
Privacy Policy

Last updated:

Introduction

CompanyBook.bg ("we", "us" or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use and protect your data when you use our website and services.

Company Information

Legal Entity: ООД

UIC: 207473602

Address: Sofia 1113, Izgrev District, 8 Tsarigradsko Shose Blvd., bl. 4, ent. A, fl. 1, apt. 2

Information We Collect

We collect various types of information to provide and improve our services:

1. Data You Provide Voluntarily

  • Contact Forms: When you fill out a contact or subscription form, we collect name, email address, phone number and UIC (if applicable).
  • Inquiries: Content of your messages and correspondence with us.
  • User Accounts: When you create a user account, we collect:
    • Name (required)
    • Email address (required)
    • Password (stored as a cryptographic hash using bcrypt, never in plain text)
    • Phone number (optional)
    • Company UIC (optional)
    • Registration date
    • Email verification status
  • Privacy Violation Reports: When you submit a privacy violation report, we collect:
    • Your name (required)
    • Your email address (required)
    • UIC of the affected company (required)
    • Issue type (required)
    • URL of the problematic document (required)
    • Problem description (required)
    • Date and time of report submission

    This data is used exclusively to investigate and resolve the reported issue. Reports are retained for 12 months, after which they are automatically deleted. You have the right to request deletion of your report at any time.

2. Automatically Collected Data

  • Cookies and Tracking Technologies: We use cookies for traffic analysis and improving your experience.
  • Google Analytics: We collect anonymized visit data, including IP address (anonymized), browser, operating system, pages visited and time spent.
  • Server Logs: IP address, browser type, timestamps and URLs.

3. Data from Public Sources

CompanyBook.bg provides access to publicly available data from the Registry Agency, published on data.egov.bg under CC-BY license. This data includes:

  • Legal entity name, UIC, address
  • Management and ownership information
  • Contact data (phone and email), voluntarily declared by companies
  • Data on related individuals (names, roles)

Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases according to Regulation (EU) 2016/679 (General Data Protection Regulation):

  • Consent (Art. 6(1)(a) GDPR): When you fill out a contact form or accept cookies, you give explicit consent for processing your information.
  • Contract Performance (Art. 6(1)(b) GDPR): Your user account data is necessary to provide the services you requested (e.g., document downloads, access to financial data).
  • Legitimate Interest (Art. 6(1)(f) GDPR): For responding to inquiries, improving our services, and using the session_token cookie to authenticate your identity.
  • Legal Obligation (Art. 6(1)(c) GDPR): For compliance with applicable law.

How We Use Your Information

We use your personal information for the following purposes:

  • Responding to your inquiries and questions
  • Managing your user account and providing services
  • Authenticating your identity when logging into your account
  • Sending email notifications regarding your requests, email verification, and password reset
  • Providing access to documents and financial data (for registered users)
  • Generating and managing API keys for access to our REST API
  • Improving the functionality and content of our website
  • Analyzing traffic and user behavior (through Google Analytics)
  • Measuring advertising campaign effectiveness and tracking conversions (through Google Ads)
  • Ensuring security and preventing fraud
  • Complying with legal requirements

Data Storage and Security

Your personal information is stored securely using industry security standards:

  • Infrastructure: Our website is hosted on Cloudflare Pages with HTTPS encryption.
  • Database: User account data is stored in a secure MongoDB database with automatic deletion of expired sessions.
  • Password Security: Passwords are never stored in plain text. We use bcrypt hashing with cost factor 12 for cryptographic password protection.
  • Session Security: Session tokens are hashed with SHA-256 before storage in the database. Only the hashed version is stored, and the original token is sent only as an HttpOnly, Secure, SameSite=Strict cookie.
  • Email Services: We use Resend (based in the USA) for sending verification, password reset, and contact form emails.
  • API: Our API is hosted on Cloudflare Workers with modern security.
  • Security Measures: We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure or destruction.

Third Party Services

We share your data with the following service providers that help us manage our website:

  • Google Analytics: For traffic analysis (data processed in the USA and EU). Google is certified under the Data Privacy Framework for data transfers.
  • Google Ads: For measuring advertising campaign effectiveness and conversion tracking (data processed in the USA and EU). Google is certified under the Data Privacy Framework for data transfers.
  • Cloudflare: For hosting and CDN services (data may be processed in the USA and EU).
  • Resend: For sending transactional emails (email verification, password reset, contact forms). Data is processed in the USA. Resend processes only your name and email address for the purposes of email delivery.

