PERSONAL DATA PROTECTION POLICY

Information about the Administrator of personal data:

"Grow Easy Ads" Ltd is a commercial company /also referred to as "the company"/ "the agency"/, registered on the grounds of the Commercial Law of the Republic of Bulgaria and in accordance with the rules of the Law on the Commercial Register and the Register of Non-Profit Legal Entities, with UIC: 205775331, with registered office and addres in Sofia, p.c. 1000, Vazrazhdane district, "Pirotska" Str. №9, 4th floor, and is represented by the manager of the company – Kristian Ivov Milenov, with internet address: www.groweasy.bg, e-mail: office@groweasy.bg.

The company has the following business activities as per the Articles of association: Provision of advertising, information, programming and consulting services; purchase of goods or other items for the purpose of resale in original, processed or processed form; sale of goods of its own production; commercial representation and brokerage, commissions, forwarding and transportation transactions, warehouse transactions, licensing transactions, commodity control, intellectual property transactions, hotel, tourist, impresario or other services, purchase, as well as any other activity not prohibited by law.

DEFINITIONS

As per the definitions of the applicable legislation and this Data Protection Policy: "Personal data" is any information related to an identified natural person or a natural person who can be identified ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifying element such as a name, an identification number /personal identification number/, location, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Data processing” means any operation or set of operations that is performed with personal data by the Administrator, whether or not by automated means, which may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available on the data.

“Basic data” means names, telephone number, email address;

“Data subject” means any living natural person to whom specific personal data relate;

“Network/Traffic Data” means data processed in an electronic communications network for the purpose of transmitting, distributing or exchanging electronic communications content, including data used to trace and identify the source of the communication, location and device type data, generated in the context of the provision of electronic communications services, as well as date, time, duration and type of communication, data on service consumption, etc.;

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Controller/Administrator” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its determination may be laid down in Union or Member State law;

“Processor” means a natural or legal person, public authority or other body which processes personal data on behalf of the controller;

“Consent of the data subject“ means any freely given, specific, informed and unambiguous indication of the data subject’s affirmation, by which the subject, by a statement or by a clear affirmative actions, signifies agreement to personal data relating to him or her being processed;

“Profiling“ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain aspects relating to a natural person, in particular to analyse or predict aspects relevant to the lawful processing of personal data concerning that person;

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“Recipient” means a natural or a legal person, public authority, agency or other body to whom personal data are disclosed.

“Third party” means any natural or legal person/company, public authority, agency or other entity other than the data subject, the controller, the processor and the persons under the direct authority of the controller or the processor who are authorized to process the personal data.

“Partners” are natural or legal persons with which Grow Easy Ads Ltd has concluded partnership agreements and which provide various products and services.

GROUNDS AND PURPOSES FOR WHICH WE USE YOUR PERSONAL DATA.

We process your personal data on the following grounds:

  • A contract concluded between us in order to fulfill our obligations under it;
  • Your explicit consent - the purpose is specified for each specific case;
  • When required by law.

In the following paragraphs you will find detailed information regarding the processing of your personal data depending on the legal basis on which we process them.

FOR THE PERFORMANCE OF OBLIGATIONS UNDER A CONTRACT OR IN THE CONTEXT OF PRE-CONTRACTUAL RELATIONS.

We process your personal data in order to fulfill contractual and pre-contractual obligations and to exercise the rights under contracts concluded with you.

Purposes of processing:

  • establishing your identity;
  • managing and fulfilling your request/inquiry and fulfilling a concluded contract;
  • preparing a proposal in order to conclude a contract;
  • preparing and sending an invoice for the services you use with us;
  • providing you with the necessary comprehensive service, as well as collecting the amounts due for the services provided and used;
  • maintaining correspondence with regard to orders placed, processing requests, reporting problems, etc.;
  • notifying you of anything related to the services you use with us;
  • identifying and/or preventing illegal actions or actions in conflict with our terms for the relevant services;

Data that we process on this basis: Based on the contract concluded between us, we process information about the type and content of the contractual relationship, as well as any other information related to the legal interaction, including:

  • personal contact data - telephone number, e-mail;
  • identification data - names;
  • other information in relation to your actions on our website;
  • feedback from you regarding the work with our website and/or the services/products provided by us.

