse our website, are subject to the cookies policy adopted and published on the Site.

DEFINITIONS USED
"Regulation" - General Data Protection Regulation 2016/679 of 27 April 2016, hereinafter referred to as GDPR. The purpose of this piece of European legislation is to protect the "rights and freedoms" of individuals and to ensure that personal data is not processed without their knowledge and, where possible, that it is processed with their consent.
"Personal data" - any information relating to an identified natural person or an identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, psychological, economic, cultural or social identity of that natural person.
"Special categories of personal data" - personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data uniquely identifying an individual, data concerning health or data concerning an individual's sex life or sexual orientation.
"Processing" - any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Controller" - any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its determination may be laid down in Union or Member State law.
"Data Subject" - any living natural person who is the subject of personal data stored by the Controller.
"Consent of the data subject" - any freely given, specific, informed and unambiguous indication of the data subject's wishes, by means of a statement or a clear affirmative action, which signifies the data subject's agreement to personal data relating to him or her being processed.
"Child" - The General Regulations define a child as anyone under the age of 16. The processing of a child's personal data is only lawful if a parent or guardian has given consent. The data controller shall make reasonable efforts to verify in such cases that the holder of parental responsibility for the child has given, or is authorised to give, consent.
"Profiling" - any form of automated processing of personal data consisting in the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of that natural person's professional duties, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
"Personal data breach" - a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed.
"Recipient" - the natural or legal person, public authority, agency or other body to whom the personal data is disclosed, whether or not a third party. At the same time, public authorities which may receive personal data in the framework of a specific investigation in accordance with Union or Member State law shall not be considered as "recipients"; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing.
"Third party" - any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and those persons who, under the direct authority of the controller or the processor, are entitled to process the personal data.
PRINCIPLES WE FOLLOW
When collecting and processing personal data, we are guided by the following principles: lawfulness, fairness, transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability.
SUBJECTS WHOSE DATA WE PROCESS
In connection with its activities, our website http://www.brilliancehair.eu/ concludes and executes purchase contracts from a distance, examines job applications and proposals, forms for the exercise of rights of users-buyers, as well as requests of data subjects, responds to inquiries, issues and receives invoices, processes statistical data, manages the user panel on the site, carries out advertising activities through advertising campaigns. In the course of these activities, http://www.brilliancehair.eu/ processes personal information concerning the following groups of subjects (natural persons):
(a) individuals using the site without registration, without leaving any data (in this case we process data, but not personal data) and individuals using the site without registration who have provided a limited number of personal data voluntarily (in the most common cases - phone number and/or e-mail address);
(b) natural persons, users of the site with registration as registered users - in respect of this group of persons we process user data that they themselves have entered when registering on the site - e-mail address, delivery address, names, billing data, order details, other data entered by the user;
(c) individuals who have made enquiries (including by call), requests, initiatives, signals, complaints or other correspondence to us, including via the website, telephone, email or otherwise;
(d) individuals whose information is contained in enquiries (including by call), requests, initiatives, signals, complaints or other correspondence addressed to us;
(e) natural persons with whom we enter into contracts (civil, including commercial or employment, especially distance contracts) electronically (via the website or social networks, as well as via electronic correspondence) or on site at our office or business premises;
(f) individuals whose data we have obtained from third parties who provided it to us (e.g. in the case of an order intended as a gift).
PERSONAL DATA WE PROCESS
Depending on the reason that necessitated the processing of personal data, the type of personal data may differ. The functionalities provided on the Site are not intended for the storage and processing of special categories of data within the meaning of Article 9 and Article 10 of the Regulation. We only require such personal data as is necessary for us to provide the activity/service/product requested of us. In the course of use of the website by individuals, we may also process other data that does not contain personal data but also relates to the subject, such as their IP address, data about their activity on the website, and similar.
Data provided when placing an order
In order to execute a distance contract (order) between the customer and http://www.brilliancehair.eu/, we require certain information. The customer is free to decide whether and how to use the distance sales contract options provided via the Site or the Facebook page. In the forms through which personal data is entered, we clearly indicate the mandatory or voluntary nature of the data provision. The data that must be filled in is the data without which it is impossible to conclude the respective contract. Such data are: names, email address, delivery address, contact telephone number, payment information (e.g. bank card), billing data, including the personal identification number if the customer wishes to be invoiced as an individual. If the customer provides data to third parties who will receive the order (e.g. in the case of orders for the purpose of a gift or other type of donation) the customer is responsible for providing the data to these third parties.
