Privacy Policy
This Privacy Policy sets out the principles and practices that govern how the Administrator collects, uses, stores, protects, and discloses personal data in connection with the services offered through our digital platform. We are committed to maintaining the highest standards of data protection and ensuring full compliance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and all applicable national legislation. The protection of your personal information is a fundamental part of our operational philosophy, and we implement robust technical and organisational safeguards to ensure its confidentiality, integrity, and availability.
By engaging with our website, accessing our services, or communicating with us in any form, you entrust us with certain personal data, and we take this responsibility seriously. This Policy aims to provide transparent and accessible information about the types of personal data we process, the legal grounds for such processing, and your rights as a data subject. We strive to ensure that personal data is processed lawfully, fairly and in a manner that is understandable to every user.
Furthermore, this document explains the circumstances under which your data may be shared with third parties, including service providers and regulatory authorities, and the safeguards in place to protect your information during any such transfer. We emphasise our commitment to minimising data collection, limiting retention periods, and adopting a “privacy by design and by default” approach in all aspects of our business operations. By continuing to use our platform, you acknowledge and accept the practices outlined in this Privacy Policy.
SECTION I – General Information
Art. 1. Contact details of the Administrator responsible for processing personal data
Name: DEQVISION Ltd.
UIC: 207850512
Registered seat and business address: Plovdiv, Zapaden District, 59 Georgi Kirkov St., Fl. 2
Correspondence address: Plovdiv, Zapaden District, 59 Georgi Kirkov St., Fl. 2
Telephone: +359895414977
Email: marketing@deqvision.com
(2) The Administrator has not appointed a Data Protection Officer (DPO). This is due to the fact that we process a limited amount of personal data and our activities do not fall within the categories for which the GDPR mandates the designation of a DPO. For this reason, no contact details for such a person are provided.
Art. 2. Contact details of the competent supervisory authority
Name: Commission for Personal Data Protection
Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Correspondence address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Telephone: +359 2 91 53 518
Website: www.cpdp.bg
SECTION II – Frequently Used Terms
Art. 3. For the purposes of this Privacy Policy, the following terms shall have the following meaning:
“Personal data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing of personal data” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making the data available, alignment or combination, restriction, erasure or destruction.
“Data Controller” (Administrator) means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Administrator.
“Data subject” means an identified or identifiable natural person to whom the personal data relates.
“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by a statement or by a clear affirmative action, by which he or she signifies agreement to the processing of personal data relating to him or her.
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Legitimate interest” means an interest pursued by the Administrator or by a third party, sufficiently justified to warrant the processing of personal data, provided that such interest does not override the interests, fundamental rights and freedoms of the data subject.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Cookies” means small text files stored on your device (computer, tablet, smartphone, etc.) when you visit our website. Cookies help the Administrator ensure the proper functioning of the website, improve your user experience, and provide personalised content and advertising.
SECTION III – Legal Grounds for Processing Personal Data
Art. 4. The Administrator processes your personal data on the following legal bases pursuant to Art. 6(1) GDPR:
- Consent – for receiving marketing communications, newsletters and personalised recommendations.
- Contract – for the provision of services requested by you (video audits, consultations, access to materials).
- Legal obligation – for meeting accounting and tax requirements.
- Legitimate interest – for analysing service performance and improving service quality.
(2) The Administrator clearly distinguishes between personal data strictly necessary for contractual or legal compliance (e.g., name of a legal representative or individual, address, telephone, email) and data that is provided voluntarily (e.g., marketing phone number, service preferences). Refusal to provide mandatory information may prevent the Administrator from delivering the requested service.
(3) If the Administrator intends to process personal data for a purpose different from the original one, a compatibility assessment is carried out. Processing continues only if the new purpose is compatible (e.g., archiving or statistical analysis). Otherwise, new consent is required.
Art. 5. (1) Processing of your personal data is carried out strictly on one of the following legal grounds, each linked to a specific processing purpose:
- Performance of a Contract (Art. 6(1)(b) GDPR) – processing contact details, names, and payment data necessary for entering into and performing consultancy service agreements or purchases made through the online store.
- Legal Obligation (Art. 6(1)(c) GDPR) – processing invoicing details, payment information and correspondence required for compliance with accounting and tax legislation.
