Personal Data Policy
With this in mind, data security is important to the success of our business and to our public image as a first-class clinic.
Therefore, we strive to protect your data by applying all appropriate technical and organizational means at our disposal to prevent unauthorized access, unauthorized or malicious use, loss or premature deletion of information.
How and why do we use your personal data?
The methods and purposes for using your personal data by Ayurveda Clinic Sofia are as follows:
1. To fulfill statutory and contractual obligations
We collect and process your personal data and other personal data in order to fulfill obligations assigned to us by virtue of a statutory act such as the Tourism Act.
We collect and process your personal data and other personal data in order to fully provide the services that you have requested and that you want to use with us, as well as to fulfill our contractual obligations to you.
The data we collect includes:
- Names and mobile number.
- Email address, letters, information about your troubleshooting requests, complaints, requests, complaints;
- Other feedback we receive from you;
- Video recordings made to improve security;
- Preferences for the services we provide to you;
- Data provided through the clinic’s website;
- IP address when visiting our website;
- Demographic data, household information when you agree to participate in our surveys, prize draws or other feedback you provide us in connection with the services you use.
2. Online payment information
In connection with payments made to the clinic – when paying for a product or service in the reservation system of the clinic site – you will need to enter credit or debit card information, bank account number or other banking and payment information.
- The user does not provide Ayurveda Clinic Sofia with bank or credit card details. Payment by bank card is made through the Bank’s Virtual POS terminal, where the bank card data is entered directly into the Bank’s Secure platform. In this way, the data from the User’s bank card are maximally protected and do not become available to Ayurveda Clinic Sofia.
- To protect against abuse when paying with your Visa or MasterCard, we apply the best practices recommended by international card organizations;
- Security when entering and transferring card data is ensured by using the SSL protocol to encrypt the connection between our server and the payment page of our serving bank;
- The authenticity of your card is verified by entering a security code (CVV2);
- In addition, to identify you as a cardholder, the e-commerce payment server of our servicing bank supports the authentication schemes of international card organizations – Verified by VISA and MasterCard SecureCode, in case you are registered to use them.
3. Purposes of data processing
The processing of your personal data and other data is carried out for the purpose of:
- Establishing the client’s identity upon check-in at the clinic;
- Management and fulfillment of your requests for services;
- Preparing and sending a bill/invoice for the services you use with us;
- Providing the necessary overall service and collecting the amounts due for the services used;
- Analysis of customer history and preparation of a user profile with a view to determining a suitable offer for you;
- Research and analyze customer consumption of our services, based on anonymous or personalized information, to identify key trends, improve our understanding of our customers’ behavior and collaborate with third parties to develop new services for our customers;
- Processing by the data processor when concluding a contract, assignment, reporting, acceptance, payment.
4. With your consent
In some cases, we process your personal data only after your prior written consent.
Consent is a separate basis for processing your personal data. The purpose of the processing is stated therein and is covered by the purposes listed in this policy.
If you give us the relevant consent and until it is withdrawn, we prepare offers suitable for you for programs and services offered by the clinic.
Consents may be withdrawn at any time. Withdrawal of consent will be reflected in the offer of the respective services in the provision of the respective programs.
We have a large portfolio of programs and services offered. When you give us consent to process data, that consent applies to all programs and services you use.
To withdraw the given consent, you only need to use our site or simply our contact details.
Who do we share your personal data with?
We process your identification data and other personal data to comply with legal obligations, such as:
- Provision of information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act;
- Provision of information to the Commission for the Protection of Personal Data in connection with obligations provided for in the normative framework for the protection of personal data – Personal Data Protection Act, Regulation (EU) 2016/679 of April 27, 2016, etc.;
- Obligations provided for in the Accounting Act and the Tax-Insurance Procedure Code and other related legal acts, in connection with keeping correct and lawful accounting;
- Provision of information to the court and third parties, within the framework of proceedings before a court, in accordance with the requirements of the procedural and substantive legal acts applicable to the proceedings;
Payment authentication for online registrations.
