ALVITERA LTD., with Unified ID Code 206629984, with seat and registered address: city of Sofia, p.c. 1766, 251 Okolovrasten Pat St. (“the Company”), is a personal data controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Regulation (EU) 2016/679), and the Personal Data Protection Act (PDPA).

This Personal Data Privacy Policy provides information about how ALVITERA LTD processes the collected or received personal data of its partners, employees, clients and counterparties through paper forms filled in personally by you or by our representative, through e-mail correspondence, by the conclusion of a contract or via other means for collection of personal data permitted by the law, as well as the data collected from the internet through our website, https://www.alvitera.com/.

Our contact details are:

ALVITERA LTD, Unified ID Code 206629984, with seat and registered address: city of Sofia, p.c. 1766, 251 Okolovrasten Pat St.

tel.: +359 894481312

e-mail: info@alvitera.com

With this policy, we are informing you about our practices for protecting your data, about your rights in connection with the personal data collected about you through our website and/or using the other methods mentioned above.

If you have any questions, you may contact us and request information from our employees.

When collecting and processing your personal data, the Company follows various laws and rules that regulate how to perform these actions, for what purposes, and what guarantees for personal data protection are to be given. The applicable regulations include, without limitations, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Regulation (EU) 2016/679), the PDPA, and other laws and regulations issued on the grounds of such laws.

Grounds for collection, processing, and storage of your personal data

Art. 1. The Controller shall collect and process your personal data in connection with the use of the online store https://www.alvitera.com/, and in connection with the conclusion and performance of contracts with the Company on the grounds of Art. 6, Para. 1 of Regulation (EU) 2016/679, and on the following grounds in particular:

1.1. Your explicit consent as a client;

1.2. In the performance of the Controller’s obligations under a contract with you;

1.3. In order to take steps in connection with your request for the conclusion of a contract if you have applied for a job with us;

1.4. For the performance of a contract or in order to take steps to conclude a contract with a business partner;

1.5. To comply with a legal obligation applicable to the Controller;

1.6. For the lawful interests of the Controller or of a third party.

Purposes and principles in the collection, processing, and storage of your personal data

Art. 2. We shall collect and process the personal data you provide to us in connection with the use of the online store https://www.alvitera.com./ and with the conclusion of a contract with the Company, including for the following purposes:

1. Creation of a profile and/or submitting a request and providing access to the full functionality when using the online store;

2. Establishing the identity of a party to the contract;

3. Accounting purposes;

4. Statistical purposes;

5. Protection of information security;

6. Securing the performance of the contract for provision of the respective service;

7. Sending a newsletter and e-mails with special offers if you have requested that;

8. Sending answers to queries sent as feedback through our webpage or via e-mail.

Art. 3. (1) When we conclude a contract with a business partner, we collect and process personal data about the names of the legal representative of the legal entity that is a party to the agreement to establish the identity of the party to the contract and contractual performance.

(2) When we conclude a contract with a partner who is a natural person, we collect and process data about said person’s full name, national identity number and personal document information (number, date of issue, issuing authority) to establish the identity of the party to the contract and contractual performance.

Art. 4. (1) We collect and process personal data provided by you when you apply for work at the Company, including for the following purposes:

1. establishing the identity of the applicant;

2. getting in touch with you and communicating;

3. candidate selection.

(2) We keep the personal data that you have provided to us throughout the entire period of the job application. If you wish for us to continue storing your data after that period for the purposes of subsequent communications with us, we will send you an e-mail query so that you can grant your explicit consent for your data to continue to be stored for a certain period.

Art. 5. We observe the following principles when processing your personal data:

lawfulness, fairness, and transparency;

processing purpose limitation;

relevance to the purposes of the processing and minimizing the processing of data;

accuracy and age of the data;

limiting the storage within the scope of the purposes;

integrity and confidentiality of the processing and guaranteeing an appropriate level of security of the personal data;

accountability.

Why do we need personal data, and on what grounds do we use them?

