Privacy Policy
Privacy Policy
Effective from 2026-05-28
1. Data Controller
Амарид ООД
Registered office: Ул. Георги С. Раковски 82, София
Company registration no.: 206295164
VAT no.: BG206295164
Email: vanjadz@gmail.com
Phone: +359896618358
This Privacy Policy describes how we process your personal data when you place an order through Yugo by Dzaferovic, in accordance with Regulation (EU) 2016/679 (GDPR).
Data Protection Officer (DPO): appointment is not mandatory under Art. 37 GDPR and we have not appointed one at this time. For data-protection queries, contact us at vanjadz@gmail.com.
2. What Data We Collect
Order data
- Name and surname
- Email address
- Contact phone
- Delivery address (where applicable)
- Order contents and special instructions
- Payment metadata (we do not store card numbers)
Technical data
- IP address, device type, browser
- Cookie consent state (see Cookie Policy)
- Cart session identifier (localStorage)
Data from a linked reservation: if you reached the site via a link from a reservation system (e.g. Reservation.Tools), your name and phone from the reservation may be pre-filled in the order. The source is the reservation platform where you made the booking — as required by Art. 14 GDPR.
Consequences of not providing data (Art. 13(2)(e) GDPR): name, phone and (for delivery) address are necessary to perform the order contract. If you refuse to provide them, we cannot accept or fulfil the order. Cookies and marketing data are consent-based — refusing does not affect orders.
3. Purposes and Legal Bases
| Purpose | Legal basis (GDPR) | Retention |
|---|---|---|
| Order fulfilment | Art. 6(1)(b) — performance of a contract | Up to 3 years from order date |
| Invoicing and accounting | Art. 6(1)(c) — legal obligation | Up to 10 years (local accounting law) |
| Customer service and complaints | Arts. 6(1)(b), (f) — contract / legitimate interest | Up to 2 years after case closure |
| Consent-based marketing (email/SMS) | Art. 6(1)(a) — consent | Until consent is withdrawn (max 3 years of inactivity) |
| Email confirmation / OTP codes | Art. 6(1)(f) — legitimate interest (fraud prevention) | Codes: up to 10 minutes. Verification logs: up to 6 months |
| Technical logs (IP, user-agent) | Art. 6(1)(f) — legitimate interest (security) | Up to 90 days |
| Analytics / marketing cookies | Art. 6(1)(a) — consent | See Cookie Policy |
Automated decision-making / profiling (Art. 22 GDPR): we do not take decisions that produce legal effects or similarly significantly affect you based solely on automated processing. We do not carry out profiling with such effects.
4. Recipients
We use Ordering.Tools (operator: Reservation Ltd., EIK 203865762, Varna, Bulgaria) as our technology provider for online ordering and digital menus. Ordering.Tools acts as a data processor on our behalf under Article 28 GDPR, governed by a Data Processing Agreement (DPA).
Ordering.Tools uses its own chain of sub-processors (hosting, bot protection, SMS delivery, error monitoring, etc.) to operate the platform. The current list is published in the "Sub-processors" section of the Ordering.Tools privacy policy and is updated whenever it changes: Ordering.Tools sub-processors.
Outside the platform, data may be shared with:
- Payment service provider (Stripe, MyPOS, Borica or similar — processes payments directly; we do not store card numbers)
- Courier (only if you choose delivery — name, phone and address)
- Accounting and supervisory authorities — only when legally required
We do not sell personal data and do not transfer it outside the EEA without appropriate safeguards (Arts. 44–49 GDPR).
5. Your Rights (GDPR)
Right of access (Art. 15)
Obtain a copy of the personal data we hold about you.
Right to rectification (Art. 16)
Request correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten", Art. 17)
Request deletion when there is no legal basis for continued processing.
Right to restriction (Art. 18)
Restrict processing in specific cases (accuracy contested, etc.).
Right to portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to object (Art. 21)
Object to processing based on legitimate interest.
Right to withdraw consent (Art. 7(3))
For cookies — via the Cookie Policy.
Right to lodge a complaint (Art. 77)
You may complain to Commission for Personal Data Protection (CPDP) — https://www.cpdp.bg/, kzld@cpdp.bg.
How to exercise your rights
Email us at vanjadz@gmail.com.
We will respond within 30 days (extendable by up to 60 days for complex requests).
6. Security
We apply appropriate technical and organisational measures (TLS encryption, access control, backups, audit logs) to protect data against unauthorised access, loss, or disclosure. Payment card numbers are never stored on our servers.
Breach notification (Arts. 33–34 GDPR): in the event of a personal data breach that poses a risk to your rights, we notify the competent supervisory authority (Commission for Personal Data Protection (CPDP)) within 72 hours of becoming aware. Where the breach is likely to result in a high risk, we will also inform you directly without undue delay.
8. Identity Verification
To prevent fake orders and abuse, we require email confirmation before an order is finalised. Codes are valid for a short time (typically 10 minutes) and are not stored long-term.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest (fraud prevention and abuse protection).
9. Children
The service is not directed at children under 14 (digital-consent age under Art. 8 GDPR as implemented nationally). If we learn we have collected data from a child without parental consent, we will delete it.
10. Changes to this Policy
We may update this policy from time to time. The current version is effective from 2026-05-28. Material changes will be announced on the site or by email.
