Privacy policy

1. Introduction

   In order to provide the services of the billbox.bg website, MIXO APPS Ltd, UIC: 203732032 processes data of individuals ("Data Subject"/"You"/"Your") in accordance with this Privacy Policy.

   When processing personal data, billbox.bg complies with all applicable data protection regulations, including but not limited to Regulation (EU) 2016/679 ("Regulation").

   This "Privacy Policy", in conjunction with the "Cookie Policy" and any other documents that are referred to on the Site, sets out the rules that MIXO APPS Ltd will follow when processing personal data that we collect from or about you, or that you provide to us.

   By using the website, you declare that you agree to this Privacy Policy.

   If you have any questions or comments about this Privacy Policy, please contact us at the following email address: contacts@billbox.bg

   Please read this "Privacy Policy" carefully before using the Site or submitting your personal information, whether electronically on the Site or on paper, as by submitting your personal information you agree to its terms. If you do not wish us to process your personal data in the manner described in this Privacy Policy, we ask that you do not provide it to us. Your provision of personal data is voluntary in order to use certain services provided by us and to use and/or access the Site. Please note that in some cases we will not be able to provide you with the service you have requested if you do not provide us with the necessary information. Please also note that in certain cases your consent to the processing of personal data may not be necessary if MIXO APPS Ltd has another legal basis, e.g. compliance with statutory obligations.

   Personal Data Controller
   Means a body which, alone or jointly with other bodies, determines the purposes and means of the processing of personal data.

   "MIXO APPS" EOOD (hereinafter referred to as the "Administrator") is a legal entity, a commercial company established under Bulgarian law, registered in the Commercial Register with its registered office and registered office address. Sofia, g.k. "421, Str. 0876 098 293, email: contacts@billbox.bg website: billbox.bg

   Supervisory authority
   is an independent public authority from a Member State of the European Union responsible for monitoring the application of the rules on the protection of personal data.

   For the Republic of Bulgaria, the Supervisory Authority is the Commission for Personal Data Protection.
   Address. Sofia, p.k. 1592, Sofia Blvd. "1592, Proff. No.: 2, 1592, 1592, 1592, No.: 2, 1592, 1592, 1592, No.: Tsvetan Lazarov
   Contact details: 02/915 35 18; 02/915 35 15; 02/915 35 19; kzld@cpdp.bg, www.cpdp.bg

2. Concepts

   Personal data
   is any data that contains identifying information about an individual ( e.g. name, address, telephone number, email, etc.).

   Data processing
   means any operation which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

   Restriction of processing
   means the marking of stored personal data in order to restrict its processing in the future.

   Profiling
   is any form of automated processing of personal data consisting in the use of personal data to evaluate certain aspects relating to an individual, such as his or her economic situation, health, personal preferences, interests, reliability, behaviour, location, movement.

   Pseudonymization
   means the processing of personal data in such a way that the personal data can no longer be associated with a specific data subject without the use of additional information, provided that it is kept separately and is subject to technical and organisational measures to ensure that the personal data are not linked to an identified natural person or to an identifiable natural person.

   Register of personal data
   is the set of data that is maintained and stored by the controller, regardless of its material medium.

   Processor of personal data
   is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

   Third country
   means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and those persons who, under the direct authority of the controller or the processor, are entitled to process personal data.

   Recipient
   is the natural or legal person, public authority, agency or other body to whom the personal data is disclosed, whether or not a third party. There is a broader meaning than 'third party'.

   Consent of the data subject
   means any freely given, specific, informed and unambiguous indication of the data subject's wishes, by means of a statement or a clear affirmative action, which indicates his or her consent to the processing of personal data concerning him or her.

   Personal data breach
   means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed.

3. Principles of personal data processing

   "MIXO APPS Ltd will process your personal data in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.

