(effective as of 18.03.2026)
This Privacy Policy governs the manner in which Bioterapeut EOOD, with registered office and registered address: 9-11 Knyaginya Maria Luiza Blvd., floor 5, office 1, e-mail: info@bioterapeut.hr (hereinafter referred to as the “Administrator”), in its capacity as the personal data controller, collects, uses, stores and protects the personal data of visitors and users of the website https://bioterapeut.hr (hereinafter referred to as the “Site”).
The Administrator processes personal data in accordance with Regulation (EU) 2016/679 (GDPR), the Personal Data Protection Act and applicable Bulgarian legislation.
2. Categories of processed personal data
In connection with the use of the Site, the Administrator may process personal data voluntarily provided by users via contact forms, e-mail, telephone communication, SMS, electronic messaging applications (including Viber, WhatsApp and other similar platforms), social networks or through an online booking system.
Such data may include name and surname, e-mail address, telephone number, username or profile information on the relevant platform, content of messages sent, information necessary to organize and confirm an appointment for a consultation, as well as any other data voluntarily provided by the data subject.
In the process of using the Site, technical data may also be processed, including IP address, date and time of access, device used, browser, log files and other information collected through cookies, where applicable.
The Administrator does not require the provision of special categories of personal data within the meaning of Art. 9 of the GDPR. In the event that a user voluntarily provides information regarding health or other sensitive data in connection with an inquiry or reservation, these data are processed solely for the purposes of carrying out communication and organizing a consultation, based on explicit consent pursuant to Art. 9, par. 2, letter “a” GDPR. Explicit consent is also deemed to be present when the data subject voluntarily provides such information by sending a message, request or reservation.
3. Purposes of processing
Personal data is processed for the purpose of responding to inquiries, organizing and confirming appointments for consultations, communicating in connection with the services provided, fulfilling contractual or pre-contractual obligations, improving the content and functionality of the Site, fulfilling legal obligations, as well as protecting the legitimate interests of the Administrator in the event of any disputes or legal claims.
4. Legal basis for processing
The processing of personal data is carried out if one of the grounds under Art. 6, par. 1 of Regulation (EU) 2016/679 (GDPR) is present, as follows:
- when processing is necessary to take action at the request of the data subject before entering into a contractual relationship (for example, when making an inquiry or requesting a consultation);
- when processing is necessary for the performance of a contract to which the data subject is a party;
- when the data subject has given explicit consent to the processing of his or her personal data;
- when processing is necessary for the performance of a legal obligation of the Administrator;
- when processing is necessary for the purposes of the legitimate interests of the Administrator, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject.
When data concerning health or other special categories of personal data within the meaning of Art. 9 GDPR are provided within the framework of communication or booking, their processing is carried out on the basis of the explicit consent of the data subject pursuant to Art. 9, par. 2, letter “a” of the Regulation.
The provision of personal data necessary for communication or booking a consultation is voluntary, but if the data are not provided, the Administrator may not be able to respond to an inquiry or organize a consultation.
5. Storage period
Personal data are stored for a period necessary to achieve the purposes for which they were collected, as well as for the periods provided for in the applicable legislation. When determining the storage period, the Administrator takes into account the nature and sensitivity of the data, the purposes of the processing, the possible risk of unauthorized access or use, as well as the applicable legal requirements.
Specifically:
1. Data provided via a contact form, e-mail or telephone inquiry are stored for a period of up to 1 year from the end of the communication, unless there is a legal basis for longer storage (for example, in the event of a dispute).
2. Data related to booking and conducting a consultation are stored for a period of up to 5 years from the date of the last consultation, in order to protect the legitimate interests of the Administrator in the event of possible legal claims.
3. Data subject to accounting and tax reporting are stored for the periods provided for in the current Bulgarian legislation.
4. Technical data (including IP addresses and log files) collected for the purpose of security and normal functioning of the Site are stored for a period of up to 12 months, unless longer storage is necessary in connection with the establishment, exercise or defense of legal claims.
