Privacy Policy
How we collect, use, and protect your personal data — covering GDPR, UK GDPR and CCPA.
Last updated: June 2025
1. Who we are
Data Controller: ARFA ES LTD · UIC 205173951 · 3 eng. Stoimen Sarafov Str., Sofia, Bulgaria · pambiotic@arfa7.com · +359 877 900 982.
This Privacy Policy describes how Pambiotic / ARFA ES LTD ("we", "us", "our") collects, uses, and shares your personal data when you visit our website (the "Site"), make a purchase, or sign up for our marketing communications.
2. What personal data we collect
When you place an order
- Name, email address, telephone number
- Billing and shipping address
- Payment information (processed securely by Shopify Payments / Stripe — we do not store card details)
- Order history and purchase behaviour
- IP address and device / browser information
When you sign up for marketing
- Email address
- Preferences indicated through quiz responses or form submissions
- Engagement data (email opens, clicks)
When you browse the Site
- Cookies and tracking data (see our Cookie Policy)
- Pages visited, time on site, referral source
- Device type, operating system, browser
3. How we use your personal data
We process your personal data on the following legal bases under the GDPR / UK GDPR:
- Performance of a contract — to process and fulfil your order, and to send order confirmations and shipping updates.
- Consent — to send marketing emails (welcome series, promotions) to subscribers who have opted in.
- Legitimate interests — to personalise email content based on purchase history, improve our website and products through analytics, and for fraud prevention and site security.
- Legal obligation — to comply with tax, accounting and customs record-keeping requirements.
4. Who we share your data with
We do not sell your personal data. We share it only with trusted service providers who help us operate our business:
- Shopify Inc. — e-commerce platform and payment processing (Canada / USA)
- Klaviyo Inc. — email marketing platform (USA)
- Recharge Payments — subscription management (USA)
- Judge.me — product review platform (Canada)
- Shipping carriers — postal / courier services for fulfilment (Bulgarian Post, Royal Mail, USPS and local delivery partners)
- Google Analytics / Meta Pixel — website analytics and advertising (only where you have consented to marketing cookies)
All third-party processors are bound by data processing agreements and required to protect your data in accordance with applicable law. Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place (Standard Contractual Clauses, adequacy decisions, or equivalent).
5. How long we keep your data
- Order records: 7 years (required for EU / Bulgarian tax law compliance)
- Marketing preferences and email data: until you unsubscribe or request deletion
- Website analytics data: up to 26 months
- Customer account data: for the lifetime of your account, plus 2 years after last activity
6. Your rights
Depending on your location, you have the following rights regarding your personal data.
EU and UK residents (GDPR / UK GDPR)
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to restrict processing — ask us to limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — withdraw marketing consent at any time without affecting past processing
California residents (CCPA)
- Right to know what personal information we collect and how it is used
- Right to delete personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your privacy rights
To exercise any of these rights, contact us at pambiotic@arfa7.com. We will respond within 30 days (EU / UK) or 45 days (California). We may need to verify your identity before processing your request.
EU and UK residents also have the right to lodge a complaint with their local supervisory authority. In Bulgaria: Commission for Personal Data Protection (CPDP), cpdp.bg. In the UK: Information Commissioner's Office (ICO), ico.org.uk.
7. Cookies
We use cookies and similar tracking technologies to operate the Site, analyse traffic, and (with your consent) serve personalised advertising. You can manage your preferences at any time using the cookie banner on our website. The categories we use are:
- Strictly necessary — shopping cart, login session, security (no consent required)
- Functional — remembering preferences and language (no consent required)
- Analytics — site performance via Google Analytics (consent required in EU / UK)
- Marketing — retargeting via Meta Pixel and Google Ads (consent required in EU / UK)
For full detail, see our Cookie Policy.
8. Children's privacy
Our Site and products are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, please contact us immediately at pambiotic@arfa7.com.
9. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email (if you are a customer or subscriber) and by updating the "Last updated" date above. Continued use of the Site after any changes constitutes acceptance of the updated policy.
10. Contact
For any privacy-related questions, data requests, or concerns:
ARFA ES LTD · 3 eng. Stoimen Sarafov Str., Sofia, Bulgaria
Email: pambiotic@arfa7.com · Tel: +359 877 900 982