Privacy Policy

"IDEA LAB Ltd. is a personal data collector under the General Data Protection Regulation (GDPR) and carries out its activities in full compliance with European and Bulgarian legislation in personal data protection.

This Privacy Policy aims to inform you transparently about the following:

  1. The personal data we collect when you use our experience platform
  2. The purposes and legal bases for their processing
  3. How we protect the privacy of your information
  4. The rights you have as a data subject

This document is integral to the platform's Terms and Conditions and applies to all users: site visitors, registered users, customers, and experience voucher recipients.

Protecting your data is a top priority for us. We apply strict technical and organizational measures to ensure the security of the information you entrust.

We recommend that you read this document carefully as it contains essential information about your rights under data protection legislation.

Section I - General Information about the Data Collector. Terms used

Art. 1 (1) The data you share on this platform is processed and stored by:

Name of the Data Collector: "IDEA LAB" Ltd.

Registered office and registered address. The headquarters and registered office are in Sofia, Triaditsa district, ul. Bulgaria, 111, bl. building F1, et. 1

Address for the exercise of the activity and address for addressing complaints from CLIENTS for the territory of the Republic of Bulgaria. Sofia, Triaditsa district, Sofia, Bulgaria. Bulgaria, 111, bl. building F1, et. 1

For general inquiries, please call +359 878 690 225;
Contact telephone number for reservations: +359 884 016 275

Email: office@giftcometrue.com

UIC: 204864275
VAT registration number: BG204864275

(2) To contact the competent data protection supervisory authority, you may use the following contact details:

Name: Commission for Personal Data Protection

Registered office and registered address. Registered office and registered office: 1592 Sofia Blvd. "1592, Prof. No. 2 Tsvetan Lazarov

Address for correspondence. Address for correspondence. "1592, Prof. No. 2 Tsvetan Lazarov

Phone: 02 915 3 518

Website: 

Section II - Basis for collecting, processing, and storing your data

Art. 2 The controller processes the personal data of users of the Gift Come True platform in strict compliance with the General Data Protection Regulation (GDPR) and on the following legal grounds:

(1) Consent (Article 6(1)(a) GDPR) - where you have voluntarily consented to the processing of your data for specific purposes, such as:

  1. Get personalized experience suggestions
  2. Subscribe to our newsletter
  3. Use of cookies for marketing purposes

(2) Performance of a contract (Art. 6 par. 1, b. GDPR) - where the processing is necessary for:

  1. Create and manage your user profile
  2. Order processing for experience vouchers
  3. Issue and delivery of vouchers
  4. Customer service and reservation assistance

(3) Legal obligations (Article 6(1)(c) GDPR) - where we are legally obliged to process data for:

  1. Invoicing and accounting
  2. Storage of financial transaction data
  3. Responding to official requests from public authorities

(4) Legitimate interest (Article 6(1)(f) GDPR) - where processing is necessary to protect our legitimate interests, such as:

  1. Prevention of fraud and abuse
  2. Ensuring platform security
  3. Analysis and improvement of the services offered
  4. Defense of legal claims

Section III - Purposes and Principles for the Collection, Processing, and Storage of Your Data

Art. 3 When processing personal data, Gift Come True strictly observes the following principles:

  • Lawfulness, fairness, and transparency - we process data clearly and openly, always informing you of the purposes and legal grounds;
  • Purpose limitation - we collect data only for specific, explicit, and legitimate purposes, without further processing in a way incompatible with those purposes;
  • Data minimization - we only process data that is appropriate, relevant, and limited to what is necessary for the processing;
  • Accuracy - We keep data up to date and take reasonable steps to correct or delete inaccurate data;
  • Storage limitation - we store the data in a form that allows identification of the subjects for a period no longer than necessary for the purposes;
  • Integrity and confidentiality - we process data in a way that provides appropriate security, including protection against unauthorized or unlawful processing.

Art. 4 The purposes of the processing are the specific intentions of the Controller in collecting and using personal data, which are predetermined, explicit, and lawful, in all cases directly related to the provision of services through the Gift Come True platform and the protection of the legitimate interests of all participants in the process, as follows: 

  1. User profile management: We process personal data to create and maintain individual profiles on the platform. This includes personalizing the user experience and storing preferences for different categories of experiences.
  2. Order processing: We process the data necessary to generate vouchers, arrange their delivery, process payments, and assist with bookings with experienced provider partners.
  3. According to applicable law, we process data for administrative purposes to comply with legal obligations, including invoicing, accounting, and record-keeping.
  4. Improving services: We analyze aggregated data on user behavior and conduct statistical research to optimize the platform and expand the portfolio of experiences.
  5. Customer communication: We process data to send order-related messages, reminders about expiring vouchers, and notifications about changes to experience bookings.
  6. Marketing purposes - subject to explicit consent, we process data to send personalized offers, information about promotions, and new experiences via our newsletter.
  7. Security: We process data to prevent fraud, protect information systems, and verify payments, providing a secure environment for all platform users.

