Appendix: Data Processing Agreement

1. Introduction
  • 1.1 This Data Processing Agreement ("Data Processing Agreement") governs the processing of personal data on behalf of the client ("Data Controller" or "Client") by Mirchev Ideas ("Data Processor") and is an addition to the Terms of Service of Seliton / Summer Cart ("Services"), in which the parties have agreed on the terms for the provision of the Services by Mirchev Ideas.
2. Legislation
  • 2.1 The Data Processing Agreement must ensure that the data processing is in accordance with the applicable personal data protection and privacy legislation ("applicable law"), including in particular the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR).
3. Processing of Personal Data
  • 3.1 Purpose: The purpose of data processing is the provision of Services by the data processor, according to the Terms of Service of Seliton / Summer Cart.
  • 3.2 In connection with the provision of Services by the Data Processor to the Data Controller, the Data Processor will process certain categories and types of personal data of the Data Controller on behalf of the Data Controller.
  • 3.3 "Personal Data" includes "any information relating to an identified or identifiable natural person," as defined in GDPR, Article 4, Paragraph 1, Point 1 ("Personal Data"). The categories and types of personal data processed by the Data Processor on behalf of the Data Controller are listed in Appendix A. The Data Processor only performs processing activities that are necessary and appropriate for the performance of the Services. The parties will update Appendix A when changes occur that require updating.
  • 3.4 The Data Processor maintains a record of processing activities in accordance with GDPR, Article 32, Paragraph 2.
4. Instruction
  • 4.1 The Data Processor may act and process personal data only in accordance with the documented instructions of the Data Controller ("instructions"), unless required by law to act without such instructions. The instruction at the time of the effective date of the Data Processing Agreement is that the Data Processor may process personal data only for the purpose of providing the Services as described in the Terms of Service of Summer Cart / Seliton. Subject to the terms of this DATA PROCESSING AGREEMENT and with the mutual agreement of the parties, the Data Controller may issue additional written instructions in accordance with the terms of this agreement. The Data Controller is responsible for ensuring that all individuals who provide written instructions are authorized to do so.
  • 4.2 The Data Controller ensures the processing of personal data in accordance with the requirements of the Data Protection Laws and Regulations. The Data Controller's instructions for the processing of personal data must comply with applicable law. The Data Controller will be fully responsible for the accuracy, quality, and legality of the personal data and the means by which they were obtained.
  • 4.3 The Data Processor will inform the Data Controller of any instruction it believes to be in violation of applicable law and will not execute the instructions until they are confirmed or amended.
5. Obligations of the Data Processor
  • 5.1 Confidentiality
    • 5.1.1 The Data Processor treats all personal data as strictly confidential information. Personal data may not be copied, transferred, or otherwise processed contrary to the instructions, unless the Data Controller agrees.
    • 5.1.2 Employees of the Data Processor are required to maintain confidentiality, ensuring that they treat all personal data in full confidentiality according to this DATA PROCESSING AGREEMENT.
    • 5.1.3 Personal data will only be provided to personnel who need access to such personal data for the provision of the Services and this Data Processing Agreement.
    • 5.1.4 The Data Processor has the right to provide personal data to third parties if necessary for the provision of the Services.
  • 5.2 The Data Processor also ensures that employees processing personal data only process the personal data in accordance with the instructions.
  • 5.3 Protection
    • 5.3.1 The Data Processor will implement appropriate technical and organizational measures specified in this agreement and in Applicable Law, including in accordance with GDPR, Article 32. Security measures are subject to change with technological progress and development. The Data Processor may update or modify the security measures from time to time, provided that these updates and modifications do not result in a degradation of overall security.
  • 5.4 The Data Processor must provide documentation of the security measures to the Data Controller within a reasonable time, no longer than one month, if requested in writing by the Data Controller.
  • 5.5 Data Protection Impact Assessments and Prior Consultations
    • 5.5.1 If the assistance of the Data Processor is necessary and appropriate, the Data Processor will assist the Data Controller in carrying out data protection impact assessments in accordance with GDPR, Article 35, along with any prior consultations in accordance with GDPR, Article 36.
  • 5.6 Data Subject Rights
    • 5.6.1 If the Data Controller receives a request from a data subject to exercise their data subject rights under applicable law and a correct and legitimate response to such a request requires the assistance of the Data Processor, the Data Processor will assist the Data Controller by providing the necessary information and documentation. The Data Processor will have a reasonable period to assist the Data Controller with such requests in accordance with applicable law.
    • 5.6.2 If the Data Processor receives a request from a data subject to exercise their data subject rights under applicable law and such a request pertains to the Data Controller's personal data, the Data Processor will promptly forward the request to the Data Controller and will refrain from responding directly to the individual.
  • 5.7 Personal Data Breach
    • 5.7.1 The Data Processor will promptly notify the Data Controller if a breach occurs that may lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed on behalf of the Data Controller ("personal data breach").
    • 5.7.2 The Data Processor will make reasonable efforts to identify the cause of such a breach and take steps it deems necessary to determine the cause and prevent a recurrence of such a breach.
  • 5.8 Compliance Documentation and Audit Rights
    • 5.8.1 Upon request by the Data Controller, the Data Processor will provide the Data Controller with all necessary information to demonstrate compliance with this DATA PROCESSING AGREEMENT and to allow for and reasonably assist with audits, including inspections by the Data Controller or an auditor designated by the Data Controller. The Data Controller will notify the Data Processor of any audit or inspection to be conducted and will make reasonable efforts to avoid causing damage or disruption to the Data Processor's premises, equipment, and business during such an audit or inspection. All audits or document inspections are conducted with reasonable prior written notice, no less than 30 days, and no more than once a year.