Data provided when registering on the Site
If the customer has chosen to store information on the Site by registering an account, we store the above data as well as a history of orders placed by each account registered on the Site. The data required matches that required at checkout. Along with these, we also process IP address, activity data (time and date of registration, acceptance of the Security Policy and General Terms and Conditions, account login, etc.).
Data provided when concluding other contracts
In cases where http://www.brilliancehair.eu/ enters into contracts with individuals other than distance sales, we require three names, a personal identification number, an address, and an e-mail address.
Data provided by, through and on other websites and applications, referred to as third parties
In certain cases, customers have the option to share information with social networks or use their sites to create their own profile or link their account on our website to the relevant social network. In this case, the social network may provide us with automatic access to certain personal information they have collected about customers (e.g., the content they have viewed, the content they want, and information about the ads they have been shown or clicked on, etc.). By linking their social network profile to their account on our website, they authorise us to access their personal data processed by the relevant social network and to collect, use and retain this information in accordance with this Security Policy. This linking of a social network account to a registration on our website is made in the event that they click on a link provided to create a Registration on our website by joining the social media, thereby voluntarily establishing a link with the relevant social media site. In the event that they choose to register on our website through any social media network, we may process their data such as name, phone, email, gender, marital status, age, photo, education, location, residence and other data that they have provided on these platforms and which is visible to us in the event that they sign in with them on our website.
In the event that customers provide their personal data to our website http://www.brilliancehair.eu/ via Viber, Skype, Facebook or any other platform/social network, we inform you that these platforms/websites/social networks have their own privacy policies and that we do not accept any responsibility or liability for these policies insofar as their processing cannot be controlled by http://www.brilliancehair.eu/. In this regard, we recommend that customers check these policies before sending us their personal data via these websites/applications.
Data provided when posting a comment, review, publication
If you leave a post or comment on this website, your IP address will be saved, along with your name if you have entered this information. This is for the safety of the website operator: if your text breaks the law, the operator would like to be able to trace your identity. Separately, http://www.brilliancehair.eu/ has an obligation to retain this data (referred to as "traffic data") for certain periods and for certain purposes set out below. Because sending comments, inquiries and other messages to the website, Facebook page or their administrators constitutes sending an electronic statement, under the Electronic Document and Electronic Certification Services Act ("EDCSA") the administrator has an obligation to maintain logs of the fact of sending the statement for a period of 1 year. The log shall contain the date of the statement, the name and email address of the sender.
Employee data and data collected when processing job applications
We process data when entering into employment contracts and when assessing and processing a job application. When concluding employment contracts, we require three names, ID number, address, age, gender, education data, work experience, bank details, and subsequently we also process health data. When processing CVs, we process name, address, email address, age, gender, education, work experience, photo, data voluntarily provided by the candidate during the interview or in the CV.
Data provided on correspondence, complaints and signals
For the purpose of resolving complaints, signals, disputes, inquiries, requests or other matters made in communication to http://www.brilliancehair.eu/ received through electronic forms on the Site, through calls to http://www.brilliancehair.eu/, by sending regular or electronic mail, http://www.brilliancehair.eu/ stores and processes this information and the result of this processing. This information may include names, email address, telephone number, address. 
Furthermore, due to the fact that sending comments, inquiries and other messages to the website, Facebook page or their administrators, constitutes sending an electronic statement, under the Electronic Document and Electronic Certification Services Act ("EDCSA") we have an obligation to maintain a log of the fact of sending the statement (without its content) for a period of 1 /one/ year. The log contains the date of the statement, the sender's name and email address, and the sender's identification.
If our customers provide us with personal information about someone else, they must only do so with that person's permission. They must inform that person how we collect, use, disclose and store personal information in accordance with this Personal Information Security Policy.