The processing of the specified personal data is mandatory for us in order to be able to conclude the contract with you and fulfill it. Without you providing us with the data stated above, we would not be able to fulfill our obligations under the contract.

We provide personal data to third parties. We provide your personal data to third parties, as our main goal is to offer you high quality, fast and comprehensive service. We do not provide your personal data to third parties before we ensure that all technical and organizational measures have been taken to protect this data, and we strive to exercise strict control to fulfill this purpose. In this case, we remain responsible for the confidentiality and security of your data. We provide personal data to the following categories of recipients (personal data administrators):

  • postal operators and courier companies;
  • persons who, by assignment, maintain equipment, software and hardware used for processing personal data and necessary for the company's activities;
  • persons performing consulting services in various fields - accounting services, legal consultations and others.

When do we delete the data collected on this basis? We delete the data collected on this basis 5 years after the termination of the contractual relationship, regardless of whether due to the expiration of the contract, unilateral terminaton or other reason resulting in the termination of the relation between you and our company.

FOR FULFILMENT OF REGULATORY OBLIGATIONS.

The applicable law may provide for an obligation to process your personal data. In these cases, we are obliged to carry out the processing, such as:

  • obligations under the Anti-Money Laundering Measures Act;
  • fulfillment of obligations in relation to distance selling, off-premises selling, provided for in the Consumer Protection Act;
  • provision of information to the Consumers Protection Commission or third parties, provided for in the Consumer Protection Act;
  • provision of information to the Personal Data Protection Commission in relation to obligations provided for in the legal framework for the protection of personal data;
  • obligations provided for in the Accountancy Act and the Tax and Social Security Procedure Code and other applicable legal acts, in relation to keeping legal accounting;
  • provision of information to the respective court and third parties, within the framework of proceedings before a court, in accordance with the requirements of the legal acts applicable to the proceedings;

When do we delete the personal data collected on this basis? We delete data collected pursuant to a statutory obligation after the obligation to collect and store it has been fulfilled or has lapsed. For example:

  • under the Accountancy Act for the storage and processing of accounting data (10 years),
  • obligations to provide information to a court, competent state authorities, etc. grounds provided for in applicable legislation (5 years).

Provision of data to third parties. When a statutory obligation is provided for us, we may provide your personal data to the competent state authority, natural or legal person.

AFTER YOUR CONSENT:

We process your personal data on this basis only after your explicit, unambiguous and voluntary consent. We will not apply any adverse consequences for you if you refuse to process your personal data. Consent is a separate ground for processing your personal data and the purpose of the processing is specified therein, and does not cover the purposes listed in this Policy. If you give us the relevant consent and until its withdrawal or termination of any contractual relations with you, we prepare suitable product/service offers for you by performing detailed analyses of your basic personal data; Detailed analysis is a method of performing analysis that allows processing of large volumes of data through statistical models and algorithms and others that include the use of personal data, as well as processes of pseudonymization and anonymization in order to extract information about trends and various statistical indicators.

Data that we process on this basis: On this basis we only process the data for which you have given us your explicit consent. The specific data is determined for each individual case. Typically, the data includes:

  • Email;
  • Telephone;
  • Two names;

Provision of data to third parties. On this basis, we may provide your data to partner agencies (in the event of a subcontracting clause in the contract), Facebook, Google and/or other similar organizations.

Withdrawal of consent. The consents given can be withdrawn at any time. The withdrawal of consent has no impact on the performance of contractual obligations. If you withdraw your consent to the processing of personal data in any or all of the ways described above, we will not use your personal data and information for the purposes specified above. The withdrawal of consent does not affect the lawfulness of the processing based on a given consent before its withdrawal. To withdraw the given consent you only need to use our contact details on the website and send us a withdraw claim.