- Legitimate Interest (Art. 6(1)(e) GDPR) – processing technical data (IP addresses), security data and logs for network security, fraud prevention and service improvement.
- Consent (Art. 6(1)(a) GDPR) – processing of email addresses, preference data, marketing data and cookies when not essential for provision of core services.
(2) The Administrator processes the following categories of personal data for the respective purposes:
Identification data (mandatory):
Examples: name, surname, email, telephone.
Source: provided directly by you during registration or service request.
Purpose: identification and communication concerning the provision of services.
Technical data (automatically collected):
Examples: IP address, browser type, operating system, cookie data, time of visit.
Source: collected automatically upon visiting the website.
Purpose: technical operation and usage analytics.
Communication data (optional):
Examples: content of chat messages, recordings from video consultations, feedback.
Source: communications exchanged during service provision.
Purpose: ensuring high-quality service and improving service processes.
Payment data (processed by a third party):
Examples: card number, expiry date, CVV, cardholder name.
Source: provided directly by you when making a payment.
Purpose: processing payments for requested services.
Processing: performed directly by our payment service provider, Stripe Inc.
(3) The Administrator does not collect or process special categories of personal data under Art. 9 GDPR.
(4) The services of the Administrator are not intended for individuals under 18 years of age. The Administrator does not knowingly collect data from children or minors. If such processing is detected, the data will be deleted without undue delay.
(5) Provision of core services is not conditioned on consent for processing that is not strictly necessary (e.g., marketing messages). Refusal to give optional consent will not limit essential website functionality.
Art. 6. (1) When processing your personal data, we adhere to the following principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Accuracy
- Integrity, confidentiality and security
(2) Before relying on legitimate interest, the Administrator performs a Legitimate Interest Assessment (LIA) demonstrating that:
- The interest is legitimate;
- Processing is necessary and cannot be achieved by less intrusive means;
- The processing is proportionate and poses low risk to your rights and freedoms, while the Administrator’s interest in ensuring security and service continuity prevails.
SECTION IV – Data Retention Periods and Security Measures
Art. 7. (1) The Administrator retains your personal data only for the time necessary to fulfil the purposes set out in this Policy or for as long as required by law. In determining retention periods, the following factors are considered:
- Contractual relationships and legal claims – duration of marketing consultations and video audits; need to protect against disputes or claims;
- Statutory requirements – obligations to archive accounting documents and business correspondence;
- Quality assurance – tracking the effectiveness of recommended marketing strategies and ensuring continued support;
- Technical possibilities – opportunities for anonymisation or pseudonymisation for analytical purposes.
(2) Specific retention periods:
- Financial data and service documentation: 5 years from the last transaction (as required by accounting legislation);
- Marketing communications and newsletter subscriptions: until consent is withdrawn or 24 months of inactivity;
- Tracking technologies (cookies, pixels): 6 to 24 months depending on their purpose;
- Recordings from consultations and chat communications: 12 months after completion of service provision.
Art. 8. The retention periods result from a careful assessment of legal obligations, business needs, and your fundamental rights as a data subject. The Administrator prioritises the principle of minimisation of storage duration.
Art. 9. (1) Upon expiry of the applicable retention period, the Administrator promptly deletes or anonymises your personal data.
(2) Deletion is carried out through certified secure destruction methods ensuring irreversibility and preventing unauthorised access.
(3) Where full deletion is technically impossible or conflicts with justified business interests, anonymisation techniques are applied, eliminating any possibility of identifying you.
(4) Retention periods of the payment processor Stripe follow Stripe’s own retention policies, with only the last four digits of the card stored for accounting purposes.
Art. 10. (1) The Administrator implements comprehensive technical and organisational measures ensuring an appropriate level of security in relation to the risks for individuals.
(2) Measures include:
- Encryption – TLS/SSL encryption for all communications between your browser and our website;
- Access control – Multi-Factor Authentication (MFA) for access to critical systems;
- Pseudonymisation / anonymisation – applied whenever feasible for analytics;
- Regular testing – periodic penetration testing and security audits.
(3) Organisational measures include restricted access on a strictly “need-to-know” basis, mandatory staff training, and documented procedures for processing, storage and deletion.
