Effective date: 23 October 2025
Version: 1.0
1) Who we are (Data Controller)
Company name: MILCO Ltd
Unique identification number (UIN): 115288100
Registered office: 11 Kozanovska Str., 4230 Asenovgrad, Asenovgrad Municipality, Plovdiv Region, Bulgaria
Email: info@milco.bg
MILCO Ltd determines the purposes and means of processing personal data in connection with this website (the “Site”) and our online store.
We have not appointed a Data Protection Officer (DPO). For all privacy-related questions, please contact us at info@milco.bg.
2) Scope of this Policy
This Policy explains how we collect, use, disclose, and protect personal data when you:
- browse our Site,
- create an account,
- place orders via WooCommerce,
- subscribe to communications,
- contact us (e.g., forms, email, phone),
- interact with embedded services and analytics.
This Policy applies in addition to our Terms of Use and Cookie Policy.
3) Categories of personal data we process
Depending on your interactions with us, we may process:
Identity & contact data
Name, company, billing/shipping addresses, VAT number (if applicable), email, phone.
Account data
Username, hashed password, user role, preferences, order history.
Order & payment data
Products purchased, order value, currency, chosen delivery method, transaction identifiers, partial card details masked by the payment provider, payment status. We do not store full card numbers; payments are processed by third-party providers (see Section 7).
Communications data
Messages sent through contact forms, request/quote details, support correspondence.
Marketing & consent data
Newsletter subscriptions, consent timestamps, unsubscribe preferences.
Technical & usage data
IP address, device/OS/browser information, pages viewed, referring URLs, time spent, cookies and similar technologies. See Cookies (Section 10).
User-generated content (optional)
Product reviews/comments (name, review text, rating, time posted).
4) Sources of data
- Directly from you (forms, checkout, account).
- Automatically via cookies, server logs, and similar technologies.
- From third parties when necessary (e.g., payment providers confirming a transaction, delivery carriers).
- Public registers or business directories for B2B accuracy checks where lawful.
5) Purposes and legal bases (GDPR Art. 6)
We process personal data for the purposes and on the legal bases listed below:
- Online store operations & order fulfillment
To process orders, payments, invoicing, delivery, returns, and warranties.
Legal basis: Performance of a contract (Art. 6(1)(b)); compliance with legal obligations (tax/accounting) (Art. 6(1)(c)).
- Customer account management
To create and maintain your account, provide order history and saved details.
Legal basis: Performance of a contract (Art. 6(1)(b)).
- Customer support & communications
To answer inquiries, provide product/service information, and address issues.
Legal basis: Performance of a contract or steps prior to entering into a contract (Art. 6(1)(b)); legitimate interests (service quality) (Art. 6(1)(f)).
- Marketing communications
To send newsletters, updates, and offers.
Legal basis: Consent (Art. 6(1)(a)); for existing customers, legitimate interests (Art. 6(1)(f)) as permitted by applicable law. You may opt out at any time.
- Security, fraud prevention & abuse detection
To protect accounts, investigate suspicious activity, and secure our Site.
Legal basis: Legitimate interests (IT security and fraud prevention) (Art. 6(1)(f)).
- Analytics & performance
To understand Site usage, improve content, UX, and performance.
Legal basis: Consent (Art. 6(1)(a)) where required for analytics cookies; otherwise legitimate interests (Art. 6(1)(f)).
- Legal compliance & claims
To meet tax/accounting rules, keep transaction records, and defend legal claims.
Legal basis: Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)).
We do not engage in automated decision-making with legal or similarly significant effects (Art. 22 GDPR).
6) WooCommerce and WordPress specifics
Our Site runs on WordPress with WooCommerce as our e-commerce platform. WooCommerce requires certain functional cookies and processes order-related and account data to provide store features (see Section 10 for cookie details). WordPress may set cookies to remember logged-in users and commenters (if enabled).
If you choose to leave product reviews or comments, the content and metadata you submit are stored to display them publicly and help with spam detection.
7) Recipients and categories of recipients
We share data only as needed and under appropriate safeguards with:
- Hosting & IT providers (website hosting, backup, security, CDN).
- Payment service providers (Stripe, Bank POS). They process payment transactions and may act as independent controllers for anti-fraud and regulatory checks.
- Email & communication tools (transactional emails, newsletter services).
- Delivery & logistics partners (couriers, freight companies) to deliver orders.
- Professional advisers (accountants, auditors, legal counsel).
- Analytics & consent tools (Google Analytics, Consent Management Platform) where enabled.