Art. 6. The Controller may process and collect personal data for the performance of our legal obligations, such as:

1. For tax and insurance control by the respective competent authorities or in compliance with tax and insurance obligations;

2. For issuing of invoices and other accounting and/or reporting documents required by law;

3. For the provision of information to competent state authorities.

Art. 7. The Controller may process and store personal data for protection of its following legitimate (lawful) interests, such as:

1. Processing of queries and sending of offers – to take steps at the request of the data subject prior to entering into a contract (Art. 6, Para. 1, letter b) of Regulation (EU) 2016/679);

2. Preparation of proposals for the conclusion of contracts and related documents, such as powers of attorney, securities, etc.;

3. Performance of requests by clients – on the grounds of contractual performance (Art. 6, Para. 1, letter b) of Regulation (EU) 2016/679);

4. Provision of services and actions for purchasing of goods and services from suppliers – on the grounds of contractual performance (Art. 6, Para. 1, letter b) of Regulation (EU) 2016/679);

5. Preparation, analysis, and storage of statistical information for internal company purposes in connection with financial analysis and reports;

6. Personal data processed for personnel selection;

7. Personal data processed for lawful exercising of the rights of partners in the company;

8. Personal data processed when visiting our webpage.

Art. 8. (1) Outside of the cases where we collect personal data on the grounds of a law, contract, legitimate interest, or to protect your vital interests, we will request your consent.

(2) We will use your personal data only after your explicit consent for the specific purpose.

(3) You have the right, if you reconsider at a later stage, to withdraw your consent – this will not affect the lawfulness of the processing based on your consent before it is withdrawn.

(4) In cases where we need to collect your personal data due to our legitimate interest or in order to protect your vital interests, we will immediately notify you and explain your rights.

(5) You have the right to object against such collection of your personal data if you think we do not have a legitimate interest to collect. We will take additional measures, and we will provide you with additional information and our motives no later than 30 (thirty) days after your request.

What types of personal data are collected, processed, and stored by the Company

Art. 9. (1) The Company shall perform the following operations with the personal data provided by you, for the following purposes:

1. Registration of a client to the online store and/or submission of a request as a guest, and performance of a remote purchase and sale contract – the purpose of this operation is to create a profile for the use of the online store in order to buy goods and/or submit a request as a guest and to provide contact details for the delivery of purchased goods. The registration and creation of a profile to use the online store is not a mandatory step in the provision of the service. The service is accessible to a substantial degree without creating a profile through the Order as a guest option.

2. Sending a newsletter – the purpose of this operation is to administer the process of sending newsletters, e-mails with special offers, promotions, promo codes, news and new functionalities to the clients who have stated that they wish to receive such communications.

3. Exercising the right of withdrawal or return – the purpose of this operation is the administration of the processes for exercising the right of withdrawal or return by the client of goods for which such rights may be exercised.

4. Sending queries through the feedback form on the website or by e-mail – this operation aims to answer a question.

(2) The Controller shall process the following categories of personal data and information about the clients for the following purposes and on the following grounds:

1. Your identity data (e-mail, name, etc.)

1.1. Purpose of data collection: 1) Getting in touch with the user and provision of information to them; 2) for registration of a user at the online store and/or sending a request as a guest; 3) to send a newsletter, e-mails with special offers, promotions, promo codes, news and new functionalities, and 4) answering a question send through the website form or by e-mail.

1.2. Grounds for processing of your personal data – when you accept the general terms and conditions and register at the online store, order without registering, or conclude a written contract, this creates a contractual relationship between you and the Controller on the grounds of which we process your personal data – Art. 6, Para. 1, Letter b) of Regulation (EU) 2016/679. Your data for sending of newsletters and e-mails, as well as sending an answer to your question though the form on our website are processed on grounds of your explicitly provided consent – Art. 6, Para. 1, Letter a) of Regulation (EU) 2016/679

2. Data for the performance of a delivery (names, telephone, address, etc.)

2.1. Purpose of data collection: 1) Performance of the Controller’s obligations under a contract to purchase and sell and deliver the purchased goods.

2.2. Grounds for processing of your personal data – when you accept the general terms and conditions and register at the online store, order without registering, or conclude a written contract, this creates a contractual relationship between you and the Controller on the grounds of which we process your personal data – Art. 6, Para. 1, Letter b) of Regulation (EU) 2016/679.

