Privacy policy

Privacy Policy of "KUPI BILETI BG" Ltd.

INTRODUCTORY CLAUSES

We take necessary care of your personal data. With this policy, we aim to inform you about the personal data we collect, how we use it, and how we keep it safe.

We are "KUPI BILETI BG" Ltd., Unified Identification Code (EIK) 205210570, with registered office and management address in Bulgaria, Sofia City Province, Sofia City Municipality, Sofia, Triaditsa district, Postal Code 1414, Bulgaria Square 1, National Palace of Culture, entrance A3/referred to as "BUYTICKETS.BG" in this Policy.

We are the administrator of your personal data and are responsible for processing and storing your data in a fair, transparent, and secure manner, guided by your best interests.

The Commission for Personal Data Protection (CPDP) monitors how we handle your personal data. CPDP is an independent state body overseeing the compliance of data processing activities. All data subjects have the right to lodge a complaint with CPDP regarding the processing of their personal data - contact details and more about the procedure can be found at the internet address: https://www.cpdp.bg/.

This version of the Privacy Policy of BUYTICKETS.BG has been expanded and modified in accordance with the requirements of the General Data Protection Regulation (GDPR).

Section 1

PERSONAL DATA WE COLLECT

When you buy a ticket from us, you provide us with the following personal data:
• Name;
• Delivery address;
• Phone number;
• Email.

We need this information to carry out the sale and deliver the ordered ticket to you. In other words, personal data is necessary for the conclusion and performance of the contract for the sale of tickets between you and KUPIBILETI.BG.

If you decide to collect the ticket from a physical location (for example, from our office or a partner company's premises), the physical location may be subject to video surveillance to ensure the security of the premises.

Section 2

INFORMATION FOR PEOPLE WITH DISABILITIES

Some events may provide specialized accommodation for wheelchairs.

If you need such specialized accommodation, you can contact our team at office@kupibileti.bg or call 0884040400 to provide you with the necessary information and guidance.

We assure you that all information shared regarding health conditions and disabilities will be treated confidentially. Such information can be accessed by BUYTICKETS.BG only if it is sent at the initiative of the end customer who wishes to purchase the special ticket.

Section 3
DATA PROCESSING PURPOSES

When you purchase a ticket through www.kupibileti.bg, we enter into a contract with you for the sale of tickets. The main purpose for which we collect and use the personal data mentioned above is to make the execution of this contract possible - including sending the tickets to you or organizing their pickup at our partner network locations.

Your contact information may be used by our team in case of changes in certain events or their cancellation. Your payment-related data, apart from its processing, may also be used by KUPIBILETI.BG in cases of refunding.

The email address and phone number provided to us in the context of purchasing the ticket through your account may be used for direct marketing purposes, in which case the legal basis for processing would be a legitimate interest according to Article 6, paragraph 1, letter "e" of the General Data Protection Regulation (GDPR).

Your personal data may also be processed if a government authority requires collaboration from KUPIBILETI.BG in various official proceedings, including pre-trial, judicial, and administrative proceedings related to user claims, ticket fraud, and others.

Section 4
PERIOD FOR WHICH PERSONAL DATA ARE RETAINED

The provided personal data will be stored in our company's archive for potential legal claims or administrative procedures for a period of 5 years from the date of the event for which you purchased the last ticket through your account.

Section 5
AUTOMATED DATA PROCESSING THROUGH COOKIES

We may collect your personal data through cookies. For more information, please refer to our Cookie Policy.

Section 6
LEGAL BASIS FOR PROCESSING

We collect your data based on the permissions allowed by European and Bulgarian legislation (especially Regulation 2016/679, also known as the General Data Protection Regulation or GDPR, and the Personal Data Protection Act adopted and amended by the Bulgarian National Assembly). We collect your data on the following grounds:

1. Contractual Performance
We collect your personal data to deliver or hand over your tickets, inform you of any changes in upcoming events, cancellations, or claims based on our refund rules.

We also process your payment information to confirm your payment, enabling you to receive your ticket. For the purpose of fulfilling our obligations to you, we may transfer your personal data to courier companies and financial institutions/payment processing entities (such as banks, payment service providers, etc.).

2. Legitimate Interest
We retain information provided by you in your account within the context of purchasing tickets, believing it's both your and our legitimate interest. We have a legitimate interest in using this information for future marketing campaigns and to inform you about exciting upcoming projects.