   Personal data are processed:

   1. lawful, fair and transparent in relation to the data subject /"lawfulness, fairness and transparency"/.
   2. Personal data shall be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes /"purpose limitation"/.
   3. The personal data shall be relevant, related to and limited to what is necessary in relation to the purposes for which they are processed /"data minimisation"/.
   4. Personal data is accurate and, where necessary, maintained in an accurate form /"accuracy"/.
   5. Personal data shall be kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the personal data are processed /"storage limitation"/.
   6. Personal data are processed in a manner that ensures an adequate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organisational measures /"integrity and confidentiality"/.
4. Personal data subject to processing by the controller
   1. Processing of personal data that is provided directly by an individual /"data subject"/ when he/she contacts the Controller via the contact form for contacting the Controller; when he/she registers his/her user profile on the website and when he/she enters into a contract with the Controller for the use of any of the services offered by the Controller.
      1. When an individual contacts the Administrator via the contact form to contact the Administrator, the Administrator only collects and processes names, email address and communication with you.

         The processing of this data is necessary in order to:

         - Implementing the legitimate interests of the Controller, which legitimate interests are sending a reply to received messages and saving received messages.
         - For pre-contractual actions taken at the request of the individual, namely providing more information about the services offered by the Controller in connection with the possible conclusion of a contract with an individual.
      2. When an individual contacts the Administrator by making a user profile (creating an account) on the website, the Administrator collects and processes only three names, an email address and a password. In addition, information about the registration and the acceptance of the Terms (date, time, IP address) is stored.

         The processing of this data is necessary for the purpose of:

         - The realisation of the legitimate interests of the controller, which legitimate interests are the creation of a user profile of the natural person/legal entity, including the processing of data necessary for this purpose when carrying out registration and creating an account for the purpose of any subsequent conclusion of a contract with the "data subject" for the provision of the relevant services offered by the Controller
      3. When an individual contacts the Data Controller by entering into a contract with the Data Controller to use a service, the Data Controller shall only collect and process: three names of the natural person, ID number, or ID number of a foreigner, permanent address, ID card number; respectively name, Income Tax, registered office and registered office for the legal entity, MOL; telephone number to contact you regarding the services you have ordered; e-mail address; financial information (credit or debit card data - in the case of payment by card, bank account number or other banking and payment information in connection with the payments made), as well as any other information that is necessary for the conclusion of a contract for the provision of the relevant service and for its performance, without which the service could not be performed.

         The processing of this data is necessary in order to:

         - To implement the legitimate interests of the Controller, which legitimate interests are the conclusion and performance of a contract for the provision of the relevant service and to be able to exercise its rights under the contract.
   2. Personal data collected and processed automatically when you use our website
      - The IP address from which you visit
      - Your browser identifier
      - Your mobile device identifier
      - Type of operating system
      - History of your behaviour - pages visited, date and time spent, frequency and duration of website visits, products purchased, etc.
      - The type of device from which you access the platform
      - Your comments

      The administrator does not "profile" individuals when using the information collected.

      We use cookies and similar technologies to make browsing the website more secure, fast and enjoyable. The information that is collected from cookies and similar technologies is statistical and is used to ensure your security, to troubleshoot browsing issues and perform diagnostics, and to analyze website activity. See "Cookie Policy."

   3. Processing of special categories of personal data

      "MIXO APPS Ltd. does not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biological data for the sole purpose of identifying an individual, data on the health or data on the sex life or sexual orientation of the individual. In the event that the individual provides such data to the Data Controller, the Data Controller undertakes to delete them immediately.

   4. Processing of personal data provided by third parties

      The controller does not normally receive personal data about individuals from third parties. In some cases, we need to process personal data that is not provided by you or collected by us, but that we have received from third parties.

      - Data from our partners - in the performance of a contractual obligation or among explicit consent. - Data from our service users - providing data about parties to a contract, testimonials; - Data from Public Registers, such as the Trade Register and similar - in order to satisfy the legitimate interests of the controller, expressed in the interest of bringing an action for infringement of an intellectual property right against the suspect where there is reason to believe that it has been infringed, and also on a statutory basis.
5. Purposes and legal bases of processing

   "MIXO APPS Ltd. processes personal data of individuals on the following grounds:

   1. Processing of personal data that is necessary for the conclusion and/or performance of contracts with you or in connection with the preparation for the conclusion of contracts with you.

