Privacy policy

Last updated: August 16, 2025

Lapis Magica Ltd. (“we”, “our”, “us”) operates this online store and website, including all related information, content, features, tools, products and services (collectively, the “Services”), in order to provide you with a curated shopping experience. The store is powered by Shopify, which enables us to deliver the Services.

This Privacy Policy explains how we collect, use, and disclose your personal data when you visit, use, or make a purchase through the Services, or otherwise communicate with us. In case of conflict between our Terms of Service and this Privacy Policy, this Policy will prevail with respect to the collection and processing of your personal data.

By using the Services, you confirm that you have read and understood this Privacy Policy.

Personal Data We Collect or Process

“Personal data” means any information that identifies you or can reasonably be linked to you. It does not include anonymized or de-identified information. Depending on your interaction with the Services, we may collect:

  • Contact details: name, billing and shipping address, phone number, email.
  • Financial data: credit/debit card information, bank account details, payment confirmations.
  • Account data: username, password, preferences, settings.
  • Transaction data: products viewed, added to cart, purchased, returned, or exchanged.
  • Communications: information you provide when contacting us (e.g. customer support).
  • Device data: browser, IP address, device identifiers, network connection.
  • Usage data: information on how and when you interact with the Services.

Sources of Data

We may collect your data:

  • Directly from you (e.g. when creating an account, placing an order, or contacting us).
  • Automatically (through cookies and similar technologies when using our Services).
  • From service providers (e.g. payment processors, logistics partners).
  • From business partners or third parties, as permitted by law.

How We Use Your Data

We process personal data only where there is a lawful basis under the GDPR, including:

  1. Contract performance - to process your orders, payments, deliveries, returns, and account management.
  2. Consent - to send you marketing communications or place cookies (where required). You can withdraw consent at any time.
  3. Legitimate interests - to improve our Services, protect against fraud, ensure network and information security.
  4. Legal obligations - to comply with applicable laws, regulations, or lawful requests.

Disclosure of Data

We may disclose your data in the following cases:

  • To Shopify (as hosting provider and e-commerce platform).
  • To service providers - e.g. IT, payment processing, logistics, cloud storage.
  • To marketing partners - only with your consent for promotional activities.
  • To public authorities - if required by law.
  • In business transactions - e.g. mergers, acquisitions, or restructuring.

Where Shopify acts as a separate controller, it is responsible for its own processing. More information is available in the Shopify Privacy Policy.

Your GDPR Rights

As a data subject under the GDPR, you have the following rights:

  • Right of access - to obtain a copy of your personal data.
  • Right to rectification - to correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”).
  • Right to restriction of processing - in certain circumstances.
  • Right to data portability - to receive your data in a structured format and transfer it to another controller.
  • Right to object - to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent - where processing is based on consent.

To exercise your rights, please contact us at the details below. We may need to verify your identity before fulfilling your request.

Security and Retention

We implement appropriate technical and organizational measures to safeguard your personal data. However, no system is completely secure, and we cannot guarantee absolute protection.

We retain personal data only as long as necessary for the purposes for which it was collected, to comply with legal obligations, or to resolve disputes.

Data Deletion Request
If you have created an account or logged in to our store using Facebook Login and you wish to delete your data, please contact us at lapismagica@gmail.com with your request.
We will delete your account data (including personal information obtained via Facebook Login) within 30 days, except for data we are required to keep by law (e.g. transaction records for tax and accounting purposes).

Children’s Data

Our Services are not directed to children under 18, and we do not knowingly collect personal data from them.

International Transfers

If personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, we rely on approved safeguards such as the European Commission’s Standard Contractual Clauses or equivalent mechanisms, unless the recipient country has been recognized as providing adequate protection.

Changes to This Policy

We may update this Privacy Policy to reflect changes in practices or legal requirements. Updates will be published here with a revised “Last updated” date.

Contact

For any questions, or to exercise your data protection rights, please contact us:

Lapis Magica Ltd.
UIC: 206232228
Address: Sofia, kv. Lagera, ul. Maglen, bl. 54
Phone: +359 878 687 616
Email: lapismagica@gmail.com
Managing Director: Svetozar Simov

For the purposes of applicable data protection laws, Lapis Magica Ltd. is the data controller of your personal data.

You also have the right to lodge a complaint with your local supervisory authority. In Bulgaria, this is the Commission for Personal Data Protection (КЗЛД).