Privacy Policy
User information
- Information about the Company that processes your data.
Name: Abrites Ltd.
Registration number: 131566638
Headquarters: 1407 Lozenets district, 147 Cherni Vrah Blvd., Sofia, Bulgaria
Mailing Address: 1407 Lozenets district, 147 Cherni Vrah Blvd., Sofia, Bulgaria
Phone: +359 2 955 04 56
E-mail: info@abrites.com
Website: www.abrites.com
- Information on the competent data protection supervisory authority
Name: Commission for Personal Data Protection
Headquarters and address of management: Sofia 1592, Blvd. "Prof. Tsvetan Lazarov" №2
Mailing address: Sofia 1592, Blvd. "Prof. Tsvetan Lazarov" №2
Phone: +3592 915 3 519
Website: www.cpdp.bg
Abrites Ltd. (hereinafter referred to as "Controller" or "the Company") operates in accordance with the Bulgarian Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This information is intended to inform you about all aspects of the processing of your personal data by the Company through its website www.abrites.com and the rights you have in connection with this processing.
- Reason for collecting, processing, and storing your personal data
The Controller collects and processes your personal data in connection with the implementation of the main activity of www.abrites.com - pursuant to Art. 6, para. 1, Regulation (EU) 2016/679 (GDPR), and in particular on the following grounds:
- Explicit consent received from you as a client;
- To perform a contract to which you as a client are a party or to take steps at your request before entering into a contract;
- Compliance with a legal obligation that applies to the Controller;
- For the purposes of the legitimate interests of the Controller or a third party;
- Purpose and principles in the collection, processing and storage of your personal data
- We collect and process the personal data that you provide us in connection with the implementation of the main activity of www.abrites.com, including for the following purposes:
- creating a profile and providing full functionality when using the online store;
- individualization of a party to the contract;
- accounting purposes;
- statistical objectives;
- protection of information security;
- ensuring the implementation of the contract for the provision of the respective service;
- sending newsletters and emails with special offers if you wish;
- sending answers to inquiries made through the feedback form on our website.
- We observe the following principles when processing your personal data:
- Legality, honesty and transparency:
Personal data must be processed lawfully, fairly and transparently in relation to the data subject. The Controller shall determine in advance the purpose and the grounds within the meaning of Article 6 of the GDPR of each type of processing of personal data it carries out and shall communicate in a timely manner in compliance with the information rights of data subjects under Articles 13 and 14 of the GDPR, where it is possible to comply with the latter. Data subjects shall receive clear, detailed and specific information on the basic principles and legal framework of the processing of their personal data in accessible language and in an appropriate format.
- Purpose restriction:
Personal data must be collected for specific, explicit and lawful purposes and not processed in a way that is incompatible with those purposes. Immediately before the processing of personal data begins, or at the earliest opportunity - where the personal data have been obtained from a third party and the third party has not informed the subject, the latter shall be informed (where no disproportionate effort is required) of the purpose for which their data will be processed (Article 14 of the GDPR), unless the subject does not already have the information, for example.
- Data minimization:
Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed. The Controller shall process the minimum amount of data necessary to fulfill the purposes of the processing as communicated to the data subject.
- Accuracy:
Personal data must be accurate and, if necessary, updated; reasonable steps must be taken to ensure that inaccurate personal data, taking into account the purposes for which they are processed, are deleted or corrected in a timely manner.
- Limitation of storage periods:
Personal data must be stored no longer than the time required for the purposes for which the personal data are processed.
- Integrity and confidentiality:
Taking into account the state of technology and other available security measures, the cost of implementation, the likelihood, and severity of the risks associated with personal data, the Company must use appropriate technical or organizational measures to process personal data in a way that ensures adequate security of personal data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access or disclosure.
- Responsibility:
Data controllers must be accountable and able to demonstrate compliance with the principles set out above.
The Company monitors the implementation of personal data legislation and compliance with accountability obligations, including, but not limited to, processors monitoring, preparation of assessments of the impact of potentially high-risk processing on the protection of personal data and an assessment of the need to consult the Commission for Personal Data Protection (CPDP), conducting balance and necessity tests when using legitimate interest as a basis for processing, taking timely measures, including notification and/or escalation of breaches of security, protection and confidentiality of personal data, etc.