Technical data collected in the course of using the Site
In addition to the information already listed here, we collect information from our customers about their computer, phone, tablet or other device they use. This information may include the following:
the identifier of the device they are using, the type of that device and a unique token for that device;
"log data", including information that their browser automatically sends us when they visit a website; this log data includes the Internet Protocol address, the address and activity of the websites they visit, searches, browser type and settings, the date and time of their request, how they used the site, cookie data and device data; if they want to get more details about the information they
location information transmitted by the device, in case our customers have set the same to display location data - it is necessary to bear in mind that mobile devices allow the use of location services to be controlled or disabled from any application on the mobile device in the settings menu of the device;
computer and connection information, such as page view statistics, IP address, site browsing history, language settings, date and time;
Search Ease Logs - quick links to repeat previous searches, enabling customers to repeat their searches instead of typing them in each time. The functionality can be used with or without registration. When using the Site, a cookie with a randomly generated number is stored in the customer's browser, enabling the Site to show the customer quick links to repeat previous searches. The Site stores and displays the last 10 searches associated with that browser, and customers can save and use that search when they log into their browser account. In the event that customers use the Service with registration (a currently inactive feature), the last 10 searches are stored in their account;
logs related to security, technical support, development, etc.:
To ensure the reliable functioning of the services and identify technical problems;
To secure services and detect malicious activity;
To develop and improve the services on the site;
To measure site traffic and usability;
Logs where required by law (such as logs of electronic wills);
User account login log - this log allows unauthorized attempts to access accounts to be detected and automatically blocked; it is maintained for a period of up to 1 /one/ year and contains the date and time of login, status, whether the login is via mobile version, application or desktop browser, IP address;
Server logs, security logs (Web Application Firewalls) and other devices that fall into this category. These logs are necessary for the detection of technical problems, detection of malicious activities, etc. for the above purposes; they are kept for a period of up to 1 /one/ year. The logs may contain the following information: date and time, IP address, URL, browser and device information. In addition, some devices may use cookie-based security technology;
cookies - the use of cookies is necessary for the functioning of the Site. In this regard, a Cookie Policy has been adopted; please refer to the Policy for more details on: the type of cookies we use, their storage and use period, etc. 
We may choose to reduce the amount of data that we store and process according to the purposes of the processing.
We ensure that we do not require and will not collect or process personal data that reveals: racial or ethnic origin; political, religious or philosophical beliefs; trade union membership; genetic and biometric data; health data; or data about sex life or sexual orientation. If a subject provides such categories of data on his/her own initiative and at his/her own request, http://www.brilliancehair.eu/ is not responsible for the provision, but only undertakes to provide the same protection measures in relation to them as are provided for the personal data requested. We do not transfer data to third countries. Also, we do not make automated decisions in relation to personal data and do not process data of persons under the age of 16. If you are under 16 years of age, you should not provide us with personal data about yourself.
FOR WHAT PURPOSES WE PROCESS YOUR DATA
The main purpose for which we process personal data of our customers is related to the provision of services through the Site and social networks, namely the conclusion of a distance sales contract and the delivery of the goods ordered by them to the Publishing House "Library Bulgaria", of course for the purpose of accounting for sales revenue. We also use their personal information to provide and improve our Services, to provide a personalized experience on our site, to contact our customers through their profile, to provide them with customer service, to provide personalized advertising and marketing according to their interests, to run sweepstakes and games organized by us, and in certain cases to detect and investigate fraudulent or illegal activities.
Our website http://www.brilliancehair.eu/ collects, uses and processes the information described above for the purposes set out in this Policy, which may relate to:
- the conclusion of a contract for the purchase of goods/services remotely between customers and http://www.brilliancehair.eu/ via the Site or social networks - we require their identification, contact and payment details in order to conclude a contract and, respectively, to send them the order;
- processing payments and preventing fraudulent transactions (we may pass their data to a third party to perform these functions);
- the conclusion of employment contracts and the processing and evaluation of submitted CVs;
- protecting and enforcing the legitimate interests of other users of the Services, third parties and the Site - the legitimate interest pursues objectives related to the legitimate interests of http://www.brilliancehair.eu/ and/or third parties. These purposes include:
detecting and resolving technical or functionality problems, developing and improving the purpose of the Site;
communicating with clients, including electronically, on important issues related to the services we provide and the performance of contracts;
targeting our marketing, updating services and offering customers promotional offers based on their preferences;
receiving and processing signals, complaints, requests and other correspondence;
enforcing and protecting the rights and legitimate interests of the Site, including in court, and assisting in enforcing and protecting the rights and legitimate interests of other users of the Site and/or affected third parties;
administering the website and app and keeping them secure and safe;
analysing and improving customers' use of our website, App and retail (including using information about how they navigate our website, App and/or stores);
measuring and analysing our advertising and making suggestions and recommendations to customers based on the information they share with us;
communicating with customers about their account or troubleshooting problems with their account. When we contact them by phone, we may use automated or prerecorded calls and text messages to ensure efficiency;
informing customers about products and services they want us to send them information about by email, post, mobile phone and/or other digital means (depending on their stated preferences), including social media platforms - only where we have received their explicit consent to do so;
- the registration of customers on the website (in which case we will also use their personal information to maintain and update their account, for example on a change of address or a change in marketing preferences);
- administering all competitions/draws/games run by http://www.brilliancehair.eu/;
- providing location-based services (such as advertising, search results and other personalised content) to our customers;
- the performance of http://www.brilliancehair.eu/'s legal obligations, which includes:
fulfilling statutory obligations to retain or provide information in order to fulfil our obligations under the country's tax laws (e.g. on the basis of the Accounting Act and other tax laws - VAT Act, Personal Income Tax Act, Income Tax Act, etc.);
fulfillment of statutory obligations provided for in the Labour Code, the Commercial Register Act and the Register of Non-Profit Legal Entities and other regulations;
the execution of an order received by us from competent state or judicial authorities (e.g. on the basis of the MIAA, the Criminal Procedure Code, the EUA);
fulfillment of obligations under the Data Protection Regulation related to notifying our customers of various circumstances related to the exercise or protection of their rights, the Services provided or the protection of their data, and similar;
fulfilling obligations under the Consumer Protection Act such as ensuring the right of withdrawal, the right to a statutory guarantee;
in the case of exercising the protection of the rights and legitimate interests of http://www.brilliancehair.eu in court.
