Data protection policy

  1. General provisions

    The Be Free LTD, registration number 205748672, a limited liability company incorporated and existing under the laws of Bulgaria, with legal address - Bulgaria, Sofia, 1000, Vazrajdane district, 25, Bratya Miladinovi Str., fl. 3, app. 6. (the Company, as Data Controller), within its business activity on the Online Platform (the Online Platform) receives from its users – individuals (the Client, or Data subject) and use certain personal data about them.

    All personal data provided by the Client to the Company is processing under the Data protection policy.

    Data protection policy (the Policy) has been developed by the Company in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the GDPR).

    Contact details of the Company are available on the Company`s website: (the Website).

    Contact details of the coordinator on personal data protection issues:

    The Company ensures, within the framework of applicable law (GDPR, national law), the confidentiality of personal data and has implemented appropriate technical and organisational measures to protect personal data from unauthorized access, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, personal data transmitted, stored or otherwise processed.

    The Company may use data processors for processing personal data. In such cases, the Company takes needed steps to ensure that such data processors process personal data under the instructions of the Company and in compliance with applicable law (GDPR, national law) and requires adequate security measures.

    The Policy applies if the Client uses, has used or has expressed an intention to use or is in other way related to any of the services or goods provided by the Company, including to the relationship with the Client established before this Policy entered into force.

  2. Personal data processing principals

    Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the Client.

    Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

    Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

    Personal data shall be accurate and, where necessary, kept up to date.

    Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

    Personal data shall be processed in a manner that ensures appropriate security of the Personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

    Personal data shall be processed in accordance with the rights of Data subjects under the GDPR.

    Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of the Client in relation to the processing of personal data. In the absence of the above stated in this clause, a transfer of personal data to a third country or an international organisation shall take place only under the conditions defined by the GDPR as derogation for specific situations.

  3. Categories of personal data

    Personal data may be collected from the Client and from the Client’s use of the services. Personal data categories which the Company primarily, but not only, collects and processes are:

    • Identification data such as name, personal identification code, date of birth, gender, data regarding the identification document (such as passport, ID card);
    • Contact data such as address, telephone number, email address, language of communication;
    • Financial data such as bank account number, name of the bank;
    • Data obtained and/or created while performing an obligation arising from law such as data resulting from enquiries made by investigative bodies, tax administrator, courts;
    • Communication data collected when the Client registers on the Website, communicates with the Company via e-mail, messages and other communication mechanisms such as social media, data related to the Client’s visit at the Company’s web sites or communicating through other the Company’s channels (such as Client account etc.);
    • Data related to the services and goods such as the performance of the agreements or the failure thereof, executed transactions, concluded agreements, submitted applications, requests and complaints;
    • Data about habits, preferences and satisfaction such as the activeness of using the services, services used, personal settings, survey responses, Client satisfaction, the history of the actions using the account by the Client;
    • Data about participation in events arranged by the Company, such as a video and photo material etc.
  4. Lawful ground and purposes for personal data processing

    All data processed by the Company will be done on the following lawful ground and purposes:

    contractual basis for the conclusion and performance of a contract (identification of the Client; delivery of products and provision of services; client support service; handling and processing of the objections, complaints; billing administration etc.);

    consent basis – in case of the improvement of services, developing new products and services; advertising of services or commercial purposes; the Client loyalty increasing, satisfaction measurements etc.;

    legitimate interests - in order to protect the Client's and/or the Company`s interest; to provide evidence relating to the contracts and their performance (recordings, submitted documents and other information); prevent, limit and investigate dishonest or unlawful use of the services and products provided by the Company; conduct commercial activity.

    The processing of personal data for the purpose of providing information to public authorities and subjects of operational activities is carried out on the basis of the fulfilment of the obligations defined by the law, in cases and to the extent established by external regulations.

    Where the Company intends to further process the personal data for a purpose other than that for which the personal data were collected, the Company shall provide the Client prior to that further processing with information on that other purpose and with any relevant further information.

