Privacy and Cookie Policy

Last updated: 27 April 2026

This Policy explains how Yachts Bulgaria 21 EOOD ("Yachts Bulgaria", "we") collects, uses and protects your personal data when you visit yachtsbulgaria.com, register an account, order magazines or subscriptions, or get in touch with us. It also describes how we use cookies and similar technologies.

1. Who controls your data

Company Yachts Bulgaria 21 EOOD (Яхтс България 21 ЕООД) Company ID (ЕИК) 207865261 VAT registration Not VAT-registered Registered address 4 Akad. Vera Mutafchieva Str., Sofia, Bulgaria Manager Hristina Aleksandrova Lozanska Contact email contact@yachtsbulgaria.com

We are not required to appoint a Data Protection Officer (DPO) under Art. 37 GDPR. For any questions about your personal data, please contact us at the email above.

2. What data we collect and why

We only collect data we actually need to deliver the service you've asked for — nothing more.

2.1. Visiting the site

When you browse yachtsbulgaria.com, our servers (Google Firebase App Hosting, EU region) automatically log technical data: IP address, browser type and version, operating system, date and time of request, pages visited, referrer.

Purpose: site security, error diagnostics, abuse prevention. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Retention: 90 days.

2.2. Account registration and management

When you create an account, we collect name, email address and password (stored only in encrypted form).

Purpose: to let you place orders, view order history and manage your subscription. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). Retention: while your account is active, plus 30 days after deletion. Order-related data is retained longer per section 2.4.

2.3. Orders

When you order, we collect first and last name, email address, billing address, shipping address, phone number (required by the courier) and order details.

Purpose: order processing, delivery, invoicing, communication about the order. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

2.4. Accounting and tax records

For each order we generate an accounting document.

Retention: 10 years from the end of the financial year in which the transaction took place, under Art. 38 of the Tax-Insurance Procedure Code and Art. 12 of the Bulgarian Accountancy Act. Legal basis: legal obligation (Art. 6(1)(c) GDPR).

This retention period overrides the right to erasure — we cannot delete data on issued invoices before the 10-year period expires.

2.5. Payments

Card payments are processed by myPOS Limited (United Kingdom). Your card details (number, CVV, expiry) are entered directly on a secure myPOS page — we never see and never store your card details.

From myPOS we receive only: confirmation of successful/failed payment, amount and currency, unique transaction reference, last 4 digits of the card.

myPOS Privacy Policy: https://www.mypos.com/legal

For cash on delivery, the courier (Econt) collects payment when the order is delivered.

2.6. Delivery via Econt

When you choose delivery, we share the following with Econt Express Ltd. (ЕИК 117047646): recipient's first and last name, delivery address (or selected Econt office), phone number, cash-on-delivery amount (where applicable).

Purpose: delivery of your order. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Econt processes this data as an independent controller for courier services. Their policy: https://www.econt.com/privacy-policy

2.7. Subscriptions

For subscriptions we collect the same data as for a normal order (section 2.3) plus delivery frequency information.

Subscriptions currently do not auto-renew. If we introduce auto-renewal, we will request your separate consent at checkout. You will be able to cancel your subscription at any time through your account or by writing to contact@yachtsbulgaria.com.

2.8. Newsletter

This service is not yet active but will be soon.

If you sign up for our newsletter, we collect email address and the time and source of consent.

Purpose: to send you information about new issues, articles and upcoming events. Legal basis: your consent (Art. 6(1)(a) GDPR). Retention: until unsubscription + 30 days.

You can unsubscribe at any time via the link at the bottom of every email or by writing to contact@yachtsbulgaria.com.

2.9. Correspondence with us

When you write to contact@yachtsbulgaria.com, we keep the message content and your email address.

Legal basis: legitimate interest (Art. 6(1)(f)) — to respond and keep a record of communication. Retention: 12 months after the matter is resolved, unless connected to an order (then per section 2.4).

3. Who we share your data with

We do not sell your data. We share it only with processors or controllers who help us deliver the service:

Recipient Role Country Purpose Google Ireland Ltd. (Firebase App Hosting, Cloud Storage, Authentication, Firestore) Processor EU Hosting, storage, authentication myPOS Limited Independent controller United Kingdom Card payment processing (integration planned) Econt Express Ltd. Independent controller Bulgaria Courier delivery Meta Platforms Ireland Ltd. Independent controller Ireland Marketing via Facebook Pixel — only with consent Accounting firm Processor Bulgaria Accounting services

Each of these recipients has signed contractual data-protection commitments.