When do we delete the data collected on this basis? We delete the data collected on this basis upon your request or 6 months after the termination of the basis for this collection

PROCESSING OF ANONYMOUS DATA.

We process your data for statistical purposes, that is, for analyses in which the results are generalized and therefore the data is anonymous. Identification of a specific person from this information is not possible. Your data can also be anonymized. Anonymization is an alternative to deleting data. With anonymization, all personally identifiable elements /elements that allow you to be identified/ are irreversibly deleted. There is no statutory obligation to delete anonymized data, as they do not constitute personal data.

Why and how do we use automated algorithms? For the processing of your personal data, we use partially automated algorithms and methods in order to constantly improve our products and services to adapt them to your needs in the best possible way. This process is called profiling.

How do we protect your personal data? To ensure adequate protection of the company's and its clients’ data, we implement all necessary organizational and technical measures provided for in the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data. The company has established internal rules to prevent abuse and security breaches. For the purpose of maximum security in the processing, transfer and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.

Personal data that we have received from 3rd parties. We may receive personal data about you from our other clients/partners/users of services/products.

User Rights. Each User of our website shall have all rights of protection of personal data in accordance with Bulgarian legislation and European Union law. The User can exercise his rights through the contact form or by sending a message to our email.

Each User has the right to:

  • Information (in relation to the processing of his/her personal data by the administrator);
  • Access to his/her own personal data;
  • Correction (if the data is inaccurate);
  • Erasure of personal data (the “right to be forgotten”);
  • Restriction of processing by the administrator or processor of personal data;
  • Portability of personal data between individual administrators;
  • Objection to the processing of his/her personal data;
  • The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or significantly affects him/her in a similar way;
  • Right to judicial or administrative defense in the event that the data subject's rights have been violated.

The User may request erasure if one of the following conditions is met:

  • The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • The user withdraws his/her consent on which the processing of the data is based and there is no other legal basis for the processing;
  • The user objects to the processing and there are no overriding legitimate grounds for the processing;
  • The personal data have been processed unlawfully;
  • The personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;

The user has the right to restrict the processing of his/her personal data by the controller where:

  • The user contests the accuracy of the personal data. In this case, the restriction of the processing shall be for a period enabling the controller to verify the accuracy of the personal data;
  • The processing is unlawful but the user does not wish the personal data to be erased but requests the restriction of their use instead;
  • The Administrator no longer needs the personal data for the purposes of the processing, but the User requires them for the establishment, exercise or defense of legal claims;
  • objects to the processing pending verification of whether the legitimate grounds of the Controller override the interests of the User.

Right to portability. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and electronically-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where the processing is based on consent or a contractual obligation and the processing is carried out by automated means. When exercising the right to data portability, the data subject shall also have the right to obtain the direct transmission of the personal data from one controller to another, where technically feasible.

Right to object. Users shall have the right to object to the processing of their personal data to the controller. The controller shall be obliged to cease processing unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. If you object to the processing of personal data for direct marketing purposes, the processing shall cease immediately.

Complaint to the supervisory authority Each User has the right to file a complaint against unlawful processing of his/her personal data with the Personal Data Protection Commission or the competent court.

Maintaining a register We maintain a register of the processing activities for which we are responsible. This register contains all the information listed below:

  • the name and contact details of the controller
  • the purposes of the processing;
  • a description of the categories of data subjects and the categories of personal data;
  • the categories of recipients to whom the personal data are or will be disclosed;
  • including recipients in third countries or international organizations;
  • where possible, the deadlines for erasure of the different categories of data;
  • where possible, a general description of the technical and organizational security measures.

This Personal Data Protection Policy /Privacy Policy/ was adopted and approved on 11.12.2024 from the manager of "Grow Easy Ads" Ltd, UIC: 205775331 – Kristian Ivov Milenov.