Privacy Policy

How Tropical Pilates collects, uses, stores, and protects personal data.

Last updated: 20 May 2026

Effective from: 20 May 2026

This Privacy Policy explains how B&P Co Ltd. (UIC 208260678), a company established under the laws of Bulgaria with registered seat at ul. "27 Юли" No. 21, apt. 18, Varna 9000, Bulgaria ("we", "us", "the Studio", trading as "Tropical Pilates"), collects, uses, and protects personal data relating to visitors and customers of tropical.bg (the "Website") and participants of our Pilates classes (the "Services").

We are the data controller for the personal data we process about you, within the meaning of Regulation (EU) 2016/679 (the "GDPR") and the Bulgarian Personal Data Protection Act (ЗЗЛД).

1. Who to contact

  • Controller: B&P Co Ltd., UIC 208260678, ul. "27 Юли" No. 21, apt. 18, Varna 9000, Bulgaria
  • Person responsible for privacy: Rebecca Patricia Kinsella
  • Email for privacy requests: pilates@tropical.bg
  • Phone: +359 87 725 6848

We are not required to appoint a Data Protection Officer under Article 37 GDPR. For any question about this Privacy Policy or about how we handle your personal data, write to us at the email address above. We will respond within one (1) month of receiving your request, as required by Article 12(3) GDPR.

2. What personal data we collect

2.1 Data you provide to us directly

When you register and book a class:

  • Your mobile phone number in international format (required — used as your unique identifier)
  • Your display name (required)
  • Your email address (optional — if you provide it, we use it for booking confirmations, membership receipts, card-update notices, and other transactional account emails)
  • Your confirmation that you are at least 18 years old (required)
  • Your acceptance of our Terms of Service and acknowledgement of this Privacy Policy (required)
  • Your acknowledgement of our liability waiver (required — see Section 2.4)
  • Your optional consent to receive marketing emails (optional)

When you make a purchase through Stripe:

  • Your payment details are collected directly by our payment processor, Stripe Payments Europe Ltd. (see Section 4). We never see or store your full card number, expiry, or CVC. We only receive from Stripe: the last four digits of the card, the card brand, the transaction amount, and a unique transaction identifier.

When you contact us:

  • The contents of any message you send us by email, phone, or through any contact form, and any personal data voluntarily included in that message.

2.2 Data generated by your use of the Services

  • Records of the classes you book, attend, cancel, or fail to attend
  • Records of payments you make, credit packages you buy, credits you earn or spend, and the balance of your account
  • The date and time you created your account, logged in, or last used the Services
  • The IP address and approximate coarse location (country/city level) from which you access the Website, and the user agent of your browser, captured in server logs for security purposes
  • Anonymous and aggregate Website analytics and performance measurements for public pages, such as page path (without query parameters), route, referrer domain, country, device type, operating system, browser, network speed, Core Web Vitals measurements, Web Vital attribution, and booking-funnel page step. We use Vercel Web Analytics and Vercel Speed Insights for this purpose without analytics cookies, advertising identifiers, or cross-site tracking. We exclude account, staff, API, and development routes from analytics and performance measurement and do not send names, phone numbers, email addresses, customer IDs, booking IDs, or payment details to Vercel Web Analytics or Vercel Speed Insights.

2.3 Data we do not collect online

We do not collect, through the Website:

  • Your home address
  • Your date of birth (only confirmation that you are 18+)
  • Health information, medical conditions, injuries, pregnancy status, or medication information
  • Government-issued identification numbers
  • Biometric data
  • Data about your political opinions, religious beliefs, ethnicity, sexual orientation, or trade-union membership

2.4 Liability waiver acknowledgement

When you register, you are asked to confirm: "I confirm that I am in suitable physical health to participate in Pilates. I will disclose any relevant medical conditions, injuries, or pregnancy to my instructor before each class. I understand that physical activity involves inherent risks and I participate at my own risk."

We record the fact that you confirmed this waiver, together with the date and time. We do not record or store any health information about you through the Website. Any disclosure you make to your instructor at the studio is handled by the instructor in person, not stored in our IT systems.

