Privacy Policy

Touchmenu Ltd. privacy policy

This privacy policy regulates the protection of natural persons in connection with the processing of their personal data by “Touchmenu” Ltd. when providing services to the information society from the touchmenuapp.com Platform.

With this privacy policy, we aim to provide you with comprehensive information regarding the processing of your personal data in a transparent, accessible and easily understandable manner in accordance with Art. 13 and Art. 14 of (EU) 2016/679  of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (  General regulation on data protection or known as GDPR), referred to for brevity in this policy as “the Regulation” or “GDPR”.

When you visit our website (load it in the browser you use), when registering and/or placing orders, by checking the relevant box (checkbox), you declare that you are familiar with and accept the terms of this privacy policy data.

As a personal data controller, we determine how to process
your personal data, for what purposes and in what ways. As the administrator of personal data, we are responsible for all data processing activities to be carried out in compliance with legal requirements and, if necessary and if there is a basis for processing them according to “GDPR. The commercial establishments that use the services provided by are also administrators in relation to the processing of your personal data, independently or jointly with us determining the purposes and means of processing.

If you have questions, need additional information or suggestions related to the processing of personal data and/or their protection, you can contact us at the coordinates specified in this policy.

 

Through this policy, you will receive information about:

I. General information about the controller of personal data and the processing actions

II. Categories of persons whose personal data are processed when using the services of the Platform

III. What personal data do we process and why? Data categories, purposes, legal grounds and retention periods.

IV. What rights you have and how to exercise them

V. Information about the supervisory authority

VI. To whom we provide personal data relating to you

VII. Security measures

VIII. Final provisions

 

DEFINITIONS

For the purposes of this policy, the terms used herein shall have the following meanings:

  • ” controller ” means a natural or legal person, public body, agency or other structure that alone or jointly with others determines the purposes and means of processing  personal data; The administrator of your data is Touchmenu Ltd.
  • ” information society service provider ” is a natural or legal entity that provides information society services. In the context of these General Terms and Conditions, the information society service provider is “Touchmenu” Ltd.
  •  ” personal data ” means any information relating to a natural person that enables his identification or identifies him, including identifiers such as name, identification number (TIN, LNCH, etc.), location data (geolocation), online identifier (e.g. IP) or by one or more characteristics specific to the physical, physiological, genetic, psychic, mental, economic, cultural or social identity of that natural person;
  • ” supervisory authority ” is an independent public authority that is responsible for monitoring the application of the Regulation in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free movement of personal data within the Union;
  • ” personal data security breach ”  means a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data that is transmitted, stored or otherwise processed;
  • ” processing ” means any operation or set of operations performed on personal data or a set of personal data by automatic (electronic) or other (paper) means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution or other means by which data is made available, arrangement or combination, restriction, erasure or destruction;
  • ” processor of personal data ” means a natural or legal person, public body, agency or other structure that processes personal data on behalf of the controller;
  • “Platform” means the website   touchmenuapp.com , the applications, tools and other devices of touchmenuapp.com and its related companies and business partners through which the Service is provided. 
  • ” risk ” is the possibility of material or non-material damage to the data subject under certain conditions, assessed in terms of its severity and probability.
  • ” data subject consent ” means any freely expressed, specific, informed and unequivocal indication of the will of the data subject, by means of a statement or clearly affirmative action, which expresses his consent to the personal data relating to him being processed;
  • ” data subject ” in the sense of this privacy policy is a natural person whose personal data is subject to processing by the personal data administrator within the scope of the activities of “Touchmenu” OOD; All categories of entities are comprehensively set out in Section I of this policy.
  • ” destruction ” is irreversible physical destruction of the material carrier of information;
  • ” information society services ” are such services, including the provision of commercial communications, which are generally remunerative and are provided at a distance through the use of electronic means following an express declaration by the recipient of the service.

Terms not defined in the text above have the meaning given to them in Regulation (EU) 2016/679 (the full text of the regulation is available at the following link: https://eur-lex.europa.eu/eli/reg/2016/679/oj ) or the corresponding normative act, in which a definition is expressly provided. 

 

  1. General information about the personal data controller. Who processes your Personal Data?

“Touchmenu” Ltd. is the administrator of personal data within the meaning of Art. 4, § 7 of the Regulation, as it determines the purposes and means of processing the personal data of natural persons when carrying out their activity. In certain cases, the company can be a joint administrator, since together with the commercial establishments it determines the purposes and means of the processing.

