Privacy Policy

GARMENT PROCESS is a trade name of MINOAR Ltd., a company registered under the Commercial Law of the Republic of Bulgaria, with its registered office and address of management: Sofia Region, Sofia Municipality, Sofia, p.k. 1527, 131 Knyaz Alexander Dondukov-Korsakov Blvd., ground floor, entered in the Commercial Register of the Registry Agency of the Republic of Bulgaria with UIC: 202384078.

As a small studio, we are below the regulatory threshold for appointing a Data Protection Officer. Our privacy contact handles all data protection enquiries directly - this means faster, more personal responses.

When you enquire or onboard with Garment Process we collect your name, contact information, business details, and any references you provide for the project.

During production we store technical documents such as measurement tables, tech packs, grading notes, and sample imagery necessary to deliver the agreed work.

We may also collect technical data such as IP address, browser type, and device information when you visit our website, primarily for security and website functionality purposes.

Data sources: We typically receive personal data directly from you. In some cases, we receive data from your employer or the client company commissioning the project (e.g., contact details of project managers, measurements of fit models). Where a client provides us with personal data about third parties, the client is responsible for ensuring they have lawful authority to share that data and for informing the individuals concerned.

Enquiries and proposals: Purpose is to respond to your enquiry and prepare proposals. Legal basis is contract (pre-contractual steps). Data types are contact details and project requirements. Retention is 24 months from last contact, or until project starts.

Awards Program: Purpose is to evaluate submissions and select a winner. Legal basis is legitimate interest and contract (terms). Data types are application data and design files. Retention: Winner data is kept for 3 years (portfolio/case study); non-winner data is deleted after 12 months unless you opt-in to future updates.

Project delivery: Purpose is to execute pattern development, sampling, and documentation services. Legal basis is contract performance. Data types are contact details, project assets, communications, and approvals. Retention is 36 months after project completion to support reorders, revisions, and warranty claims.

Invoicing and accounting: Purpose is to issue invoices, process payments, and meet tax obligations. Legal basis is legal obligation. Data types are billing details, invoices, and payment records. Retention is 10 years as required by Bulgarian tax law.

Website security and logs: Purpose is to protect against attacks, debug issues, and maintain uptime. Legal basis is legitimate interest. Data types are IP address, browser type, and access logs. Retention is 12 months.

Marketing communications: Purpose is to send newsletters, updates, and service announcements. Legal basis is consent. Data types are email address and preferences. Retention is until consent is withdrawn.

Legal claims: Purpose is to establish, exercise, or defend legal claims. Legal basis is legitimate interest. Data types are all relevant project and communication records. Retention is duration of limitation period plus 12 months.

You may request earlier deletion of project assets at any time; however, we may retain essential records where required by law or to defend legal claims.

Many files you share with us, such as tech packs, sketches, and grading tables, are commercially sensitive but may not qualify as personal data under GDPR.

Project assets are treated as confidential regardless of whether they contain personal data. They are stored securely, shared only with parties necessary for project delivery, and subject to contractual confidentiality obligations.

If project assets contain personal data (e.g., measurements linked to named fit models), we process that data in accordance with this policy.

We may share your personal data with the following categories of recipients, all of whom are contractually required to maintain confidentiality and implement GDPR-grade safeguards:

Hosting and infrastructure: Cloud storage providers and CDN services that host our website and store project files.

Communication tools: Email service providers used for project correspondence and marketing (where consented).

Accounting and payments: Invoicing software and payment processors for billing operations.

Subcontracted services: Graders, sample rooms, and pattern digitizers who assist in project delivery under confidentiality agreements.

Couriers and logistics: Delivery services for physical samples and materials.

Professional advisors: Accountants and legal counsel where necessary for compliance or dispute resolution.

We do not sell, rent, or trade your personal data. We only share data with processors under written agreements that require them to process data solely on our instructions.

We aim to keep personal data within the European Economic Area (EEA). Our primary infrastructure and storage are located in EU data centres.

Where a service provider processes data outside the EEA (e.g., certain SaaS tools for email or analytics), we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) or adequacy decisions.

We document all international transfers and verify that receiving parties maintain equivalent data protection standards. You may request information about specific safeguards by contacting us.

We take the security of your personal data and project assets seriously. Our measures include:

Access control: Least-privilege access ensures only team members directly involved in your project can view your files. Access is reviewed regularly and removed promptly upon project completion or team changes.