Section IV - Specific types of data to be collected for processing and storage

Art. 5 (1) The controller shall process the following categories of data relating to you and through which you can be individually identified:

  1. Identification details (first name, last name, telephone, e-mail, delivery address)

Processing activities:

  1. Create a user profile
  2. Order processing for vouchers
  3. Delivery of physical vouchers
  4. Assistance with reservations

Legal basis: performance of a contract (Article 6(1)(b) GDPR)

  1. Payment details (transaction information, billing details, card number) 

 Processing activities:

  1. Payment processing
  2. Issue of supporting documents
  3. Accounting

Legal basis: legal obligation (Article 6(1)(c) GDPR)

  1. User behavior data (order history, preferred experience categories, frequency of visits)

Processing activities:

  1. Customizing suggestions
  2. Improving the platform
  3. Analysis of customer satisfaction

Legal basis: Legitimate interest (Article 6(1)(f) GDPR)

  1. Marketing data (email, experience preferences)

 Processing activities:

  1. Sending a newsletter
  2. Personalized promotional offers
  3. Notifications about new experiences

Legal basis: explicit consent (Article 6(1)(a) GDPR)

  1. Security data (IP address, account access data)

Processing activities:

  1. Fraud prevention
  2. Protection of information systems
  3. Verification of users Legal basis: Legitimate interest (Article 6(1)(f) GDPR)
  1. Details of voucher recipients (name, surname, telephone number, e-mail address of the recipient)

Processing activities:

  1. Sending electronic vouchers
  2. Assistance with activation
  3. Expiry reminder

Legal basis: Legitimate interest (Article 6(1)(f) GDPR)

Section V - Retention period of your data

Art. 6 (1) The trader shall keep the personal data he has collected only for the period necessary to achieve the purposes set out in this Policy and where he is entitled or obliged by law to keep them for a longer period. 

(2) The time limits we observe or are obliged to observe about the storage of personal data are as follows:

  1. Your data - up to 5 years;
  2. Data on orders placed and contracts concluded - up to 5 years; 
  3. User experience data - up to 2 years from the last visit to the site;
  4. Sending of a newsletter - until unsubscribed by the data subject, 

(3) The determining factors for the duration of the storage period are various circumstances, including but not limited to the duration of the provision of services, if necessary for the establishment, exercise, or defense of our legal claims, or the existence of a legal obligation to store the relevant data. 

Section VI - Rights of users about the processing and storage of their data

Art. 7 (1) The user can withdraw consent to processing personal data by filling in the form in the " Applications " section. This right applies if the user does not wish his data to be processed by the Controller for any or all purposes.

(2) After withdrawing consent, your Gift Come True platform account may be deactivated, but you will always have the option to create a new one.

(3) If you have an active service contract with Gift Come True, consent may be withdrawn after the expiration of that contract.

(4) To stop receiving marketing emails from Gift Come True, use the "Unsubscribe" option at the end of the message or contact us directly.

(5) Withdrawal of consent to future processing shall not affect the lawfulness of the processing carried out until then, nor the data that the Data Controller must store by law.

Art. 8 (1) You have the right to request and receive confirmation from Gift Cation whether we process your data, precisely what data, and the details of their processing.

(2) Upon request, Gift Come True will provide a copy of your processed personal data in an appropriate format.

(3) Access to your data stored by the Data Controller is generally free, but we reserve the right to charge an administrative fee for repeated or excessive requests.


Art. 9 (1) GiftComeTrue users have the right to request that inaccurate personal data be corrected or incomplete ones completed.

(2) You can correct your details via your Gift Come True platform account or send the form in Appendix 3 to our contact email.

Art. 10 (1) You have the right to request the Data Collector to delete the personal data stored about you, which must be done within 72 hours.

(2) To exercise the right to delete, you need to send an email request using the form in Appendix 4 and identify yourself as the account holder (if you have one).

(3) The Data Collector will delete the personal data it processes after confirming your identity.

(4) If an order is ongoing or an experience voucher is unused, the data can be deleted after the voucher is finalized or used.

(5) The exercise of the right to erasure ("right to be forgotten") does not affect the lawfulness of the then processing of the data by GiftComeTrue, nor those that must be kept by law.

Art. 11 (1) You have the right to receive from the Data Collector the personal data we store about you in machine-readable format. For this purpose, fill in form No. 4 of the "Attachments" and send it to our email address.

(2) The Data Collector may either provide your data directly to you in a readable format or transfer it to another controller you designate.


