Privacy Policy

Privacy Policy and Personal Data Protection

Vessy Mineva Make up Artist Last updated: March 2026

1. Who processes your personal data

Data controllers within the meaning of Regulation (EU) 2016/679 (GDPR) are:

ETA - Zheleva (hereinafter “the Company”), UIC: 203271507 registered address: Sofia 1113, Izgrev, 20 Rayko Aleksiev St, phone: +359 887 291 461, e-mail: vessy.mineva@gmail.com

Together referred to as “I”, “we”, or “the Controller”.

Depending on the specific service and work organisation, your data may be processed:

  • directly by me as a natural person — professional makeup artist; and/or
  • by ETA “Zheleva” as a joint controller when services are provided through the company (e.g., invoicing, accounting, studio management, etc.).

This policy describes how we collect, use, store, and protect personal data of:

  • clients and potential clients;
  • visitors to the website www.vessymineva.com;
  • individuals who communicate with us by phone, email, social media, and messaging apps.

2. What personal data we collect

Depending on how you contact me and the services you use, I may process the following categories of personal data:

Identification data

  • first and last name;
  • username on social media/messaging apps;
  • age (if needed to assess whether you are a minor).

Contact data

  • phone number;
  • email address;
  • profile(s) on social media / messaging apps (Viber, WhatsApp, Messenger, Telegram, etc.).

Booking and service data

  • desired date and time for makeup;
  • type of service (wedding makeup, evening makeup, trial makeup, etc.);
  • service location (studio, client’s address, event venue);
  • additional notes and requirements (e.g., preferred style, special considerations).

Health information and allergies (sensitive data)

  • data about allergies to cosmetic products or ingredients;
  • data about skin conditions, reactions, or other relevant health considerations that affect product selection and safe service delivery.

These data are considered special categories of personal data and are processed only with your explicit consent and only to the extent necessary for safe service delivery.

Photos and video

  • taken before/during/after makeup for portfolio, social media, advertising, etc.
  • These are never published without separate explicit consent, unless fully anonymised (e.g., the face is not visible and identification is not possible).

Correspondence and feedback data

  • content of correspondence by phone, email, social media, or messaging apps;
  • complaints, enquiries, compliments, and other feedback;
  • reviews/testimonials that you voluntarily publish or send.

Payment and accounting data (if applicable)

  • data on issued invoices — name, address, personal ID/UIC (where required by law);
  • information about payments made (payment type, date, amount).

Note: I do not store bank card data when payment is made through an external payment operator — such data is processed by the respective payment service provider.

We process your personal data only when we have a valid legal basis under GDPR:

To respond to enquiries and book appointments

  • to identify you and communicate with you;
  • to offer an appropriate service and confirm a booking.

Legal basis: performance of a contract or steps at your request prior to entering into a contract (Art. 6(1)(b) GDPR); our legitimate interest in responding to received enquiries (Art. 6(1)(f) GDPR).

To perform the agreed service (makeup)

  • to deliver the service in the best and safest way;
  • to inform you of changes/cancellations of appointments.

Legal basis: performance of a service contract (Art. 6(1)(b) GDPR).

To process health information and allergies

  • to assess which products are safe for you;
  • to avoid health risks (allergic reaction, irritation, etc.).

Legal basis: your explicit consent for processing special categories of personal data (Art. 9(2)(a) GDPR). You can withdraw consent at any time, but this may mean I cannot perform the service under safe conditions.

For invoicing, accounting, and compliance with legal obligations

  • issuing receipts and invoices;
  • maintaining accounting records and storing documents as required by law;
  • fulfilling tax and other regulatory obligations.

Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).

To protect rights and legitimate interests

  • to protect legitimate interests in case of disputes, complaints, judicial, or administrative proceedings;
  • to prevent misuse.

Legal basis: our legitimate interest (Art. 6(1)(f) GDPR).

For marketing, portfolio, and social media (optional)

  • sending information about new services, promotions, and offers by e-mail, phone, or messaging apps;
  • publishing makeup photos/videos (portfolio on website, social media, advertising materials).

Legal basis: your prior consent (Art. 6(1)(a) GDPR). Marketing communications and publishing photos with a recognisable face are only done if you have voluntarily given consent, which you can withdraw at any time without negative consequences for the service itself.

To improve services and statistics

  • analysis of most-used services;
  • improving work organisation and customer service.

Where possible, we use aggregated and anonymised data that do not allow identification.

4. Processing data of minors

Makeup services are typically aimed at persons aged 14 and over. If you are under 14 years of age, we process your personal data only with the explicit consent of a parent/guardian, in accordance with Art. 8 of Regulation (EU) 2016/679 and applicable Bulgarian law.

For health data and photos of persons under 18, written or clearly documented consent from a parent/guardian is always required.

5. Communication by phone, email, and messaging apps

Phone and email

When you contact me by phone or email, I process data such as: name, phone number, email address, and the content of the enquiry/correspondence. The purpose is to answer your question, offer a service, or make or change a booking.

Legal basis: performance of a contract or pre-contractual steps and our legitimate interest in communicating with clients.

