1. Controller
Lacartelive Ltd. (Лакартелайв ООД) is the independent data controller under Article 4(7) GDPR and the Bulgarian Personal Data Protection Act.
- Name: Lacartelive Ltd.
- Reg. №: XXXXXXXXX
- Registered office: [city, address]
- E-mail: hello@lacarte.live
2. Data Protection Officer (DPO)
For data protection matters: DPO: [DPO name — to be filled], e-mail: hello@lacarte.live (subject "GDPR request").
3. Data we collect
3.1 Business customer (account owner) data
| Category | Specific data | Source |
|---|---|---|
| Identification | Name, e-mail, phone (optional), restaurant name | Registration form |
| Company details | Company name, reg. №, VAT ID, registered office, authorised representative | Provided by you before the first payment |
| Authentication | Password (hashed), Google OAuth ID, e-mail verification | Registration / login |
| Payments | Last 4 digits of card, billing address, transaction history | Stripe (PCI-DSS) — full card data never reaches our servers |
| Behaviour | IP, browser, OS, access time | Server logs |
| Support | Correspondence with our support team | E-mail / contact form |
3.2 Sub-user (Account Admin) data
Name, e-mail, position, access permissions, password (hashed), e-mail verification status.
3.3 End customer (menu visitor) data
Technical: anonymised IP, random device ID, browser language. Behavioural: dish views, anonymous ratings. Cookies: see Cookie Policy. End customers are not required to create an account or provide personal data to view a menu.
3.4 Online store buyer data
When ordering via the e-commerce module: name, phone, country, city, postal code, shipping address, optional note.
4. Purposes of processing
- Providing the service: registration, authentication, subscription management, AI content generation, notifications.
- Payment processing via Stripe.
- Communication: support, important service notifications.
- Analytics for service improvement.
- Marketing: only with your explicit consent.
- Legal compliance: tax/accounting, responding to authorities' requests.
- Protection of interests: fraud prevention, legal disputes.
5. Legal bases (Art. 6 GDPR)
| Basis | Applies to |
|---|---|
| Art. 6(1)(b) — performance of contract | Registration, subscription, e-commerce orders, core features |
| Art. 6(1)(a) — consent | Marketing e-mails, analytics/marketing cookies |
| Art. 6(1)(c) — legal obligation | Accounting records, invoicing |
| Art. 6(1)(f) — legitimate interest | Platform security, fraud prevention, basic analytics |
6. Retention periods
| Data type | Retention |
|---|---|
| Active accounts | Until the account is deleted, plus a 30-day grace period during which the data can be restored |
| Financial records (invoices, payments) | 10 years (Bulgarian Accounting Act, Art. 12) |
| Stripe payment records | Up to 7 years (Stripe terms) |
| Server logs | 12 months (security) |
| Anonymised menu analytics | 26 months (GA4 retention) |
| Support correspondence | 3 years after last contact |
| Consent logs | 3 years after withdrawal (GDPR Art. 7 evidentiary burden) |
| Marketing list | Until consent withdrawn |
7. Recipients and transfers
We do not sell personal data. We share data only with processors helping us deliver the service:
| Recipient | Purpose | Location | Safeguards |
|---|---|---|---|
| Google LLC (Firebase, Functions, Gemini AI, OAuth) | Hosting, auth, AI processing | US + EU region | Standard Contractual Clauses (SCCs), DPA |
| Stripe Payments Europe Ltd. | Payment processing | Ireland + US | PCI-DSS Level 1, SCCs |
| Resend Inc. | Transactional e-mail | US | SCCs, DPA |
| Namecheap (Email Forwarding) | Business e-mail | US | DPA |
| Google Analytics 4 / GTM / Facebook Pixel | Marketing analytics — only with consent | US | SCCs; IP anonymisation enabled |
Transfers outside the EEA take place under European Commission-approved Standard Contractual Clauses and/or supplementary technical safeguards.
8. Data security
We apply technical and organisational measures including: encryption in transit (TLS 1.2+) and at rest; PBKDF2 password hashing; multi-factor authentication for administrative accounts; least-privilege access; regular audits and dependency updates; logging of access to sensitive data; incident response procedures. If a personal data breach occurs, we will notify the supervisory authority within 72 hours of becoming aware of it (Art. 33 GDPR) and, where the breach is likely to result in a high risk to your rights and freedoms, notify you without undue delay (Art. 34 GDPR).
9. Your GDPR rights
Subject to applicable conditions you have the rights to: access (Art. 15), rectification (Art. 16), erasure / "right to be forgotten" (Art. 17), restriction (Art. 18), portability in JSON format (Art. 20), objection to processing based on legitimate interest (Art. 21), withdrawal of consent at any time, and not to be subject to fully automated decisions (Art. 22) — we do not make such decisions with significant effect.
Exercise these rights via the OwnerView → Settings → "Data protection" panel (export and deletion) or by e-mailing hello@lacarte.live with the subject "GDPR request". We respond within one month; for complex or numerous requests this may be extended by up to two further months, in which case we will inform you of the extension within the first month (Art. 12(3) GDPR). Requests are free of charge unless they are manifestly unfounded or excessive.
10. Cookies
See our Cookie Policy. You can manage your consent at any time via the banner or the "Manage cookies" link in the footer.
11. Children's data
The Platform targets business customers and is not intended for persons under 18. We do not knowingly collect data from children. If we discover that such data has been collected, we will delete it promptly.
12. Policy changes
We may update this Policy periodically. For material changes we will notify active users by e-mail or in-platform notice at least 14 days before the change takes effect.
13. Complaints
If you believe processing of your data violates GDPR you have the right to lodge a complaint with the Bulgarian Personal Data Protection Commission (KZLD), 2 Tsvetan Lazarov Blvd., 1592 Sofia; e-mail kzld@cpdp.bg; www.cpdp.bg. We encourage you to contact us first so we can try to resolve the matter.