- During the processing of personal data, the Controller may store personal data in order to comply with the legal obligations applicable to it:
- fulfillment of its obligations to the National Revenue Agency, the Ministry of Interior and other state and municipal bodies.
- What types of personal data our Company collects, processes and stores
- Operations performed by the Company, with the data provided by the subject:
- The Company performs the following operations with the personal data provided by you as a customer, for the following purposes:
- Registration of a user in the e-shop and execution of a distance sales contract – the purpose of this operation is to create a profile for using the e-shop to purchase services and products and provide contact information for delivery.
- Sending a newsletter - the purpose of this operation is to administer the process of sending newsletters, emails with special offers, promotions, promo codes, news and new features to customers who have stated that they wish to receive them.
- Advertisement and Marketing – the purpose of this operation is to promote the Controller’s activities as a company, as well as the company’s participation in regular industry events and private events organized by the company, including but not limited to sales open days.
- Exercising the right of withdrawal or making a claim - the purpose of this operation is to administer the process of exercising the right of withdrawal or claim by the customer for the products and services in respect of which these rights may be exercised.
- Inquiries through the website feedback form - the purpose of this operation is to send a response to an inquiry.
- Use of log files by a customer - the purpose of this operation is to maintain the e-shop, ensure the security of your personal data and maintain the continuous security and operation of the website, including protection against cybercrime.
- Improvement of services and products – the purpose of this operation is to perform regular improvement of the quality of the Controller’s services and products.
- The Controller shall not collect or process sensitive personal data except where the prerequisites of the GDPR apply, which refer to the following:
- reveal racial or ethnic origin;
- disclose political, religious or philosophical beliefs, or trade union membership;
- genetic and biometric data (for the sole purpose of identifying a Person), health data or data on sexual life or sexual orientation.
- Personal data is collected by the Controller from the persons to whom it relates.
- The Controller does not perform automated data decision-making.
- The Company does not collect data on persons under 16 years of age, except with the express consent of their parents or legal representative/s.
- Categories of personal data and purposes and grounds for processing by the Controller
- The Controller processes the following categories of personal data and information for the following purposes and on the following grounds:
- Your personal data (E-mail, names, facial data etc.) The purpose for which the data is collected: 1) Making contact with the user and sending information to him, 2) for the purposes of registering a user in the online store, and 3) sending a newsletter, E-mails with special offers, promotions, news, and new features, where the Controller has this right, 4) send a response to an inquiry through the form of our website, and 5) to record our presence during public and private events where the company has participated or which the same organized, as any data subject can accidentally fall into the frames. Grounds for processing your personal data: By accepting the general conditions and registration in the e-shop or when concluding a written contract, a contractual relationship is created between the Controller and you, on which basis we process your personal data - Art. 6, para. 1, p. (b) GDPR. Your data for sending a newsletter and marketing e-mails, as well as for sending a response to an inquiry through the form of our website, are processed with your explicit consent - Art. 6, para. 1, p. (a) GDPR where this does not concern the conclusion of a contract. Where the Controller processes your personal data obtained from filming at public and private events in which the company participates, the basis for doing so is Art. 6, para. 1, p. (f) GDPR.
- Delivery details (names, phone, address, E-mail, etc.) The purpose for which the data is collected: 1) Fulfillment of obligations of the Controller under a contract of sale and delivery of purchased products and services. Grounds for processing your personal data: By accepting the general conditions and registration in the e-shop or placing an order without registration, or when concluding a written contract, a contractual relationship is created between the Controller and you, on which basis we process your personal data - Art. 6, para. 1, p. (b) GDPR.
- Data for preparation of invoice (names, PIN, address). The purpose for which the data is collected: 1) Fulfillment of legal obligations of the Controller. Grounds for processing your personal data: compliance with a legal obligation applicable to the controller - Art. 6, para. 1, p. (c) GDPR.
- Data related to diagnostics, incl. logging of the communication that takes place on the vehicle's OBD port. This communication may include data such as VIN number, module batch numbers, vehicle model, interface ID, mobile device IP, interface number (hardware number), and also statistics about the number of vehicles with which the device connected and subsequently disconnected.