3. Why we use your personal data (purposes) and legal bases

We process your personal data for the purposes listed below, each under the corresponding legal basis from Article 6 GDPR.

| # | Purpose | Personal data used | Legal basis |
|---|---------|--------------------|-------------|
| 1 | Create and manage your account; authenticate you when you log in | Phone, name, email, login timestamps | Performance of a contract (Art. 6(1)(b) GDPR) |
| 2 | Book classes, manage cancellations and no-shows, track credit balance and attendance | Bookings, credit ledger, attendance records | Performance of a contract (Art. 6(1)(b) GDPR) |
| 3 | Process payments for class reservations and credit packs | Payment data (see Section 4) | Performance of a contract (Art. 6(1)(b) GDPR) |
| 4 | Issue receipts and, where required, VAT invoices; comply with tax and accounting obligations | Name, email, payment data, VAT number if you provide one | Legal obligation (Art. 6(1)(c) GDPR), in particular the Bulgarian Accountancy Act and VAT Act |
| 5 | Send you booking confirmations, class reminders, cancellation notifications, and other transactional messages relating to your booking | Email, booking records | Performance of a contract (Art. 6(1)(b) GDPR) |
| 6 | Send you marketing emails about classes, workshops, and promotions, if you opt in | Email, name | Consent (Art. 6(1)(a) GDPR) — you can withdraw consent at any time by clicking unsubscribe or emailing us |
| 7 | Measure aggregate public Website usage, Core Web Vitals, and booking-funnel performance so we can improve pages and reduce booking friction | Cookie-free public page analytics and performance measurements, route, referrer domain, country, device/browser/network information, Web Vital measurements and attribution, funnel page step | Legitimate interest (Art. 6(1)(f) GDPR) in improving the Website and Services |
| 8 | Operate the Website securely, prevent abuse, investigate incidents | IP address, user agent, access logs | Legitimate interest (Art. 6(1)(f) GDPR) in keeping the Website secure and preventing fraud |
| 9 | Defend, establish, or exercise legal claims | Any data necessary | Legitimate interest (Art. 6(1)(f) GDPR) in protecting our legal rights, and/or legal obligation (Art. 6(1)(c) GDPR) |
| 10 | Demonstrate compliance with GDPR (consent records, Terms acceptance records) | Timestamps and IP of consent/acceptance actions | Legal obligation (Art. 6(1)(c) and Art. 7(1) GDPR) |

4. Who we share your personal data with

We do not sell your personal data. We share it only with the following categories of recipients, who act as our processors on our behalf under written contracts (Data Processing Agreements) that meet the requirements of Article 28 GDPR:

| Recipient | Role | Location of data processing |
|-----------|------|-----------------------------|
| Supabase, Inc. | Hosting of the Website's database and backend functions | EU — Ireland (eu-west-1) |
| Vercel, Inc. | Hosting of the Website's frontend and build infrastructure; cookie-free aggregate Web Analytics and Speed Insights | United States (see Section 5) |
| Stripe Payments Europe Ltd. | Processing card payments on the Website | EU — Ireland (primary), with possible routing via Stripe affiliates in other jurisdictions |
| Resend | Sending transactional emails (booking confirmations, receipts, reminders) | EU region (configured per account) |
| Meta Platforms, Inc. | Instagram API provider used to read the studio's own Instagram media and metadata for the /events marketing feed | United States (see Section 5) |
| Slack Technologies Limited | Internal staff notifications for bookings, cancellations, and payments | European Economic Area (with data transfers as described by Slack's DPA) |

We may also share your personal data with:

  • Our professional advisors — accountants, auditors, and lawyers — where strictly necessary and under obligations of confidentiality.
  • Public authorities — such as the National Revenue Agency, courts, the police, or the Commission for Personal Data Protection — where we are required by law, court order, or binding regulatory request to do so.

5. International transfers

Your personal data is primarily hosted in the European Economic Area (EEA), specifically in Ireland, through our database provider Supabase.

Some of our processors — notably Vercel (frontend hosting) and Stripe (in the course of global card network routing) — may process personal data outside the EEA, including in the United States. When that happens, we ensure that the transfer is covered by one of the transfer mechanisms permitted by Chapter V GDPR:

  • the EU–U.S. Data Privacy Framework (where the processor is certified), and/or
  • the European Commission's Standard Contractual Clauses (Module 2 — Controller to Processor), supplemented by additional technical and organisational measures where appropriate.