Authentication: Multi-factor authentication (MFA) is required for access to systems containing personal data and project assets.

Encryption: Data is encrypted in transit (HTTPS/TLS) and at rest in our cloud storage systems.

Device security: Team devices are protected with encryption, up-to-date security patches, and endpoint protection.

Audit logging: We maintain logs of access to sensitive systems to detect and investigate potential security incidents.

Vendor management: We require Data Processing Agreements (DPAs) from all processors and verify their security practices.

Physical security: Any physical samples or documents are stored in locked, access-controlled premises.

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Commission for Personal Data Protection (CPDP) within 72 hours of becoming aware of the breach, as required by GDPR.

If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, describing the nature of the breach, likely consequences, and measures taken or proposed to address it.

We maintain internal records of all breaches, including those that do not meet the notification threshold, as part of our accountability obligations.

Our website uses essential cookies that are necessary for core functionality and security. These cookies are active by default and cannot be switched off in our consent interface.

Analytics and marketing cookies are optional and are enabled only after your consent choice. We apply consent controls before optional tags execute.

If you arrive via a paid ad, we may capture campaign identifiers (used by Google and Meta) for attribution - but only if you have consented to marketing cookies. Technical identifiers involved include gclid, gbraid, wbraid, and fbclid.

You can open cookie settings at any time using the Cookie Preferences control in the website footer and update or withdraw your choices.

Withdrawing consent does not affect core website functionality, but it may reduce analytics and campaign measurement accuracy.

With your consent, we may send occasional email updates about our services, industry insights, or company news. We typically send marketing emails no more than once per month.

Every marketing email includes a clear unsubscribe link. You can also opt out by emailing [email protected] or replying to any marketing message with 'unsubscribe'.

Service-related communications (such as project updates, invoice notifications, and delivery confirmations) are sent based on our contractual relationship and do not require marketing consent. These cannot be opted out of while you have an active project.

Right of access: You have the right to request a copy of the personal data we hold about you and information about how we process it.

Right to rectification: You can request correction of inaccurate or incomplete personal data.

Right to erasure: You can request deletion of your personal data where there is no compelling reason for its continued processing, subject to legal retention requirements.

Right to restriction: You can request that we restrict the processing of your personal data in certain circumstances, such as while we verify accuracy.

Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV, JSON), and to transmit it to another controller.

Right to object: You can object to processing based on legitimate interests (we will stop unless we have compelling grounds) or for direct marketing purposes (we will always stop).

Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

Right not to be subject to automated decisions: We do not use solely automated decision-making that produces legal effects concerning you or similarly significantly affects you.

Just email [email protected] - include your name, the email you used with us, and what you’d like us to do. Put ‘Privacy Request’ in the subject so we can prioritise it.

We will acknowledge your request within 5 business days and aim to respond substantively within one month of receipt, as required by GDPR.

For complex requests or where we receive a high volume, we may extend the response period by up to two additional months. If an extension is needed, we will inform you within the first month and explain why.

We may request proof of identity (such as a copy of ID with sensitive details redacted, or verification via the email address on file) before processing your request to protect your data from unauthorised access.

Exercising your rights is free of charge. However, if requests are manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee or refuse to act, explaining our reasons.

We encourage you to contact us first if you have concerns about how we handle your data, as we are committed to resolving issues promptly.

If you believe that our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority. You may contact the authority in your country of residence, place of work, or where the alleged infringement occurred.

In Bulgaria, the competent authority is the Commission for Personal Data Protection (CPDP).

Garment Process provides professional B2B services for fashion brands and does not knowingly collect personal data from children under 16 years of age.

If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such information promptly. If you believe we may have collected data from a child, please contact us immediately.

This policy is effective from the date shown at the top. We keep prior versions available on request.

When we make material changes to this privacy policy, we will notify you by posting the updated policy on our website with a new effective date.

For significant changes that affect how we process your personal data, we will provide additional notice, such as an email notification to active clients.

We encourage you to review this policy periodically to stay informed about how we protect your data.

This privacy policy is published in English and Bulgarian. In case of any discrepancy between versions, the English version shall prevail for interpretation purposes.

For users located in Bulgaria, the Bulgarian version is provided for convenience and accessibility.