(3) The Controller shall not collect or process personal data that:

1. reveal racial or ethnic origin;

2. reveal political, religious, or philosophical beliefs or membership in trade unions;

3. genetic and biometric data, data concerning health or data on sex life or sexual orientation.

(4) The Controller shall collect personal data from the persons to whom they refer.

(5) The Controller cannot take automated decisions for data.

(6) The Company shall not collect data on persons under 16 years of age except with the explicit consent of their parent or legal representative.

Art. 10. (1) The Company shall perform the following operations with the personal data you provide when you apply for work, for the following purpose: conclusion and performance of an employment contract or a service contract.

(2) To select job applicants, we process the personal data you have sent to us in your CV.

(3) The Controller shall not collect or process personal data that:

1. reveal racial or ethnic origin;

2. reveal political, religious, or philosophical beliefs or membership in trade unions;

3. genetic and biometric data, data concerning health or data on sex life or sexual orientation.

(4) The Controller shall collect personal data from the persons to whom they refer.

(5) The Controller shall not collect and process data concerning the health of job applicants except after selection to conclude an employment contract and determine appropriate work conditions.

(6) The Controller cannot take automated decisions for data.

Art. 11. (1) The Company shall perform operations with your data provided as a legal representative of proxy of legal entities that are our business partners, including as natural persons who are partners, for the following purposes: conclusion and performance of a business transaction or a contract with a client.

(2) To conclude and perform a business transaction with a business company, we only process the full name of the legal representative of the proxy of the company and a natural person who is a contractual partner.

(3) The personal data shall be collected from the persons they refer and by the Commercial Register with the Registry Agency.

Period for storage of your personal data

Art. 12. (1) The Controller shall store the personal data of clients of the online store for a period that is not longer than the existence of your profile at the online store or for completion of the order as a guest. After deleting your profile or completing the order, the Controller shall take the necessary steps to erase and destroy all of your data without undue delay or to render them anonymous (i.e. to render them in a state that does not reveal your identity).

(2) The Controller shall store your personal data provided in connection with online orders for 5 years to protect the Controller’s legal interests in the event of judicial or administrative disputes with users of the online store. Accounting documents shall be stored for the respective period set forth by the law.

(3) The Controller shall notify you if it is necessary to extend the data storage period to fulfil a statutory requirement, in connection with the Controller's legitimate interests, or other purposes.

(4) The Controller shall store the personal data that must be stored under the applicable law for the respective prescribed period that may exceed the period of existence of your profile at the online store or the completion of the order.

Art. 13. (1) The Controller shall store the personal data of legal representatives of its business partners, the legal representatives of legal entities that are parties to a contract or of natural persons who are partners under contracts with the Company, throughout the contractual performance period, to protect the legitimate interests and comply with the statutory obligations of the Controller. This period may exceed the duration of the concluded contract.

(2) The Company shall store your personal data as a job applicant for a period that does not exceed the existence of a current job listing published on our website or elsewhere. After expiry of the listing period or completion of the selection, the Company shall take the necessary steps to erase and destroy all of your data without undue delay or to render them anonymous (i.e. to render them in a state that does not reveal your identity), unless you provide your explicit consent for your data to continue to be stored and processed in the future.

Transfer of your personal data for processing

Art. 14. (1) The Controller may transfer in its own discretion a part or all of your personal data to personal data processors in order to achieve the purposes of the processing you have agreed to, in compliance with the requirements of Regulation (EU) 2016/679.

(2) The Controller shall notify you if it intends to transfer a part or all of your personal data to third countries or international organizations.

Your rights for the collection, processing, and storage of your personal data

Withdrawal of your consent for the processing of your personal data

Art. 15. (1) If you do not wish for all or a part of your personal data to continue to be processed by the Company for a specific purpose or all purposes of the processing, you may withdraw your consent for processing at any time by sending a free-format text.

(2) The Controller may ask that you prove your identity and that you are the person the data refer to.

(3) In order to withdraw your consent for the processing of personal data that are mandatory for the creation and maintenance of a profile at the online store, your account will be deactivated. Of course, you will still be able to browse the online store and the offered products and send orders as a guest or make a new registration.