(4) In the event of a high-risk personal data breach, you will be notified without undue delay, including information on:
- the nature and scope of the incident;
- contact details of our responsible data protection contact;
- potential consequences and recommended measures;
- actions undertaken to mitigate the impact.
(5) The Administrator maintains systematic records of all granted or withdrawn consents in compliance with the accountability principle under Art. 5(2) GDPR, including: date, time, method of consent and information provided to the data subject.
(6) The Administrator uses the CookieYes Consent Management Platform (CMP) to manage cookie consent and maintain related records.
(7) Competent authorities (CPDP) will be notified within 72 hours in accordance with GDPR.
SECTION V – Parties with Access to Your Personal Data
Art. 11. (1) In connection with the performance of the contract by the Administrator and the provision of full website functionality, your personal data may be shared with the following categories of recipients who process data:
- Staff responsible for handling service requests, delivering materials, or coordinating consultations;
- Staff in the accounting and legal departments;
- Hosting service providers;
- State and regulatory authorities.
Purposes of processing:
- Processing order-related data;
- Processing accounting documentation in compliance with applicable legislation;
- Protecting the legitimate and legal interests of the company in connection with its commercial activities;
- Provision of information society services, including delivery of the digital service;
- Regulatory reporting obligations and handling complaints submitted to competent authorities.
(2) All parties processing personal data strictly comply with the requirements for lawful and secure processing and storage.
(3) The Administrator acts as the sole controller of your data. However, in certain circumstances involving third-party platforms, joint controllership under Art. 26 GDPR may arise:
- Joint controllership with Google LLC for data collected via Google Analytics or Google Ads, where Google determines the technical means and the Administrator determines the purposes of processing;
- Other specific cases, such as HubSpot (CRM and marketing), Stripe Inc. (payments), and Webflow (hosting and CMS). These entities act as data processors, following the Administrator’s documented instructions and subject to Data Processing Agreements (DPAs) included in their terms of service.
SECTION VI – Data Subject Rights. Withdrawal of Consent
Art. 12. As a data subject, you have the full range of rights provided under the General Data Protection Regulation (GDPR), which you may exercise at any time with respect to the Administrator.
Art. 13. You may exercise the following fundamental rights:
- The right to access your personal data and related information;
- The right to request rectification of inaccurate or incomplete data;
- The right to request erasure (“right to be forgotten”) under specific circumstances;
- The right to request restriction of processing;
- The right to data portability;
- The right to object to processing, including profiling;
- The right not to be subject to automated decision-making.
(2) When exercising the right to data portability, we will provide your data in a structured, commonly used and machine-readable format (including, but not limited to, CSV, XML, or JSON). If technically feasible, you may request direct transmission of the data to another controller.
Art. 14. (1) You have the right to obtain confirmation as to whether personal data concerning you is being processed, and, where that is the case, access to the data and information about: the purposes of processing; the categories of data; the recipients; and the retention periods.
(2) When exercising your right of access, we will provide a copy of the personal data undergoing processing. A reasonable administrative fee may apply for additional copies. If the request is submitted electronically, the information will be provided in electronic format unless you request otherwise.
Art. 15. (1) You have the right to request the rectification of inaccurate personal data or completion of incomplete data by providing an additional statement.
(2) Upon rectification, the Administrator will notify all recipients to whom your data has been disclosed, unless this proves impossible or requires disproportionate effort.
Art. 16. (1) You may request the erasure of your personal data when:
- The data is no longer necessary for the original purposes;
- You withdraw your consent, and no other legal basis exists;
- You object to processing;
- Processing is unlawful;
- Erasure is required for compliance with a legal obligation.
(2) The right to erasure does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.
Art. 17. (1) You may request restriction of processing where:
- You contest the accuracy of the data;
- The processing is unlawful and you oppose erasure;
- The data is required for legal claims;
- You have objected to processing pending the verification of overriding grounds.
(2) When processing is restricted, the data may only be processed for storage, with your consent, or for legal claims.
Art. 18. (1) For data processed based on consent or contract through automated means, you have the right to receive the data in a structured, commonly used and machine-readable format and to transmit it to another controller.
(2) You may request direct transmission to another controller where technically feasible.
Art. 19. (1) You have the right to object to processing based on legitimate interest, including profiling. In such cases, processing will cease unless we demonstrate compelling legitimate grounds prevailing over your interests, rights and freedoms.
