Legal · Privacy Policy

Privacy Policy

Last updated: May 31, 2026

1. Introduction

ZeroShop E-Commerce Ltd ("ZeroShop", "we", "us", or "our"), a company incorporated under the laws of the Republic of Bulgaria, is the data controller responsible for the personal data processed in connection with the ZeroShop website and platform at zeroshop.io (the "Platform").

This Privacy Policy applies to visitors of the Platform, registered users, and Merchants using the Platform. It describes how we collect, use, store, share, and protect your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Bulgarian Personal Data Protection Act, and other applicable data protection legislation.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. For information about the terms governing your use of the Platform, please see our Terms of Service.

2. Data Controller

ZeroShop E-Commerce Ltd

VAT number: BG208879424

j.k. Mladost 2, bl. 262, Sofia, Republic of Bulgaria

Email: privacy@zeroshop.io

For any questions or requests regarding your personal data, you may contact us at the address above.

ZeroShop is the data controller for the personal data described in this Policy — principally the account data of merchants and Platform-level usage data. Where you operate an eshop, ZeroShop acts as a data processor on your behalf for the personal data of your own customers; your responsibilities and our role for that data are described in Section 3.3.

3. Data We Collect

3.1 Account Data (Data You Provide)

  • Account information: Name, email address, and password when you register for an account.
  • Merchant store information: Business name, description, configuration settings, and any content you upload to your eshop (product listings, images, descriptions).
  • Communications: Any information you provide when contacting us for support, feedback, or inquiries.

3.2 Platform-Level Statistical Data (Collected Automatically)

We collect limited usage data at the Platform level for statistical purposes only, such as:

  • Traffic sources: Where visitors come from (referral URLs, search engines, direct visits).
  • Page views and feature usage: Which pages are visited and which features are used, in aggregate.
  • Device and browser type: General categories (e.g., mobile vs. desktop, browser family) for compatibility purposes.
  • Cookies and similar technologies: See Section 7 below for details.

This data is used exclusively to understand how the Platform is used and to improve the service.

3.3 Your Customers' Data (Processed on Your Behalf)

ZeroShop acts as your processor for this data

When you operate an eshop, the Platform stores and processes the personal data of your customers that you collect through it. With respect to that data, you are the data controller and ZeroShop is your data processor under Article 28 GDPR. We process it only on your instructions and to provide the Services, and we do not use it for our own purposes.

Depending on how you configure your eshop, this customer data may include names, email addresses, phone numbers, billing and shipping addresses, order and transaction records, and technical identifiers such as IP addresses associated with registration or login.

For our own analytics and reporting to merchants, we use this data only in aggregated, non-identifying form (for example, total order counts, revenue summaries, and general geographic regions). As the controller of your customers' data, you are responsible for providing them with appropriate privacy information and for honouring their data subject rights; we will assist you in doing so as your processor. The terms governing this processing are set out in our Data Processing Agreement.

If we receive a request directly from one of your customers regarding Personal Data that we process on your behalf, we will, unless legally prohibited from doing so, promptly forward the request to you. We may assist you in responding to such requests where required under the applicable Data Processing Agreement or by applicable data protection law.

3.4 Data We Do Not Collect

  • Payment card numbers or full financial instrument details — card payments are handled directly by our payment processors (see Section 6).
  • Health, biometric, or other special category data, unless you choose to collect it through your eshop, in which case you remain the controller and are responsible for meeting the additional requirements that apply to such data.

4. Legal Bases for Processing

We process your personal data on one or more of the following legal bases under Article 6 of the GDPR, depending on the purpose of the processing:

Performance of a Contract (Art. 6(1)(b))

We process your personal data where necessary to:

  • create and manage your ZeroShop account;
  • provide access to the Platform and its features;
  • operate and maintain your Merchant Store;
  • provide customer support and respond to your service-related requests.

Legitimate Interests (Art. 6(1)(f))

We process personal data where necessary for our legitimate interests, provided that such interests are not overridden by your rights and freedoms. This includes:

  • maintaining the security and integrity of the Platform;
  • detecting, preventing, and investigating fraud, abuse, and unauthorized access;
  • monitoring Platform performance and improving our Services;
  • generating Platform-level statistical and analytical information.

Consent (Art. 6(1)(a))

Where required by applicable law, we rely on your consent for:

  • the use of non-essential cookies and similar tracking technologies;
  • any other processing activities for which consent is required.

You may withdraw your consent at any time without affecting the lawfulness of processing carried out before its withdrawal.

Compliance with a Legal Obligation (Art. 6(1)(c))

We process personal data where necessary to comply with applicable legal obligations, including obligations relating to taxation, accounting, regulatory compliance, law enforcement requests, and other legal requirements.

