Privacy & Cookie Policy
Privacy and Data Protection Policy
SIRMA GROUP HOLDING JSC is a public company registered in the Commercial Register at the Registry Agency with UIC 20010236, with registered office and address: 135 Tsarigradsko Shosse Blvd., Sofia 1784, tel: +359 2 9768310, email: office@sirma.com, website: sirma.com
With this Privacy and Data Protection Policy, SIRMA GROUP HOLDING JSC respects the privacy of individuals and strives to protect their personal data against unauthorized processing.
This document contains information on how we process personal data, the type of personal data that is collected, the purpose of using the collected personal data, the access of third parties to such data, the security measures to be taken with regard to the collection of personal data, as well as the options you have in connection with the use of the personal data you provide. All personal data is collected and processed in accordance with the laws in force in Bulgaria regulating personal data protection.
Terms Used
- “Personal data” means any information by which an individual is identified or can be identified.
- “Data subject” is a natural person who is identified or identifiable on the basis of certain information.
- “Processing” means any operation or set of operations performed with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, dissemination or other means by which data become available, arranged or combined, restricted, deleted or destroyed.
- “Administrator” means a natural or legal person, a public authority, an agency or other entity which, alone or jointly with others, defines the purposes and means of processing personal data. In this case, the data controller is SIRMA GROUP HOLDING JSC.
- “Personal data processor” means a natural or legal person, a public authority, an agency or other entity that processes personal data on behalf of the controller. “Personal data processor” in this policy shall mean an employee of SIRMA GROUP HOLDING JSC.
SIRMA GROUP HOLDING JSC handles personal data when using the above-mentioned web sites. Personal data processed by SIRMA GROUP HOLDING JSC are provided directly by you or collected automatically.
The legal basis on which SIRMA GROUP HOLDING JSC handles personal data is your voluntary consent. For the purposes listed below, you should explicitly agree to each individual purpose by ticking the checkbox that appears as a square box with accompanying text. When a choice is made, a check mark appears in the box, indicating that you have agreed that your personal data will be processed by SIRMA GROUP HOLDING JSC. When no choice is made, the box is empty.
Personal Data You Provide
Personal data you provide directly is processed and used for the purposes set out in this Policy. The provision of your personal data when using the sites is optional unless you wish to make a voluntary registration. The personal data we collect on your voluntary registration is: name and surname, email address, and/or others, depending on the site you wish to sign up for. This is information you should provide in order to be able to sign up for the site and through which you can be personally identified.
When you publicly provide personal information on our sites, you should keep in mind that it may be viewed by other visitors on the same sites and we are unable to prevent further use by them.
The purposes of collecting the specified personal data are described below in this privacy and data protection policy.
How Do We Use Social Media?
We can integrate more social media services (such as social media messages) through which you can interact with us or your acquaintances in connection with our services. We can also maintain social media accounts and offer apps on various social media sites. Every time you contact us through social media, the provider of the relevant social media can allow you to share information with us. If you choose to share, you will be generally notified by the provider of which information will be shared. For example, when you sign up for your account with your social media account, certain information (as authorized by the social media provider) can be shared with us. This may include your address, age, or profile photos saved in your account.
Sign in with Google
Our application offers you the option to create an account and sign in using your Google account through the Google Sign-In service (“Google Sign-In”). This section describes what data we receive from Google when you use this feature, how we use it, how we store it, and your rights in connection with it.
What Data We Receive from Google
When you choose to sign in with your Google account, Google shares with us only the information you authorize during the OAuth consent screen. For the standard Sign in with Google feature, this includes:
- Your Google account name (first name and last name)
- Your Google account email address
- Your Google account unique identifier (a numeric user ID assigned by Google)
- Your Google account profile picture URL (if publicly available on your account)
We do not receive your Google password, payment information, contacts, calendar data, Gmail messages, Google Drive files, or any other Google product data. We request only the minimum information needed to create and identify your account.