Additionally, we will retain data related to your payments and purchases to ensure this information is available in case of official proceedings such as civil cases (e.g., if we are sued for damages), administrative and criminal investigations (e.g., audits or checks by the Revenue Agency), consumer claims and disputes, ticket fraud, and others.

The video surveillance in our commercial premises is conducted to ensure our security against theft and other potential crimes.

3. Consent
If you haven't purchased a ticket from us but subscribed to our newsletters or other informational messages, the necessary personal data will be processed based on your consent, which you can withdraw at any time by writing a brief letter to office@kupibileti.bg or by clicking the "I don’t want to receive further emails from KUPIBILETI.BG" button in any email you receive from us.

Section 7
OTHER INDIVIDUALS AND LEGAL ENTITIES RECEIVING YOUR INFORMATION

1. Payments
To process your payment, your payment-related data is shared with our payment service providers ("Econt Express" LTD).

* When entering your payment card details on the KUPIBILETI.BG webshop, this information is obtained directly from the payment service providers. Employees at KUPIBILETI.BG do not have access to complete payment information used in these payment transactions – only limited and partial information is visible to them for your protection.

2. Ticket Delivery / Pick-up on Site
We will share the personal data related to your order with the courier company responsible for delivering your ticket or with our partners facilitating ticket collection at specific counters/locations.

3. Official Authorities and Legal Consultation. Supervisory Bodies:

(1) Commission for Personal Data Protection
Address: Sofia, Prof. Tsvetan Lazarov Str. № 2,
Tel: (02) 940 20 46
Fax: (02) 940 36 40
Email: kzld@government.bg, kzld@cpdp.bg
Website: www.cpdp.bg

(2) Commission for Consumer Protection
Address: 1000 Sofia, Pl. "Slaveykov" №4A, Fl. 3, 4, and 6,
Tel: 02 / 980 25 24
Fax: 02 / 988 42 18
Hotline: 0700 111 22
Website: www.kzp.bg

Your personal data might be transferred or accessed by various governmental bodies (investigative and administrative authorities, tax authorities, courts, etc.) concerning official proceedings, including pre-trial and court proceedings, administrative procedures related to consumer claims, ticket fraud, etc.

If necessary, in such or similar cases, your data might be provided to individuals or legal entities providing relevant legal services and advice to KUPIBILETI.BG during these proceedings.

4. Complaints and Disputes
Except for cases mentioned in point 3 above, in disputes or claims for recovery or assistance in resolving other problematic issues, your personal data might be disclosed to entities acting as organizers of specific events or to other entities within the KUPIBILETI.BG group.

If necessary, in such or similar cases, your data might be provided to individuals or legal entities providing relevant legal services and advice to KUPIBILETI.BG during the respective proceedings.

Other entities within the KUPIBILETI.BG group may receive your data for reporting on the progress of judicial cases or related to reimbursement of funds paid or other compensatory payments.

5. Video Surveillance
Recordings from video surveillance at our offices might be collected or shared with licensed private security firms in strict compliance with Bulgaria's video surveillance legislation.

Section 8
YOUR DATA OUTSIDE THE EU

If the recipients of your data are located outside the EU, we will provide appropriate guarantees that your data are processed with due care and attention required of an EU-based recipient.

Such transfers will be subject to binding corporate rules, standard data protection clauses adopted by the European Commission, as well as any other data protection mechanism considering your rights.

Section 9
YOUR DATA PROTECTION RIGHTS

Under the General Data Protection Regulation (GDPR), you have the following rights:
• Right to access;
• Right to rectification;
• Right to erasure (the right to be forgotten);
• Right to restriction of processing;
• Right to data portability;
• Right to object to processing;
• Right to withdraw consent at any time.

Here's the translation of the text in English:

"Right of Access
Upon your request, you have the right to access the personal data stored about you; you also have the right to request a copy of the personal data that is being processed.

Right to Rectification
You have the right to request incorrect, inaccurate, or incomplete personal data to be corrected. Depending on the purposes of the processing, you may have the right to supplement incomplete personal data, including by providing an additional declaration.

Right to Erasure (Right to be Forgotten)
You have the right to request the deletion of personal data when they are no longer necessary, or if their processing is unlawful. Please note that Article 17 of the GDPR outlines the cases in which we are required to delete your data. In some cases, we may need to retain your data even if deletion is requested (for example, to comply with a legal obligation that requires processing under Union law or Bulgarian legislation).