These providers are contractually obligated to protect your data and use it only for purposes we specify. International data transfers to the USA are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and/or the Data Privacy Framework.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to improve your site experience and analyze traffic.

When you first visit our website, you will see a cookie consent banner. You can choose to:

  • Accept All Cookies: Allows us to use both necessary and analytical cookies.
  • Accept Only Necessary Cookies: Allows only essential cookies required for website functionality.
  • Manage Preferences: You can customize which types of cookies you want to accept.

Types of Cookies We Use:

1. Necessary Cookies

We use the following strictly necessary cookies for the website's core functionality. These cookies cannot be disabled.

  • cc_cookie - Stores your cookie preferences (expiry: 6 months)
  • cf_clearance - Cloudflare security (expiry: variable)
  • session_token - Authenticates your identity when logged into your account (expiry: up to 30 days or until browser closes). This cookie is HttpOnly (cannot be accessed by JavaScript), Secure (only over HTTPS), and SameSite=Strict (protection against CSRF attacks).

2. Analytics Cookies (Google Analytics)

We use Google Analytics to track visits and analyze user behavior. These cookies are activated only if you give consent.

Cookies: _ga, _gid, _gat

Expiry: Up to 2 years (_ga), 24 hours (_gid), 1 minute (_gat)

3. Advertising Cookies (Google Ads)

We use Google Ads to measure advertising campaign effectiveness and track conversions. These cookies are activated only if you give consent.

Cookies: _gcl_au, _gcl_aw, _gcl_dc, _gac_*

Expiry: Up to 90 days

You can change your cookie preferences at any time by clicking "Cookie Settings" in the footer of our website.

Your GDPR Rights

If you are located in the European Union or Bulgaria, you have the following rights regarding your personal data under Regulation (EU) 2016/679:

  • Right of Access (Art. 15 GDPR): You can request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16 GDPR): You can request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17 GDPR): You can request deletion of your personal data ("right to be forgotten").
  • Right to Restriction (Art. 18 GDPR): You can request restriction on how we use your data.
  • Right to Data Portability (Art. 20 GDPR): You can request a copy of your data in machine-readable format.
  • Right to Object (Art. 21 GDPR): You can object to processing of your data.
  • Right to Withdraw Consent: You can withdraw your consent at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the Commission for Personal Data Protection (CPDP) or your local supervisory authority.

To exercise any of these rights, please contact us through the contact form on our website. If you have a user account, you can also manage your data directly from your account settings. We will respond to your request within one month.

Note for registered users: You can update your personal information (name, phone, UIC) from your account page. For account deletion or exporting all your data, please contact us.

Commission for Personal Data Protection (CPDP)

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection:

Commission for Personal Data Protection (CPDP)

2 Prof. Tsvetan Lazarov Blvd.

1592 Sofia, Bulgaria

Phone: +359 2 915 3 518

Email: [email protected]

Website: https://www.cpdp.bg

Children's Privacy

Our services are not directed to persons under 18 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us through the contact form on our website and we will delete the information.

Data Retention Period

We retain your personal data only as long as necessary for the purposes for which it was collected:

  • User Account Data: Until account deletion or upon your request for deletion
  • Authentication Sessions: Up to 30 days (with "Remember Me" option) or until browser closes. Expired sessions are automatically deleted.
  • Email Verification Tokens: 48 hours
  • Password Reset Tokens: 15 minutes
  • Contact Form Data: Up to 2 years after last communication
  • Analytics Cookies: Up to 2 years (_ga), 24 hours (_gid)
  • Server Logs: Up to 90 days

After the retention period expires, data is automatically deleted or anonymized for statistical purposes.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes, we will update the "Last updated" date at the top of this page.

We recommend you periodically review this Privacy Policy. If we make material changes, we will notify you via email (if you have provided an email address) or by posting a notice on our website.

Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we process your personal information, please contact us through the contact form on our website homepage.

Postal Address:
ООД
UIC: 207473602
Sofia 1113, Izgrev District
8 Tsarigradsko Shose Blvd., bl. 4, ent. A, fl. 1, apt. 2
Bulgaria

Legal Compliance

This Privacy Policy is developed in accordance with:

  • Regulation (EU) 2016/679 (GDPR) - General Data Protection Regulation
  • Personal Data Protection Act (PDPA) - Bulgarian data protection legislation
  • Electronic Commerce Act
  • Directive 2002/58/EC - Privacy and Electronic Communications Directive