How We Use This Data
We use the data received from Google exclusively for the following purposes:
- To create and uniquely identify your account in our application
- To display your name within the application interface
- To send you account-related communications to your email address
- To authenticate you on subsequent sign-ins without requiring you to re-enter credentials
We do not use your Google account data for advertising, profiling, or any purpose other than account management and authentication as described above.
Legal Basis for Processing Your Google Account Data
The legal basis for processing your Google account data for account creation, identification, communication, and authentication is the performance of a contract to which you are a party, namely the provision of our application services upon your voluntary registration (Article 6(1)(b) of the GDPR). The retention of a pseudonymized technical record (one-way salted hash of your Google user identifier) for the purpose of preventing re-registration abuse is based on the legitimate interest of SIRMA GROUP HOLDING JSC in maintaining the security and integrity of its services (Article 6(1)(f) of the GDPR). You have the right to object to processing based on legitimate interest at any time by contacting us at gdpr@sirma.com.
How We Store This Data
Your name, email address, and Google user identifier are stored in our application database, which is located within the European Union and is protected by encryption at rest. Your Google profile picture is not stored by us; it is loaded directly from Google’s servers when displayed in the application. This may involve the transfer of data to servers located outside the European Economic Area (EEA). Such transfers are subject to appropriate safeguards, including Google’s compliance with Standard Contractual Clauses (SCCs) approved by the European Commission or other applicable transfer mechanisms under Articles 44–49 of the GDPR.
We do not store Google OAuth access tokens or ID tokens beyond the duration of the authentication session. Once your identity is confirmed and your session is established, raw Google tokens are discarded.
How Long We Retain This Data
We retain your name, email address, and Google user identifier for as long as your account remains active. If you request deletion of your account (either through the in-app account deletion feature or by contacting us), your account will be marked as pending deletion and you will receive a confirmation email with the effective deletion date. A 30-day grace period begins from the date of your request, during which you may cancel the deletion by logging back in. After the 30-day grace period expires, all personally identifiable information — including your name, email address, Google user identifier, and profile picture URL — is automatically and permanently purged. Following the purge, a pseudonymized technical record containing only a one-way salted hash of your Google user identifier (which cannot practically be used to identify you) is retained for an additional 90 days solely for the purpose of preventing re-registration abuse. After this 90-day period, the anonymized record is also permanently deleted. Retention beyond these periods applies only where required by applicable law.
How We Share This Data
We do not sell, rent, or share your Google account data with third parties, advertising platforms, data brokers, or information resellers. We do not use your Google account data to serve you personalized or interest-based advertising.
Your Google account data may be accessed by our employees or authorized processors solely for the purposes of operating and maintaining the application, investigating security issues, or complying with applicable law. All such persons are bound by confidentiality obligations and must comply with the Google API Services User Data Policy.
Categories of recipients who may access your Google account data include:
- (a) Cloud infrastructure and hosting providers located within the European Union that store and process data on our behalf
- (b) Technical service providers engaged in application maintenance and support
- (c) Competent authorities where disclosure is required by applicable law
A current list of sub-processors is available upon request by contacting gdpr@sirma.com.
Compliance with Google API Services User Data Policy
Our use of data received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Data obtained from Google APIs is used only to provide or improve user-facing features that are clearly visible within our application.
- We do not transfer or sell Google user data to third parties except as necessary to provide our services to you, for security purposes, or as required by law.
- We do not use Google user data to serve advertisements, including retargeted, personalized, or interest-based advertising.
- We do not allow humans to read your Google user data unless you have expressly consented to a specific review, it is necessary for security purposes, or it is required by applicable law.
- Employees, contractors, and service providers who have access to Google user data are bound by the same obligations described in this policy.
Disconnecting Your Google Account
You can disconnect your Google account from our application at any time by accessing your account settings and selecting the option to unlink or remove your Google Sign-In connection. After disconnecting, you will need to set a password or use another authentication method to access your account, if available.
You can also revoke our application’s access to your Google account at any time through your Google Account security settings at https://myaccount.google.com/permissions.
