Privacy Policy

1. Data Controller

The data controller responsible for the processing of personal data is:

• Company name: Human Talent & Management EOOD (Хюман Талънт енд Мен. ЕООД)
• Registered address: 4A, Saborna Str., fl. 1, office 1, CP 1000, Sofia, Bulgaria
• Contact email: info@bulgaria360.eu
• Website: https://bulgaria360.eu

2. Personal Data We Collect

We collect the following types of personal data:

2.1 Data provided directly by the user

• Identification data: first name, surname, date of birth, nationality, passport or identity document number.
• Contact data: email, telephone, WhatsApp number, postal address.
• Business data: company name, tax identification number, business activity, details of partners and legal representatives.
• Billing data: billing address, tax details.
• Documents: copies of passports, powers of attorney and other legal documents required for company incorporation.

2.2 Data collected automatically

• Browsing data: IP address, browser type, operating system, pages visited, time spent on site.
• Cookies: session identifiers, user preferences (see our Cookie Policy).
• Chatbot data: conversations held with our virtual assistant Georgi.

3. Purposes of Processing

We process your personal data for the following purposes:

• Provision of services: company incorporation in Bulgaria, accounting management, legal and tax advisory, document translation.
• Commercial management: preparation and sending of quotations, follow-up on commercial proposals.
• Communications: sending notifications about the status of your process, document updates, reminders.
• Payment management: payment processing via Stripe, invoice issuance.
• Service improvement: platform usage analysis, user experience optimisation.
• Legal compliance: tax, accounting and regulatory obligations applicable in Bulgaria and the EU.
• Customer support: responding to enquiries via chat, email or WhatsApp.

4. Legal Basis for Processing

The processing of your data is based on the following legal grounds under the General Data Protection Regulation (GDPR):

• Performance of a contract (Art. 6(1)(b) GDPR): processing is necessary for the provision of the contracted services.
• Consent (Art. 6(1)(a) GDPR): for sending commercial communications, use of non-essential cookies and processing of chatbot data.
• Legitimate interest (Art. 6(1)(f) GDPR): for improving our services and fraud prevention.
• Legal obligation (Art. 6(1)(c) GDPR): for compliance with tax and accounting obligations.

5. Data Recipients

Your personal data may be disclosed to the following recipients:

• Service providers in Bulgaria: document managers, notaries, sworn translators and legal advisers necessary for the incorporation of your company.
• Payment processors: Stripe, Inc. for secure payment processing.
• Email services: Mailjet SAS for sending transactional communications.
• Cloud storage: Amazon Web Services (AWS) for secure document storage.
• Artificial intelligence: OpenAI, Inc. for the operation of the virtual assistant (only conversation data, no personally identifiable data).
• Public authorities: Bulgarian official bodies when required by law for company registration.

6. International Transfers

Some of our service providers are located outside the European Economic Area (EEA). In such cases, we ensure that transfers are carried out with appropriate safeguards:

• Stripe, OpenAI, AWS (USA): adherent to the EU-US Data Privacy Framework and/or standard contractual clauses approved by the European Commission.

7. Data Retention Periods

• Client data: for the duration of the contractual relationship and an additional 5 years due to legal obligations.
• Billing data: 10 years in accordance with Bulgarian tax legislation.
• Prospect data: 2 years from the last contact.
• Chatbot conversations: 1 year.
• Browsing data and cookies: as specified in our Cookie Policy.

8. Data Subject Rights

Under the GDPR, you have the following rights:

• Right of access: to obtain confirmation of whether your data is being processed and to access it.
• Right to rectification: to request the correction of inaccurate or incomplete data.
• Right to erasure: to request the deletion of your data when it is no longer necessary.
• Right to restriction: to request the restriction of processing in certain circumstances.
• Right to data portability: to receive your data in a structured, commonly used format.
• Right to object: to object to the processing of your data in certain circumstances.
• Right to withdraw consent: at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise these rights, you may send an email to info@bulgaria360.eu specifying your request and attaching a copy of your identity document.

You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) or with the data protection authority in your country of residence.

9. Security Measures

We implement appropriate technical and organisational measures to protect your personal data:

• Data encryption in transit (HTTPS/TLS) and at rest.
• Secure authentication with password hashing (bcrypt).
• Role-based access control (RBAC).
• HTTP security headers (CSP, HSTS, X-Frame-Options).
• Protection against automated attacks (reCAPTCHA, rate limiting).
• Application execution with a non-privileged user.
• Regular database backups.

10. Minors

Our services are intended for persons aged 18 and over. We do not knowingly collect data from minors. If we become aware that we have collected data from a minor, we shall delete it immediately.

11. Amendments

We reserve the right to amend this privacy policy to reflect legislative changes or changes to our services. Any amendments shall be published on this page with the date of update. We recommend that you review it periodically.