  5. Profiling and automated decision - making

    Profiling means any form of automated processing of personal data, through the use of personal data for the purpose of assessing certain Client related personal aspects, in particular to analyse or predict aspects in relation to the Client's personal preferences, interests, behaviour and location.

    The Company can apply automated decision - making regarding to the Client. The Client will be informed about such activities of the Company separately in accordance with regulatory enactments.

    Automated decision - making that creates legal consequences for the Client may only be made in the course of the conclusion or execution of the agreement between the Company and the Client, or on the basis of the Client's consent.

  6. Recipients of personal data

    Personal data is shared with other recipients, such as:

    • Authorities (such as law enforcement authorities, tax authorities, supervision authorities and financial intelligence units etc.);
    • Auditors, legal and financial consultants, or any other processor authorized by the Company;
    • Debt collectors upon assignment of claims, courts, out-of-court dispute resolution body and bankruptcy or insolvency administrators;
    • Other persons related to provision of services of the Company (product suppliers, goods sellers, credit institutions and financial institutions, etc.).
  7. Personal data retention

    Personal data will be processed no longer than necessary.

    The retention period may be based on agreement with the Client, the legitimate interest of the Company or applicable law (such as laws related to bookkeeping, statute of limitations, civil law, etc.). After the circumstances specified herein are terminated, the Client's personal data is deleted.

  8. Data subject rights

    Data subject has rights regarding his/her personal data processing. Such rights are in general to:

    • Require his/her personal data to be corrected if it is inadequate, incomplete or incorrect;
    • Object to processing of his/her personal data, if the use of personal data is based on a legitimate interests, including profiling for direct marketing purposes (such as receiving marketing offers or participating in surveys);
    • Require the erasure of his/her personal data, for example, that is being processed based on the consent, if he/she has withdrawn the consent. Such right does not apply if personal data requested to be erased is being processed also based on other legal grounds such as agreement or obligations based on applicable law;
    • Restrict the processing of his/her personal data under applicable law, e.g. during the time when the Company assesses whether the Client is entitled to have his/her data erased;
    • Receive information if his/her personal data is being processed by the Company and if so then to access it;
    • Receive his/her personal data that is provided by him-/herself and is being processed based on consent or in order to perform an agreement in written or commonly used electronical format and were feasible transmit such data to another service provider (data portability);
    • Withdraw his/her consent to process his/her personal data. The withdrawal of the consent does not affect the processing of personal data performed at the time when the Client's consent was valid. Withdrawal of the consent cannot interrupt the processing of personal data performed on the other legal basis;
    • Not to be subject to fully automated decision-making, including profiling, if such decision-making has legal effects or similarly significantly affects the Client. This right does not apply if the decision-making is necessary in order to enter into or to perform an agreement with the Client, if the decision-making is permitted under applicable law or if the Client has provided his/her explicit consent;
    • Lodge complaints pertaining to the use of personal data to the supervisory authority according to the article 77 of the GDPR, if he/she considers that processing of his/her personal data infringes his/her rights and interests under applicable law.

    The Client may submit a request for the exercise of his or her rights regarding the processing of personal data, including information on possible personal data protection breaches:

    • by e-mail, indicated the Client`s registration number and user name to identify the Client, and send to e-mail;
    • on the Company's Website in the created Client Account.

    Upon receiving the Client's request for the exercise of its rights, the Company verifies the Client's identity, evaluates the request and executes it in accordance with regulatory enactments.

    The Company shall respond to the Client's request in writing or by other means, including, if necessary, in electronic form (by e-mail or by sending it to the Client Account) taking into account, as far as possible, the manner in which the Client is provided with the response. When requested by the Client, the information may be provided orally, provided that the identity of the Client is proven.

    The Company shall provide information on action taken on a request to the Client without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Company shall inform the Client of any such extension within one month of receipt of the request, together with the reasons for the delay.

    If the Company does not take action on the request of the Client, the Company shall inform the Client without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

  9. Validity and amendments

    The Policy is available on the Website.

    The Company is entitled to unilaterally amend the Policy at any time, in compliance with the applicable law, by notifying the Client of any amendments via the Website.