Our customers' personal data may be processed on the basis of their explicit consent, in which case the processing shall be specific and to the extent and scope provided for in the relevant consent. In practice, we require such consent where we wish to process their personal data without a legal obligation or legitimate interest for http://www.brilliancehair.eu/. Typically, we require such consent when we wish to offer information about new promotions, products, etc.
STORAGE PERIOD OF PERSONAL DATA OF CUSTOMERS
When storing data, we apply the general principle of storing data in the minimum volume and for no longer than necessary to provide the Services and perform the contracts, ensuring their security and reliability and the requirements of the law.
We will retain personal information relating to our customers for the period necessary to fulfil the purposes set out in this "Privacy Policy", unless we are required by law or legitimate interest to retain it for a longer period. Depending on the type of data and the purposes for which it was collected, there is a retention period after which the information is deleted.
1. Registration data (first name, last name, email address, phone number and address) and information about the registration and agreement to the Terms and Conditions (date, part, IP address) - stored for the entire period of maintaining the account on the site and up to 5 years from the termination of registration.
Grounds for storage: performance of contractual relations; performance of legal obligations; protection of a legitimate interest.
Explanation: The data identifies our customers as a registered user on the Site. In order to resolve possible disputes that arise or become known after termination of the Site Use Agreement and in connection with the WEEDUU (see below), this data is retained for up to 5 /five/ years after termination of the account. 
Important! On the basis of the ECDEA, some of this data must be stored by the administrator (activity, IP address) for a period of up to 1 /one/ year from the termination of the account. The extension of the storage period is due to the protection of the legitimate interests of the administrator.

2. Personal data from orders and from invoices, payment documents (orders, statements), reports and other accounting, reporting and payment documents issued or received by the administrator; personal data from employment records of employees - shall be stored for the period during which the rights and obligations of the parties to the legal relationship under which the accounting, reporting or payment document was issued exist, up to 5 years from the termination of the legal relationship.
Certain data is retained for a longer statutory period than the above, as it is accounting information - transaction data, billing data - for between 5 and 50 years.
Reason for storage: to comply with legal obligations and to protect the legitimate interests of the controller.
Explanation: the data serves to identify the person as a party to the distance selling contract and is stored in order to ensure your rights or to fulfil our legal obligations as taxable persons. The storage is also necessary in order to ensure the rights of buyers (natural persons) when a time limit is provided for the same (e.g. 2-year warranty). Legal obligations also require the storage period to be determined as described. Pursuant to Article 38 of the Tax and Social Security Procedural Code (TSSC), accounting and commercial information, as well as all other information and documents relevant for taxation and compulsory social security contributions, shall be kept by the obliged person in accordance with the procedure laid down in the National Archive Fund Act, for the following periods: payrolls - 50 years; accounting registers and financial statements - 10 years; documents for tax and social security control - 5 years after the expiry of the limitation period for the repayment of the public obligation to which they relate. Pursuant to Article 38, paragraph 2 of the Tax Procedure Code, after the expiry of the period for their storage, the information carriers referred to in para. 1 (paper or technical) which are not subject to transfer to the National Archive Fund may be destroyed.

3. Personal data from correspondence, complaints and signals, requests, initiatives - stored for up to 5 /five/ years on the basis of the Law on Obligations and Contracts (limitation periods for claims).
Reason for storage: protection of the legitimate interests of the controller.