    • 5.8.2 The Data Controller may be required to sign a confidentiality agreement acceptable to the Data Processor before the information and access described above are provided.
  • 5.9 Data Transfer
    • 5.9.1 Generally, the Data Processor will not transfer your data to countries outside the European Economic Area. In some cases, personal data will be retained through storage solutions that have servers outside the European Economic Area (EEA), such as Dropbox or Google. Only those storage solutions that provide secure services with appropriate adequate safeguards will be used.
6. Sub-processors
  • 6.1 The Data Processor is granted general authorization to engage third parties to process personal data ("Sub-processors") without obtaining additional written and specific authorization from the Data Controller. The Data Processor will inform the Data Controller of any planned changes regarding the addition or replacement of sub-processors for the Data Controller's personal data. If the Data Controller wishes to object to the relevant sub-processor, the Data Controller will notify the Data Processor in writing within five business days of receiving the notification from the Data Processor. The absence of objections from the Data Controller will be considered as consent to the relevant sub-processor.
  • 6.2 The Data Processor will enter into a written sub-processor agreement with all sub-processors. Such an agreement will impose at least the same data protection obligations as those applicable to the Data Processor, including the obligations under this Data Processing Agreement. The Data Processor will continuously monitor and control the sub-processors' compliance with applicable law. Documentation of such monitoring and control will be provided to the Data Controller if requested in writing.
  • 6.3 The Data Processor is accountable to the Data Controller for each sub-processor in the same way as for its own actions and omissions.
7. Fees and Expenses
  • 7.1 The Data Controller will compensate the Data Processor based on the time spent fulfilling the obligations under sections 5.5, 5.6, 5.7, and 5.8 of this Data Processing Agreement based on the hourly rates of the Data Processor.
  • 7.2 The Data Processor is also entitled to compensation for any time and resources spent adapting and changing processing activities to comply with any changes in the Data Controller's instructions, including the implementation costs and additional expenses necessary to deliver the Services as a result of the change in instruction. The Data Processor is exempt from liability for non-performance of the primary agreement if the performance of obligations under the primary agreement would contradict the modified instruction or if agreed performance in accordance with the modified instruction is impossible. This may be the case, for example: (i) if the changes in the instruction cannot be implemented technically, practically, or legally; (ii) when the Data Controller explicitly requires the changes in the instruction to be applicable before the changes are implemented; and (iii) during the period in which the primary agreement is amended to reflect the new instructions and commercial terms.
8. Limitation of Liability
  • 8.1 The total aggregate liability to the Client, regardless of its nature, whether in contract, tort, penalties, lost profits, or otherwise caused by the Data Processor for any losses and any reasons arising from or in any way related to this agreement, is subject to the limitation of liability set forth in the Terms of Service of Seliton / Summer Cart.
  • 8.2 Nothing in this DATA PROCESSING AGREEMENT removes the obligations of the Data Processor under Regulation (EU) 2016/679 (GDPR).
9. Duration
  • 9.1 The Data Processing Agreement remains in effect until the termination of the Service Agreement.
10. Data Protection Officer
  • 10.1 The Data Processor will appoint a Data Protection Officer when such an appointment is required by data protection laws and regulations.
11. Termination
  • 11.1 Upon expiration or termination of the Agreement, the Data Processor will delete or return to the Data Controller all personal data in its possession as provided in the agreement and the internal policies of the Data Processor, except to the extent that the Data Processor is required by applicable law to retain some or all personal data (in which case the Data Processor will archive the data and implement reasonable measures to prevent further processing of the personal data). The terms of this DATA PROCESSING AGREEMENT will continue to apply to such personal data.
12. Contact
  • 12.1 The contact information for the Data Processor and the Data Controller is provided in the Service Agreement.
Appendix A
  • 1. Personal Data
    • 1.1 The Data Processor processes the following types of Personal Data in connection with the provision of its Services:
    • 1. Information about visitors, customers, and administrators of your online store:
      • 1. Usernames and passwords
      • 2. Name, postal, and email address
      • 3. IP addresses and cookies
      • 4. Activity logs
      • 5. Product lists
      • 6. Shopping carts
      • 7. Tax numbers
      • 8. Product and blog post comments
      • 9. Survey responses, product ratings, and order fulfillment
      • 10. Orders
      • 11. Any information you request end customers to enter in your online store, such as: personal identification number, number and dates of identity cards, bank account information
      • 12. Email content for which you use our servers for sending, receiving, or storage
  • 2. Sub-processors
    • 2.1 External software suppliers: Upwork
    • 2.2 Hosting providers: OVH, Hetzner, ICN.bg, Vultr, Digital Ocean
    • 2.3 Communication providers: Microsoft
    • 2.4 Data analysis: Google
  • 3. Cookies used by Seliton / Summer Cart
    • 3.1 WLID: Allows us to find the customer's wish lists, stored for 6 months
    • 3.2 PCC: Allows us to find the customer's persistent or abandoned cart, stored for 6 months
    • 3.3 PPLastShow: Limits how often pop-ups are displayed, stored for 2 months, does not contain personal data
    • 3.4 PCODE: Allows linking to a partner and respective pricing, stored for 90 days
    • 3.5 PointsReferrer: Allows correct rewarding with bonus points, stored for 30 days
    • 3.6 MIPHPF_SESSION<number>: Stores the customer's session identifier, stored only for the current browser session