Revoking access in your Google Account settings does not automatically delete your account or data in our application. To request full deletion of your account and all associated personal data, please use the account deletion feature available in the application settings. The deletion option is accessible within two clicks from your account settings. Upon initiating deletion, you will see a confirmation dialog explaining what data will be deleted and the 30-day grace period before permanent purge. You may also contact us at gdpr@sirma.com to request deletion or for any questions regarding your data.
Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) has been conducted for the Google Sign-In feature in accordance with Article 35 of the GDPR. The assessment evaluates the risks associated with the processing of Google account data and confirms that appropriate technical and organizational measures are in place to mitigate identified risks. A summary of the DPIA is available upon request by contacting gdpr@sirma.com.
Personal Data Collected Automatically
When you visit our web page, our web server automatically recognizes and collects your IP address that has been determined by your ISP and does not personally identify you.
Summary Information – Log Files – Like many other sites, we get information from log files: IP address; ISP (Internet Service Provider); the browser you use when visiting a site (such as Google Chrome, Internet Explorer and Mozilla Firefox); the time spent on a site, and which pages you’ve visited on the site.
Cookies: This is a small amount of information the web server sends to the web browser, allowing the server to collect feedback from the browser. You can choose to delete our or third-party cookies using the options of each browser. This may affect interaction with our or other sites.
You can find more information about cookies at: http://www.allaboutcookies.org/faqs/cookies.html
We use the following types of cookies:
- Statistics cookies that anonymously remember your computer or mobile device when you visit our websites. They follow the search method and help us build an account of how our readers use the website. We may use this information to display ads that might be of particular interest on our and other websites.
- Service cookies that help us make our websites as effective as possible. They allow your registration and login data to be remembered and your preferred settings to be kept.
- Third-party advertising and analytics that are placed on behalf of independent advertisers advertising on our sites. These cookies can be placed in the ad or elsewhere on our sites. These cookies are anonymous — they cannot identify you. They are used for statistical analysis, allowing the advertiser to count how many people saw their ad or have seen it more than once. They can also allow the advertiser to adjust the ad to you when you visit other websites.
We do not have access to third-party cookies, and third-party organizations do not have access to ours. Third-party cookies have their own strict confidentiality rules.
Web beacons are files that allow a website to collect information about the number of users who have visited it and have access to their cookies. More information about web beacons can be found at: http://www.allaboutcookies.org/faqs/beacons.html
Purposes of Processing Your Personal Data
Sirma Group Holding JSC processes your personal data only for the purposes described below:
- For registering and managing your account, including troubleshooting
- To measure and track statistical dependencies on user behavior on Sirma Group Holding JSC site in order to improve our products
- Send you a regular newsletter that you have explicitly subscribed to
- For marketing purposes related to activities on the relevant website
- Send you marketing messages and information to third parties when we have expressly agreed to do so
Recognition and IP address collection allows:
- Disclosure of users’ identity when required by law, legal procedures or to comply with these terms
- Analyzing traffic to sites and preventing malicious attacks
- To show you an ad related to your location or service information such as the weather forecast of your location or closest to it
Processing of Personal Data of Persons Under the Age of 16
We understand the importance of taking additional precautions to protect children’s safety. Accordingly, children under the age of 16 are not allowed to create profiles on the site of Sirma Group Holding JSC without the explicit consent of their parent/guardian. We will delete each account at Sirma Group Holding JSC which is created by a child under the age of 16 without the permission of a parent/guardian, as soon as we are informed about it.
If you are under the age of 16, please do not send any information about yourself, including, but not limited to, name, address, telephone number, email address, and more. If we learn that we have collected personal information from a child under the age of 16 without the consent of a parent/guardian, we will delete this information as quickly as possible. If you feel we may have information from or for a child under 16, please contact us at the contacts listed below.
What We Do to Protect Your Personal Information
We are making serious efforts to ensure the security of our websites. The data you provide us is protected by SSL technology. SSL is a standard method for encrypting personal data so that it can be securely transferred over the Internet.
The password you provide when signing up for our websites is encrypted to provide protection against unauthorized access to your personal information.