 

Data for the administrator: “TOUCHMENU” Ltd., entered in the TRRYULNC with EIK 206162253, VAT ID No. BG206162253, with headquarters and management address Sofia, Izgrev district, “Dragan Tsankov” Blvd. No. 23A, Office Building Tetrix, fl. 2,

Contact person: Todor Bobev

Contact phone: +359885151722        

Email: info@touchmenuapp.com

 

  1. Categories of persons whose personal data are processed when using the services of the Platform

When providing services through the Touchmenu Platform, OOD processes personal data of the following categories of natural persons:

  • Visitors to the Platform;
  • Individuals who create a profile;
  • Individuals who place orders through an already created account;
  • Individuals who place orders without creating an account;
  • Natural persons with whom “Touchmenu” OOD concludes a contract for the provision of online intermediary services;
  • Representatives of legal entities with whom “Touchmenu” OOD concludes a contract for the provision of online intermediary services (e.g. managers, procurators, contact persons, etc.).
  • Natural persons sending through the contact form or the other channels provided for communication with the company inquiries, requests, requests and any other messages and/or documents to “Touchmenu” OOD (including applications to exercise the rights provided for in Articles 15-22 of the Regulation and electronic messages).

 

  1. What personal data do we process and why? Data categories, purposes, legal grounds and retention periods. 

Touchmenuapp.com processes your personal data because you use our services. We use the following personal data for the following purposes:

1. Placing an order without prior registration

We process the personal data that you provide when placing an order without prior registration, so that the relevant order can be notified to the commercial outlet of your choice and be fulfilled.

The legal basis for this processing of personal data is Art. 6, para. 1, letter “b” of the GDPR, namely – performance of a contract. The storage period of the processed data is up to 5 (five) years from the execution of the contract.  

In the ordering process, we process the following data:

  • First and last name, e-mail address, telephone, delivery address – when the subject wants delivery of his order, not pick-up.
  • Name and surname, email address and phone number – when booking a service from a spa center/a table in a restaurant;

2. Registering and creating an account, as well as placing an order when an account is created via touchmenuapp.com

We process the personal data you provide when registering and creating a profile with which you can place orders and/or reservations, view your previous orders and reservations.These personal data are necessary to fulfill, confirm and evaluate the order, as well as in individual cases to make payment for the same.

The legal basis for this processing of personal data is Art. 6, para. 1, letter “b” of the GDPR, namely – performance of a contract. The storage period of the processed data is up to 5 (five) years from termination of the contractual basis. In case you wish us to deactivate your account, we will process your data for a period of 5 years from the deactivation.

In the order process, we process the following personal data:

  • First and last name, including username
  • Address details – delivery address
  • Contact details – phone, email
  • An order
  • Payment details
  • Comments (if applicable)

3. Evaluations and opinions about objects

In addition to the above activities, we process personal data that you provide when you rate or submit an opinion about an object. The legal basis for this processing of personal data is Art. 6, para. 1, letter “e” of the GDPR, legitimate interest with the aim of: providing transparent information about user satisfaction, both of the users themselves and of the commercial establishments – in order to increase the quality of the service and judge the satisfaction of the users. We process the following personal data when you post an opinion about a specific object: 

  • Name (if specified)/Username
  • Opinion/Evaluation (which usually does not contain personal data)

4. Customer service and processing of inquiries, requests and any other communication addressed to us (including with a view to exercising the rights provided for in the GDPR)

When you contact us through the various communication channels, including the contact form, email, our customer service department, etc., we will use the personal data you provide to respond to a question or request/complaint made. . The legal basis for this processing of personal data depends on the specific request/inquiry, as it may be necessary for the performance of a contract or previous steps for the conclusion of such a contract – Art. 6, para. 1, letter “b” of the GDPR. In certain cases, the processing may be based on our legitimate interest according to Art. 6, para. 1, letter “f” of the GDPR. Applications for the exercise of the rights provided for in the GDPR are processed on the basis of a legal obligation according to Art. 6, para. 1, letter “c” of the GDPR.

 We process the following personal data for the purposes of customer service and receiving inquiries, requests, applications and any other correspondence:

  • Name
  • Address details (if applicable)
  • Contact data
  • Payment details (if applicable)
  • Comments (if applicable)

The term of data storage is up to 1 (one) year, unless a contract is concluded based on the communication, in which case the terms provided for in item 1 apply. The term of storage of received applications for exercising rights, as well as related documents with them are stored for up to 5 (five) years from the date of the last action taken on the application.

5. Conclusion and execution of contracts for the provision of intermediary online services

When we conclude a contract for the provision of intermediary online services with a natural person, we process the following personal data:

  • Three names;
  • EGN;
  • Names of employees that the person, at his discretion and desire, adds to the Platform;

The legal basis for processing these personal data is contractual according to Art. 6, para. 1, letter “b” of the GDPR. The storage period of the processed data is up to 5 (five) years from the termination of the contract. Also, we store the data contained in the invoices for the period provided for in the Accounting Act and DOPC (10 years, starting from January 1 of the accounting period following the accounting period to which they refer)  on the basis of Art. 6, para. 1, letter “c” of the GDPR.

