Privacy Policy
Last updated: 3 July 2026
This privacy notice for Concept-X EOOD (doing business as Kraken MX-5) (“we”, “us”, or “our”), describes how and why we might collect, store, use, and/or share (“process”) your information when you use our services (“Services”), such as when you visit our website at kraken-mx5.eu.
Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have questions or concerns, please contact us at [email protected].
1. What information do we collect?
1.1 Personal information you disclose to us
In Short: We collect personal information that you voluntarily provide to us.
We collect personal information that you voluntarily provide to us when you make a purchase, register an account, express an interest in obtaining information about us or our products, or otherwise contact us.
Personal information provided by you. The personal information we collect depends on the context of your interactions with us and the Site, the choices you make, and the products and features you use. The personal information we collect may include the following:
- Names
- Email addresses
- Phone numbers
- Mailing addresses (billing and shipping)
- Payment data (card numbers are processed by Stripe or PayPal — we do not store full card details)
- Order history and transaction data
- Contact or authentication data
All personal information that you provide to us must be true, complete, and accurate. You must notify us of any changes to such personal information.
1.2 Information automatically collected
In Short:Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Site.
We automatically collect certain information when you visit, use, or navigate the Site. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as:
- Log and usage data— IP addresses, browser type and version, operating system, referring/exit URLs, date/time stamps, pages viewed, links clicked, and search queries
- Device data— hardware model, operating system, unique device identifiers, and browser information
- Location data— IP-based geolocation (city/country level) for tax calculation purposes (VAT determination)
- Analytics data— we use a self-hosted, privacy-focused analytics tool to collect anonymised usage statistics. Our analytics solution does not use cookies and does not collect personally identifiable information.
1.3 Payment information
We use Stripe and PayPal to process payments. When you make a purchase, your payment card details are provided directly to the relevant payment processor and are not stored on our servers. We only share the information necessary for them to complete your transaction — we do not share your data with them for marketing or any other purpose.
These processors are independent data controllers in their own right. We do not control how they collect, store, or use information they hold about you beyond what is needed to process your payment. We encourage you to review their privacy policies:
- Stripe: stripe.com/privacy
- PayPal: paypal.com/privacy
2. How do we process your information?
In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.
We process your personal information for a variety of reasons, depending on how you interact with our Services, including:
- To fulfil and manage your orders. We process your information to fulfil and manage orders, payments, returns, and exchanges made through the Site.
- To deliver products to you. We process your information to provide shipping services, including address validation, customs declarations, and delivery tracking.
- To send you transactional communications. We may send you order confirmations, shipping updates, refund notifications, review requests, and account-related information via our email service provider.
- To manage user accounts. We process your information to manage your account and keep it in working order.
- To respond to enquiries and provide support. We process your information to respond to your enquiries and resolve any potential issues with our Services.
- To calculate and apply VAT. We process your location data to determine the correct VAT rate for your jurisdiction.
- To protect our Services. We process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
- To evaluate and improve our Services. We may process your information to understand how our Site is used (via anonymised analytics) and to improve our product offering.
- To comply with legal obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as tax reporting.
3. What legal bases do we rely on to process your information?
3.1 If you are in the EU or EEA
The General Data Protection Regulation (GDPR) requires us to explain the valid legal bases we rely on to process your personal information. We may rely on the following legal bases:
- Consent. We may process your information if you have given us specific consent to use your personal information for a specific purpose. You may withdraw your consent at any time.
- Performance of a contract. We may process your personal information when we believe it is necessary to fulfil our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
- Legitimate interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms.
- Legal obligations. We may process your information where we believe it is necessary for compliance with our legal obligations.
- Vital interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party.
3.2 If you are in the UK
The UK GDPR applies. The legal bases are the same as those outlined above for the EU/EEA.
3.3 If you are in Switzerland
The Swiss Federal Data Protection Act (revDSG) applies. The legal bases are equivalent to those under EU GDPR as outlined above.
3.4 If you are in Canada
We may process your information if you have given us specific permission (i.e. express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e. implied consent). You may withdraw your consent at any time.
In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including:
- If collection is clearly in the interests of an individual and consent cannot be obtained in a timely way
- For investigations and fraud detection and prevention
- For business transactions provided certain conditions are met
- If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records
- If the information is publicly available and specified by regulation
4. When and with whom do we share your information?
In Short: We may share information in specific situations described in this section and/or with the following categories of third parties.
