Privacy policy

PRIVACY POLICY

Last updated: May 2026

VelitFit Ltd. (ВелитФит ЕООД) operates the website and online store velit.fit. This policy describes how we collect, use, and protect your personal data.

1. Data Controller

VelitFit Ltd. (ВелитФит ЕООД) Company Registration No.: BG208648905 Address: Sofia, Zapaden Park district, bl. 121, ent. V, fl. 3, apt. 9, Bulgaria Email: support@velit.fit

2. Data We Collect

Data you provide directly:

  • Full name
  • Email address
  • Phone number
  • Delivery and billing address
  • Payment details (processed securely by our payment provider — we do not store card numbers)
  • Messages and correspondence with us

Data collected automatically when you visit the site:

  • IP address, browser type, and device
  • Pages you visit and time spent on them
  • On-site actions (clicks, scrolling, adding items to cart)
  • Session recordings and heatmaps (only with your consent, via Microsoft Clarity)
  • Ad and conversion data (only with your consent, via Meta Pixel)

3. Legal Basis for Processing (GDPR)

We only process your data when we have a valid legal basis:

  • Contract — to process orders, arrange delivery, and issue invoices
  • Legal obligation — for accounting and tax compliance
  • Legitimate interest — for security and fraud prevention
  • Consent — for marketing, analytics cookies, and tracking tools (Meta Pixel, Microsoft Clarity)

4. How We Use Your Data

  • Processing, confirming, and fulfilling orders
  • Communicating with customers
  • Issuing invoices and meeting accounting obligations
  • Improving the website and user experience
  • Analysing visitor behaviour (consent required)
  • Personalised advertising and remarketing (consent required)
  • Fraud prevention and security

5. Third-Party Tools

Meta (Facebook) Pixel — ID: 2756571474677216

We use Meta Pixel to measure ad performance, build audiences, and run remarketing campaigns. The Pixel is activated only after your explicit consent. No data is collected without consent.

  • Data collected: hashed IP address, on-site behaviour, conversions
  • Data controller: Meta Platforms Ireland Ltd., Dublin, Ireland
  • Privacy policy: https://www.facebook.com/privacy/policy/
  • Cookies: _fbp (3 months), _fbc (2 years), fr (3 months)

Microsoft Clarity

We use Microsoft Clarity for session recordings, heatmaps, and behavioural analysis. It is activated only after your explicit consent. No data is collected without consent.

  • Data collected: on-site behaviour, clicks, scrolling (no names, emails, or direct identifiers)
  • Data is stored on Microsoft servers in the United States
  • Legal transfer basis: EU–US Data Privacy Framework (European Commission decision, July 2023)
  • Privacy policy: https://privacy.microsoft.com/
  • Cookies: _clck (1 year), _clsk (1 day), _clgs (session)

Shopify (Platform)

Our store is built on Shopify. Shopify acts as a data processor on our behalf under a Data Processing Agreement (DPA). Shopify is certified under the EU–US Data Privacy Framework.

  • Privacy policy: https://www.shopify.com/legal/privacy

6. Cookies

Strictly necessary cookies (no consent required — essential for the store to function):

  • _session_id — store session (Shopify, expires at end of session)
  • cart — shopping cart contents (Shopify, 2 weeks)
  • secure_customer_sig — customer authentication (Shopify)
  • storefront_digest — access protection (Shopify)

Analytics cookies (consent required):

  • _clck — visitor identifier for Clarity (Microsoft, 1 year)
  • _clsk — session linking for Clarity (Microsoft, 1 day)
  • _clgs — session data for Clarity (Microsoft, end of session)

Marketing cookies (consent required):

  • _fbp — Meta advertising identifier (Meta, 3 months)
  • _fbc — ad click tracking (Meta, 2 years)
  • fr — ad frequency control (Meta, 3 months)

Managing your cookie preferences: On your first visit, a cookie banner allows you to accept, decline, or customise your choices. You can change your preferences at any time using the cookie settings icon in the bottom-left corner of the site. Under Article 7(3) GDPR, you have the right to withdraw your consent at any time, as easily as you gave it.

7. Sharing Your Data

We share personal data only when necessary:

  • Shopify — hosting and order management (DPA in place)
  • Payment providers — to process payments
  • Courier companies — to fulfil deliveries
  • Meta Platforms — only when marketing consent has been given
  • Microsoft — only when analytics consent has been given
  • Competent authorities — only when required by law

We do not sell or rent your data to third parties for their own purposes.

8. International Data Transfers

Some of our providers process data outside the EU:

  • Shopify (Canada/USA) — EU–US Data Privacy Framework + Standard Contractual Clauses
  • Microsoft (USA) — EU–US Data Privacy Framework (EC decision, July 2023)
  • Meta (USA/Ireland) — EU–US Data Privacy Framework + Standard Contractual Clauses

9. Data Retention

  • Order and invoice data — 10 years (accounting legislation)
  • Customer account — until deletion or 3 years after last activity
  • Email correspondence — 3 years
  • Consent logs — 5 years
  • Microsoft Clarity sessions — up to 13 months (Microsoft policy)
  • Meta Pixel data — up to 180 days (Meta policy)

10. Your Rights

Under GDPR you have the following rights:

  • Right of access (Art. 15) — to receive a copy of the data we hold about you
  • Right to rectification (Art. 16) — to request correction of inaccurate data
  • Right to erasure (Art. 17) — the "right to be forgotten", under certain conditions
  • Right to restriction (Art. 18) — to limit how we process your data
  • Right to data portability (Art. 20) — to receive your data in a machine-readable format
  • Right to object (Art. 21) — to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — at any time, without affecting prior processing

To exercise your rights: support@velit.fit — we respond within 30 days.

Supervisory authority: Commission for Personal Data Protection (CPDP) 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria Website: https://www.cpdp.bg Email: kzld@cpdp.bg

11. Security

We apply the following measures to protect your data:

  • SSL/TLS encryption on all communications
  • Shopify PCI DSS Level 1 compliance for payments
  • Restricted access to personal data — authorised staff only
  • In the event of a data breach, we notify the CPDP within 72 hours (Art. 33 GDPR)

12. Children

Our services are not intended for persons under the age of 18. If we become aware that we have collected data from a child without parental consent, we will delete it immediately.

13. Changes to This Policy

We will notify you of any significant changes by email or via a notice on the site. The current version is always available on this page with the date of last update.

14. Contact

VelitFit Ltd. (ВелитФит ЕООД) Email: support@velit.fit Address: Sofia, Zapaden Park district, bl. 121, ent. V, fl. 3, apt. 9, Bulgaria