When we conclude a contract for the provision of intermediary online services with a legal entity and when creating a profile on the Platform, we process the following personal data:

  • Three names of the legal representative;
  • Two contact person names;
  • Contact person’s phone number and email;
  • Names of employees that the person, at his discretion and desire, adds to the Platform;

The legal basis for processing these personal data is contractual according to Art. 6, para. 1, letter “b” of the GDPR. The storage period of the processed data is up to 5 (five) years from the termination of the contract. Also, we store the data contained in the invoices for the period provided for in the Accounting Act and DOPC (10 years, starting from January 1 of the accounting period following the accounting period to which they refer)  on the basis of Art. 6, para. 1, letter “c” of the GDPR.

6. Marketing communications (newsletter)

We also process your personal data so that we can send you (personalised) marketing messages and notifications. Such communications include the latest news, discount and new item information (emails or notifications), and loyalty programs, regardless of the format we use to share such communications (including emails or notifications). The legal basis for this processing of personal data is that you agreed to it when you placed an order – Art. 6, para. 1, letter “a” of the GDPR, granting consent. When you want to change your preferences regarding receiving such messages and notifications, incl. to withdraw the consent provided, you can unsubscribe using the link in the message in question.

We process the following personal data for marketing purposes:

  • Name/Username
  • Contact details – including telephone and email address

7. “Cookies” 

We also process personal data that you provide us indirectly. Touchmenuapp.com uses cookies for functional, analytical and marketing purposes.

Please see our Cookie Policy for more details on cookies (hyperlink).

8. Fraud Prevention 

We process some of the above personal data also to prevent fraud and other forms of abuse. The legal basis for this processing is that it is necessary on the basis of Art. 6, para. 1, letter “f” of the GDPR, legitimate interest of Touchmenuapp.com (fraud prevention).

9. Maintaining a log of security breaches

We can process your personal data in order to fulfill our statutory obligations for reporting and documenting security breaches and on the basis of Art. 6, para. 1, letter “c” of the GDPR in connection with Art. 33, para. 5 of the GDPR. The term for data processing is up to 5 years from the detection of the violation.

The data that we will process in the event of a security breach are those that you provided to us at the time the breach was detected – in general, first and last name, phone number and email address.

Age

Our website is not intended for persons under the age of 16 and we do not collect personal data of website visitors who are under the age of 16. However, we cannot verify the actual age of visitors. Therefore, we advise parents to monitor their children’s online activities to prevent their personal data from being shared without parental consent. If you believe that we have collected personal data of a minor without consent, please contact us at info@touchmenuapp.com. As a result, we will proceed to delete this data.

 

IV.What rights you have and how to exercise them

 If Touchmenu Ltd. processes your data, you have the following rights:

  1. Right of access

You have the right to receive confirmation as to whether we are processing personal data relating to you. In the event that we process such data, we will provide you with a copy of the data as well as the following information:

  • the purposes of the processing;
  • relevant categories of personal data;
  • the recipients or categories of recipients to whom the personal data has been or will be disclosed;
  • when possible, the expected period for which the personal data will be stored, and when not possible – the criteria for its determination;
  • the existence of a right to require the controller to correct or delete personal data or to limit the processing of personal data related to the data subject, or to object to such processing;
  • the right to appeal to a supervisory authority;
  • where the personal data is not collected from the data subject, any available information about its source;
  • the existence of automated decision-making, incl. profiling (with relevant information about the logic used and the meaning and intended consequences of this processing).

In the event that the documents containing personal data of the subject contain personal data of other persons, they will be deleted in an appropriate manner.

  1. Right to rectification

You have the right to request that we correct the personal data we process about you if it is inaccurate. In case you wish to supplement your personal data, we will need you to submit a declaration/application containing the relevant information.

Once we receive your request, we will correct/supplement the data as soon as possible.

  1. Right to erasure (so-called right to be forgotten)

You have the right to request the deletion of personal data relating to you, which will be deleted when any of the following grounds apply:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • You withdraw your consent on which the processing of the data is based and we have no other legal basis for the processing;
  • You object to the processing and there are no overriding legal grounds for the processing;

When you have objected to processing that takes place for marketing purposes, the grounds are not analyzed and the data is deleted.

