Privacy Policy

1. Data Controller

The data controller responsible for your personal data is: Dzhukelov Solutions X EOOD, UIC 206958289, Address: Pazardzhik, 4400, Bulgaria, Email: privacy@finsense.bg, Phone: +359 888 133 388.

2. Personal Data We Collect

• Account data: name, email address, phone number, company name, country, and password (hashed).
• Billing data: payment method details (processed and stored by Stripe; we do not store full card numbers), billing address, VAT number, invoice history.
• Usage data: IP address, browser type, device information, pages visited, features used, session duration, and access timestamps.
• Financial data: any financial records, transactions, invoices, payroll data, and documents you create or upload through the Service.
• Communication data: messages you send to our support team, feedback, and survey responses.

3. Legal Basis for Processing

• Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you subscribed to.
• Legitimate interests (Art. 6(1)(f) GDPR): Service improvement, security, fraud prevention, and analytics.
• Legal obligation (Art. 6(1)(c) GDPR): Tax and accounting requirements, responding to legal requests.
• Consent (Art. 6(1)(a) GDPR): Marketing communications and non-essential cookies. You may withdraw consent at any time.

4. How We Use Your Data

We use your personal data to: provide, maintain, and improve the Service; process payments and manage subscriptions; send transactional notifications (account, billing, security alerts); provide customer support; detect and prevent fraud, abuse, and security incidents; comply with legal and regulatory obligations; generate anonymized, aggregated analytics to improve the Service. We do NOT sell your personal data to third parties.

5. Data Sharing and Third Parties

• Stripe (Ireland): Payment processing — PCI DSS Level 1 certified.
• Cloud hosting provider (EU): Server infrastructure — data stored exclusively within the European Union.
• Email service provider: Transactional and support emails.
• We may disclose data if required by law, court order, or governmental request. We will notify you of such requests unless legally prohibited from doing so.

6. International Data Transfers

Your data is stored and processed exclusively within the European Union. We do not transfer personal data outside the EU/EEA. If this changes in the future, we will ensure appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are in place and update this policy accordingly.

7. Data Retention

We retain your data for as long as your account is active plus 30 days after account closure to allow data export. Billing records are retained for 10 years as required by Bulgarian tax law. Support communications are retained for 3 years. Server logs are retained for 12 months. Anonymized analytics data may be retained indefinitely. You may request earlier deletion of your data, subject to legal retention requirements.

8. Data Security

We implement technical and organizational measures to protect your data, including: TLS/SSL encryption for all data in transit; AES-256 encryption for sensitive data at rest; bcrypt password hashing; role-based access controls; regular security audits and vulnerability assessments; automatic session expiration and brute-force protection; full audit trail of all data modifications.

9. Your Rights Under GDPR

• Right of access (Art. 15): Request a copy of your personal data.
• Right to rectification (Art. 16): Correct inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten").
• Right to restriction (Art. 18): Restrict processing of your data in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (CSV/JSON).
• Right to object (Art. 21): Object to processing based on legitimate interests.
• Right to withdraw consent: Withdraw consent for marketing or non-essential cookies at any time.
• To exercise any of these rights, contact us at privacy@finsense.bg. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Commission for Personal Data Protection of Bulgaria (CPDP) at www.cpdp.bg or your local EU supervisory authority.

10. Cookies

We use cookies and similar technologies as described in our Cookie Policy. You can manage your cookie preferences at any time through the cookie settings on our website.

11. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated via email or a prominent notice at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact & DPO