Privacy Policy and Data Protection Policy

As of 25.05.2018, the “General Data Protection Regulation” – GDPR and the changes to our privacy administration policy related to it came into force.

This Privacy Policy has been developed in accordance with European and Bulgarian legislation, in direct commitment to the changes and requirements regarding personal data. This document sets out how BULREA 28 Ltd collects, uses, discloses and protects the personal data of users and customers of the Website.

We would like to assure you that it is our concern and commitment to maintain your trust, therefore the protection of personal data is a responsibility to which we pay special attention. Efforts will be made on our part against unlawful processing of personal data of individuals.

This document contains information regarding how personal data is processed, the types of personal data collected, the purpose of the use of the personal data collected, third party access to that data, and the options you have in relation to the use of the personal data you have provided. BULREA 28 Ltd collects certain information through the Website, the Dermamedicalae Facebook page and through Google Analytics. This document (“Privacy Policy”) describes our policies and procedures governing the collection and processing of this information that identifies an individual user and may be used to contact that user.

The following administrative authority exercises control over the activities carried out by us relating to personal data:

Commission for Personal Data Protection (CPDP)

Address: 1431 Sofia, “Acad. Ivan Evstratiev Geshov” 15

Tel: + 359 2 915 35 18

Fax: + 359 2 915 35 25



Terms used:

“Personal data” means any information relating to an identified natural person or an identifiable natural person;

“Data subject” means an identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Processing” may be a single operation or a set of operations performed on personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage or alteration, retrieval, consultation, disclosure by transmission or dissemination, making available, alignment, restriction, erasure or destruction.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the present case, the data controller is BULREA 28 Ltd.

“Processor” means a natural or legal person, agency or other entity which processes personal data on behalf of the controller. In the present case, an employee of BULREA 28 Ltd. is taken as such.

General conditions:

As a personal data controller, BULREA 28 EOOD has the right to collect and process the personal data provided by the users of the Website, subject to the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and the Personal Data Protection Act (PDPA).

The Regulation governs the use and security of your personal data to better protect individuals. The collection of personal data by BULREA 28 Ltd will be carried out in a transparent and secure manner, allowing us to offer you products and services according to your specific needs.

The personal data that is processed by BULREA 28 Ltd is provided directly by you or collected automatically. The legal basis on which BULREA 28 Ltd processes personal data is the voluntary consent given by you.

Personal data you provide:

The personal data you provide directly is processed and used for the purposes set out in this Privacy and Data Protection Policy. Providing your personal data when using the Sites is optional unless you wish to voluntarily register.

The personal data that we collect when you voluntarily register are: first and last name, email address, telephone number, location, address and a password for access that the Customer generates themselves.

This is information that you must provide in order to be able to register in the online shop and by which you can be personally identified.

The purposes of the collection of said personal data are described below in this Privacy and Data Protection Policy.

BULREA 28 Ltd processes your personal data only for the purposes described below:

– To register and manage your account, including to use services requiring registration in the online store, and to communicate with you, resolve disputes and troubleshoot problems;

– The personal information you provide is used to manage orders for delivery of products and services, to process payments, to communicate with you about orders, products, services and promotional offers, product and service recommendations;

– The Website uses this data and information only to improve the online commerce platform, to avoid or prevent fraud or abuse to the detriment of the Website, and to enable third parties to perform logistics and other services for the Website.

– The website uses your information to inform you about news and other similar information about products and campaigns;

– To measure and track statistical dependencies about user behavior on the site in order to improve our products;

– To send you a regular newsletter to which you have expressly subscribed;

– For marketing purposes related to activities on the relevant website;

– To send you marketing messages and information to third parties where we have expressly obtained your consent to do so.

To make an online order, you need to provide us with your first and last name, e-mail, address and contact telephone number, as well as payment information (in case you have chosen a payment method other than cash on delivery). The basic personal data voluntarily provided by you will only be used for the processing, confirmation, fulfilment and delivery of the goods purchased by you.


What are your rights after you have provided your personal data to BULREA 28 Ltd.

Users subscribed to our newsletter can cancel their subscription at any time, if they wish.


Trademarks used that are not owned by the online store are protected by copyright and are the property of their respective owners.