Service providers. We may share your information with third-party service providers who perform services on our behalf. We only share the minimum information necessary for each provider to deliver its service. We do not share your personal information with service providers for marketing purposes or any purpose unrelated to the service they provide to us.
| Category | Purpose |
|---|---|
| Payment processing (Stripe, PayPal) | Processing card payments securely |
| Email delivery | Sending transactional emails (order confirmations, shipping notifications) |
| Shipping & fulfilment | Delivering products, address validation, customs processing, tracking |
| Cloud storage | Storing product images and media files |
| CDN and infrastructure | Content delivery, security, and performance optimisation |
| Analytics (self-hosted) | Anonymised website usage statistics |
These service providers may be independent data controllers for data they process. While we require them to protect your information, we cannot control how they handle data they independently hold about you. We encourage you to review the privacy policies of any third-party service you interact with through our Site.
Business transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
Legal requirements. We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process.
Vital interests and legal rights. We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person, or as evidence in litigation in which we are involved.
5. Do we use cookies and other tracking technologies?
In Short: We use minimal tracking. Our analytics solution does not use cookies.
Essential cookies: We use strictly necessary cookies to maintain your shopping cart, session, and authentication state. These cookies are required for the Site to function and cannot be switched off.
Analytics: We use a self-hosted, privacy-focused analytics tool that does not use cookies, does not track users across websites, and does not collect personally identifiable information. All data is anonymised and aggregated.
Session recording (with your consent):If you allow it in our consent banner, we record an anonymised sample of browsing sessions to diagnose usability problems on the Site. Everything you type is masked in your browser before it is sent, and payment card details are entered inside our payment provider’s own secure frame, which cannot be recorded. Recordings are limited to five minutes, are stored on our own infrastructure, and are used solely to improve the Site. You can withdraw consent at any time via the cookie preferences.
No marketing cookies: We do not use marketing, advertising, or third-party tracking cookies.
You can set your browser to refuse all or some cookies. If you disable or refuse essential cookies, some parts of the Site (such as the shopping cart) may not function properly.
6. How long do we keep your information?
In Short: We keep your information for as long as necessary to fulfil the purposes outlined in this privacy notice unless otherwise required by law.
Specifically:
- Account information: retained for as long as your account is active, and up to 1 year after last interaction if your account becomes inactive
- Order and transaction data: retained for 7 years as required by Bulgarian tax and accounting law
- Shipping records: retained for 7 years as required by customs and VAT regulations
- Analytics data:anonymised and aggregated — no personally identifiable information is retained
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
7. How do we keep your information safe?
In Short: We aim to protect your personal information through a system of organisational and technical security measures.
We have implemented appropriate and reasonable technical and organisational security measures designed to protect the security of any personal information we process. These include:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Payment card data handled exclusively by PCI DSS Level 1 compliant payment processors (Stripe, PayPal)
- Access controls to restrict unauthorised access to personal data
- Regular security updates to our systems
However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. We cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.
8. Do we collect information from minors?
In Short: We do not knowingly collect data from or market to children under 18 years of age.
We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services.
If we learn that personal information from users less than 18 years of age has been collected, we will take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at [email protected].
9. What are your privacy rights?
9.1 Rights for EU/EEA/UK/Swiss residents (GDPR)
If you are a resident of the European Economic Area, the United Kingdom, or Switzerland, you have the following data protection rights:
- Right of access— You can request copies of your personal data.
- Right to rectification— You can request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
- Right to erasure— You can request that we erase your personal data, under certain conditions.
- Right to restrict processing— You can request that we restrict the processing of your personal data, under certain conditions.
- Right to data portability— You can request that we transfer the data we have collected to another organisation, or directly to you, under certain conditions.
- Right to object— You can object to our processing of your personal data, under certain conditions.
- Right to withdraw consent— Where we rely on your consent to process your personal information, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing carried out before the withdrawal.
If you wish to exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month.
If you believe we are unlawfully processing your personal information, you have the right to lodge a complaint with your local data protection supervisory authority. For Bulgaria, this is the Commission for Personal Data Protection (CPDP). For the UK, this is the Information Commissioner's Office (ICO).
9.2 Marketing opt-out
You can unsubscribe from our marketing and promotional communications at any time by clicking the unsubscribe link in our emails or by contacting us at [email protected]. You will still receive transactional communications related to your orders.