Right to Restriction of Processing
Under certain circumstances, you may have the right to request the restriction of the processing of your personal data by us. For example, you can exercise this right when we no longer need your personal data for the purposes of processing, but at the same time, we need to keep them in our systems to use them in situations such as exercising rights or legal defense.

Right to Data Portability
Under certain circumstances, you may have the right to receive your personal data, which you have provided to us, in a structured, commonly used, and machine-readable format (i.e., in digital form). You may also have the right to request the transfer of this data to another entity without hindrance from us, if such transmission is technically feasible.

Right to Object
Under certain circumstances, you may have the right to object to the processing of your personal data, and we may be required to cease processing them in the future. You can exercise this right, for example, when we use your email address for direct marketing purposes—in such a case, after your objection, we will no longer be able to send you marketing materials.

Right to Withdraw Consent
When the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time without stating reasons to us. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

How to Exercise Your Rights:

To exercise your rights, you can contact us with a written request at office@kupibileti.bg or by regular mail to the address: Sofia, Triaditsa district, Bulgaria Square 1, NDK, entrance A3. You can also send your request to the company's Data Protection Officer. We will respond to your requests without undue delay and no later than 1 month.

Your written request under this Section may be submitted on paper or electronically and should include:
• Your name
• The email address you used to register in your profile (not mandatory, but highly recommended)
• Description of the request
• Preferred form of communication (e.g., regular mail or email)
• Signature (if submitting on paper)
• Date of the request
• Mailing address
• Power of attorney—if the request is made on behalf of someone else.

You may be asked to provide information to confirm your identity (e.g., by clicking a confirmation link or providing a confirmation code) to exercise your rights.
"Section 10.
TECHNICAL AND ORGANIZATIONAL MEASURES FOR THE SECURITY OF PERSONAL DATA
The organizational and technical data security measures introduced by the Administrator provide a level of security that corresponds to the nature of the data processed by the Administrator and the risk of data processing, including, but not limited to, the measures listed in this section.
The measures for personal data security include at least:
Administrative measures (establishing a document and computer data security procedure and their archives, organizing work in different areas of activity, training of staff currently employed, and upon leaving employment/termination, etc.);
Technical and software protection (server administration, information systems, and databases maintenance, workstation protection, operating system protection, user access monitoring (control), protection against computer viruses, encryption of data storage devices containing personal data, etc.);
Contractual measures (concluding agreements or arrangements with all Data Recipients and persons who may have access to personal data in connection with providing services to the Administrator, to ensure that these individuals apply a level of personal data protection in line with the requirements of the Regulation);
The measures ensuring the security of personal data applied by the Administrator include, but are not limited to:
Using VPN technology for remote connection to the Administrator's internal network;
Using protective protocols and/or passwords when providing personal data through external data transmission networks;
Control over the security of personal data on external data carriers and email and their deletion after use, by transferring them to the Administrator's databases.

Alternative Dispute Resolution.
We hereby inform you of the Users' possibility to contact a local Alternative Dispute Resolution (ADR) body in connection with a dispute that has not been resolved with KUPIBILETI.BG.

What is Alternative Dispute Resolution (ADR)?

ADR is a procedure for out-of-court resolution of domestic and cross-border disputes related to contractual obligations arising from sales contracts or service contracts between a trader established in the Union and a consumer residing in the Union, through the intervention of a dispute resolution entity that offers or imposes a decision or brings together the parties to facilitate a mutually agreed solution.

ADR bodies are out-of-court structures. The ADR body is a neutral party (e.g., mediator, conciliator, arbitrator, ombudsman, or complaints board) that KUPIBILETI.BG will use to settle a dispute in case the consumer decides to seek out-of-court resolution of the dispute. The ADR procedure is cheap, easy, and fast, and therefore advantageous for both consumers and traders who can avoid legal costs and lengthy court procedures.

How can I file a complaint under the ADR procedure?

If you wish to file a complaint, please contact your national ADR body listed below. This ADR body will also be able to answer all your questions related to this process.

General Conciliation Commission at the Commission for Consumer Protection headquartered at:
Sofia*
4 A Slavykov Square
Sofia, 1000
Bulgaria
http://www.kzp.bg

*This ADR body is included in the national lists of ADR entities that meet mandatory quality requirements established by the ADR Directive - Directive 2013/11/EU on alternative dispute resolution for consumer disputes, link: https://eur-lex.europa.eu/legal-content/BG/TXT/?uri=celex%3A32013L0011

http://ec.europa.eu/consumers/odr/"