Messaging apps (Viber, WhatsApp, Messenger, Telegram)

For client convenience, I use the following messaging apps for enquiries and bookings: Viber, WhatsApp, Facebook Messenger, and Telegram.

When you contact me this way, I process personal data such as name, profile information, phone number, and message content, in order to respond to your enquiry, offer information about a service, and confirm, change, or cancel an appointment.

Legal basis: performance of a contract or pre-contractual steps, and legitimate interest in communicating with clients through their preferred channel.

Viber, WhatsApp, Facebook (Messenger), and Telegram are separate data controllers and process information according to their own privacy policies, including through servers outside the EU. I have no control over these platforms.

I recommend not sending sensitive personal data such as medical documents or detailed health information through messaging apps. If you do share information about allergies or skin reactions, I will use it solely for the purpose of safe service delivery.

6. Who has access to your personal data

Access to your personal data is limited to:

  • Me and, where applicable, the team/representatives of ETA “Zheleva” who are directly involved in providing the service and are bound by confidentiality.
  • External service providers (data processors), e.g.: website hosting and maintenance provider; accounting firm/accountant; online booking software providers; email service providers. We enter into data processing agreements with these parties.
  • State authorities, where required by law (e.g., NRA, courts, law enforcement agencies).

We do not sell or provide your personal data to third parties for their own marketing purposes.

7. Data transfers outside the EU/EEA

We generally strive to process and store personal data within the European Union/European Economic Area (EU/EEA).

However, some services we use (e.g., certain messaging apps, email, or hosting providers) may transfer data to countries outside the EU/EEA. In such cases, we use providers that apply the necessary safeguards under GDPR (e.g., standard contractual clauses, additional technical measures), or the transfer is based on your explicit informed consent where necessary.

8. Data retention periods

We store personal data only for the period necessary for the purposes for which they were collected, or longer where required by law:

  • Booking and correspondence data — up to 1 year after our last contact, unless longer retention is needed for the protection of legal claims.
  • Data on services provided and contractual relations — until the expiry of the general limitation period for potential claims (typically up to 5 years after the end of the relationship).
  • Accounting documents (invoices, payment documents, etc.) — in accordance with Bulgarian accounting and tax law requirements — currently typically up to 10 years.
  • Health information and allergies — for the shortest period strictly necessary for safe service delivery: for one-time services — typically up to 1 month after the service; for regular clients — as long as necessary for safe service delivery or until consent is withdrawn.
  • Photos and video for portfolio/marketing — until the given consent is withdrawn or upon your request for deletion.

After the respective periods expire, data is securely deleted or anonymised.

9. Your rights as a data subject

Under GDPR, you have the following rights regarding your personal data:

  • Right of access — to receive confirmation whether we process your personal data and to obtain a copy.
  • Right to rectification — to request correction of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) — to request deletion of personal data when they are no longer needed, you withdraw consent, or data has been unlawfully processed. This right is not absolute — exceptions exist where the law requires retention.
  • Right to restriction of processing — in certain cases, you can request temporary suspension or restriction of processing.
  • Right to data portability — to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to object — to object to processing based on our legitimate interest. We will then cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent — where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.
  • Right to lodge a complaint with the supervisory authority — Commission for Personal Data Protection (CPDP).

10. How to exercise your rights

You can exercise your rights by contacting us:

We may request additional information to verify your identity where necessary to protect your data. We will respond within 1 month of receiving the request; for complex or numerous requests, the period may be extended by up to 2 additional months.

11. Data security

We apply appropriate technical and organisational security measures to protect personal data from unauthorised access, accidental loss, destruction or damage, and unlawful disclosure.

Such measures include: restricted data access only to persons with a business need; use of secure devices and software (passwords, encryption, antivirus protection); periodic backups and access control for social media/messaging accounts.

In the event of a suspected security breach affecting your data, we will take the necessary actions under GDPR, including notifying the competent authority and, where needed, the affected individuals.

12. Website and technical data

The website www.vessymineva.com does not use tracking cookies, analytics scripts, or marketing trackers. We do not automatically collect personal data when you visit the site.

The contact page includes an embedded Google Maps widget. When the map loads, Google may process technical data (IP address, device type) according to its own privacy policy. The embedding uses loading="lazy", so the map only loads when you scroll to it.

Social media platforms (Instagram, Facebook, TikTok) linked from our site are separate data controllers. When you click these links, the respective platform may process data according to its own rules.

13. Automated decision-making and profiling

We do not use your personal data for automated decision-making, including profiling, that produces legal effects concerning you or significantly affects you.

14. Complaints to the supervisory authority

If you believe that the processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with:

Commission for Personal Data Protection (CPDP) Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd. Website: https://www.cpdp.bg E-mail: kzld@cpdp.bg Phone: +359 2 915 3 518

Of course, you are always welcome to contact me first so we can try to resolve the matter quickly and amicably.

15. Changes to this policy

I may periodically update this Privacy Policy to reflect changes in activities or services, changes in legislation, and new data protection technologies or practices.

The updated version will always be published on this website with the date of last update noted.