Clarification: for the purposes of resolving the issues contained in complaints, alerts, disputes, inquiries, requests or other matters addressed to Us in communications received via electronic forms on the Site, by sending regular or electronic mail, We store and process this information and the result of this processing. Given the limitation periods under Bulgarian law for the purpose of resolving disputes, this information is stored for a period of up to 5 /five/ years.

4. Log certifying the sending of a comment, request, order or other statement (contains sender, recipient, date and time of the statement) - kept for a period of 1 /one/ to 5 years.
Reason for storage: to comply with legal obligations and to protect the legitimate interests of the controller.
Clarification: because the sending of a comment, review, inquiry or other statement constitutes the sending of an electronic statement by the customer to the site under the UEPA, the company is required to maintain a log of the fact of sending the statement for a period of 1 /one/ year. The legitimate interest of the controller allows the retention period of this data to be extended in certain cases up to 5 years from the statement.

5. Quick searches (do not contain personal data) - stored until they are deleted by the customer, until the customer's registration is terminated, or for up to 6 /six/ months if the customer uses this functionality without registration.
Grounds for storage: subject consent and protection of the legitimate interests of the controller.
Clarification: this option allows searches to be repeated rather than entered each time. The functionality can be used with or without registration. Quick links to repeat the last 10 searches are stored. Customers can change the setting from the browser they are using.

6. Settings and System Logs (do not contain personal data, may contain information such as: date and time, IP address, URL, browser version and device information) - stored until deleted by the customer or until the customer's registration is terminated. In case they are stored in a cookie - between 6 /six/ and 12 /twelve/ months from the last use.
Basis for storage: subject consent, performance of legal obligations and protection of the legitimate interests of the controller.
Clarifications: settings such as language selection and similar fall under this category. The control over the settings is with the client, who has the ability to change them via their browser. Server logs, security device logs (Web Application Firewalls) and other devices fall under this category. These logs are necessary to detect technical problems and/or detect malicious activity.

7. Information stored in a mobile application - stored for the period of its use (until uninstalled).

8. Information necessary for the technical provision of the Services (such as settings, etc.)

9. Cookies - stored for a period between 6 and 12 months - depending on the type of cookie and the settings of the client's browser.
Ground for storage: subject's consent and protection of the legitimate interests of the controller.
Important!
For a description of the cookies used, see "Cookie Policy".

Exceptions to the rules on storage periods 
It is necessary to bear in mind that on our website the personal data of customers will not be deleted or anonymised if they are necessary for pending judicial, administrative, arbitration, enforcement or complaint proceedings before us. Erasure will be carried out once the need for the data no longer exists, and it is not excluded that this will be carried out after the expiry of the time limits mentioned above.
Our customers can always ask us to delete certain information or close their account, and we will respond to this request, retaining certain information even after the account is closed where applicable law or legitimate interests require it. If we are subject to a legal obligation, or if reasonably necessary to comply with regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions, we may also retain some personal information for a limited period of time, even after customers have deleted their account on our site.
In order to ensure the reliability of the services and to prevent data loss due to technical reasons, the Site applies a data redundancy policy. The maximum period for updating (deleting data) from all backups is 30 days.  

DO WE SHARE YOUR PERSONAL DATA WITH THIRD PARTIES
Our website http://www.brilliancehair.eu/ does not provide personal data of its customers to third parties unless there is a lawful basis for doing so - an obligation under law or contract, a legitimate or vital interest or their consent. We endeavour to minimise the personal data we disclose, so that it is always directly relevant and necessary to achieve the stated purpose. We do not sell, rent or otherwise disclose our customers' personal information to third parties for their marketing and advertising purposes without the customers' consent. We ensure that access to their personal data by private third party entities is carried out in accordance with the legal provisions in the field of data protection and confidentiality of information, based on contracts concluded with them.
We may disclose our customers' personal data where we are subject to a legal obligation.
In certain cases, http://www.brilliancehair.eu/ is obliged to disclose their data to public authorities such as the police, prosecutors, courts, in connection with the prevention or detection of crime. This also includes sharing information with other companies and organisations in order to protect against fraud and reduce credit risk. Our customers should be aware that if we are asked by the police or any other regulatory or governmental authority investigating suspected illegal activities to provide their personal information or other information we obtain about them, we are entitled to do so after we have satisfied ourselves as to the validity of the governmental authorities' request. Where we receive revenue from sales, we may be required by revenue authorities to provide sales data containing customer order data, including personal data. In this regard, we provide personal customer data to the accounting firms with which we work. It is the legal obligation of the Site and http://www.brilliancehair.eu/ to protect the security of the networks and data processed by the Company. In this regard, we apply a number of measures, the implementation of which may necessitate the processing of customer data by IT companies taking care of security in our company.