How do we protect your personal data?
To ensure adequate data protection of the company and its customers, we implement all necessary organizational and technical measures provided for in the Personal Data Protection Act and the by-laws on its implementation.
The company has appointed a Data Protection Officer who supports the processes of protecting and ensuring the security of your data.
In order to ensure maximum security when processing, transferring and storing your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.
When do we delete your personal data?
As a rule, we terminate the use of your personal data, for the purposes related to the contractual relationship, after the termination of the contract, but we do not delete them before the expiration of one year from the termination of the contract or until the final settlement of all financial obligations and expiration of the legally defined obligations to store the data, such as:
- Obligations under the Accounting Act for storage and processing of accounting data (5 years);
- Expiration of the statute of limitations for filing claims (5 years);
- Obligations to provide information to the court, competent state authorities, etc. grounds provided for in the current legislation (5 years).
Please note that we will not delete or anonymize your personal data if it is necessary for pending legal, administrative or complaint proceedings before us.
Your data can also be anonymized. Anonymization is an alternative to data deletion. Upon anonymization, all personally identifiable elements /elements allowing your identification/ are irreversibly deleted.
For anonymized data, there is no legal obligation to delete it, as it does not constitute personal data.
Your rights in relation to the processing of your personal data
In connection with the processing of personal data, each user is guaranteed the following rights:
Right to information
You have the right to request:
- Information on whether data relating to you is processed, information on the purposes of this processing, on the categories of data and on the recipients or categories of recipients to whom the data is disclosed;
- A message in an understandable form containing your personal data that is being processed, as well as any available information about its source;
- Information about the logic of any automated processing of personal data concerning you, at least in the case of automated decisions.
Right to correction
In the event that we process incomplete or wrong data, you have the right, at any time, to request:
- To delete, correct or block your personal data, the processing of which does not meet the requirements of the law;
- To notify the third parties to whom your personal data has been disclosed of any deletion, correction or blocking, except in cases where this is impossible or involves excessive efforts.
Right to erasure / the right “to be forgotten”/
At any time, you have the right to request the erasure of personal data processed by us if:
- Personal data are not necessary for the purposes for which they were collected and processed;
- You withdraw your consent and there is no other legal basis for their processing;
- Personal data has been processed unlawfully.
Right to object
At any time you have the right to:
- Objections to the processing of your personal data if there is a legal basis for this; when the objection is justified, the personal data of the individual concerned can no longer be processed;
- Objections to the processing of your personal data for direct marketing purposes.
Right to restriction of processing*
You can request the restriction of personal data being processed if:
- You dispute the accuracy of the data, for the period in which we have to verify its accuracy; or
- The processing of the data is without legal basis, but instead of deleting them, you want their limited processing; or
- We no longer need this data (for the specified purpose), but you need it for the establishment, exercise or defense of legal claims; or
- You have lodged an objection to the processing of the data, pending verification of whether the controller’s grounds are lawful.
Right to data portability*
You can ask us to provide the personal data you have entrusted to our care in an organized, orderly, structured, generally accepted electronic format if:
- We process the data according to the contract and based on the declaration of consent which can be withdrawn or on a contractual obligation and
- Processing is done automatically.
Right of appeal
In the event that you believe that we are violating applicable regulations, please contact us to clarify the matter.
Of course, you have the right to file a complaint with the Commission for Personal Data Protection. After May 25, 2018, you will also be able to file a complaint with a regulatory authority within the EU.
Requests for access to information or for correction are submitted in person or by a person expressly authorized by you, through a notarized power of attorney. An application can also be submitted electronically, in accordance with the Law on Electronic Documents and Electronic Signatures.
We rule on your request within 14 days of its submission. If a longer period is objectively necessary – in order to collect all the requested data and this seriously complicates our activity, this period can be extended up to 30 days.
With our decision, we grant or deny access and/or the information requested by the requester, but we always give reasons for our response.
Updates and policy changes