(4) If there is an order sent by you that is being processed, the earliest time you can withdraw your consent for processing will be upon successful completion of the order.

(5) You may withdraw your consent for processing your personal data for direct marketing at any time.

(6) The withdrawal of your consent shall not affect the lawfulness of the processing of personal data that the Controller has performed until such time.

(7) The Company may continue to process a part or all of your data if there is a statutory obligation to do so or to protect its legitimate interests.

(8) Paragraph 7 shall apply to legal representatives and natural persons who are parties to a contract with the company.

Right of access

Art. 16. (1) You have the right to request and receive a confirmation from the Controller whether the personal data connected to you is being processed.

(2) You have the right to receive access to the data connected to you and the information relevant to the collection, processing, and storage of your personal data.

(3) Upon request, the Controller shall provide you with a copy of the processed personal data connected to you in an electronic or other appropriate formats.

(4) The provision of access to the data shall be free, but the Controller reserves the right to charge an administration fee in the event of repeated or excessive requests.

Right of rectification or completion

Art. 17. (1) You have the right to request from the Controller:

1. to rectify incorrect personal data connected to you;

2. to complete incomplete personal data connected to you;

(2) If you are a registered user of the site, you can rectify or complete incorrect or incomplete personal data connected to you directly through your profile at the website or by sending a request to the Controller.

Right to erasure (‘right to be forgotten’)

Art. 18. (1) You have the right to request from the Controller to erase a part or all of the personal data connected to you, and the Controller is obligated to erase such data without undue delay if any of the following grounds are present:

1. the personal data are no longer necessary for the purposes for which they have been collected or otherwise processed;

2. you withdraw your consent on which the data processing is based, and there are no other legal grounds for the processing;

3. you object against the processing of the personal data connected to you, and there are no legal grounds for the processing that have precedence;

4. the personal data have been processed unlawfully;

5. the personal data have to be erased to comply with a legal obligation under EU law or under the law of a Member-State that applies to the Controller;

6. the personal data have been collected in connection with the offering of information society services.

(2) The Controller shall not be obligated to erase the personal data if they are storing and processing the data:

1. in order to exercise the right of freedom of expression and information;

2. in order to comply with a legal obligation that requires processing and that is set forth in the EU law or in the law of a Member-State that applies to the Controller, or for the performance of a task in the public interest or the exercise of official authority vested in the Controller;

3. for reasons in the public interest in the area of public health;

4. for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes;

5. for the establishment, exercise or defense of legal claims.

(3) If you exercise your right to be forgotten, this will cause the erasure of all of your data except for the following information:

1. information necessary to confirm that your right to be forgotten has been exercised – e-mail, IP address;

2. technical information for the functioning of the online store that cannot be connected in any way to your identity;

3. e-mail address you have used to register at the online store (if you are a registered user of the site).

(4) If you exercise your right to be forgotten, the Company will delete all of your data.

(5) The data about legal representatives and natural persons who are contractual partners of the Company shall continue to be stored and processed, despite a filed request to be forgotten, if necessary to comply with a legal obligation of the Company, to protect the legitimate interest of the Company and in connection with the establishment, exercise or defense of legal claims.

(6) In order to exercise your right to be forgotten, you have to send a request to ALVITERA LTD by a method convenient for you (by mail, a courier, electronically with an electronic signature, personally or via a proxy authorized with a notarized power of attorney).

(7) The Controller shall not erase data they have a statutory obligation to store, including for defense in connection with court claims filed against the Controller or to prove its rights.

Right to restriction

Art. 19. You have the right to request from the Controller to restrict the processing of data connected to you when:

1. you dispute the accuracy of the personal data, for a period that allows the Controller to verify the accuracy of the personal data;

2. the processing is unlawful, but you do not wish your personal data to be deleted, only to restrict their use;

3. The Controller does not need more than the personal data for the processing, but you request the data for the establishment, exercise, or defense of your legal claims;

4. You have objected against the processing pending the verification of whether the Controller's legitimate grounds override yours.

