Privacy Policy


This Privacy Policy aims to inform you in a clear and understandable way how "ECOPHARM" Ltd. (the “Company”) collects, uses, stores and protects your personal data in accordance with the applicable legislation, including Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and the Personal Data Protection Act. We respect your privacy and are committed to ensuring a high level of protection for the personal information you provide through our website, contact forms, adverse drug reaction reporting forms, or other communication with us. Please read this policy carefully to understand:

  • ➟ what personal data we collect;
  • ➟ for what purposes we process it;
  • ➟ the legal basis for processing;
  • ➟ how long we store it;
  • ➟ to whom it may be disclosed;
  • ➟ your rights as a data subject;
  • ➟ how you can contact us regarding personal data protection.
By using this website and providing us with personal data, you confirm that you are aware of this Privacy Policy.

Data Controller

The personal data controller is: ECOPHARM Ltd. Company ID (UIC): 130390055 Address: Sofia 1407, Lozenets district, 29 Atanas Dukov Str., Floor 3 Email: privacyteam@ecopharm.bg For questions regarding personal data processing you may contact us at the email address above.

What Personal Data Do We Collect?

Our website collects personal data only when it is voluntarily provided by you through the available communication forms. We do not require user account registration, we do not offer newsletter subscriptions and we do not perform automated profiling or behavioral tracking beyond what is necessary for the normal functioning of the website. Personal data may be collected through the following forms:

Contact Form When using the contact form you provide your name and email address. This information is used solely to respond to your inquiry, establish communication and, if necessary, request additional information related to your request. The data is not used for marketing purposes and is not shared with third parties except where required by law.

Adverse Drug Reaction Reporting Form In accordance with pharmacovigilance regulatory requirements, the adverse drug reaction reporting form may collect personal data such as name, address, email address and telephone number. This information is necessary for processing and validating the report, establishing contact if additional information is required, and fulfilling the company’s legal obligations related to medicinal product safety. The provided information is processed in accordance with the principles of lawfulness, fairness and transparency, ensuring confidentiality and protection against unauthorized access, disclosure or misuse. Except for the cases explicitly described above, we do not collect other personal data through the website nor use the provided information for purposes different from those stated in this policy.

Purpose of Processing

The personal data provided through the website is processed only for specific, explicit and legitimate purposes. The main objective is to ensure effective communication with users and lawful fulfillment of the company’s obligations. When personal data is submitted through the contact form, it is used to review the inquiry and provide a response. If necessary, the data may be used for additional communication in order to clarify the provided information. When submitting an adverse drug reaction report, personal data is processed for the purpose of reviewing and analyzing the information, evaluating the safety of the medicinal product and fulfilling obligations under pharmacovigilance legislation. In some cases additional contact with the reporter may be necessary in order to obtain further information required for proper processing of the report. The personal data provided is not used for marketing purposes, including sending advertising messages, newsletters or commercial offers.

Personal data processing is carried out only when a valid legal basis exists in accordance with applicable data protection legislation. When personal data is provided through the contact form, processing is based on the data subject’s request expressed through the voluntary submission of the inquiry. In the case of adverse drug reaction reports, the legal basis is the fulfillment of legal obligations arising from pharmaceutical legislation and pharmacovigilance regulations. In certain cases processing may also be based on the legitimate interest of the company to ensure product safety, analyze received information and take necessary measures. In all cases processing is carried out in accordance with the principles of lawfulness, fairness, transparency and data minimization.

Personal Data Retention Period

Personal data is stored for a period necessary to achieve the purposes for which it was collected, unless applicable legislation requires or allows a longer retention period. Data provided through the contact form is stored for up to 12 months after the completion of the corresponding communication unless there is a legal basis for longer retention. This period is defined in order to allow subsequent reference or additional communication related to the same inquiry.
Data submitted through the adverse drug reaction reporting form is stored in accordance with the applicable regulatory requirements in the field of pharmacovigilance and medicinal products. In certain cases legislation may require longer retention periods for the purposes of traceability, analysis and ensuring product safety. Where no specific statutory retention period exists, the data is stored for the time necessary to review, analyze and properly document the report.
After the expiration of the applicable retention period, personal data is deleted or anonymized in a manner that does not allow identification of the individual.

Disclosure of Personal Data to Third Parties

The Company does not sell, rent or provide personal data to third parties for commercial or marketing purposes. Personal data may only be disclosed in limited cases where this is necessary and lawful.
Such cases include disclosure where there is an explicit legal obligation or upon request by competent public authorities within their legal powers. Personal data may also be provided to external service providers, including hosting or technical support providers, who process data on behalf of the Company. In such cases it is ensured that the processing is carried out in compliance with applicable data protection requirements and subject to contractual guarantees for confidentiality and security.
In all cases personal data is disclosed in accordance with the principle of data minimization and only to the extent necessary for the respective purpose.

Security Measures

The Company applies appropriate technical and organizational measures to protect personal data against unauthorized access, unlawful disclosure, loss, destruction or alteration. The implemented measures include SSL encryption when transferring data through the website, restricted access to administrative panels and information systems, protection of the server infrastructure through modern security tools, and controlled access to submitted reports and messages. Access to personal data is granted only to persons for whom such access is necessary for the performance of their professional duties and who are bound by confidentiality obligations. Security measures are periodically reviewed and updated in order to maintain an adequate level of protection in accordance with technological development and regulatory requirements.

Rights of Data Subjects

In accordance with applicable legislation, every individual whose personal data is processed has certain rights. These include the right of access to personal data, the right to rectification of inaccurate or incomplete data, and the right to erasure where the legal conditions are met.
Data subjects also have the right to request restriction of processing, to object to processing in certain circumstances, and to exercise other rights provided by applicable legislation. If you believe that the processing of your personal data violates applicable rules, you have the right to lodge a complaint with the competent supervisory authority.

In the Republic of Bulgaria the competent supervisory authority is the Commission for Personal Data Protection, address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., email: kzld@cpdp.bg
To exercise your rights or for questions related to personal data processing, you may contact us at: privacyteam@ecopharm.bg

Changes to the Privacy Policy

This Privacy Policy may be updated in case of changes in applicable legislation, the methods of processing personal data or the structure and activities of the Company. In case of any substantial change, the updated version of the policy will be published on this page and will indicate the date of the latest update. We recommend periodically reviewing this page in order to stay informed about how we protect your personal data.
Last updated: 01.01.2026