      The Controller collects and processes the data that is provided directly by you when you make an enquiry via the contact form to contact the Controller; when you register your user profile on the website and when you enter into a contract with the Controller to use any of the services offered by the Controller, to fulfil its pre-contractual and contractual obligations towards you and to be able to exercise your rights under the contract. Purposes of processing:

      - Establishing your identity and identifying individuals (prospective and current customers)
      - Providing services offered by the Controller
      - Managing and fulfilling service requests and executing a contract
      - To receive payment for services ordered and to exercise our other rights under the contract
      - To prepare and send you a bill/invoice for the services you use with us
      - Preparing a contract proposal, including electronically, sending pre-contractual information and a draft contract
      - For the performance of an obligation under a contract to which the data subject is a party and for pre-contractual actions taken at his or her request
      - Creating a user profile and maintaining a customer history
      - storing correspondence relating to the order placed
      - Processing requests, reporting problems
      - Managing and administering online shopping activities, managing payments
      - To contact the individual by phone and/or email in order to respond to enquiries received
      - To provide the comprehensive service you require and to collect amounts due for services used
      - To administer and respond to customer complaints/inquiries/complaints/complaints etc.
      - Identifying and/or preventing unlawful acts or acts contrary to our terms and conditions for the relevant services
      - For statistical purposes
   2. When we fulfil our legal obligations

      The controller processes personal data in cases where the law imposes this obligation, such as:

      - Anti-Money Laundering Act obligations
      - Performance of obligations in relation to distance selling, off-sales provided for in the Consumer Protection Act
      - Provision of information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act
      - Obligations provided for in the Accounting Act and the CPC and other related legislation in relation to the keeping of lawful accounts
      - Provision of information to the court and third parties, in the context of court proceedings, in accordance with the requirements of the regulations applicable to the proceedings
      - Verification of age when shopping online
      - Provision of information to the Personal Data Protection Commission in relation to obligations under the data protection legislation - Personal Data Protection Act, Regulation (EU)2016/679 of 27 April 2016, etc.

      The controller processes the data that is automatically collected when you visit the website for the following purposes:

      - Statistical purposes about the way the website has been used in order to improve its effectiveness. This means for analyses in which the results are only aggregated and the data is therefore anonymous. It is impossible to identify a specific person from this information.
   3. Based on your explicit consent

      "MIXO APPS Ltd. processes personal data on this basis only after explicit, unambiguous and voluntary consent and after we have informed you of the purpose and category of personal data to be processed on this basis and the legitimate interests pursued by the controller at the time we request your consent. No adverse consequences are foreseen in case you refuse to provide it. Consent is a separate basis for processing your personal data and the purpose of processing is set out in it, and does not overlap with the purposes listed in this policy.

      Data we process on this basis:

      On this basis, we only process the data for which you have given us your explicit consent. The specific data is determined on a case-by-case basis. Typically, these data are names, telephone number and email address.

      Withdrawal of consent

      Consents granted may be withdrawn at any time. Withdrawal of consent shall have no effect on the performance of contractual obligations. Withdrawal of consent shall not affect the lawfulness of processing based on consent given prior to its withdrawal.

      The controller will not process personal data for purposes other than those specified.

6. Compulsory and voluntary provision of personal data

   The processing of personal data that is provided directly by an individual /"data subject"/ when he contacts the Administrator through the contact form or when he registers his user profile on the website or when he enters into a contract with the Administrator for the use of any of the services offered by him is mandatory for us to be able to respond to the inquiries made, to register the user profile, to enter into a contract with "you" and to perform it. For "you", providing this data appears to be voluntary, but in the event that you do not provide it, the controller will not be able to fulfil its pre-contractual and contractual obligations towards you and provide the relevant services.

   The processing of personal data that is provided on the basis of explicit consent for "you" appears to be voluntary and no adverse consequences are foreseen in case you refuse to provide it. Consent may be withdrawn at any time.

