Privacy policy

PERSONAL DATA PROCESSING POLICY

Information about the Personal Data Controller:

Hostado Solutions LTD is a company registered in the Commercial Register of the Registry Agency of Bulgaria under UIC 208502081.

We process your personal data on the following legal grounds:

  • The contract concluded between us and you, in order to fulfill our obligations under it;
  • Your explicit consent – the purpose is specified in each particular case;
  • Where processing is required by law.

In the following sections, you will find information regarding the processing of your personal data depending on the legal basis on which we process them.

FOR THE PERFORMANCE OF A CONTRACT OR IN THE CONTEXT OF PRE-CONTRACTUAL RELATIONS

We process your personal data in order to fulfill our contractual and pre-contractual obligations and to exercise the rights arising from contracts concluded with you.

Purposes of processing:

  • Verification of your identity;
  • Management and execution of your request and the performance of a concluded contract;
  • Preparation and issuance of invoices for the services you use with us;
  • Retention of correspondence related to orders placed, request processing, problem reporting, etc.;
  • Creation of a user profile;

Based on the contract concluded between us, we process information regarding the type and content of the contractual relationship, as well as any other information related to the contractual relationship, including:

  • Personal contact data – contact address, email, phone number;
  • Identification data – full name, Personal Identification Number or Foreigner’s Personal Number, permanent address;
  • Data regarding orders placed;
  • Email, letters, information regarding your requests for troubleshooting, complaints, applications, grievances;
  • Information about credit or debit cards, bank account number or other banking and payment information related to payments made;

The processing of the above personal data is mandatory for us to be able to conclude and perform the contract with you.

We may provide your personal data to third parties, with the primary purpose of offering you high-quality, fast, and comprehensive services. We provide personal data to the following categories of recipients (personal data controllers): entities providing consultancy services in various fields related to Hostado.

The data collected on this basis is deleted 5 years after termination of the contractual relationship, regardless of whether due to contract expiration, termination, or other grounds. This term is determined by the 5-year statutory limitation period for possible claims arising from the contract.

FOR THE FULFILLMENT OF LEGAL OBLIGATIONS

It is possible that a legal obligation requires us to process your personal data. In such cases, we are obliged to carry out the processing, for example:

  • Obligations under the Measures Against Money Laundering Act;
  • Fulfillment of obligations related to distance selling, off-premises sales, as provided for in the Consumer Protection Act;
  • Providing information to the Consumer Protection Commission or third parties, as provided by the Consumer Protection Act;
  • Providing information to the Commission for Personal Data Protection in connection with obligations under data protection legislation;
  • Obligations under the Accounting Act and the Tax and Social Insurance Procedure Code and other related regulations regarding lawful accounting;
  • Providing information to the court and third parties within legal proceedings, in compliance with the applicable legal requirements;
  • Verification of age in online purchases.

The data collected under statutory obligations is deleted once the obligation for collection and retention has been fulfilled or no longer applies. For example:

  • Under the Accounting Act – retention and processing of accounting data (11 years);
  • Obligations to provide information to the court, competent state authorities, and other grounds provided under current legislation (5 years).

When required by law, we may provide your personal data to the competent state authority, individual, or legal entity.

WITH YOUR CONSENT

We process your personal data on this basis only after your explicit, unambiguous, and voluntary consent. We will not impose any unfavorable consequences on you if you refuse the processing of your personal data.

Consent is a separate legal ground for processing your personal data, and the purpose of processing is specified therein. It does not overlap with the purposes listed in this policy. If you provide us with the relevant consent, until its withdrawal or the termination of any contractual relationship with you, we may prepare tailored offers for products/services.

On this basis, we only process the data for which you have given your explicit consent. The specific data is determined for each individual case. Typically, the data includes:

  • Email;
  • Phone;
  • Address;
  • Names;

On this basis, we may provide your data to marketing agencies and third parties.

Consent may be withdrawn at any time. Withdrawal of consent does not affect the performance of contractual obligations. If you withdraw your consent for processing your personal data in one or all of the ways described above, we will no longer use your personal data for the specified purposes.

The data collected on this basis is deleted upon your request or 1 year after its initial collection.

PROCESSING OF ANONYMIZED DATA

We may process your data for statistical purposes, meaning analyses where the results are only aggregated and, therefore, the data is anonymous. Identifying a specific individual from this information is impossible.

How We Protect Your Personal Data

To ensure adequate protection of the company’s and our clients’ data, we apply all necessary organizational and technical measures provided for under the Personal Data Protection Act.

For maximum security during processing, transfer, and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.

User Rights

Every user of the website enjoys all rights relating to the protection of personal data under Bulgarian legislation and EU law. Each user has the right to:

  • Be informed (regarding the processing of their personal data by the controller);
  • Access their personal data;
  • Rectification (if the data is inaccurate);
  • Erasure of personal data (the “right to be forgotten”);
  • Restriction of processing by the controller or processor;
  • Data portability between different controllers;
  • Object to the processing of their personal data;
  • Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them in a similar way;
  • Seek protection through judicial or administrative proceedings if their data subject rights have been violated.

The user may request erasure if one of the following applies:

  • The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • The user withdraws their consent on which the processing is based and there is no other legal ground for the processing;
  • The user objects to the processing and there are no overriding legitimate grounds for the processing;
  • The personal data has been unlawfully processed;
  • The personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the controller;
  • The personal data has been collected in relation to the provision of information society services to children, where consent was given by the holder of parental responsibility over the child.

The user has the right to restrict the processing of their personal data by the controller where:

  • The accuracy of the personal data is contested. In this case, processing is restricted for a period enabling the controller to verify the accuracy of the personal data;
  • The processing is unlawful, but the user does not want the personal data to be erased and requests the restriction of its use instead;
  • The controller no longer needs the personal data for the purposes of the processing, but the user requires it for the establishment, exercise, or defense of legal claims;
  • The user has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the user.

Right to Data Portability

The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller without hindrance, where the processing is based on consent or on a contractual obligation and is carried out by automated means. Where technically feasible, the data subject has the right to obtain the direct transfer of personal data from one controller to another.

Right to Object

Users have the right to object to the controller to the processing of their personal data. The controller is obliged to cease the processing unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. If the objection concerns processing for direct marketing purposes, the processing must cease immediately.

Complaint to the Supervisory Authority

Every user has the right to lodge a complaint against unlawful processing of their personal data with the Commission for Personal Data Protection or with the competent court.

 

Last updated: 09.09.2025