Privacy Policy

Last updated: 14.05.2026  |  БГ / EN

⚠️ Important: This document is an automatically generated draft. Before the real launch it must be reviewed by a practicing lawyer specializing in e-commerce and GDPR. Do not rely on it for legal decisions without professional legal review.

1. Data controller

The data controller is the operator of UGCBG.eu (legal entity details to be updated after incorporation). This policy explains how and why we process your personal data, in accordance with Regulation (EU) 2016/679 (GDPR) and the Bulgarian Personal Data Protection Act.

Data Protection Officer (DPO): dpo@ugcbg.eu

2. Data we collect

CategorySpecific data
Registrationname, email, password (bcrypt-hashed), user type, registration date
Profileavatar, bio, city, phone, website, social-network links, niches, rate card
KYC / Verificationname from ID, document type, selfie (for creators with high payouts)
PaymentsIBAN, account holder, company code/personal ID for invoicing (brands), Stripe Customer ID
Activitycampaigns, applications, messages, ratings, portfolio
TechnicalIP address, user-agent, login log, cookies, pages
AnalyticsGoogle Analytics (anonymised IP), page views

3. Purposes and legal bases

  • Registration and service provision — basis: performance of a contract (Art. 6(1)(b) GDPR).
  • Payment processing and invoicing — basis: performance of a contract + legal obligation (accounting, VAT).
  • KYC and anti-fraud — basis: legal obligation + legitimate interest.
  • Marketing emails (newsletter) — basis: consent; you may withdraw at any time with one click in the email.
  • Analytics and product improvement — basis: consent (for non-essential cookies) or legitimate interest.
  • Security / incident reports — legitimate interest.

4. Recipients (third parties)

  • Stripe Inc. (USA) — payment processing and escrow. Under Standard Contractual Clauses (SCC).
  • SMTP / email provider (EU) — sending transactional and marketing emails.
  • Hosting (Hetzner Online GmbH) — Germany, EU.
  • Google Analytics (USA) — anonymised analytics, only after cookie consent. SCC.
  • Lawyers, accountants, auditors — when necessary, under NDA.
  • Government authorities — only on explicit legal request (NRA, CPDP, court, prosecutor).

5. International transfers

Stripe and Google Analytics process data in the USA. We rely on the EU Commission's Standard Contractual Clauses (SCC) and the Data Privacy Framework (DPF) where applicable. Request more information at dpo@ugcbg.eu.

6. Retention periods

  • Active account: for the lifetime of the account.
  • Deleted account: profile data — up to 30 days after deletion request (backup window).
  • Accounting documents (invoices, payments): 10 years (Bulgarian tax law).
  • Login logs and failed attempts: 90 days.
  • Chat / messages: 5 years after the last message (dispute resolution).
  • Marketing emails: until consent withdrawal.
  • Cookie consent record: 12 months.

7. Your rights

You have the right to:

  • Access the data we hold about you (Art. 15).
  • Rectification of inaccurate data (Art. 16).
  • Erasure ("right to be forgotten") in the cases listed in Art. 17.
  • Restriction of processing (Art. 18).
  • Data portability in a machine-readable format (Art. 20).
  • Object to processing based on legitimate interest or direct marketing (Art. 21).
  • Withdraw consent at any time (without retroactive effect).
  • Lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP), www.cpdp.bg.

Send requests to dpo@ugcbg.eu. We reply within one month.

8. Security

We apply technical and organisational measures: HTTPS/TLS, bcrypt password hashing, CSRF protection, rate limiting, isolated KYC storage, periodic backups, access logging.

9. Cookies

See the Cookie Policy.

10. Changes to this policy

We may update this policy. Material changes will be announced by email with 30 days' notice.

11. Contact

DPO: dpo@ugcbg.eu
Supervisory authority: Commission for Personal Data Protection — Sofia, 2 Tsvetan Lazarov Blvd, Bulgaria.