5. Special categories of personal data (including information regarding health), when voluntarily provided, are stored for a period necessary to organize and conduct the relevant consultation and to protect against possible legal claims, after which they are deleted or anonymized.
After the relevant period has expired, the personal data are deleted, destroyed or anonymized in a secure manner that does not allow subsequent identification of the data subject.
6. Provision of data to third parties
The Administrator may provide personal data to third parties only when this is necessary to achieve the purposes specified in this Policy, and in compliance with the requirements of Regulation (EU) 2016/679 (GDPR) and applicable Bulgarian legislation.
Depending on the specific case, personal data may be provided to:
- providers of hosting services and technical support for the Site;
- provider of the online booking system through which consultations are organized and confirmed;
- providers of cloud mail services used for electronic communication;
- accounting and legal consultants, when this is necessary to fulfill legal obligations or protect the legitimate interests of the Administrator;
- competent state, judicial or supervisory authorities, when required by law.
When third parties process personal data on behalf of the Administrator, they act as processors of personal data within the meaning of Art. 28 GDPR. In these cases, the Administrator concludes contracts or implements other legal mechanisms ensuring that the processing is carried out only on its behalf and in compliance with the confidentiality and security requirements.
When using cloud services, data may be stored outside the European Union. In such cases, the Administrator ensures the implementation of appropriate safeguards in accordance with Chapter V of the GDPR.
When communicating through external electronic messaging applications, including Viber, WhatsApp and other similar services, personal data may also be processed by the relevant platform in accordance with its privacy policy. The Administrator is not responsible for the processing of data carried out by these platforms outside its control.
The Administrator does not sell, rent or provide personal data to third parties for independent marketing or other independent commercial purposes.
Personal data is provided to government authorities only if there is a legal basis and to the extent necessary to fulfill the relevant obligation.
7. Rights of data subjects
In accordance with Regulation (EU) 2016/679 (GDPR) and applicable law, data subjects have the following rights:
- right of access to their personal data and to obtain information about their processing;
- right to rectification of inaccurate or incomplete personal data;
- right to erasure of personal data (“right to be forgotten”), where the legal prerequisites are met;
- right to restriction of processing;
- right to object to processing, where it is based on legitimate interest;
- right to data portability, where the prerequisites are met;
- right to withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of the processing up to the moment of withdrawal.
Data subjects may exercise their rights by sending a written request to the Administrator at the email address specified in this Policy.
The Administrator shall consider each request and provide a response within one month of its receipt, unless the complexity or number of requests requires an extension of the period in accordance with the requirements of the GDPR.
Data subjects have the right to lodge a complaint with the competent supervisory authority.
The competent supervisory authority in the Republic of Bulgaria is:
Commission for Personal Data Protection
2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
www.cpdp.bg
kzld@cpdp.bg
8. Data security
The Administrator implements appropriate technical and organizational measures to protect personal data against unauthorized access, unlawful disclosure, alteration, loss or destruction.
These measures include, where applicable:
- use of a secure connection (SSL/HTTPS);
- limited access to personal data only to persons for whom this is necessary in connection with the performance of their official duties;
- use of reliable hosting providers, cloud services and online booking systems;
- implementation of measures to protect postal communication and the storage of electronic correspondence;
- periodic verification and updating of the technical solutions used.
Access to personal data is provided only to persons who are bound by an obligation of confidentiality.
Despite the measures taken, due to the nature of the Internet as a public communication environment, absolute security of the transmission and storage of information cannot be guaranteed. There is a possibility of technical malfunctions, cyberattacks or other events beyond the reasonable control of the Administrator.
Upon detection of a personal data security breach, the Administrator takes action in accordance with the requirements of the GDPR, including notification of the competent supervisory authority and the affected individuals, where applicable.
9. Policy changes
The Administrator reserves the right to amend and supplement this Privacy Policy in the event of changes in applicable legislation, in the method of processing personal data or in the event of other objective circumstances.
The updated version of the Policy is published on the Site and enters into force from the date of its publication, unless expressly stated otherwise.
It is recommended that users periodically review this Policy in order to be informed about the method of processing their personal data.