Right to data portability

Art. 20. (1) If you have consented to the processing of your personal data or the processing is needed for the performance of the contract with the Controller, or if your data are processed automatically, you may, after establishing your identity to the Controller:

1. request from the Controller to provide you with your personal data in a readable format and to transfer them to another controller;

2. to request from the Controller to transfer your personal data directly to a controller specified by you if this is technically feasible.

(2) You may exercise your right to portability by sending a request in free-format text.

Right to receive information

Art. 21. You may request from the Controller to inform you about all recipients to whom have been revealed personal data for which correction, erasure or restriction of processing has been requested. The Controller may refuse to provide such information if it proves impossible or would involve a disproportionate effort.

Right to object

Art. 22. You may object at any time against the processing of personal data by the Controller that is connected to you, including if they are being processed for profiling or direct marketing.

Your rights in the event of a personal data security breach

Art. 23. (1) If the Controller establishes a security breach of your personal data that may be a high risk to your rights and freedoms, it shall notify you without undue delay about the breach and all measures it has taken or will take.

(2) The Controller shall not be obligated to notify you if:

1. it has undertaken appropriate technical and organizational measures for the protection of the data affected by the security breach;

2. has subsequently taken measures that guarantee the breach will not result in a high risk to your rights;

3. the notification would involve a disproportionate effort.

Persons to whom your personal data are provided

Art. 24. For the purpose of processing your personal data and provide the service in its full functionality and connection with your interests, the Controller may provide your data to the following data processors:

1. Persons who are maintaining software used for the protection of your personal data;

2. Persons who are carrying out consultancy activities in various areas and with whom ALVITERA LTD has contractual relations;

3. Banks processing payments by and to you;

4. Courier companies carrying out deliveries of goods, documents or correspondence to you;

5. State authorities receiving your personal data further to statutory regulation or who are entitled to request from ALVITERA LTD to provide information about you.

Art. 25. The Controller shall not transfer your data to third countries.

Exercising your rights

Art. 26. (1) If you wish to exercise any of your rights and have questions about the processing of your personal data, please contact us using the details published on our web page.

(2) You can exercise your rights by submitting a written request to ALVITERA LTD by a method convenient for you (by mail, a courier, electronically with an electronic signature, personally or via a proxy authorized with a notarized power of attorney).

(3) The application shall have the contents specified in Art. 337 of the PDPA, namely, it shall include:

1. name, address, national identity number or personal identification number for a foreign individual or another similar ID number;

2. a description of the request;

3. preferred way to receive information when exercising the rights under Art. 15-22 of Regulation (EU) 2016/679;

4. signature, date of issue of the request, and correspondence address.

(4) When an authorized representative is submitting a request, a power of attorney is to be attached to the request.

(5) ALVITERA LTD will review your question/complaint, and you will receive an answer within 2 (two) months after its receipt. If necessary, this period may be extended for another month considering the complexity and number of requests. In that case, you will be immediately notified, including the specific reasons for the delay.

(6) In the circumstances under Art. 54, Para. 3, Art. 55, Para. 3 and 4 and Art. 56, Para. 6 and 7 of the PDPA, you may exercise your rights with the Commission for Personal Data Protection.

Right to complaint

Art. 27. (1) If you think we violate your rights, you may contact us to check the issue.

(2) In the event of a violation of your rights under the applicable personal data protection legislation, you have the right to submit a complaint to the Commission for Personal Data Protection (CPDP) in one of the following ways:

1. In person, on paper: to the records office of the CPDP at the following address: city of Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

2. By letter to: city of Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., Commission for Personal Data Protection.

3. By fax – 029153525.

4. Electronically to the e-mail of the CPDP (kzld@cpdp.bg). When submitting a complaint by e-mail, it must be formatted as an electronic document signed with a qualified electronic signature.

5. Through the secure electronic delivery system maintained by the State e-Government Agency.

(3) You may receive additional information at the Commission’s webpage: www.cpdp.bg.

Update / Renewal

Art. 28. (1) This Privacy Policy shall be revised and updated by us regularly to ensure maximum clarity, accuracy, and transparency and to cover any changes (if necessary).

(2) The Company may amend the Privacy Policy with a notification on its website.

This Privacy Policy was last amended on 22 February 2022.