7. Category of recipients of personal data

   Your personal data may only be disclosed to third parties and intermediary parties where it is necessary for the performance of a contract, on the basis of a legitimate interest or if you have given your prior consent to do so.

   The categories of recipients to whom your personal data may be provided are:

   - Accountants - in order to carry out company accounting.
   - Transport/courier companies (in particular, Econt Express and Speedy plc), postal operators - in order to send correspondence and communications in connection with the contract between us. We only provide the necessary personal data in order to provide the respective services. They are obliged to ensure the confidentiality of the information and may not use it for any other purpose.
   - Public authorities, if provided for in a legal act - e.g. NRA, Trade Register, etc.
   - Persons who, on behalf of MIXO APPS Ltd, maintain equipment and software used to process your personal data.
   - Debt collection service providers, notaries, solicitors, bailiffs or any other third party in the event that the customer has breached an obligation arising from the contract with you.
   - The banks servicing payments made by and to you.
   - Persons providing consultancy services in various fields - lawyers, accountants, marketing agencies, etc.
8. Data retention period

   The duration of storage of your personal data depends on the purposes of the processing for which it was collected:

   - Personal data processed for the purpose of conclusion/amendment and performance of a contract between MIXO APPS Ltd. and you or the company you represent shall be stored for a period of 5 years after termination of the contractual relationship with you.
   - Personal data processed for the purpose of issuing accounting/financial documents for tax and social security control, such as but not limited to invoices, debit, credit notes, acceptance reports, contracts for the provision of services/goods shall be kept for at least 11 years after the expiry of the limitation period for the repayment of the public claim, unless the applicable legislation provides for a longer period.
   - The personal data of persons who have made an enquiry via the contact form on the website and have not become customers of the controller shall be deleted within 3 months of the enquiry being sent.
   - We delete personal data processed on the basis of explicit consent upon your request.
   - Personal data processed on the basis of the fulfilment of legal obligations we delete after the obligation to collect and store is fulfilled or ceases.
9. Protection of personal data

   In order to ensure an adequate level of protection of personal data, the controller implements reasonable technical and organizational measures designed to protect the personal information you provide against accidental, unlawful and unauthorized destruction, loss, alteration, access, disclosure or use. We use an SSL certificate for this purpose. The data we collect is stored in secure servers and cloud space, and we have ensured that only authorized individuals have access to it.

   In order to maximize the security of the processing, transmission and storage of your personal data, we may use additional protection mechanisms such as encryption, pseudonymization and others.

10. Rights of natural persons /"data subjects"/

    Right to information. This policy aims to inform you in detail in clear, accessible and understandable language about the processing of your personal data in relation to the goods/services provided.

    Right of access. The data subject has the right to obtain confirmation from the controller as to whether personal data relating to him or her is being processed and, if so, to obtain access to it and information about the processing and your rights in relation to it.

    Right to rectification. The data subject shall have the right to have inaccurate personal data concerning him or her rectified by the controller without undue delay. Having regard to the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by adding a declaration.

    Right to erasure / Right to be forgotten /. The data subject shall have the right to have personal data concerning him or her erased by the controller without undue delay where one of the grounds set out in Article 17 of Regulation 2016/679 applies.

    Right to restriction of processing. The data subject shall have the right to require the controller to restrict the processing where one of the grounds set out in Article 18 of Regulation 2016/679 applies.

    Right to data portability. The data subject shall have the right to obtain personal data which he or she has provided to a controller in a structured, commonly used and machine-readable format and shall have the right to transfer that data to another controller without hindrance from the controller at your discretion.

    Right to object. The data subject shall have the right at any time and on grounds relating to his or her particular situation to object to processing of personal data concerning him or her where the processing is based on Article 6(1)(e) or (f) of Regulation 2016/679, including profiling based on those provisions.
    Pursuant to Article 6, Paragraph 4 of Regulation 2016/679, the right to object shall be made available to the data subject in a clear manner separate from any other information./ see paragraph 10 of this policy - "Right to object".

