PRIVACY POLICY OF PERSONAL DATA WHEN USING E-STORE WWW.KPNC-STONE.com. INFORMATION REGARDING THE COMPANY’S HANDLING OF USERS’ PERSONAL DATA

“KPNC” LTD, EIK 207354765, with headquarters and address of management 4, “Hristo Botev”, str. Asenovgrad 4230, Bulgaria, office@KPNC-STONE.com or phone 0888 934 011 (hereinafter referred to as below for short “Administrator”), ensures the free movement of this data.

— Basis for collection, processing and storage of personal data

The administrator collects and processes personal data related to the use of the electronic store www.KPNC-STONE.com and the conclusion of a contract with the company under Art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), specifically based on:

• Received explicit consent from the Users;

• Fulfillment of contractual obligations with the Users;

• Compliance with applicable legal obligations;

• Pursuit of the legitimate interests of the Administrator or a third party.

— Purposes and principles of collection, processing and storage of personal data

The administrator collects and processes personal data provided by Users in connection with the use of the electronic store www.KPNC-STONE.com and the conclusion of a contract with the company for purposes including:

• Create a profile and full functionality of the online store;

• Conclusion and execution of purchase contracts – distance selling;

• Individualization of the contracting parties;

• Accounting and statistical purposes;

• Information security and performance of the contract;

• Processing claims and complaints of users;

• Implementation of post-warranty service.

The administrator adheres to principles such as legality, good faith, transparency, purpose limitation, relevance and data minimization, accuracy, timeliness, storage limitation, integrity, confidentiality and ensuring adequate security of personal data.

In the processing and storage of personal data, the Administrator may protect legitimate interests such as the fulfillment of obligations to national authorities such as the National Revenue Agency and the Ministry of Internal Affairs.

— Types of personal data collected, processed and stored by the Administrator

The administrator processes the provided personal data for operations, including:

• User registration and conclusion of a remote purchase contract – to create an e-store profile and facilitate online purchases;

• Conclusion and execution of purchase contracts – for contract administration;

• Consideration of complaints of Users and exercise of the right of refusal;

• Warranty and out-of-warranty service of goods;

• Sending regular online store newsletters.

• The administrator processes various categories of personal data and information for specific purposes and on specific grounds:

• Personalized data (e-mail, full name, address, etc.)

◦ Purpose of collecting personalized data: Registering the user in the online store, communicating and sending information.

◦ Basis for processing personal data: With the acceptance of the General Terms and Conditions and the registration or order in the electronic store, a contractual relationship arises, which enables the Administrator to process the User’s personal data.

• Delivery data (the three names, phone number, address, etc.)

◦ Purpose of collection of delivery data: Fulfillment of obligations under a contract for the sale and delivery of goods.

◦ Basis for processing personal data: With the acceptance of the General Terms and Conditions and the registration or the order without registration or the conclusion of a written contract, a contractual relationship arises, which allows the Administrator to process the User’s personal data. Delivery-related data is used for delivery purposes (e.g. sending delivery notifications via text message) and shared with third parties (courier companies) for delivery logistics.

Users voluntarily agree to have their personal data processed by the Administrator for the conclusion and execution of purchase and sale contracts when placing orders from the online store. Consent is provided by ticking a specific box. Lack of consent may limit users’ ability to place orders through the online store.

The administrator does not collect or process personal data revealing racial or ethnic origin; political, religious or philosophical beliefs; union membership; genetic and biometric data; health data; or data about sex life or sexual orientation.

• Data related to receiving newsletters from the online store

Users can opt-in to receive the online store’s periodic newsletter by providing their email addresses. The newsletter includes product/service updates, promotional offers, marketing, advertising, etc. The administrator uses the e-mail addresses provided solely for the distribution of the newsletter, with the aim of better understanding the needs of users through pseudonymized marketing research and to improve the positioning and offers of the store. Subscription to the newsletter is voluntary and users can unsubscribe at any time without explanation through a specified option in each newsletter.

• Personal data is collected directly by the Administrator from the relevant persons.

• The administrator processes personal data of legal representatives or proxies of legal entities for specific purposes:

• For the conclusion and execution of distance contracts with commercial entities, the Administrator processes only the three names of legal representatives or authorized persons.

• Users’ personal data is collected directly by the Administrator from the interested parties and/or from the Commercial Register at the Registration Agency.

• Automated data decision making is not performed by the Company.

The www.KPNC-STONE.com website can be accessed through search engines such as Google and others, as well as through social media platforms such as Facebook, Instagram, etc. Social media related services (eg social media messaging) may be integrated. on the website to interact with the user. The Website manages social media accounts and may provide applications on various social media platforms. When a User accesses the Website through social media, the relevant social media provider may allow the User to share information with the Website. Users are informed by the social media provider about the information shared with the website. For example, certain details (as permitted by the social media provider) may be shared with the Website when accessed through a social media profile, including the user’s address, age or profile pictures saved in the user’s profile.