- Purpose for which the data is collected: 1) regular improvement of the quality of Controller’s services and products, 2) statistical purposes, 3) creation of reports from third parties that provide insights into the business, 4) security purposes and in order to prevent law violations 5) performance of contractual obligations.
- Grounds for processing your personal data: By accepting the general conditions and registration in the e-shop or placing an order without registration, or when concluding a written contract, a contractual relationship is created between the Controller and you, on which basis we process your personal data - Art. 6, para. 1, p. (b) GDPR and also statutory purposes.
- Data from your social media accounts (publicly available information from your Google+, and Facebook accounts)
The purpose for which the data is collected: 1) for the purposes of registration of a user in the online store.
Grounds for processing your personal data: your explicit consent - Art. 6, para. 1, p. (a) GDPR
- Data from log files (IP address, web browser used, time of visit to our website, pages visited.)
The purpose for which the data is collected: 1) Maintenance of the online store, ensuring the security of your personal data, ensuring the continuous security and operation of the website, including protection against cybercrime.
- Term of storage of your personal data
The retention periods of your personal data depend on the purposes for which the Controller processes it and the legal basis on which he collects it, as well as the time limits set out in legislation.
Personal data collected through cookies is stored for the periods specified in the Cookie Policy.
In order to fulfil its obligations, the Controller, after the expiry of the processing periods, anonymises the personal data (i.e. puts it into a form that does not reveal your identity) or deletes/destroys it, unless the data subject concerned has exercised his/her right to request the restriction/deletion of the processing of personal data relating to him/her.
The Controller stores your personal data provided to him by you in connection with online orders/contracts for the purchase of products/ services via the E-shop for a period of 5 years after the expiry of the limitation period for extinguishing the public debt to which they relate and for a longer period in the event of a legal dispute already arising in connection with the foregoing until its final resolution by a final court decision.
Personal data processed for the purpose of issuing accounting/financial documents for tax and social security control, such as, but not limited to, invoices, electronic fiscal receipt, and acceptance protocols, shall be stored for the relevant statutory period, which is five years from the execution of the order or termination of the contract, unless a longer period is provided for by law or regulation.
The Controller does not have access to your payment details via the vPOS terminal. The Controller only receives the results of approved transactions and the last four digits of the used debit/ credit card. The latter are processed and stored within the statutory time limits by the vPOS providers.
If you have given your consent to receive the newsletter, the personal data is stored until you unsubscribe or request to be unsubscribed.
Personal data for which there is no explicit legal obligation to store will be deleted once the purposes for which the personal data was collected and processed have been achieved.
The Controller notifies you in case the data retention period needs to be extended in view of the legitimate interests of the Controller or otherwise.
The Controller stores the personal data that it is necessary to keep in accordance with the applicable legislation for the relevant period, which may exceed the period of existence of your account in the e-shop or until the completion of the order.
- Transfer of your personal data for processing
The Controller may, at its discretion, transfer some or all your personal data to data processors for the purposes of processing you have agreed to, subject to the requirements of Regulation (EU) 2016/679 (GDPR).
The Controller notifies you in case of intention to transfer part or all your personal data to third countries or international organizations.
- Your rights in the collection, processing, and storage of your personal data
- Withdrawal of consent for the processing of your personal data
In case you do not wish all or part of your personal data to continue to be processed by the Company for specific or all purposes of processing, and where the legal basis for processing is consent, you may at any time withdraw your consent to processing by filling out the "Withdrawal of Personal Data Consent Form" or by request in free text.
The Controller may ask you to verify your identity and that you are the data subject concerned.
Likewise, please be informed that in case you withdraw your consent such action may hinder your opportunity and right to benefit from the regular improvement of the quality of Abrites services and products.
You may at any time withdraw your consent to the processing of your personal data for the purposes of direct marketing.
The withdrawal of the consent does not affect the legality of the processing of personal data, which the Controller has performed so far.
- Right of access
You have the right to request and receive confirmation from the Controller whether and what your personal data is processed, and you can at any time see in your account if you are a registered user and the data we process for you.