  • your personal data has been processed unlawfully;
  • personal data must be deleted in order to comply with a legal obligation under EU law or Bulgarian law;
  • personal data were collected in connection with the provision of information society services.

An information society service is any service normally provided for a fee, at a distance, by electronic means and at the individual request of the recipient of the services.

Even if one of the scenarios described above is present, we will not delete your personal data when the processing is necessary for:

  • exercising the right to freedom of expression and the right to information;
  • compliance with a legal obligation that requires processing provided for in EU law or Bulgarian law, or for the performance of a task of public interest, or in the exercise of official powers of the administrator;
  • the establishment, exercise or defense of legal claims;
  • two more specific hypotheses set forth in art. 17, § 3, letters “c” and “d” of the Regulation.
  1. Right to restriction of processing

You have the right to ask us to restrict processing where:

  • You dispute the accuracy of the personal data. In this case, the limitation takes place for the period necessary for “Touchmenu” OOD to verify the accuracy of the data;
  • The processing is unlawful, but you want the use of the personal data to be restricted instead of deleted;
  • “Touchmenu” Ltd. no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defense of legal claims;
  • You have objected to the processing and are awaiting verification of whether the legitimate interests of “Touchmenu” OOD take precedence over your interests;

Touchmenu will inform any person to whom data has been disclosed that it has been corrected, deleted or restricted, except in cases where this is impossible or requires a disproportionate effort. In case you wish, we will let you know who these persons are.

  1. Right of portability

You have the right to receive the personal data you have provided to us in a structured, widely used and machine-readable format, and to request that we transfer it to another controller of your choice. In order to take such actions, the following two prerequisites should be present:

  • the processing is based on consent or  contractual obligation and
  • the data to be processed in an automated manner.
  1. Right to object to processing

You have the right to object to the processing of your personal data when it is based on:

  • performance of a task in the public interest or in the exercise of official powers conferred on the controller or
  • legitimate interest.

We will stop processing your data immediately if we are unable to demonstrate that there are compelling legal grounds for the processing that override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.

Where the processing is for marketing purposes, we will stop processing your data at the moment we process your request.

  1. Right to withdraw consent provided

When the processing of your data is based on consent, you have the right to withdraw the consent provided at any time by notifying us of this at the indicated contacts.

How to exercise the rights described above?

1. In case you wish to exercise any of your rights, please download the application from HERE  and fill in the necessary information. The application has been created for your convenience, but is not mandatory.

If you prefer, you can also send us a request in free form, which must contain the following information:

  • your three names;
  • address;
  • mailing address;
  • description of the request;
  • preferred form of receiving response and information;
  • signature;
  • Submission date.

2. Please send your application in one of the following ways:

  • by e-mail to info@touchmenuapp.com  under the terms of the Electronic Document and Electronic Authentication Services Act (EAD), the Electronic Government Act (EAD) or the Electronic Identification Act (EID). 
  • by mail or in person at the address: Sofia, Izgrev district, Dragan Tsankov Blvd. 23A, Tetrix Building Office, 2nd floor.

When the application is submitted by an authorized person, a power of attorney should be attached to it .

3.  After reviewing your application, we will analyze its content and, if necessary, ask you for additional information. You will receive information about its processing within one month of sending it in the way you indicated as your preferred communication.

4. In the event that you need assistance in filling out the form offered by us, you can contact us at the contact details specified in this policy. For your convenience, we have prepared short instructions for the application (page 3): ( download )

You should keep in mind that “Touchmenu” EOOD may refuse to fully or partially satisfy any of the rights described above, when their satisfaction would create a risk to public order and security, the prevention, investigation, detection or prosecution of crimes or the execution of the penalties imposed, including the protection against and prevention of threats to public order and security, other important objectives of broad public interest and in particular an important economic or financial interest, including monetary, budgetary and tax matters, public health and social security, the protection of the data subject or the rights and freedoms of other persons or the enforcement of civil claims.

 

Other rights you have:

1.Complaint to a data protection supervisory authority

In addition to the possibility to lodge a complaint with us, you have the right to lodge a complaint with the relevant supervisory authority for the protection of personal data. Each data subject has the right to file a complaint with a supervisory authority if he/she believes that the processing of personal data concerning him/her violates the provisions of the Regulation or the GDPR. In the event that the subject has a place of employment or habitual residence in the Republic of Bulgaria, as well as when the violation was committed in the Republic of Bulgaria, the latter should refer the Commission for the Protection of Personal Data (KPLD) within 6 months of learning of the violation, but not later – later than 2 years from its execution, by filing a complaint in one of the ways described here: https://www.cpdp.bg/?p=pages&aid=56.

After the entry into force of the Regulation, the subjects of personal data may also submit complaints to other supervisory authorities in the territory of the European Union, when this is provided for in the Regulation.