We may have a contractual obligation to provide personal data in the case of a distance selling contract with a customer, under which we are obliged to provide the goods requested by the customer by courier. The same applies if the customer has chosen to purchase or pay for a product from our Site through payment, credit or banking services, to whose providers the customer either provides the data personally or entrusts us to do so.
           Our legitimate interest justifies the provision of personal data to third parties in certain cases. This would be the case in proceedings before the Data Protection Commission, the Consumer Protection Commission and other public authorities. A legitimate interest also exists for http://www.brilliancehair.eu/ when we engage other companies and individuals to perform certain tasks on our behalf, complementary to our services, within the framework of data processing contracts. We would like our customers to always be aware of the best offers for the products they are interested in. In this regard, we may provide certain of their personal data - only with their explicit consent - to marketing/telemarketing service providers and other companies with whom we may develop joint programs to market our goods.
Our website http://www.brilliancehair.eu/ may also contain links to and from third-party websites now or at a later date. If our customers follow a link to any of these websites, they need to be aware that these websites have their own privacy policies and that we accept no responsibility or liability for these policies. In this regard, it is necessary to check these rules before information is sent to these websites.
Our site uses YouTube LLC, represented by Google Inc. to integrate videos. Typically, when customers visit our embedded video page, their IP address will be sent to YouTube and cookies will be installed on their device. However, our YouTube videos are integrated in an extended privacy mode (in this case, YouTube is still in contact with the DoubleClick service from Google, but personal data in accordance with Google's privacy policy is not used). As a result, YouTube does not store any visitor information unless you watch the video itself. If you click on the video, your IP address will be sent to YouTube and YouTube will know that you watched the video. If you are logged into YouTube through your user profile, this information will also be associated with your user profile (you can prevent this by logging out of YouTube before clicking on the video to view it). We have no information about the possible collection and use of the data by YouTube.
For more information, see the YouTube Privacy Statement at www.google.com/intl/bg/policies/privacy/.
TO WHICH COUNTRIES WE TRANSFER PERSONAL DATA
           We currently store and process personal data on the territory of the Republic of Bulgaria.
We will always take steps to ensure that any international transfer of personal data is carefully managed to protect the rights and interests of our customers. Transfers of data to service providers and other third parties will always be protected by contractual obligations and, where appropriate, other safeguards such as standard contractual clauses issued by the European Commission or certification schemes such as the Privacy Shield for data transferred from the EU to the United States of America.
           Any of our customers may contact us at any time, through the stated means of contact set out at the end of the Policy, to obtain information about the countries to which we transfer data and the safeguards we apply in relation to those data transfers.
YOUR RIGHTS IN RELATION TO PERSONAL DATA
           Under the General Data Protection Regulation you have the following rights:
Right to information
This Policy is intended to inform in detail about the processing of personal data by the site. Where there is a risk of a personal data breach, the controller is required to notify the individual concerned of the nature of the breach and what measures have been taken to remedy it, and whether the supervisory authority has been notified of the breach. The data subject may also request information concerning all recipients to whom the personal data for which rectification, erasure or restriction of processing has been requested have been disclosed.
Right of access
         Every data subject shall have the right to obtain confirmation of whether his or her personal data are being processed, access to them and information on how they are being processed and his or her rights in relation thereto. Requests for access must be made in writing/electronically and addressed to the controller. In this case, we provide a copy of the personal data processed in electronic or other appropriate form.
Right of rectification
Each data subject shall have the right to rectify and supplement his or her personal data in case they are incomplete or inaccurate. For registered users, this option is also valid in the user panel on the Site. Non-registered users can obtain this information by making a request to the controller. As a data subject, you have the right to request the rectification or completion of your personal data that is inaccurate/outdated or incomplete. You must submit a separate request for this purpose. Your request will be answered by the controller in writing at the e-mail address you have provided.
Right to erasure (right to be forgotten) and account closure
Each data subject has the right "to be forgotten", i.e. to request that the Controller erase his/her personal data without undue delay from all systems and records where they are stored, including notifying any third parties/processors to whom the Controller has provided the data.
           If you wish, you have the option to close your account on the site at any time. This option is also valid in the user panel on the Site. After closing the account, all or part of the data is deleted. In connection with our obligations, responsibilities and the requirements of the law (e.g. the EULA or the WEEDU Act), we may retain certain data for a certain period (see section above).