- Public authorities where required by law (e.g., tax authorities).
We enter into data processing agreements where required and disclose only the minimum data necessary for each purpose.
8) International data transfers
Where data is transferred outside the EEA/UK (e.g., when our processors use servers or sub-processors in third countries), we ensure appropriate safeguards, such as EU Standard Contractual Clauses (SCCs), and conduct transfer risk assessments as required. You may request a copy of the relevant safeguards by contacting info@milco.bg.
9) Retention periods
We retain personal data only for as long as necessary to fulfil the purposes set out above, or as required by law. Typical timeframes:
- Order & invoicing records: 10 years (Bulgarian accounting/tax laws).
- Customer account data: While the account is active; deleted or anonymized within 12 months after closure unless needed for legal claims.
- Customer support communications: Up to 36 months after resolution.
- Marketing data (consent logs, subscription status): Until you withdraw consent/opt out; basic proof of consent retained for up to 3 years thereafter.
- Analytics data: Per tool settings; see Section 10 and provider documentation.
We may retain limited data longer if necessary for establishing, exercising, or defending legal claims.
10) Cookies and similar technologies
Cookies are small files placed on your device to make the Site work, improve performance, and analyze usage. You can manage preferences via our Cookie banner and your browser settings. Blocking some cookies may impact Site functionality.
10.1 Strictly necessary (cannot be disabled)
Examples (names may vary by setup/version):
- woocommerce_cart_hash, woocommerce_items_in_cart – store cart information.
- wp_woocommerce_session_* – unique code to find cart data in the database.
- store_notice[notice id] – remembers if you dismissed store notices.
- wordpress_logged_in_*, wordpress_sec_* – keeps you logged in (for account holders/admins).
10.2 Preferences/functional
- Remembers choices such as language, shipping country, or login details (if you opt to save them).
10.3 Analytics/performance (require consent in many jurisdictions)
- [e.g., *_ga (Google Analytics)] – helps us understand how visitors use the Site.
10.4 Marketing/advertising (require consent)
- [e.g., fbp, fr, Google Ads cookies] – used for remarketing and ad performance (only if enabled).
Third-party cookies: If we embed content or pixels from third parties (e.g., YouTube, LinkedIn, Meta), those providers may set cookies according to their policies.
For a full up-to-date list, please check our Cookie banner / Cookie settings on the Site.
11) Children’s data
Our products and services are not directed to children. We do not knowingly collect personal data from persons under 16. If you believe a child has provided personal data, please contact us to remove it.
12) Your rights under GDPR
Subject to conditions and exceptions, you have the right to:
- Access your personal data and obtain a copy.
- Rectify inaccurate or incomplete data.
- Erase data (“right to be forgotten”).
- Restrict processing.
- Data portability (receive data in a structured, commonly used format).
- Object to processing based on legitimate interests or to direct marketing.
- Withdraw consent at any time (where processing is based on consent).
- Lodge a complaint with a supervisory authority.
Supervisory authority in Bulgaria:
Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
[You may also exercise your rights with your local EU authority.]
To exercise your rights, contact info@milco.bg. We may need to verify your identity.
13) Security
We implement appropriate technical and organizational measures to protect personal data, including encryption in transit (HTTPS), access controls, least-privilege permissions, backups, and security monitoring. However, no method of transmission or storage is 100% secure.
14) Social media, embeds, and external links
Our Site may include links to external websites, social media profiles, or embedded media (e.g., product videos). These third-party sites operate under their own privacy policies. We are not responsible for their content or practices.
15) Payments
Payments are processed by third-party payment providers. When you make a payment, you will provide data directly to that provider under its own privacy terms. We receive confirmation of payment status and necessary transaction identifiers. We do not store full payment card details.
16) Deliveries
To deliver your order, we share necessary data (name, address, phone, order number) with our delivery partners. They act as independent controllers or processors depending on context and their own terms.
17) Business customers (B2B)
Where you interact on behalf of a company, we may process your business contact details to communicate and fulfil orders. Our legitimate interests include maintaining relationships with customers and suppliers while respecting your rights (Art. 6(1)(f)).
18) Changes to this Policy
We may update this Policy from time to time. We will post the new version on this page and update the “Effective date.” Material changes may be communicated by email or a notice on the Site.
19) Contact us
For questions about this Policy or your data:
MILCO Ltd
11 Kozanovska Str., 4230 Asenovgrad, Plovdiv Region, Bulgaria
Email: info@milco.bg