The data controller is aware of and follows the principles set out in the GDPR:

– Personal data are processed lawfully, fairly and transparently;

– Personal data are collected for specified, explicit and legitimate purposes and are not further processed in a way incompatible with those purposes;

– The personal data is relevant, related to and limited to what is necessary in relation to the purposes for which it is processed;

– Personal data is accurate and kept up to date where necessary;

– The personal data are kept in a form which permits identification of the persons concerned for no longer than is necessary for the purposes for which the personal data are processed;

– The personal data are processed in a manner which ensures an adequate level of security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organisational measures.

We carry out the activities related to the processing of your personal data:

1) after we have obtained your consent;

2) in order to legitimately carry out business activities and provide seamless customer service;

3) in order to fulfil our obligations to you.

Access to data:

We provide you with access and the opportunity to review, correct, supplement or delete your personal data that you have shared with us.

Personal data that is collected automatically:

When you visit our pages, our web server automatically recognizes and collects your IP address, which is assigned by your Internet service provider and does not personally identify you.

Aggregate Information – Log Files – Like many other sites, we obtain information from log files (a collection of system information about the user): the IP address; the ISP (Internet Service Provider); the browser you use when you visit a site in the group (such as Google Chrome, Internet Explorer and Mozilla Firefox); the time you spent on a site and which pages on the site you visited. The information contained in these files includes:

“Cookie” is a data file placed on your device when you visit, browse and use our Website and Online Shop. Cookies allow your actions and preferences to be saved for a certain period of time so that you do not have to re-enter them each time you visit the Website or move from one page to another. “Cookies” can be disabled from your browser settings. Please note, however, that some features of the Website may not work properly if you disable them.

Web analysis

We use Google Analytics and Yandex Metrica to collect statistical information about eShop Users – for example, the website you come to our eShop from; the country you are in; your language; your online behaviour; the browser you use, etc. We collect the above data to analyse what type of Users and how they use the eShop, which helps us to improve the user experience. This information cannot lead to your identification.

You can opt-out of the use of your data by Google Analytics and Yandex Metrica by downloading and installing the following plug-ins: the Google Analytics opt-out browser add-on for Google Analytics and the Yandex Metrica opt-out add-on for Yandex Metrica.

By agreeing to use the Service, you expressly consent to our use of Google Analytics on the Website, including that you have been given the opportunity to opt-out of Google Analytics.


Our web page uses the Facebook-pixel.

The Facebook-pixel is the HTML code on our web page that allows us to set, measure and optimize audiences when running marketing campaigns.

The Facebook-pixel measures conversions across devices, allows for automatic targeting of site visitors, as well as retargeting and creating dynamic ads.

With the Facebook-pixel, we do not collect personal information directly, but instead use the information available about the user in order to retarget them to our web page as they browse the web. However, in this action we do not know personal information about the specific user – for example, who the user is.

What we do to protect your privacy:

To prevent unauthorized access or disclosure and to ensure the proper use of your data, we implement appropriate technical and organizational measures to protect the data we collect and process.

When processing payment information, in order to make the shopping and payment process as safe and secure as possible for you, we use Secure Sockets Layer (SSL). Secure Sockets Layer or SSL is a special cryptographic Internet protocol for client-server communication that protects data transmission from malicious interference.

The password you provide when registering on the Website is encrypted to protect against unauthorized access to your personal information.

Maintaining the confidentiality and security of your personal information is of the highest priority to us, and we make every effort to limit access to it to only those employees of BULREA 28 Ltd who need to come into contact with it in order to perform their role and enable our products and services to be provided to you. We will keep your information confidential except where disclosure is required by law or for technical purposes.

We retain your personal information for as long as necessary to ensure the effective operation of our website. In general, we retain your personal data for as long as your profile exists on the Website or until you specifically request that the data be deleted. The information provided and collected by you will not be sold or made available for use in return to anyone without your personal consent.

Information may be provided if requested by the relevant state authorities and institutions, in the order and in the cases specified in the Bulgarian legislation in force.

We make every effort to protect your personal information. However, when sharing information on the Internet you should be aware that the transmission of information over the Internet can never be completely secure and that security cannot be completely guaranteed.

Duration of storage of personal data

As our customer, we store some of your basic personal data (name, address, telephone and email) in our business management system for a period regulated by law.