You can obtain a copy of the safeguards in place for any specific transfer by emailing us at pilates@tropical.bg.

6. How long we keep your personal data

| Category | Retention period |
|----------|------------------|
| Account profile (name, phone, email) | For the duration of the customer relationship, plus 3 years after your last booking or activity |
| Booking and attendance records | For the duration of the customer relationship, plus 3 years after your last booking |
| Credit ledger entries | Same as payment records below, as they form part of our accounting records |
| Payment records, subscription invoices, VAT records | 10 years from the end of the fiscal year to which they relate (legal obligation under Art. 12 of the Bulgarian Accountancy Act) |
| Consent and Terms-acceptance records | For the duration of the customer relationship, plus 3 years after your last activity |
| Marketing opt-in records (if applicable) | Until you withdraw consent, plus 3 years after withdrawal (to demonstrate the withdrawal was respected) |
| Website server and access logs | 90 days |

After the retention period expires, we either delete your personal data or anonymise it so that it can no longer be associated with you. Data that is required to be retained for accounting purposes is kept in our accounting system and access to it is restricted to staff with a legitimate business need.

7. Your rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — to obtain a copy of the personal data we hold about you, and to understand how we use it.
  • Right to rectification (Art. 16 GDPR) — to have inaccurate personal data corrected, or incomplete data completed.
  • Right to erasure / "right to be forgotten" (Art. 17 GDPR) — to have your personal data deleted. This right is not absolute; for example, we cannot delete payment records we are legally required to keep.
  • Right to restriction of processing (Art. 18 GDPR) — to ask us to stop actively using your data while a dispute about it is resolved.
  • Right to data portability (Art. 20 GDPR) — to receive the personal data you have provided to us in a structured, commonly used, machine-readable format (we provide this as JSON or CSV).
  • Right to object (Art. 21 GDPR) — to object to processing carried out on the basis of our legitimate interest, or to object at any time to the processing of your personal data for direct marketing.
  • Right to withdraw consent (Art. 7(3) GDPR) — where we rely on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
  • Right to lodge a complaint (Art. 77 GDPR) — with the Bulgarian Commission for Personal Data Protection (КЗЛД) at cpdp.bg or any other EU supervisory authority, if you believe we have infringed your rights.

To exercise any of these rights, email us at pilates@tropical.bg. We may ask you to verify your identity before we act on a request (typically by asking you to confirm the phone number and email associated with your account). We will respond within one month of receiving a valid request, free of charge, unless the request is manifestly unfounded or excessive.

8. Automated decision-making and profiling

We do not make any decisions about you based solely on automated processing (including profiling) that produces legal effects on you or similarly significantly affects you within the meaning of Article 22 GDPR.

9. Cookies and similar technologies

We use a small number of strictly necessary cookies to operate the Website (such as session cookies for keeping you logged in). We also use Vercel Web Analytics and Vercel Speed Insights for cookie-free, aggregate analytics and performance measurement on public Website pages. We do not use Google Analytics, analytics cookies, advertising cookies, behavioural profiling cookies, or session replay tools.

For full details, see our Cookie Policy.

10. Children

The Services are intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18 through the Website. If you believe that a minor has registered on the Website, please contact us at pilates@tropical.bg and we will promptly delete the account.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or alteration. These include:

  • Encryption of data in transit (HTTPS) and at rest (database-level encryption provided by Supabase)
  • Access control: only authorised staff with a legitimate business need can access customer data
  • Secure authentication and role-based access for staff accounts
  • Regular software updates and monitoring
  • Logging and auditing of privileged actions
  • Data processing agreements with all processors, as required by Article 28 GDPR

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Commission for Personal Data Protection within 72 hours of becoming aware of it, as required by Article 33 GDPR, and notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms, as required by Article 34 GDPR.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this document indicates when it was last revised. For material changes, we will notify you by email (if you have provided one) and/or by a prominent notice on the Website at least 30 days before the change takes effect.

13. Authoritative language

This Privacy Policy is published in both Bulgarian and English. In the event of any inconsistency between the two versions, the Bulgarian version governs.
