FREE SHIPPING over 80 €

1. Data controller

The controller within the meaning of Art. 4(7) of Regulation (EU) 2016/679 ("GDPR") is:

  • GPI Lazer EOOD
  • Unique Identification Code (UIC): 202340345
  • Registered office and address of management: Plovdiv, Severen District, 9 "Georgi Baydanov" Str., floor 1, Bulgaria
  • Privacy email: hello@kafetama.com

The company is not required to appoint a Data Protection Officer under Art. 37 GDPR. For all matters concerning the processing of your personal data, please contact the email above.

2. Categories of personal data we process

  • Identification data: first and last name, delivery address, phone number, email
  • Order data: order contents, purchase history, chosen delivery and payment method, customer service correspondence
  • Payment data: handled directly by the registered payment provider. The Store does not store card numbers, CVV codes, or other sensitive payment data
  • Technical data: IP address, browser type and language, operating system, pages visited, access timestamp, referrer
  • Account data: email, password hash, registration date, order history (only if you create an account)

3. Purposes and legal bases

  • Performance of a sales and delivery contract — Art. 6(1)(b) GDPR
  • Issuance and storage of accounting and fiscal documents — Art. 6(1)(c) GDPR (Accountancy Act, VAT Act)
  • Handling complaints and exercising the right of withdrawal — Art. 6(1)(b) and (c) GDPR (Consumer Protection Act)
  • Site security, fraud prevention, infrastructure maintenance — Art. 6(1)(f) GDPR (legitimate interest)
  • Sending marketing communications (newsletter) — Art. 6(1)(a) GDPR (explicit consent, withdrawable at any time)

4. Retention periods

  • Accounting and fiscal documents (including order and invoice data) — 10 years (Art. 38 of the Bulgarian Accountancy Act)
  • Account data — until the account is deleted by the user, or 24 months of inactivity, whichever comes first
  • Customer-service correspondence — 24 months from the closure of the case
  • Marketing consents and related data — until consent is withdrawn
  • Technical and security logs — up to 12 months

5. Recipients and processors

Personal data is shared only with the following categories of processors (Art. 28 GDPR), on a contractual basis with strict confidentiality:

  • Courier operators: Speedy AD and Econt Express OOD — for delivery fulfilment
  • Payment providers: bank and card processors — for online payment processing
  • Hosting and infrastructure provider — for the technical operation of the site
  • Email service provider — for sending order confirmations and system notifications
  • Accounting processor — for the preparation of accounting and tax documents
  • Umami (self-hosted in the EU) — for anonymous traffic analytics, without cookies or personal data

Where required by law, we may disclose data to competent state authorities (NRA, CPC, Ministry of Interior, court).

6. Transfers outside the EU

As a rule, we do not transfer personal data outside the European Economic Area (EEA). Where such a transfer is necessary, it is carried out only with safeguards under Art. 46 GDPR (European Commission Standard Contractual Clauses) or based on an adequacy decision under Art. 45 GDPR.

7. Your rights as a data subject

As a data subject you have the following rights under GDPR:

  • Right of access to your personal data (Art. 15)
  • Right to rectification of inaccurate or incomplete data (Art. 16)
  • Right to erasure ("right to be forgotten") (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object to processing based on legitimate interest (Art. 21)
  • Right to withdraw consent at any time, where processing is based on consent (Art. 7(3))
  • Right not to be subject to a decision based solely on automated processing (Art. 22)

To exercise your rights, send a written request to hello@kafetama.com. We will respond within one month pursuant to Art. 12(3) GDPR.

8. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP):

  • Address: 2 "Prof. Tsvetan Lazarov" Blvd., 1592 Sofia, Bulgaria
  • Email: kzld@cpdp.bg
  • Website: https://www.cpdp.bg

9. Data security

We apply appropriate technical and organisational measures to protect your personal data — connection encryption (HTTPS/TLS), access controls, regular backups, and storage in certified EU data centres.

10. Amendments

This Policy may be updated. The current version is always published on this page with the date of last revision shown.

Last updated: 30 April 2026

Privacy policy — Kafetama