Privacy Policy

General

The current privacy policy is an integral part of the General Terms of DXA Soft and covers matters related to personal data, including what information we collect as the Administrator of personal data, how we use it, and what rights users have in this regard.

Administrator's identification:

DXA Soft

Headquarters and management address:

Plovdiv, Stamat Ikonomov 13 B

Company ID:

207601071

VAT number:

BG207601071

Responsible person:

Hristo Dimitrov, Dejan Pandurski, Aleksandar Chernozemski

DXS Soft treats as personal data any information that identifies a specific individual or relates to an individual through which that person can be identified. Processing of personal data constitutes an action or a set of actions that can be carried out concerning personal data using automatic or other means.

I. How do we collect information about you?

1. We collect personal data with explicit consent from the concerned individual. When you register on our website or use any of the forms, you voluntarily provide us with specific information, which we process and store. This information may include: name, middle name, surname, email address, phone number, comments, and any other information you provide us. You may choose to share location data or photos with us. We may prefer to limit the volume of data we store and process, depending on the processing purposes. In contractual relationships, for the fulfillment of the contract, we necessarily obtain the following personal data: name, middle name, surname, personal identification number, address, email, phone number.
2. In case you decide to purchase a product or order a specific service through the dxasoft.com website, we collect information about the address, phone number, and details of the product or service you have ordered.
3. When connecting your profile with your Facebook or Google profile or with other third-party services, we receive information from those profiles (for example, friends or contacts). The information we receive from these services depends on the settings and privacy statements, so each individual should verify what they are.
4. Additionally, we collect technical information when you use our website. Each time you use the site or any other internet service, the system automatically generates and records specific information. Here are some of the categories of information we collect:
   1. Data in log files: When you use the site, our servers record information ('log data'), including information that your browser automatically sends when you visit a website or use your mobile application. This log data includes the internet protocol address, the address and activity of the websites you visit, searches, browser type and settings, date and time of your request, how you used the site, cookie data, and device data. If you wish to receive more details about the information we collect, please contact us using the contact form.
   2. Cookie data: We also use "cookies" (small text files sent from your computer each time you visit our website) or similar data capture technologies. When using "cookies" or similar technologies, we employ session cookies (which continue until you close your browser) or persistent cookies (which continue until you or your browser delete them). For instance, we use cookies to store your language preferences or other settings, so you don't have to adjust them each time you visit the site. Some of the cookies we use are linked to your profile (including information about you, such as the email address you provided), while others are not. For more detailed information about how we use cookies, please review our "cookie" policies.
   3. Device information: In addition to data in the log, we collect information about the device you use to access our website, including device type, operating system, settings, unique device identifiers, and crash data that help us understand when something breaks. Whether we collect part or all of the information often depends on the type of device you use and its settings. For example, there are different types of information depending on whether you use a Mac, a computer, an iPhone, or an Android phone. To learn more about what information your device makes available to us, please check the manufacturer's device policies or software provider.

II. What we do with the information we collect. Purposes and processing time:

Objectives

DXA Soft processes and stores the above-mentioned personal data solely for the purpose of fulfilling its contractual obligations, specifically for processing user requests, conducting deliveries, as well as for the following purposes:

1. Based on Article 6, point 1, letter b of the Regulation – for the establishment of pre-contractual relations;
2. Based on Article 6, point 1, letter b of the Regulation – for the fulfillment of already arising contractual obligations.
3. Based on Article 6, paragraph 1, letter a and Article 7 of the Regulation – for non-personalized advertising;
4. Based on Article 6, paragraph 1, letter a and Article 7 of the Regulation – for personalized advertising;
5. Based on Article 6, paragraph 1, letter e – for marketing purposes.
6. Based on Article 6, paragraph 1, letter e of the Regulation – for retargeting related to marketing, remarketing, or optimization purposes.

Duration

Data is stored and processed as long as the user account is active and for 1 year after its deactivation or deletion, and as long as it is necessary for providing our services. In the event of a corresponding request, the information is promptly destroyed.

III. Rights you may exercise regarding your personal data:

All rights are exercised, and respective requests and notifications concerning data subjects' rights are submitted through the CONTACT FORM FOR QUERIES RELATED TO PERSONAL DATA via email or by mail to the management address indicated above. Requests are made in a manner that allows the identity of the applicant to be identified. With respect to some rights, technical options for their exercise may be applicable, such as an Unsubscribe button. In all cases, the administrator must respond to the request or address the declared right to the provided contact address or email in a period of one month from receiving it.

According to the General Data Protection Regulation, the data subject has the right to:

• Information (regarding the processing of their personal data by the administrator). When there is a risk of a breach of the security of your personal data, the administrator is obliged to inform you about the nature of the breach, the measures taken to address it, and whether the supervisory authority has been notified of the breach.
• Access to your own personal data and the right to withdraw consent for processing. As a data subject, you have the right to request confirmation of whether your personal data is being processed and, if so, access to your data and the following information: the purpose of processing data, the types of personal data processed, recipients of the data, and the processing period. Access requests should be drafted in written or electronic form and addressed to the administrator. Additionally, you have the right to withdraw your consent for processing your personal data at any time.
• Rectification (if data is inaccurate). As a data subject, you have the right to request correction of your inaccurate/outdated personal data. To achieve this, a separate request should be submitted. Your request will be answered by the administrator in writing, sent to the provided email address.
• Erasure of personal data (the right to be forgotten). As a data subject, you have the right to be forgotten, meaning to request the deletion of your personal data without undue delay. The administrator should erase your data from all systems and records where it is stored, including notifying all third parties/processors to whom the data has been provided. Requests for erasure can be made under the grounds provided in the Regulation, including when: personal data is no longer necessary for the purposes for which it was collected; you have withdrawn your consent; you have objected to the processing; the processing is unlawful; the personal data needs to be deleted to comply with a Union or Member State law; personal data was collected concerning the offer of information society services. The administrator may refuse to delete personal data based on reasons specified in the Regulation, such as when processing is for: exercising the right of freedom of expression and information; performing a legal obligation or task carried out in the public interest or in the exercise of official authority; for public health purposes; archiving for purposes in the public interest, scientific or historical research, or statistical purposes; or establishing, exercising, or defending legal claims.
• Restriction of processing by the administrator or data processor. As a data subject, you have the right to request that the administrator of your personal data restricts its processing. Restrictions are allowed in the following cases: - when you believe your personal data is inaccurate, in which case the restriction is applied until the administrator verifies its accuracy; - when the processing of your personal data is unlawful, but you do not want it to be deleted, but only to be restricted in use; - when the administrator no longer needs your personal data for the purposes of processing, but you, as the data subject, require it to establish, exercise, or defend legal claims; - when you have objected to the processing pending the verification of the legitimate grounds of the administrator overruling your interests. To achieve this, a request must be made if any of the above conditions are met.
• Data portability, including between different administrators. The data subject has the right to data portability – to receive the personal data that concerns them and that they have provided to the administrator in a structured, commonly used, and machine-readable format and have the right to transfer this data to another administrator without hindrance from the initial administrator to whom the personal data was provided, when the processing is based on consent or a contractual obligation and is carried out by automated means. When exercising the right to data portability, the data subject has the right to obtain a direct transfer of personal data from one administrator to another when technically feasible.
• Objection to the Processing of Personal Data: As a data subject, you have the right to object to the processing of your personal data at any time, including when it concerns direct marketing purposes. The administrator should provide reasons whether they accept the objection or why they continue processing personal data if the objection is rejected.
• Right Not to Be Subject to Solely Automated Decision-Making: The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that significantly affects the data subject or results in legal implications. The data subject has the right to challenge automated decisions at any time.
• Right to Judicial or Administrative Protection: As a data subject, you have the right to file a complaint against the processing of your personal data or the infringement of your rights concerning data protection to the competent supervisory authority - Commission for Personal Data Protection, address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2 (www.cpdp.bg). Additionally, a person who has suffered material or immaterial damage due to a breach of this regulation has the right to receive compensation from the data controller or processor for the damages caused.
• Security: We have implemented numerous technical, legal, and organizational measures to protect the personal data of every individual. To prevent unauthorized access, we employ encryption procedures in specific areas. Moreover, we use SSL protocols to prevent data abuse by third parties. We do not share data with third parties except when necessary for delivering ordered goods.
  It is possible that we use third-party services that act as processors of personal data for the aforementioned processing purposes. These entities process personal data on our behalf and are obliged to comply with the current provisions for personal data protection. These entities are carefully selected by us and have access only to the data necessary for providing the services for which they are engaged, within the scope of the consent expressed to us. In case these entities are outside the EU and do not meet the necessary GDPR requirements, based on their status as a regulatory act, we will ensure data protection through contractual or other legal instruments. Additionally, personal data may be provided to state or municipal authorities exercising various controls within the law.
• Advertisement: By confirming the account registration request, confirming a service or product order, the user explicitly consents to the processing and transfer of their personal data for one or more of the following purposes:
  1. Including the user's feedback and opinions in marketing research through electronic methods - via email or messenger.
  2. Receiving electronic communications for product, service, and other promotional messages on all owned devices.
  3. Receiving personalized advertising tailored to the user's preferences. Personalization is based on an assessment of the user's behavior data.
  4. Receiving non-personalized advertisements. Users will receive information about current products, services, initiatives, and other promotional messages.
• Declaration: In the process of processing personal data, DXA Soft adheres to the principles of European and national legislation related to the protection of individuals' personal data. By applying a package of organizational, technical, and legal measures, we aim to ensure a high level of security for personal data, protecting against unauthorized processing, destruction, or damage.

The individuals have the right to file a COMPLAINT against the controller and/or processor of personal data for violations of their rights under Regulation (EU) 2016/679 and/or the Personal Data Protection Act, or to lodge a REPORT of a breach of legislation when your rights are not affected.
The complaint or report must contain:

• Details of the complainant - name, correspondence address, permanent address, contact phone, email (if available).
• Nature of the complaint or report.
• Date of becoming aware of the alleged breach.
• Identification of the person against whom the complaint or report is made.
• Any other information or documents as provided for by law or in the Rules of Procedure of the Commission for Personal Data Protection and its administration.
• Date and signature (for electronic documents - a qualified electronic signature, for paper documents - handwritten).

You can file a complaint or report to the Commission for Personal Data Protection in one of the following ways:

• In person with a physical document - at the Commission for Personal Data Protection's registry office, located at: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592.
• By mail at the address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Commission for Personal Data Protection.
• By fax at 029153525.
• Via email to CPDP's email address: kzld@cpdp.bg. IMPORTANT! When submitting a complaint via email, it must be in the form of an electronic document, signed with a qualified electronic signature (QES). Complaints that are scanned or photographed and sent to their email without a QES signature will not be considered by the CPDP.
• Through the Secure Electronic Delivery System maintained by the State e-Government Agency.