You have the right to access data related to you, as well as information related to the processing of your personal data.
Upon request, the Controller provides you with a copy of the processed personal data related to you in electronic or other appropriate form.
Providing access to the data is free of charge, but the Controller reserves the right to impose an administrative fee in case of repetitive or excessive requests.
In order to exercise your right to access, you need to submit a request via the "Access to Personal Data Request Form" or by e-mail;
- Right of correction or completion
You may correct or complete inaccurate or incomplete personal data relating to you by making a request to the Controller via e-mail.
- Right to delete ("to be forgotten")
You have the right to request from the Controller the deletion of part or all the personal data related to you, and the Controller has the obligation to delete them without undue delay when there is any of the following reasons:
- personal data are no longer needed for the purposes for which they were collected or otherwise processed;
- You withdraw your consent on which the data processing is based and there is no other legal basis for the processing;
- You object to the processing of personal data related to you, including for the purposes of direct marketing, and there are no legal grounds for processing to take precedence;
- personal data have been processed illegally;
- personal data must be deleted in order to comply with a legal obligation under EU law or the law of a Member State applicable to the Controller;
- personal data have been collected in connection with the provision of information society services.
- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation requiring processing provided for in EU or Member State law applicable to the Controller or for the performance of a task in the public interest or in the exercise of official powers conferred on him or her;
- for reasons of public interest in the field of public health;
- for archiving purposes in the public interest, for scientific or historical research or for statistical purposes;
- to establish, exercise or defend legal claims.
- information needed to certify that your right to be forgotten has been exercised – e-mail;
- technical information about the operation of the online store and/or in relation to the use of the Controller’s products and services, which information cannot be associated in any way with your personality;
- e-mail with which you registered in the online store.
To exercise your right to be forgotten, you need to submit an application via the "Delete Request Form (right to be forgotten)" or by e-mail;
If you have an order that is being processed, the earliest time you can ask to be "forgotten" is when the order is successfully completed.
By deleting your personal data, your account will become inactive. Of course, you will be able to browse the online store and the services and products offered, and make a new registration.
Likewise, please be informed that in case that you exercise your “Right to be Forgotten” such action may hinder your opportunity and right to benefit from the regular improvement of the quality of Abrites services and products.
The Controller does not delete the data that he has a legal obligation to store, including for protection in connection with court claims against him or proof of his rights.
- Right of restriction
You have the right to ask the Controller to restrict the processing of data related to you when:
- you challenge the accuracy of personal data, for a period that allows the Controller to verify the accuracy of personal data;
- the processing is illegal, but you do not want the personal data to be deleted, but only their use to be restricted;
- The Controller no longer needs the personal data for the purposes of processing, but you require them to establish, exercise or defend your legal claims;
- You have objected to the processing pending verification of whether the legal grounds of the Controller take precedence over your interests.
- Right of portability
If you have given your consent for the processing of your personal data or the processing is necessary for the performance of the contract with the Controller, or if your data is processed in an automated manner, you may, after identifying yourself with the Controller:
- ask the Controller to provide you with your personal data in a readable format and transfer them to another Controller;
- ask the Controller to directly transfer your personal data to a Controller designated by you, when this is technically feasible.
- Right to receive information
You may request the Controller to inform you of all recipients to whom the personal data for which correction, deletion or restriction of processing has been requested have been disclosed. The Controller may refuse to provide this information if this would be impossible or would require a disproportionate effort.
- Right to object
You may object at any time to the processing of personal data by the Controller relating to you, including if they are processed for profiling or direct marketing purposes.
- The deadline for fulfilling a request made by you as a data subject is one month after receiving the request, except in cases where, due to the complexity of the processing, the volume of data, technical difficulties or other circumstances, the deadline needs to be extended, but for no more than two months, for which the Controller notifies you.
- Your rights in the event of a breach of the security of your personal data
In case that the Controller finds a violation of the security of your personal data, which may pose a high risk to your rights and freedoms, he shall notify you without undue delay of the violation, as well as of the measures that have been taken or are to be taken.