(2) Where personal data is processed for direct marketing purposes, you have an absolute right to object at any time. Processing for such purposes will cease immediately.
Art. 20. We do not use automated decision-making systems that produce legal effects concerning you. Should such systems be introduced, this Policy will be updated and you will be notified.
Art. 21. (1) To exercise your rights, you may submit a request via email, clearly indicating the right you wish to exercise.
(2) You must identify yourself appropriately to prevent unauthorised access to your data.
(3) The Administrator will provide information on actions taken without undue delay and in any event within one (1) month of receiving your request. This period may be extended by two months where necessary, and you will be informed accordingly.
Art. 22. (1) The Administrator applies the principle of Privacy by Design and by Default. For new technologies or processing operations likely to result in high risk to individuals (e.g., large-scale profiling), a Data Protection Impact Assessment (DPIA) is performed under Art. 35 GDPR.
(2) You may object to marketing communications at any time using the “Unsubscribe” link in any email or by contacting us directly.
SECTION VII – International Data Transfers
Art. 23. (1) As a general rule, your personal data is stored and processed within the European Union (EU) and the European Economic Area (EEA).
(2) Where we determine that standard safeguards may not provide adequate protection, the Administrator adopts additional technical and/or organisational measures in line with European Commission recommendations.
Art. 24. (1) In some cases, your personal data may be processed outside the EEA when using external service providers or technological platforms located in third countries.
(2) Such transfers occur only on a lawful basis and with guarantees ensuring a level of protection equivalent to that in the EEA.
Art. 25. (1) Personal data may be transferred to the following non-EEA countries:
United States of America (USA) – in connection with:
- Analytical tools such as Google Analytics;
- Advertising platforms including Google Ads and Meta/Facebook Ads;
- HubSpot, used for CRM, client communications and marketing.
(2) In this context, specific technical and behavioural data (e.g., IP address, device identifiers, interaction data) may be transferred to Google LLC, acting as a data recipient outside the EEA.
(3) Transfers to Google LLC are carried out on the basis of valid legal mechanisms, including Standard Contractual Clauses (SCCs) and, where applicable, Google’s certification under the EU–US Data Privacy Framework.
(4) Additional technical safeguards, such as IP masking and limiting the association of behavioural data with other identifiers, are applied to protect the rights of data subjects.
SECTION VIII – Cookies and Tracking Technologies
Art. 26. To optimise website functionality and provide a personalised user experience, our platform uses cookies and similar tracking technologies activated during site navigation. These tools enable us to identify your device and store information about your preferences and usage patterns.
Art. 27. (1) Upon your first visit, you will be presented with a clear notification regarding our use of cookies, together with options for managing your preferences.
(2) Each section of the website provides access to a privacy control panel, allowing you to modify or withdraw cookie permissions at any time.
(3) Additionally, you may restrict or delete cookies through your browser settings according to your personal preferences.
SECTION IX – Final Provisions
Art. 28. If your rights under this Policy or applicable data protection legislation have been violated, you may file a complaint with the Commission for Personal Data Protection:
Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Telephone: 02/91-53-518
Website: www.cpdp.bg
Art. 29. (1) The Administrator reserves the right to update or amend this Privacy Policy at any time.
(2) Any change will be published prominently on the website, and users will be appropriately informed (e.g., via on-site notice or email).
(3) A revision becomes effective for you upon the earliest of:
- receiving direct notification and not objecting within 14 days; or
- 14 days after publication of the updated Policy on the website.
(4) Continued use of the website or our services after the effective date constitutes unambiguous acceptance of the updated terms.
Art. 30. (1) For all matters not explicitly regulated by this Policy, Bulgarian legislation and Regulation (EU) 2016/679 (GDPR) shall apply.
(2) Any disputes between the Administrator and the data subject will be resolved amicably. If agreement cannot be reached, the dispute shall be referred to the competent Bulgarian court at the Administrator’s registered seat.
Art. 31. (1) If any provision of this Policy is declared unlawful, invalid or unenforceable by a competent court, that provision shall be removed from the document.
(2) All remaining provisions shall continue to apply and remain binding upon the Administrator and the data subjects.
Art. 32. This Privacy Policy is approved and enters into force as of 10 November 2025.