Privacy Policy

Privacy Policy

CPAPstore Ltd is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use CPAPstore.eu.

Last Updated 1 April 2026
Data Controller CPAPstore Ltd
GDPR Contact support@cpapstore.eu

We Do Not Sell Data

CPAPstore.eu does not sell personal information to third parties.

GDPR-Based Processing

Personal data is processed under GDPR and applicable Bulgarian data protection law.

Secure Operations

We use technical and organisational measures to help protect customer data.

1. Introduction

CPAPstore Ltd, hereinafter referred to as “CPAPstore.eu”, “the Company”, “we”, “us”, or “our”, is committed to protecting your personal data and respecting your privacy.

We do not sell personal information. We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679, also known as GDPR, and the Bulgarian Personal Data Protection Act.

Our mission is to provide a transparent, safe, and trustworthy shopping experience. This Privacy Policy explains how we collect, use, store, share, and protect your personal data, and what rights you have under applicable data protection laws.

For all data protection inquiries, please contact: support@cpapstore.eu

Back to top ↑

2. Company and Legal Information

Data Controller:

  • Company: CPAPstore Ltd
  • Company Registration No.: 202438857
  • Registered Office: 9 Tsar Boris III, 3rd Floor, Petrich 2850, Bulgaria
  • Operational Office and Warehouse: 135 Tsar Boris III Blvd., Sofia 1618, Bulgaria

Medical Devices Wholesale Trade Permit / Registration No.: BG/WDA/MD-0602 / 08.12.2022

Commission for Personal Data Protection Registration No.: 379685

CPAPstore Ltd is the owner and operator of CPAPstore.eu.

For order fulfilment and logistics purposes, certain activities may be handled by CPAPSTORE GP, 105 Sokratous Street, Kallithea 17672, Athens, Greece, acting strictly as a data processor under our instructions and control.

Back to top ↑

4. Information We Collect

We collect and process only the personal data necessary for legitimate business, customer service, legal, accounting, logistics, and regulatory purposes.

a) Identification and Contact Information

Full name, delivery address, billing address, phone number, email address, and any order notes or support details you provide voluntarily.

b) Financial and Billing Information

Payment method, invoice data, VAT number where applicable, transaction references, and billing information required for accounting and tax compliance.

c) Technical and Device Information

IP address, browser type and version, operating system, referral URL, pages visited, time of access, approximate location, preferred website language, and cookie preferences.

d) Communication and Interaction Data

Messages sent through contact forms, email, live chat, order communications, product support messages, transactional notifications, and customer service history.

e) Order Fulfilment Information

Product details, order history, delivery address, courier tracking number, order status, warranty information, and related fulfilment records stored securely in our order and ERP systems.

Back to top ↑

5. How We Use Your Personal Data

We use your personal data to:

  • Process, confirm, and deliver your orders.
  • Provide customer support, technical support, and after-sales assistance.
  • Send order confirmations, invoices, payment updates, and delivery updates.
  • Maintain traceability of medical devices where required under EU Regulation 2017/745 on medical devices.
  • Manage accounting, tax, audit, warranty, and legal documentation.
  • Contact customers by email or phone when order clarification is required.
  • Prevent fraud, misuse, unauthorised access, and security threats.
  • Improve our website, products, services, and customer experience.
  • Send newsletters or promotional emails only where you have opted in or where allowed by applicable law.
Back to top ↑

6. Data Retention

Customer account data is stored for as long as the account remains active or until deletion is requested, unless we are legally required to retain certain information.

Order, invoice, accounting, warranty, and medical device-related records may be retained for up to 10 years, where required for tax, accounting, legal, warranty, or medical device traceability purposes.

ERP data is securely hosted on Microsoft Azure Cloud servers, and encrypted backups may be maintained for disaster recovery, security, and business continuity purposes.

Inactive accounts may be deleted after a period of inactivity or upon verified request, provided that deletion does not conflict with legal retention obligations.

Some data cannot be deleted immediately if it must be retained for accounting, tax, warranty, fraud prevention, legal claims, or medical device traceability requirements.

Back to top ↑

7. Data Transfers and Third-Party Processors

We share personal data only with trusted processors and service providers necessary for business operations, order fulfilment, payment processing, customer communication, logistics, accounting, and website functionality.