5. How We Use Your Data

We use your data for the following purposes:

  • Service delivery: To create and manage your account, operate your merchant stores, and provide the Platform's features.
  • Platform statistics: To understand traffic sources, feature popularity, and general usage patterns in order to improve the Platform. This analysis is performed on aggregate, non-identifying data.
  • Security: To detect, prevent, and respond to security threats, fraud, and abuse.
  • Communication: To send you service-related notifications and respond to your inquiries.
  • Legal compliance: To comply with applicable laws, regulations, and legal processes.
  • Usage limits: To monitor and enforce usage limits associated with your account and merchant stores.

We do not use your data for advertising, profiling, or selling to third parties.

6. Data Sharing and Third Parties

We do not sell your personal data. We may share your data with the following categories of recipients:

  • Service providers: Hosting providers, analytics services, email delivery services, and other vendors who process data on our behalf under Data Processing Agreements (DPAs) compliant with Article 28 GDPR. Further information regarding the Sub-processors engaged by ZeroShop in connection with the Services is available in our Data Processing Agreement.
  • Payment processors: When a customer pays through your eshop, the relevant payment data is handled by third-party payment providers such as Stripe (including Stripe Connect) or PayPal. These providers process payment and related personal data under their own terms and privacy policies, as independent controllers or as processors, depending on the service.
  • Legal requirements: Law enforcement, regulatory authorities, or courts when required by law or to protect our rights, safety, or property.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you of any such transfer and the applicable terms.

All third-party service providers are contractually bound to protect your data and may only process it for the specific purposes we authorize.

7. Cookies and Tracking Technologies

We use cookies and similar technologies on the Platform. These fall into the following categories:

7.1 Essential Cookies

Required for the Platform to function (e.g., session management, authentication, CSRF protection). These cannot be disabled. Legal basis: Contract performance.

7.2 Analytics Cookies

Used to understand how users interact with the Platform, measure performance, and identify areas for improvement. Legal basis: Consent. You may opt out at any time through our cookie settings.

7.3 Managing Cookies

You can manage your cookie preferences through:

  • Our cookie consent banner (displayed on your first visit).
  • Your browser settings (note: disabling essential cookies may prevent the Platform from functioning correctly).

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy:

  • Account data: Retained for the duration of your account and up to 30 days after account deletion to allow for data export and recovery.
  • Merchant store data: Retained for the duration of the associated account. Upon store deletion, data is permanently removed within 30 days.
  • Usage and analytics data: Retained in identifiable form for up to 26 months, after which it is anonymized or deleted.
  • Legal obligations: Certain data may be retained longer where required by tax, accounting, or other legal obligations (typically up to 10 years under Bulgarian law).
  • Backup copies: May persist in encrypted backups for up to 90 days after deletion from production systems.

9. International Data Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). If we transfer your data outside the EEA, we ensure adequate protection through one or more of the following mechanisms:

  • EU adequacy decisions (Art. 45 GDPR).
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR).
  • Binding Corporate Rules, where applicable.

You may request information about the specific safeguards applied to transfers of your data by contacting us.

10. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR. To exercise any of these rights, contact us at privacy@zeroshop.io. We will respond within 30 days.

Right of Access (Art. 15)

Request a copy of the personal data we hold about you and information about how it is processed.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Art. 17)

Request deletion of your personal data when it is no longer necessary, you withdraw consent, or processing is unlawful.

Right to Restriction (Art. 18)

Request restriction of processing in certain circumstances (e.g., while we verify accuracy of data you contest).

Right to Data Portability (Art. 20)

Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent (Art. 7(3))

Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

Right Not to Be Subject to Automated Decision-Making (Art. 22)

We do not currently make decisions based solely on automated processing that produce legal effects concerning you.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/SSL) and at rest.
  • Regular security assessments and vulnerability testing.
  • Access controls and authentication mechanisms.
  • Employee training on data protection.
  • Incident response procedures.

While we strive to protect your data, no method of transmission or storage is 100%% secure. We encourage you to use strong passwords and protect your account credentials.

12. Data Breach Procedures

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Bulgarian Commission for Personal Data Protection (CPDP) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR.
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 GDPR.
  • Document all breaches, including facts, effects, and remedial actions taken.

13. Children's Privacy

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@zeroshop.io.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes:

  • We will notify you via email and/or a prominent notice on the Platform at least 30 days before the changes take effect.
  • The "Last updated" date at the top of this page will be revised.
  • Where changes require consent under GDPR, we will seek your explicit consent before applying the new terms to your data.

15. Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

Commission for Personal Data Protection (CPDP)

Republic of Bulgaria

Website: www.cpdp.bg

You may also lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

16. Contact Information

For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact us at:

ZeroShop E-Commerce Ltd

VAT number: BG208879424

j.k. Mladost 2, bl. 262, Sofia, Republic of Bulgaria

Email: privacy@zeroshop.io

We aim to respond to all legitimate requests within 30 days. In exceptional circumstances, it may take us longer, in which case we will notify you and explain the reason for the delay.

We value your privacy

We use cookies for essential site functionality and, with your consent, analytics to understand how our platform is used. No personal data is shared with third parties. See our Privacy Policy for details.