4. Transfers outside the EU/EEA

• Firebase / Google Cloud — your data is stored in European Google Cloud regions.

• Meta (Facebook Pixel) — Meta Platforms Ireland is an EU-based controller but transfers data to the U.S. The transfer is covered by the EU–U.S. Data Privacy Framework and Standard Contractual Clauses.

• myPOS Limited — processing in the United Kingdom, which has an adequacy decision from the European Commission.

5. Data security

We apply technical and organisational measures to protect your data: HTTPS encryption of all site communication, encrypted password storage (bcrypt), two-factor authentication for admin panel access, regular backups, restricted database access, Data Processing Agreements (DPAs) with all sub-processors.

6. Your rights

Under the GDPR you have the right:

• To information and access (Art. 15) — to receive a copy of the data we hold about you.

• To rectification (Art. 16) — to ask us to correct inaccurate data. You can also do this yourself from your account.

• To erasure ("the right to be forgotten", Art. 17) — to ask us to delete your data. Note that accounting data (section 2.4) is retained by law.

• To restriction of processing (Art. 18) — for example while we verify the accuracy of data.

• To data portability (Art. 20) — to receive the data you've provided in a machine-readable format.

• To object (Art. 21) — to processing based on legitimate interest.

• To withdraw consent at any time, where we process based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise these rights, write to contact@yachtsbulgaria.com. We will respond within one month. We may first ask for reasonable identification.

7. Right to lodge a complaint

If you believe we've violated your rights, you can lodge a complaint with:

Commission for Personal Data Protection (CPDP)

• Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria

• Phone: +359 2 91 53 518

• Email: kzld@cpdp.bg

• Website: https://www.cpdp.bg

8. Is providing your data mandatory

You are not required to give us any data. But without certain data we cannot provide certain services: without email and password — you cannot create an account; without an address and name — we cannot ship your order; without consent to the newsletter — we cannot send you a newsletter.

9. Automated decision-making

We do not make automated decisions with legal effect for you within the meaning of Art. 22 GDPR. We do not perform profiling for marketing purposes beyond what is described in the cookies section below.

10. Children

Our services are not directed at persons under 16. We do not knowingly collect data from children. If a parent or guardian becomes aware that a child has provided data without their knowledge, please contact us so we can delete it.

11. Cookies

Cookies are small text files that a website stores in your browser when you visit. They help us keep your session alive, remember your preferences and — with your consent — measure how the site is performing.

Alongside cookies we use similar technologies (local storage, pixel tags) which are subject to the same rules.

11.1. Strictly necessary (always on)

Without these the site simply doesn't work: account login, cart, abuse prevention.

Cookie Provider Purpose Duration firebaseLocalStorageDb, __session Google Firebase Authentication Maintains the session of logged-in users Until logout / 14 days __cfduid, cf_clearance Google Cloud (Firebase) Abuse and DDoS protection Session / 30 days cart, currencyyachtsbulgaria.com Remembers cart contents and currency choice Session / 30 days cookie_consentyachtsbulgaria.com Stores the cookie choice you've made 12 months

Legal basis: legitimate interest and contract performance. No consent required for these.

11.2. Marketing (consent required)

Help us measure ad campaigns and show you relevant ads on Facebook and Instagram.

Cookie Provider Purpose Duration _fbp Meta Platforms Ireland Ltd. Identifies browsers for advertising 90 days fr Meta Platforms Ireland Ltd. Ad delivery and measurement 90 days _fbc Meta Platforms Ireland Ltd. Tracks clicks from ads 90 days

Legal basis: your consent (Art. 6(1)(a) GDPR). Transfer outside the EU: Meta transfers data to the US under the EU–U.S. Data Privacy Framework.

These cookies load only if you've clicked "Accept all" or selected "Marketing" in the consent banner. If you've declined — Facebook Pixel does not load at all.

11.3. Analytics

We currently do not use analytics tools such as Google Analytics, Hotjar, Matomo or similar. If we introduce any in the future, we will update this policy and ask for your separate consent.

11.4. Managing cookies

You can change your choice at any time via the "Cookie settings" link at the bottom of every page.

All modern browsers let you delete existing cookies or block new ones. Note that blocking strictly necessary cookies may break the site:

• Chrome

• Firefox

• Safari

• Edge

You can manage what Meta receives about you off-Facebook here: https://www.facebook.com/off_facebook_activity

12. Changes to this policy

We may update this policy to reflect changes in our services or in legislation. The latest update date will always be at the top of this document. If the changes are substantial, we will notify you by email or via a visible notice on the site.

Questions? Write to us at contact@yachtsbulgaria.com.