Recipient / Partner Purpose of Processing Location
CPAPSTORE GP Order fulfilment and logistics support EU, Greece
Courier Companies, including DHL, UPS, FedEx, Speedy, Geniki and similar carriers Delivery of orders and shipment tracking EU and international
MailerLite Newsletter subscriptions, email campaigns, and marketing automation where consent applies EU, Lithuania
Aftersalespro.gr Order tracking, shipment updates, and after-sales communication EU, Greece
PayPal, Mollie, Stripe or other payment providers available at checkout Secure payment processing and transaction verification EU / EEA and, where applicable, international safeguards
FastComet Inc. Secure web hosting and website infrastructure Germany, EU
Accounting Office Tax, accounting, invoicing, and financial compliance Bulgaria
Microsoft Azure ERP hosting, secure storage, backups, and business continuity EU / EEA or regions configured by service agreement

Where required, third parties are bound by data processing agreements or equivalent confidentiality and data protection obligations.

Back to top ↑

8. Data Security

We apply technical and organisational security measures designed to protect personal data, including:

  • SSL encryption across CPAPstore.eu.
  • Firewalls and access control systems.
  • Limited internal access to authorised personnel only.
  • Secure hosting and infrastructure protection.
  • Encrypted backups stored for disaster recovery where applicable.
  • Internal security reviews and access management procedures.

Although no system is completely immune from risk, CPAPstore.eu takes reasonable measures to protect personal data against unauthorised access, alteration, disclosure, loss, misuse, or destruction.

Back to top ↑

9. Cookies, Analytics and Social Media

CPAPstore.eu uses cookies to ensure proper website functionality, improve user experience, analyse website performance, and support selected marketing and communication tools.

Cookies are managed through CookieYes, allowing visitors to accept, reject, or customise non-essential cookies.

We may use Google Analytics 4, Microsoft Clarity, Google Ads, Meta tools, MailerLite, and similar services depending on the user’s consent settings and website configuration.

We do not perform automated decision-making that produces legal or similarly significant effects for users.

Social Media and Third-Party Integrations

Our website and online store may include links to or integrations with Facebook, Instagram, TikTok, Pinterest, LinkedIn, YouTube, X, Google, and other platforms.

When you visit our social media pages or interact with embedded content, such as “Like”, “Follow”, videos, maps, or social widgets, these platforms may collect data about your interaction under their own privacy policies.

CPAPstore.eu does not control how these third-party platforms process your data after you interact with their services. Please review each platform’s privacy policy for more information.

For more details, please visit our Cookie Policy.

Back to top ↑

10. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR, subject to applicable legal conditions and limitations:

  • The right to access your personal data.
  • The right to request correction of inaccurate or incomplete personal data.
  • The right to request deletion of personal data, where legally possible.
  • The right to withdraw consent where processing is based on consent.
  • The right to request restriction of processing.
  • The right to object to processing based on legitimate interest.
  • The right to data portability, where applicable.
  • The right to lodge a complaint with a supervisory authority.

To exercise your rights, please contact us at support@cpapstore.eu.

For your protection, identity verification may be required before we process a data access, correction, deletion, portability, or objection request.

Back to top ↑

11. International Data Transfers

Some service providers, such as payment processors, analytics providers, advertising platforms, cloud providers, or communication tools, may process data outside the European Economic Area.

Where such transfers occur, CPAPstore.eu relies on appropriate safeguards, such as European Commission Standard Contractual Clauses, adequacy decisions, or other mechanisms recognised under GDPR Chapter V.

International transfers are limited to what is necessary for the relevant service and are handled with trusted processors or service providers.

Back to top ↑

12. Data Breach Notification

In the unlikely event of a personal data breach, CPAPstore.eu will assess the situation promptly.

Where required by GDPR, we will notify the Commission for Personal Data Protection and affected individuals in accordance with Articles 33 and 34 of the GDPR.

Back to top ↑

13. Changes to This Policy

CPAPstore.eu may update this Privacy Policy periodically to reflect legal, technical, operational, or service-related changes.

The latest version will always appear on this page with the effective date clearly stated.

If significant changes occur, registered users may be informed by email or through a notice on the website, where appropriate.

Back to top ↑

14. Governing Law and Supervisory Authority

This Privacy Policy is governed by the laws of Bulgaria and applicable European Union data protection law.

Supervisory Authority:

  • Commission for Personal Data Protection
  • 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
  • www.cpdp.bg
Back to top ↑

15. Contact Information

If you have any questions or concerns regarding this Privacy Policy or your personal data, please contact us:

  • Company: CPAPstore Ltd
  • Email: support@cpapstore.eu
  • General Contact: info@cpapstore.eu
  • Registered Office: 9 Tsar Boris III, 3rd Floor, Petrich 2850, Bulgaria
  • Operational Office and Warehouse: 135 Tsar Boris III Blvd., Sofia 1618, Bulgaria
  • Website: www.cpapstore.eu
Back to top ↑