    Right to withdraw consent. The data subject shall have the right at any time to withdraw his or her consent to the processing of personal data which is carried out on the basis of an explicit consent. Such withdrawal shall not affect the lawfulness of the processing based on the consent given up to the time of withdrawal.

    The right not to be subject to a decision based solely on automated processing. The data subject has the right not to be the subject of a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects the data subject, unless the grounds for doing so are provided for in the applicable data protection legislation and safeguards are in place to protect your rights, freedoms and legitimate interests.

    Right to notification in the event of a personal data breach. Where a personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, the natural person must be notified without undue delay of the personal data breach.

    Right of appeal to a Supervisory Authority. The data subject has the right to lodge a complaint with a supervisory authority if he or she considers that the processing of his or her personal data infringes applicable data protection law.

    Right to judicial protection against a Supervisory Authority. Any natural or legal person shall have the right to an effective judicial remedy against a binding decision of a Supervisory Authority. Proceedings against a Supervisory Authority shall be brought before the courts of the Member State in which the Supervisory Authority is established.

    Right to judicial redress against a controller or processor. Any natural or legal person shall have the right to an effective judicial remedy where they consider that their rights under Regulation 2016/679 have been infringed as a result of the processing of their personal data which was not in accordance with Regulation 2016/679.
    Proceedings shall be brought before the courts of the Member State in which the controller or processor is established. Alternatively, such proceedings may also be brought before the courts of the Member State in which the data subject is habitually resident, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

    Right to compensation. If the data subject has suffered material or non-material damage as a result of the breach of the rules and principles on the processing of personal data, he or she shall be entitled to compensation from the controller or the processor.

11. Right to object to the processing of personal data. The data subject shall have the unconditional right, at any time and at his or her own discretion, to object to processing of personal data concerning him or her where: - the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller/
    - the processing is based on a legitimate interest of the controller or of a third party.

    The controller shall terminate the processing unless it demonstrates that there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or that it is necessary for the establishment, exercise or defence of legal claims.

    The data subject shall have the right to object at any time to processing concerning him or her for direct marketing purposes, which shall include profiling insofar as it relates to direct marketing.

    Where the data subject objects to processing for direct marketing purposes, the processing of personal data for those purposes shall cease.

12. Procedure for exercising rights

    The right of access, the right to rectification, the right to erasure, the right to withdraw consent, the right to restriction of processing, the right to portability, the right not to be subject to a decision based solely on automated processing, the right to object may be exercised at any time and free of charge. For this purpose, it is necessary to send a written request to the Controller at the e-mail address indicated above in this "Privacy Policy". We undertake to respond to any legitimate request originating from an entitled party within 1 month of receipt. If necessary, this period may be extended by a further two months taking into account the complexity and number of requests.

    The controller shall inform the natural person of any such extension within one month of receipt of the request, stating the reasons for the delay.

    Where you have made a request by electronic means, the information will, where possible, be provided to you by electronic means unless you have requested otherwise.

    If the controller does not act on the data subject's request, the controller shall inform the data subject without delay and at the latest within 1 month of receipt of the request of the reasons for not acting and of the possibility of lodging a complaint with a supervisory authority and seeking judicial redress.

    In the event that the controller has reasonable concerns about the identity of the natural person making the request, the controller may request additional information /such as an identity card, driver's license or other identifiable documents/ necessary to confirm the identity of the data subject.

    The controller shall communicate any rectification, erasure or restriction of processing carried out in accordance with Articles 16, 17(1) and 18 of Regulation 2016/679 to any recipient to whom the personal data have been disclosed, unless this is impossible or requires a disproportionate effort. The controller shall inform the data subject about these recipients if the data subject so requests.

    For further questions regarding this Privacy Policy, you may contact us using the contact details provided.

Last modified 07 April 2021

This Privacy Policy may be updated and amended without notice to reflect changes in our privacy practices. The new update will be effective from the date of the last change set out at the top of the Privacy Policy. Your use of the website after the update is posted means that you agree to the changes.

This "Privacy Policy" has been prepared by LegalAdvice.bg