In order to ensure the reliability of the services and to prevent data loss due to technical reasons, the Site applies a data redundancy policy. The maximum period for updating (deleting data) from all backups is 30 days.
           A request for erasure may be made on the grounds set out in the Regulation, including on any of the following grounds:
- the personal data are no longer necessary for the purposes for which they were collected;
- when you have withdrawn your consent;
- where you have objected to the processing of personal data and there are no overriding legitimate grounds for the processing;
- where the processing is unlawful;
- where personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
- where the personal data have been collected in connection with the provision of information society services.
Data subjects should be aware that we may refuse to erase some or all of their personal data where there is a substantial ground for processing and/or a legal obligation. You will be explicitly informed about these situations in due time. The controller may refuse to erase personal data on the grounds set out in the Regulation - where the processing of the specific data serves one of the following purposes:
- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation requiring processing under EU or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- for public health reasons;
- for archiving purposes in the public interest, for scientific or historical research or for statistical purposes;
- for the establishment, exercise or defence of legal claims.

Right to restriction in relation to data processing
The General Data Protection Regulation provides for the possibility to restrict the processing of personal data if there are grounds for doing so provided for therein. Restriction is allowed in the following cases:
- where the subject considers that the personal data are not accurate, in which case the restriction shall be for the period necessary for the controller to verify the accuracy;
- where the processing of personal data is unlawful but the subject does not wish it to be erased, but only wishes to restrict its use;
- where the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims;
- where the data subject has objected to the processing pending verification whether the controller's legitimate grounds override his or her interests.

Right to notify third parties
         Where applicable, each data subject shall have the right to request the Data Controller to notify third parties, where he or she has provided his or her data, regarding the rectification, erasure or restriction of the processing of his or her personal data.
Right to data portability
           Each data subject shall have the right to obtain the personal data concerning him or her which he or she has provided in a structured, commonly used and machine-readable format and shall have the right to transfer such data to another controller without hindrance from us, where the processing is based on consent or a contractual obligation or the processing is carried out by automated means.
           Important: The responsibility for the storage of data exported from the Site, as well as for any consequences of their provision to other controllers, lies entirely with the data subject.
The right of the data subject not to be subject to a decision based solely on automated processing
Each data subject shall have the right not to be subject to such automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the grounds for doing so are laid down in the applicable data protection legislation and appropriate safeguards are provided for the protection of his or her rights, freedoms and legitimate interests.
Right to withdraw consent
Each data subject shall have the right, at any time, to withdraw the consent he or she has given in relation to the processing of personal data on the basis of his or her prior consent. Such withdrawal shall not affect the lawfulness of the processing on the basis of the consent given up to the time of withdrawal. In the case of services such as the subscription to email advertisements, the subscription to which is based on his/her wish (consent), the possibility to terminate the subscription at any time (withdrawal of consent) is provided for. In the event of withdrawal of consent, we have the right to request that the identity of the applicant be verified in order to establish that the applicant is the person to whom the data relates.
Right to object
Each data subject shall have the right to object to data processed on the basis of legitimate interest. In the event that such an objection is received, we will consider that request and, if justified, comply with it. If we believe that compelling legitimate grounds exist for the processing or that it is necessary for the establishment, exercise or defence of legal claims, the data subject will be informed accordingly.
Right of appeal to a supervisory authority
        Any data subject has the right to lodge a complaint against our company (data controller) with the supervisory authority if he or she considers that processing of personal data concerning him or her violates applicable data protection law. The supervisory authority in the Republic of Bulgaria is the Commission for Personal Data Protection with the address. The Data Protection Authority of the Republic of Bulgaria has its registered office at 1592 Sofia Blvd. "1595 Prof. 02 915 3 518.

HOW YOU CAN EXERCISE YOUR RIGHTS. TIME LIMITS FOR A RULING
    The aforementioned rights may be exercised by any data subject free of charge at any time, by email or by request, sent to the addresses indicated in the contact form on the Site or at the end of this Security Policy, addressing their requests both to the controller and directly to the Data Protection Officer. Requests shall be made in a manner that permits the identification of the requester. With respect to certain rights, technical options for exercising them may be applicable, for example an unsubscribe button. In any event, the controller shall respond to the request or make a ruling with respect to the exercised right at the address provided in the request, including electronically, within one month of receipt.
