The controller of personal data collected and processed through the Website is:
| Name | Dimitrova, Cholakov & Partners LLC |
|---|---|
| UIC | 204566706 |
| Legal form | Law firm, registered with the Sofia Bar Association register of law firms |
| Trade name | Innovires |
| Registered address | 25 Vitosha Blvd., fl. 2, office 4, Sofia 1000, Bulgaria |
| office@innovires.com | |
| Phone | +359 888 787 414 |
| Website | innovires.com |
In this Policy, "the Firm", "We" or "Innovires Legal" refer to the above-mentioned controller.
In accordance with Articles 37–39 of the GDPR, the Firm has designated a Data Protection Officer (DPO) whom you may contact on all matters related to the processing of your personal data and the exercise of your rights under the Regulation:
| Name | Atty. Yordan Cholakov |
|---|---|
| office@innovires.com | |
| Correspondence address | 25 Vitosha Blvd., fl. 2, office 4, Sofia 1000, Bulgaria |
When processing personal data, the Firm strictly complies with the principles set out in Article 5 of the GDPR:
Through the Website and its associated functionalities, we process personal data of the following categories of individuals:
Below is detailed information about the categories of personal data we process, the purposes and the applicable legal bases for each processing activity:
| Data category | Processing purpose | Legal basis | Source |
|---|---|---|---|
| Name, email address, phone number, company name, selected service, free-text message | Processing enquiries submitted through the Website contact form; providing feedback; assessing applicable legal services | Legitimate interest of the controller (Art. 6(1)(f) GDPR) — responding to an enquiry initiated by the data subject | Directly from the subject — via the contact form |
| Email address | Sending a periodic newsletter with expert analyses, news and practical advice in the field of law | Consent of the data subject (Art. 6(1)(a) GDPR) | Directly from the subject — via the subscription form on the Website or in a pop-up window |
| IP address, browser type and version, operating system, date, time and duration of visit, pages visited, traffic source (referrer) | Ensuring the technical functionality and security of the Website; analysing traffic and user behaviour to improve services | Necessary cookies — legitimate interest (Art. 6(1)(f)); analytical cookies — consent (Art. 6(1)(a)) | Automatically — via cookies and server logs |
| Cookie preference (accept/reject), newsletter subscription status | Remembering the user's choice; preventing re-display of the subscription pop-up | Legitimate interest (Art. 6(1)(f)) — fulfilling the user's expressed preference | Automatically — via cookies (localStorage) |
| Name, personal ID number, address, email, phone, bank account (upon established legal relationship) | Concluding and performing a contract for the provision of legal services; issuing accounting and tax documents; bookkeeping; fulfilling statutory obligations | Performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR) — Accountancy Act, TSIPC, Bar Act | Directly from the subject — upon entering into a contract |
Pursuant to Article 6 of the GDPR, every processing of personal data must be based on at least one of six legal bases. The applicable bases for the Website's activities are:
Applied for: newsletter subscription; activation of analytical cookies. Consent is freely given, specific, informed and unambiguous. It may be withdrawn at any time — via the unsubscribe link in each newsletter message or by changing cookie settings (the "Cookies" link in the Website footer). Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Applied for: providing legal services where the data subject is a party to a contract with the Firm or has taken steps to conclude one.
Applied for: retention of accounting documents (Accountancy Act); providing information to public authorities (NRA, CPDP, courts); compliance with the requirements of the Bar Act and the Tax and Social Insurance Procedure Code (TSIPC).
Applied for: processing enquiries via the contact form; ensuring the technical functionality of the Website; protecting the Website against abuse. We carry out a balancing test (Legitimate Interest Assessment — LIA) for each processing activity based on legitimate interest to ensure that the Firm's interests do not override the rights and freedoms of data subjects.
We retain your personal data only for the period necessary to fulfil the purposes for which they were collected, or for a longer period where required by law:
| Data category | Retention period | Basis for period |
|---|---|---|
| Contact form data | Up to 12 months after the last contact | Legitimate interest — evaluation and follow-up period. If a legal relationship arises — according to contractual terms. |
| Newsletter email | Until withdrawal of consent (unsubscription) | Art. 7(3) GDPR — right to withdraw at any time |
| Cookies — necessary | gdpr_consent: 1 year; nl_popup_seen: 7 days; nl_subscribed: 1 year | Technically necessary period for functionality |
| Cookies — analytical (Google Analytics) | _ga: 2 years; _ga_*: 2 years | Standard provider period; deactivated without consent |
| Contractual relationship data | 10 years after contract termination (accounting documents); 5 years (general limitation under the OCA); 50 years (for employment contracts, if applicable) | Accountancy Act (Art. 12); Obligations and Contracts Act (Art. 110–120); Labour Code |
| Data in legal disputes | Until final resolution of the dispute and expiry of limitation periods | Legitimate interest — protection of the Firm's rights |
After the applicable periods expire, data is irreversibly deleted or anonymised. Upon anonymisation, the data loses its personal data status and the periods no longer apply.