Keeping your personal information private and secure is of the highest priority, and we restrict access to it to those employees of Sirma Group Holding JSC who need it in order to fulfill their role and to enable our services to be provided to you. We will keep your information confidential unless disclosure is required by law or for technical purposes.
We store your personal information for as long as necessary to ensure the effective operation of our websites. In general, we store your personal information while your profile is on a site or until you explicitly want to delete the data. If you request deletion of your account, your personally identifiable information will be permanently purged within 30 days of your request, as described in the “How long we retain this data” subsection under “Sign in with Google.” The information provided and collected by you will not be sold or made available for use to any person without your personal consent.
Information can be provided in case of a request by the respective government bodies and institutions, in order and in cases determined by the Bulgarian legislation in force. We make every possible effort to protect your personal information, but nevertheless, when sharing information on the Internet, you should keep in mind that the transmission of information over the Internet can never be completely secure and that security cannot be fully guaranteed.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, SIRMA GROUP HOLDING JSC will notify the Bulgarian Commission for Personal Data Protection (CPDP) within 72 hours of becoming aware of the breach, in accordance with Article 33 of the General Data Protection Regulation (GDPR).
Where a breach is likely to result in a high risk to your rights and freedoms (for example, a breach involving unauthorized access to your Google account email address or user identifier), we will notify you directly without undue delay. The notification will describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it, including steps you can take to protect yourself.
To report a suspected data security issue or to receive more information about a breach that may have affected your data, please contact us at: gdpr@sirma.com
Your Rights with Respect to Your Personal Data
You have certain rights under the applicable law with regard to the personal data we hold for you, namely:
- Right of access — You are authorized to request access and receive personal data which is stored for you, as well as information regarding the purposes of the processing, the categories of personal data, the recipients to which your personal data may be disclosed, and others.
- Right to rectification — You have the right at any time to request correction of inaccurate data relating to you, as well as supplementing incomplete data if appropriate and/or necessary for the purpose with which the data are processed.
- Right to withdraw consent — You may at any time withdraw your consent to the use of your personal data that you provided at a previous time. In this case, withdrawing your consent to the use or processing of your personal information may result in the inability to take advantage of certain products or services provided by the above sites.
- Right to erasure (“right to be forgotten”) — If you do not wish Sirma Group Holding JSC to process your personal data, you may at any time ask for your personal information to be deleted for one of the following reasons:
  - 4.1. Your data is no longer necessary for the purposes for which it was collected or otherwise processed.
  - 4.2. If you have withdrawn your consent to the processing of your personal data.
  - 4.3. If your personal data is being processed unlawfully.
  - 4.4. In case you have objected to the processing of your personal data.
  - 4.5. Other cases provided for in the legislation governing the protection of personal data.

  You can exercise your right to erasure directly through the account deletion feature in the application settings. The in-app deletion process allows you to request deletion of your account and all associated personal data within two clicks. Upon requesting deletion, your account enters a 30-day grace period before permanent purge, during which you may cancel the request by logging back in. You may also exercise this right by submitting a written application to gdpr@sirma.com as described below.
- Right to restriction of processing — In many cases, you have the right to request, instead of deleting the data, to restrict the processing of your personal data.
- Right to object — You have the right to object to Sirma Group Holding JSC against the processing of your personal data, provided there is a legal basis for that.
All listed rights can be exercised by submitting a free written application to the following email address: gdpr@sirma.com, sent from your registered email address, containing at least the following:
- Username, email and other identification data of the individual concerned
- A description of the request
- Referencing the domain of a site to which this request relates
- The preferred form for providing information
The submission of the application is completely free of charge. The time limit for processing the application shall be one month as from the date of receipt of the application.
In addition to the above rights, Sirma Group Holding JSC gives you the right to make some of the following changes in relation to the processing of your personal data yourself:
- In your profile, you can edit and delete personal data that is not mandatory for use of the site and that you do not want to be publicly available.
- You can manage your subscription preferences from your profile settings and opt out of receiving a specific email newsletter by selecting the unsubscribe option at the end of each email received.
More information about personal data protection can be found on the Commission for Personal Data Protection website: https://www.cpdp.bg/?p=element&aid=1115