           Where these rights are exercised manifestly unreasonably or excessively, in particular because of their repetitive nature, we reserve the right to charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or to refuse to act on the request. We will inform you of our fees, if applicable, before acting on your request.
ACCURACY OF INFORMATION
         We are not responsible for the accuracy of the data provided by the data subject, nor do we carry out any checks to this effect, nor do we guarantee the actual identity of the individuals who have provided the data. In all cases of suspected fraud and/or abuse, please notify us immediately. Each data subject undertakes, when providing any information on the Site, not to violate the rights of others in relation to the protection of their personal data or their other rights.
GENERAL POLICY INFORMATION
This Privacy Policy may be amended or supplemented due to changes in applicable Bulgarian or European legislation, on the initiative of http://www.brilliancehair.eu/ or a competent authority.
Our website http://www.brilliancehair.eu/ will inform users of changes or additions to this Privacy Policy by posting the updated Privacy Policy on our website.
         Users are advised to periodically check the most up-to-date version of this Privacy Policy on our website.
HOW WE PROTECT YOUR RIGHTS
SECURITY MEASURES
In order to ensure the best possible protection of the data of the company and our customers/users/contractors/visitors on the Site, we apply all necessary organizational and technical measures provided for in the General Data Protection Regulation and the Data Protection Act, as well as best practices of international standards. We apply the appropriate and necessary level of protection and to this end have developed efficient physical, electronic and administrative procedures to safeguard the data we collect from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed.
           We store personal data on secure servers using the latest encryption algorithms and ensure backups are kept.
           Our company "New Wave Trade" Ltd. has adopted the necessary rules and procedures related to the lawful processing of personal data and has appointed a Data Protection Officer who assists in the processes of lawful processing, protection and security of personal data.
           Access to personal data shall only be granted to those employees, service providers or related persons on a need-to-know basis for business purposes or who require it for the performance of their official duties. All employees/workers are required to be trained and accept the relevant contractual clauses/declarations/rules to comply with organisational and technical access measures before being granted access to information of any kind.
           It is a principle of our structure that all employees/workers are responsible for ensuring the security of the storage of the data for which they are responsible and which we process, and that data is stored securely and not disclosed under any circumstances to third parties unless we have granted such rights to that third party by entering into a confidentiality agreement/clause. In this regard, all personal data is only accessible to those who need it, and access can only be granted in accordance with established access control policies.
All personal data is treated with the utmost security and stored:
- in a private room with controlled access; and/or
- in a locked cabinet accessible to authorised persons; and/or
- in a password-protected computerised system in accordance with the internal requirements set out in the organisational and technical arrangements for controlling access; and/or
- on computer media that are protected in accordance with organisational and technical measures to control access to information.
           Personal data shall only be erased or destroyed in accordance with internal data retention and destruction procedures.
For maximum security when processing, transferring and storing personal data, we may use additional protection mechanisms such as encryption, pseudonymisation and backup technology.
           We use a payment service to process payments. All payment information is encrypted using SSL technology.
           When you post in forums, chat rooms or social networking services, the personal information you share is visible to other users and may be read, collected or used by them. In these cases, you are responsible for the personal information you choose to provide.
Despite the measures we implement to protect personal data, we are aware that, in general, the transmission of information over the Internet or other public networks is not completely secure, and there is a risk that data may be viewed and used by unauthorized third parties. We cannot accept responsibility for these vulnerabilities on systems not under our control. In the event of a data leak containing personal data, we guarantee to comply with all applicable notification standards in such cases.
COOKIE POLICY
       As an integral part of this Personal Data Security Policy http://www.brilliancehair.eu/ has adopted a Cookie Policy, published and available both on the Site and on our Facebook page.
CONTACT US
DATA PROTECTION OFFICER
           Questions and requests relating to the exercise of your data protection rights may be directed to http://www.brilliancehair.eu/ , through the contact form available on the Site or through any of the contact forms provided:
"New Wave Trade" Ltd, UIC 204632558, with registered office and registered address. Sofia 1836, "Poduyane" district, zh.k. "5, app. 188.
E-mail address: newwavetradeltd@gmail.com
Tel: +359 890554664
Contact person and address for correspondence: ............................................................ - gr. Sofia 1836, "Poduyane" district, zh.k. "Levski G", bl. 5, app. 188.
DATA PROTECTION OFFICER
Data Protection Officer is ANNA EMILOVA GRIGOROVA
    Address for correspondence. Sofia 1836, Poduyane district, g.k. "5, app. 188.
E-mail address: ANNA.GRIGOROVA7@gmail.com
Contact phone +359 898307633