The Firm does not sell, rent or provide your personal data to third parties for their own marketing or commercial purposes.
Data may be shared with the following categories of recipients, subject to appropriate legal, technical and organisational safeguards:
The Firm has concluded or will conclude a Data Processing Agreement (DPA) with each data processor, in accordance with the requirements of Article 28 of the GDPR.
| Processor | Role | Location | Safeguards |
|---|---|---|---|
| Formspree Inc. | Technical processing of contact form and newsletter data | USA | EU-US Data Privacy Framework; DPA |
| Hostinger International Ltd. | Website hosting; file storage | Lithuania / EU | Processor within the EEA; DPA |
| Google LLC (Google Analytics) | Analytical processing of visit data (only with consent) | USA / Ireland | EU-US Data Privacy Framework; DPA; IP anonymisation |
Some of the data processors (Formspree Inc., Google LLC) are established in the United States. Data transfers to these processors are carried out on the basis of:
The Firm monitors the validity of the above mechanisms and will take immediate measures in the event of a change in the legal framework.
The Firm does not carry out automated decision-making, including profiling, within the meaning of Article 22 of the GDPR, that produces legal effects concerning you or similarly significantly affects you.
In accordance with Article 32 of the GDPR, the Firm implements appropriate technical and organisational measures to ensure a level of security appropriate to the risks. These measures include, but are not limited to:
In the event of a personal data breach, the Firm will:
As a data subject, you have the following rights under Chapter III of the GDPR:
| Right | Description | Basis |
|---|---|---|
| Access | To obtain confirmation of whether we process your personal data, information about the processing and a copy of the data | Art. 15 GDPR |
| Rectification | To request correction of inaccurate personal data or completion of incomplete data | Art. 16 GDPR |
| Erasure | To request deletion of data where the legal basis has ceased to exist, consent has been withdrawn or data has been processed unlawfully | Art. 17 GDPR |
| Restriction | To request temporary restriction of processing — e.g. when contesting the accuracy of data | Art. 18 GDPR |
| Portability | To receive the data you have provided to us in a structured, commonly used and machine-readable format and to transfer it to another controller | Art. 20 GDPR |
| Objection | To object to processing based on legitimate interest, including for direct marketing purposes | Art. 21 GDPR |
| Withdrawal of consent | To withdraw your consent at any time, without affecting the lawfulness of processing carried out before the withdrawal | Art. 7(3) GDPR |
| Complaint | To lodge a complaint with the supervisory authority (CPDP) if you believe that processing violates the GDPR | Art. 77 GDPR |
A request to exercise any of the above rights may be submitted:
Content of the request: the data subject's name; contact details (address, phone or email); description of the request and the specific right you wish to exercise.
Identification: To protect your data from unauthorised access, we may request confirmation of your identity. Where a request is submitted by a representative — a notarised power of attorney shall be attached.
Response deadline: We provide information regarding the actions taken within one month of receiving the request. Where necessary, given the complexity or number of requests, the deadline may be extended by an additional two months, of which you will be notified within the first month with reasons for the delay.
Fees: Exercising your rights is free of charge. For manifestly unfounded or repetitive requests, the Firm may impose a reasonable fee based on administrative costs, or may refuse to comply with the request.
If you believe that the processing of your personal data violates the Regulation, you have the right to lodge a complaint with the competent supervisory authority:
| Authority | Commission for Personal Data Protection (CPDP) |
|---|---|
| Address | 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria |
| Phone | +359 2 915 3518 |
| kzld@cpdp.bg | |
| Website | www.cpdp.bg |
Without prejudice to your right to lodge a complaint with the CPDP, you also have the right to an effective judicial remedy against a controller or processor (Art. 79 GDPR), as well as the right to compensation for damages suffered (Art. 82 GDPR).
The Website and the Firm's services are not directed at persons under the age of 16. We do not knowingly collect personal data from children. If we discover that we have processed data of a person under 16 without the consent of the holder of parental responsibility, we will take immediate measures to delete it.
The website innovires.com uses cookies. Detailed information about the types of cookies, their purposes, retention periods, management methods and the legal bases for their use is provided in our Cookie Policy, which is an integral part of this Policy.
The Website may contain hyperlinks to websites operated by third parties. The Firm is not responsible for the privacy policies and practices of these sites. We recommend that you review the privacy policy of every website you visit.
The Firm may update this Policy periodically to reflect changes in legislation, technical standards or business practices. In the event of material changes, we will publish a clear notice on the Website.
The date of last update and the version number are indicated at the beginning of this document. We recommend that you check this page periodically for current information.
For all questions related to the processing of personal data and this Policy, you can contact us:
| Controller | Dimitrova, Cholakov & Partners LLC |
|---|---|
| Email (general) | office@innovires.com |
| Email (DPO) | office@innovires.com |
| Phone | +359 888 787 414 |
| Address | 25 Vitosha Blvd., fl. 2, office 4, Sofia 1000, Bulgaria |
| Website | innovires.com |