When Users use the website www.KPNC-STONE.com, the Administrator collects information from log files (user system information): IP address, ISP (Internet Service Provider), user browser (e.g. Google Chrome, Internet Explorer, Mozilla Firefox ), the duration of the user’s website visit and the website pages visited.

Google Analytics, a web service provided by Google, is used by the website to collect detailed statistics about website visitors. These statistics are collected on Google servers and used by the administrator to analyze traffic and improve the website’s performance. The Website may also use information from social media, in particular Facebook, about a given user for certain purposes on the Website, as well as for advertising and promotion of the Website. Users agree to provide this information to the relevant social media platforms.

The administrator also uses cookies. Cookies are small pieces of information sent by a web server to a web browser that allow the server to collect feedback from the browser. Detailed information on the types and purposes of cookies used by the Administrator can be found in the Cookie Policy.

— Period of storage of personal data

Personal data is stored by the Administrator for a period no longer than the existence of the User’s profile in the online store. When deleting the profile, the Administrator ensures the quick deletion or anonymization (which makes them unidentifiable) of all the User’s personal data.

In all cases, the personal data provided for online orders are stored by the Administrator for 5 years to protect the legitimate interests of the Administrator in legal or administrative disputes with the users of the online store. The Administrator notifies the relevant persons in the event that the data storage period requires an extension to fulfill legal obligations or legal interests of the Administrator.

Personal data, which are stored according to the current legislation, are stored by the Administrator for the specified period, which may exceed the duration of the User’s profile in the online store.

— Transmission of personal data for processing

The Administrator may, at its discretion, transfer some or all of the Users’ personal data to personal data processors for processing purposes agreed by the Users in accordance with Regulation (EU) 2016/679 (GDPR). Users are notified if the Administrator intends to transfer part or all of their personal data to third countries.

— Users’ rights regarding the collection, processing and storage of personal data

• Withdrawal of consent to the processing of personal data

Users can withdraw their consent to the processing of personal data at any time by sending a request in free text to the Administrator by email.

Upon receipt of the request, the Administrator sends detailed instructions for verifying the User as a subject of personal data of the email used to register or place orders in the online store.

After verification, the Administrator deletes the User’s personal data and confirms the deletion electronically. Deleting personal data can have consequences.

— Right to correction or addition

Users may at any time correct or supplement inaccurate or incomplete personal data relating to them by making a request by email to the Administrator.

— Right to erasure (“Right to be forgotten”)

Users have the right to ask the Administrator to delete part or all of their personal data, and the Administrator must promptly delete them under certain circumstances:

• Personal data are no longer necessary for the purposes for which they were collected or processed;

• The user has withdrawn his consent to data processing and there is no other legal basis for processing;

• The user objects to the processing and there are no more important legal grounds;

• Personal data processed unlawfully;

• Compliance with legal obligations under EU law or the law of a Member State;

• Data collected in connection with information society services.

The administrator is not obliged to delete personal data if they are stored for:

• Freedom of expression and information;

• Legal obligations under EU or Member State legislation;

• Public interest in public health;

• Archiving, scientific research, historical research or statistical purposes;

• Establishing, exercising or defending legal claims.

Users must send an email request to delete data. Upon verification, the Administrator deletes all relevant user data.

— Right of limitation

Users can ask the Administrator to restrict the processing of personal data by sending a request by email under certain circumstances:

• The user disputes the accuracy of the data;

• The user requests restriction of data processing instead of deletion;

• The administrator no longer needs the data, but the user requires it for legal claims;

• User objects to processing pending verification.

After verification, the processing of personal data is suspended and the User is notified by email.

— Right of portability

Users may request the Administrator to provide personal data in a readable format and transfer it to another Administrator if consent to processing is given or if processing is necessary for the conclusion of a contract. Users can also request the direct transfer of personal data to another controller if this is technically feasible.

Users can exercise this right by sending a request by email. After verification, detailed instructions are sent to the email used for registration or ordering.

— Right to receive information

After verification, the Administrator sends the processed data for the relevant person in a readable format to the email specified by the User.

— Right to be informed

Users may request the Administrator to inform them of all recipients to whom personal data has been disclosed, for which correction, deletion or restriction of processing has been requested.

— Right to object

Users may object at any time to the Administrator’s processing of their personal data, including processing for profiling or direct marketing.

— User rights in the event of a breach of personal data security

If the Administrator detects a violation of the security of the Users’ personal data, representing a high risk for their rights and freedoms, the Users are promptly notified of the violation and the measures that have been taken or are about to be taken.

The Administrator is not obliged to notify the Users if appropriate technical and organizational measures have been taken to protect the affected data or if the subsequent measures prevent high-risk situations, or if the notification would require a disproportionate effort.

— Recipients of personal data

The administrator does not provide personal data of the Users to third parties, except in cases where this is provided by law.

Personal data is not transferred to third parties by the Administrator.

In cases of violation of the rights of the Users, specified above or according to the current legislation for the protection of personal data, the Users can submit a complaint to the Commission for the protection of personal data at the address: Sofia 1592, Blvd. “Prof. Tsvetan Lazarov” No. 2, phone: 02 915 3 518, website: www.cpdb.bg