Art. 12 (1) In case of an identified security breach of your data that threatens your rights and freedoms, The Data Collector will notify you of the incident and the measures taken.

(2) The obligation to notify under par. (1) shall be waived if The Data Collector has taken appropriate technical and organizational data protection measures in good time.

Section VII - Persons who have access to users' data

Art. 13 (1) To provide you with the full functionality of the Gift Come True platform and to fulfill our contractual obligations with you, in some cases, we need to share your data with the following categories of recipients:

  • Employees of the Data Collector handling customer inquiries and reservations for experiences
  • Our accounting and legal teams, incl. Outside commercial firms who look after these matters;
  • Support and development specialists for our technology platform, including marketing experts
  • Hosting service providers,
  • Public authorities and regulators, where legally required based on an official act
  • Merchants who provide the service on an experience purchased by the consumer. 

(2) The controller requires these recipients to process their data following the highest lawfulness, security, and confidentiality standards.

(3) Recipients who have access to your data are bound to the Controller by strict confidentiality agreements to protect your personal information.

(4) The controller only passes on to the merchant service providers the minimum necessary data to carry out the specific experience for which you have purchased a voucher—for example, your name and contact telephone number or delivery address (in cases where a physical product needs to be sent to the customer). These merchants do not have access to your complete profile on the platform or to any other data that is not necessary to perform their obligations.

(5) The controller does not share, sell, or otherwise provide your data to third parties for marketing or purposes other than those necessary for operating the platform and performing the contract with you.

Section VIII - Storage of personal data

Art. 14 (1) The controller stores and processes your data mainly within the EU/EEA. Sometimes, we may transfer your data outside the EU/EEA, always ensuring appropriate safeguards for its protection.

(2) When transferring data outside the EU/EEA, we adhere to strict principles: We only use trusted suppliers committed to high data protection standards, negotiate strict clauses requiring adequate protection, and implement technical and organizational measures such as encryption and access control.

(3) If we determine that one of these measures is insufficient to provide adequate protection, we will, on a case-by-case basis, adopt additional technical and/or organizational security measures per the European Commission's recommendations. You can contact us anytime using the contact details listed above to learn more about the countries where we transfer your data and the safeguards we have regarding these transfers.

Art. 15 The controller uses the following tools which may process certain of your data:

  1. Google Analytics & Google Tag Manager - to analyze user behavior to improve our services. Google Privacy Policy
  2. LinkedIn Insight Tag - to measure the effectiveness of our LinkedIn ads. LinkedIn Privacy Policy
  3. MailerLite - to send email newsletters and marketing messages to consenting users. MailerLite Privacy Policy
  4. Adform - for personalized online ads and measuring their effectiveness. Adform Privacy and GDPR

Section IX - Final Provisions

Art. 16 The controller shall provide easily accessible mechanisms for exercising your rights as a data subject. You may request and inquire about your data using the forms in the "Applications" section or by emailing us directly.

Art. 17 (1) Upon termination of the relationship between Gift Come True and a user, the stored personal data will be deleted or anonymized within a reasonable period unless there is a legal obligation or legitimate interest to retain them.

(2) Gift Come True may retain specific data after termination of the relationship to defend against legal claims, establish and enforce rights, ensure the platform's security, or other lawful purposes.

Art. 18 In case of inconsistency between this Policy and mandatory provisions of the applicable legislation, the statutory provisions shall prevail. The invalidity of any particular clause shall not affect the validity of the rest of the Policy.

Art. 19 (1) Gift Come True conducts regular audits and data protection impact assessments to identify and minimize risks to your data. The results are reflected in updates to this Policy.

(2) Any amendment or modification of this document shall be effective against the data subject in one of the following events, whichever is the earliest:

  1. after being expressly notified by the Controller and if the data subject does not declare within the 14 days granted to him that he rejects them or
  2. after their publication on the website of the Controller and if the data subject does not declare within 14 days of their publication that he rejects them or
  3. By the data subject's explicit acceptance of it through a user profile on the Controller's platform or by any other action that may constitute explicit consent.

Art. 20 The controller shall implement appropriate technical and organizational measures, such as pseudonymization, encryption, access control, and logging of processing activities, to ensure security levels relevant to the risks to the rights and freedoms of data subjects.

Art. 21 The Bulgarian and European legislation regarding personal data protection shall apply to issues not covered by this Policy.

Art. 22 This Privacy Policy shall enter into force as of 01.12.2024. 

Section X - Annexes

Art. 23 You can exercise all your rights regarding data protection through the forms attached below or the functionalities in your profile. 

  1. Withdrawal of consent form for processing purposes - Annex 1 
  2. Request "to be forgotten" - for deletion of personal data related to me - Annex 2 
  3. Request for portability of personal data - Annex 3 
  4. Request for correction of data - Annex No 4