9.3 Account information
If you would at any time like to review or change the information in your account, you can log in to your account settings and update your personal information, or contact us to request changes.
10. Do-Not-Track features
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected.
We respect DNT signals. If your browser sends a Do-Not-Track request, our analytics will not collect any data from your visit. You may also opt out of analytics tracking via the option in our website footer.
11. California residents — your privacy rights (CCPA)
In Short: If you are a resident of California, you are granted specific rights regarding access to your personal information.
11.1 Categories of personal information collected
We have collected the following categories of personal information in the past twelve (12) months:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email address, postal address, IP address | Yes |
| California Customer Records | Name, address, telephone number, payment information | Yes |
| Commercial information | Transaction history, products purchased | Yes |
| Internet or similar network activity | Browsing history, interaction with our Site | Yes (anonymised) |
| Geolocation data | Country/region (IP-based, for VAT calculation) | Yes |
11.2 Sale of personal information
We have not sold any personal information to third parties for business or commercial purposes in the preceding twelve (12) months. We will not sell personal information in the future belonging to Site visitors, users, or other consumers.
11.3 Your rights under the CCPA
- Request deletion of your personal data
- Request disclosure of what personal data has been collected
- Request disclosure of what personal data has been sold or disclosed for a business purpose
- Opt out of the sale of personal information (we do not sell personal data)
- Non-discrimination for exercising your privacy rights
11.4 How to exercise your rights
To exercise any of these rights, please contact us at [email protected]. Upon receiving your request, we will need to verify your identity. We will respond to a verifiable consumer request within forty-five (45) days of its receipt.
12. Virginia residents — your privacy rights (VCDPA)
Under the Virginia Consumer Data Protection Act (VCDPA), “consumer” means a natural person who is a resident of the Commonwealth of Virginia acting only in an individual or household context.
12.1 Your rights
- Right to confirm whether we are processing your personal data
- Right to access your personal data
- Right to correct inaccuracies in your personal data
- Right to request deletion of your personal data
- Right to obtain a copy of your personal data in a portable, readily usable format
- Right to opt out of the processing of your personal data for purposes of targeted advertising, sale of personal data, or profiling
12.2 Sale of personal data
We have not sold any personal data to third parties for business or commercial purposes. We do not process personal data for the purposes of targeted advertising.
12.3 Right to appeal
If we decline to take action regarding your request, you may appeal our decision by emailing us at [email protected]. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal.
13. Canadian residents — your privacy rights (PIPEDA)
If you are a resident of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) grants you certain rights with respect to your personal information.
- Right to be informed of the existence, use, and disclosure of your personal information
- Right to access your personal information held by us
- Right to challenge the accuracy and completeness of your personal information and have it amended as appropriate
- Right to withdraw consent to the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions)
To exercise your rights, contact us at [email protected]. We will respond within thirty (30) days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner of Canada.
14. International data transfers
Our company is registered in the European Union and our servers are located within the EU. Your personal data is primarily stored and processed within the EU.
However, some of the third-party service providers we use are headquartered outside the EU — including our payment processors (Stripe and PayPal), which are US-based companies, and our content delivery and infrastructure provider. These providers may process your data in the EU, the United States, or other jurisdictions. We do not control where these providers store or process data they hold, but each maintains appropriate data protection agreements.
Where personal data is transferred to countries outside the EEA/UK that have not been deemed to provide an adequate level of data protection, we and our service providers rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The UK International Data Transfer Agreement or Addendum (for UK transfers)
- EU-US Data Privacy Framework certification (where applicable)
- Other lawful transfer mechanisms as applicable
If you are a resident of the European Economic Area (EEA), United Kingdom, or Switzerland, we will take all necessary measures to protect your personal information in accordance with this privacy notice and applicable law.
15. Do we make updates to this notice?
In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.
We may update this privacy notice from time to time. The updated version will be indicated by an updated “Last updated” date at the top of this privacy notice. If we make material changes, we may notify you by prominently posting a notice on our website or by directly sending you a notification.
16. How can you contact us about this notice?
If you have questions or comments about this notice, you may email us at [email protected] or by post to:
Concept-X EOODWest Industrial Zone
Vratsa 3000
Bulgaria
Company Registration (EIK): 204826901
VAT Number: BG204826901
17. How can you review, update, or delete the data we collect from you?
Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it.
To request to review, update, or delete your personal information, please contact us at [email protected].
We will respond to your request within 30 days (or within the timeframe required by your applicable local law).