Data from participation in sweepstakes, games, promotions or surveys is stored for a period of 1 year.

The data you provide via the contact form in connection with enquiries is stored for a period of 1 year after the processing is completed.

Data from statistical analyses are stored for a period of up to 1 year. These data are of a non-personal nature and cannot be linked to you or lead to your identification.

After the expiry of the above periods, your data will be destroyed.

We may share your personal data in the following cases:

– In connection with arranging the delivery or transport of goods purchased by you;

– To ensure compliance with a legal obligation;

– To prevent fraud or to provide network and information security for our systems.

Violations. Notification of violations.


A data breach occurs when personal data for which BULREA 28 Ltd is responsible is affected by a security incident that results in a breach of the confidentiality, availability or integrity of the personal data. In this sense, a data breach occurs when there is a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of data that is transmitted, stored or otherwise processed.

Assessment of violations

Once the relevant Data Controller of BULREA 28 Ltd receives information about a breach, it must determine whether the specific event constitutes a personal data breach and notify the Controller’s managers of the event (in case they are unaware).

In case of a personal data breach that is likely to pose a risk to the rights and freedoms of individuals, the Data Controller shall, without undue delay and where practicable no later than 72 hours after becoming aware of it, notify the Personal Data Protection Commission of the breach.

Where and to the extent that it is not possible to submit the information simultaneously, the information may be submitted in stages without further undue delay.

Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall, without undue delay, notify the subject of the breach.

The Controller shall document each personal data breach, including the facts relating to the breach, its consequences and the action taken to deal with it.

Your rights and options in relation to the processing of your personal data:

With regard to the processing of your personal data, you have the following rights:

  1. You are entitled to request access to and obtain information regarding the personal data held about you, as well as information regarding the purposes of the processing, the categories of personal data, the recipients to whom your personal data may be disclosed;
  2. You have the right at any time to request the correction of inaccurate data relating to you, as well as the completion of incomplete data, if this is appropriate and/or necessary in view of the purpose for which the data are processed;
  3. You have the right to file a complaint with the Personal Data Protection Commission in case of violation of your rights or unlawful processing of your personal data;
  4. At any time you may withdraw your consent to the use of your personal data that you have previously provided. In this case, withdrawing your consent to the use or processing of your personal data may result in your inability to benefit from certain products or services provided by our Website;
  5. If you decide that you do not want BULREA 28 EOOD to process your personal data, you have the right to be “forgotten”, i.e. you can at any time request that your personal data be deleted on any of the following grounds:

     5.1. your personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

     5.2. in case you have withdrawn your consent to the processing of your personal data;

     5.3. if your personal data is unlawfully processed;

     5.4. if you have objected to the processing of your personal data;

     5.5. other cases provided for in the legislation governing the protection of personal data.

If a subject wishes to be “forgotten” and his or her personal data are erased, this is an irreversible process and the data cannot be subsequently restored!

In the case of exercising the rights under Article 17 of the GDPR, BULREA 28 Ltd shall erase only the personal data of the data subject, but not publicly accessible posts that the data subject has made in forums, comments to posts and articles on the Website.

You may exercise all of the following rights by submitting a written request to the following email address: or by using the contact form. Your request must contain the following information:

  1. username, email and other identifying information of the individual concerned;
  2. a description of the request;
  3. the form preferred for providing the information.

The application is free of charge. The time limit for processing the application is one month from the date of receipt of the application.

Contact details of the Administrator:

Company: ‘BULREA 28’ Ltd.

Town: Burgas 8000

51, Trayko Kitanchev Str.

Tel: +359882068371


If you have any inquiries regarding the processing of personal data or the exercise of your rights, you can contact our Data Protection Officer: Milena Stoyanova.

Amendment of this privacy policy

This Privacy Policy may be amended unilaterally by BULREA 28 Ltd, of which we will notify all Users of the Service accordingly.

You agree that any amendment or modification to this Policy will be effective as to you upon notice from BULREA 28 Ltd, unless you state within 7 days that you reject it.

You agree that any notices from BULREA 28 Ltd in relation to any amendment to this Policy will be sent to your e-mail address used to register for the Service or by posting in an appropriate place on the Website.