The supervisory authority competent on the territory of the Republic of Bulgaria is the Commission for the Protection of Personal Data (PCPD).


Commission for the Protection of Personal  Data
Address: Bul. Tsvetan Lazarov 2
Postal code: 1592 Sofia
E-mail address: kzld@cpdp.bg

Website: www.cpdp.bg

Center for information and contacts – tel. 02/91-53-518

2. Appeal to the competent administrative court

Without prejudice to your right to appeal to the GDPR, described in item 1, you have the opportunity to file a complaint with the competent administrative court when you believe that your rights under the Regulation/PRGDP have been violated as a result of the processing of your personal data .

3. Right to compensation and liability for damages

In the event that you have suffered material or non-material damages as a result of a violation of the Regulation, you have the right to receive compensation from the administrator for the damages caused.

Contact details for “Touchmenu” OOD

Address: Sofia, Izgrev district, Dragan Tsankov Blvd. No. 23A, Office Building Tetrix, 2nd floor

Contact phone: +359885151722

Email: info@touchmenuapp.com

 

VI.To whom we provide personal data relating to you

  • Sharing with Stores

Touchmenuapp.com shares your personal data (name, e-mail address, address and telephone number, order) with the Merchant of your choice so that the latter can deliver your order. Since you are a direct customer of the Commercial Site, the Commercial Site bears its responsibility and has its own obligations regarding the processing of your personal data in its capacity as an administrator. If you have any questions about how the Merchant processes your personal data, you should contact the relevant entity directly.

  • Sharing with others (except Stores)

Touchmenuapp.com will disclose your personal data to third parties only if this is necessary to fulfill our contract with you in the presence of express consent or to comply with legal obligations.

Your personal data may be shared with the following parties:

  • Software providers;
  • Fulfillment partners such as (e.g. couriers, etc.);
  • User satisfaction survey companies if you have given us consent;
  • Advertising platforms (eg Google and Facebook) if you have provided consent;

Where we commission third parties to process your personal data on our behalf, we will enter into a data processing agreement to ensure the same level of protection and privacy of your personal data. Touchmenuapp.com will continue to be ultimately responsible for such processing activities.

  • Sharing with third countries

We transfer your data to the following persons outside the EU

  • DigitalOcean (https://www.digitalocean.com) – DigitalOcean, LLC, a company located in New York, 101st Avenue, 100013. In the relations between the parties, standard contractual clauses have been concluded according to Art. 46, para. 2, letter “c” of the GDPR, the content of which is available: https://www.digitalocean.com/legal/data-processing-agreement  

Your personal data is not provided to other persons within the EU, nor to third countries or international organizations.

Third Party Websites

Our website may contain links to third party websites. When visiting such websites, please note that each of them has its own privacy policy. Although Touchmenuapp.com takes great care in selecting websites to post links to, we cannot take responsibility for how they handle your personal data.

 

VII.Security measures

Touchmenuapp.com takes the protection of personal data very seriously and in this regard we take appropriate measures to protect your personal data against misuse, loss, unauthorized access, unwanted disclosure and unauthorized changes. If you believe that your personal data is not adequately protected or there are indications of improper use, please contact us at the email address: info@touchmenuapp.com

Some of the security measures we have implemented are as follows:

  • integrated TSL certificate;
  • 24/7 server monitoring with automatic notifications to the technical staff in case of problems, site monitoring, regular security tests;
  • automated testing of all new changes to the program code;
  • limited access to program code and server space;
  • keeping operating systems up to date;
  • keeping anti-virus programs up-to-date;
  • other measures to protect the buildings, premises and facilities in which personal data are processed and stored, detailed in the Company’s Internal Rules;
  • limited access of employees to information resources according to the “need to know” principle;
  • documented procedures for processing personal data of natural persons, etc.

 

VIII.Final provisions

§1. “Touchmenu” OOD makes efforts to ensure that processed personal data relating to all natural persons are updated (and if necessary corrected) and that no data is stored that is not necessary to achieve the objectives, described in this policy.

§2.  All amendments and additions to the Privacy Policy will be applied after the publication of its current content, accessible through this platform. In case the amendments are substantial and/or substantive, in accordance with the Guidelines on transparency under Regulation 2016/679 of the Article 29 Working Party (now European Data Protection Board), adopted on 29.11.2017, last revised on 11.04 .2018, we will notify you of them by means of a pop-up message on our website, or by email to the email address you provided, when we have one.

Enquire now

Give us a call or fill in the form below and we will contact you. We endeavor to answer all inquiries within 24 hours on business days.







    Desired Services