The Controller is not obliged to notify you if:
- it has taken appropriate technical and organizational protection measures with regard to data affected by the security breach;
- it has subsequently taken steps to ensure that the breach does not pose a high risk to your rights;
- notification would require a disproportionate effort. In such a case a public announcement shall be made or another similar measure shall be taken.
- Persons to whom your personal data is provided
In all cases, the list of recipients of personal data processed by the Controller derives mainly from the scope of services used by you.
The list of recipients of the data is also the result of your consent or derives from the law and is specified as a result of the actions taken by you in the online store www.abrites.com.
In the processing of personal data, the partners, associates and employees of the Controller may participate to a certain extent, for activities as follows:
- those who provide technical assistance for the effective operation of the online store, including communication with customers (eg assistance in sending e-mails; in the case of advertising activities - assistance in marketing campaigns);
- hosting services or telephone or IT service providers;
- carriers or agents executing orders;
- vPOS providers;
- companies that service the software support the Controller in marketing companies;
- providers of legal and consulting services;
- others.
Based on the above principles, your personal data may also be transferred to companies from the Abrites Group which are as follows: "ABRITES" LTD, "ABRITES FRANCE" SAS, "ABRITES TRADE" LTD., "ABRITES ITALY" SRL, "ABRITES USA" LLC, "MODI Abrites" LTD.
The specified processors of personal data comply with all requirements for legality and security in the processing and storage of your personal data.
- Transfer of personal data to third countries (outside the European Economic Area)
As part of the use of tools by the Controller that support its current activity, provided e.g. by Google, your personal data may be transferred to a country outside the European Economic Community, in particular to the United States of America (USA) or another country where a person cooperating with the Controller maintains personal data processing tools in cooperation with Controller.
Data accessed by e.g. Google Analytics may include information about VIN number, vehicle model, number of times screens were accessed and also what types of screens were accessed. The purpose of the above data operations is related to the regular improvement of the quality of Controller’s services and products and the creation of reports that provide insights into the business, and also has a statistical focus.
For security purposes and in order to prevent law violations, the Controller shares information about VIN numbers with the “European database for stolen vehicles”: https://www.stolencars24.eu and the “South African database for stolen cars”: https://coza.net.za/
The Controller ensures appropriate security measures by concluding standard contractual clauses and data processing agreements where applicable. When transferring data to the USA, the Controller ensures that the relevant controller/processor is certified under the Data Privacy Framework.
- Cross-border processing of personal data. Leading supervisory body
The company carries out cross-border processing of personal data, as, according to Art. 4, para. 23 of GDPR, the processing of personal data takes place in the context of the activities of the places of establishment in more than one Member State of a Controller or Processor in the Union, the Controller or Processor being established in more than one Member State (France and Italy).
The Commission for Personal Data Protection has been appointed as the leading supervisory body. In appointing a Leading supervisory body, the Controller complied with the "Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority" adopted on 28th of March 2023 by The European Data Protection Board.
- Violation of data subject rights. Claim to the supervisory authority.
In the event of a breach of your rights under the above or applicable personal data protection legislation, you have the right to lodge a complaint with the Commission for Personal Data Protection as follows:
Name: Commission for Personal Data Protection
Headquarters and address of management: Sofia 1592, Blvd. "Prof. Tsvetan Lazarov" №2
Mailing address: Sofia 1592, Blvd. "Prof. Tsvetan Lazarov" №2
Phone: +3592 915 3 519
Website: www.cpdp.bg
You can exercise all your rights regarding the protection of your personal data through the forms attached to this policy. Of course, these forms are optional and you can submit your requests in any form that contains the following requisites:
1. names, address, personal identification number or another similar identifier;
2. statement of the request;
3. preferred form in which information is to be received;
4. signature, date of submission of the application and address for correspondence.
- Applications
The following forms are relevant as annexes to this Policy:
1. Withdrawal of Personal Data Consent Form
2. Access to Personal Data Request Form;
3. Delete Request Form (right to be forgotten);
4. Personal Data Portability Request Form
The Controller has the right to amend the Policy at any time. Any changes to the Policy will be reflected promptly on the website to ensure full transparency and awareness of your rights as a data subject.