Privacy Policy

1. Data Controller

"ЕЙ АЙ ГРУП" ЕООД / AI GROUP LTD is the Data Controller for all personal data processed through the DPP Platform.

Registered address: Blagoevgrad, zh.k. Elenovo, bl. 95, vh. B, 2700, Bulgaria
Company Registration Number (EIK): 206987757 | VAT: BG206987757
Managing Director: Elena Kirilova Ivanova
Data Protection Officer (DPO): dpo@d-pass.eu

2. What Personal Data We Collect

2.1 Account Data (Tenants)

• Name, email address, phone number
• Company name, VAT number, registration number
• Billing address and payment information (processed by Stripe)
• IP address and login timestamps

2.2 DPP Data (Public)

• Product information uploaded by tenants
• Access logs (IP, user agent, timestamp, viewed fields)
• QR code scan analytics (anonymous aggregation)

2.3 Automatically Collected Data

• Browser type, device information, OS
• Referring website, pages visited
• Cookies and local storage (see Cookie Policy)

3. Legal Basis for Processing

We process personal data based on:

• Contract performance (Art. 6(1)(b) GDPR) — Account management, service delivery, billing
• Legal obligation (Art. 6(1)(c) GDPR) — Tax records, EU ESPR compliance, audit trails
• Legitimate interest (Art. 6(1)(f) GDPR) — Fraud prevention, platform security, analytics
• Consent (Art. 6(1)(a) GDPR) — Marketing communications, non-essential cookies

4. How We Use Your Data

5. Data Retention

• Account data: Retained while account is active + 2 years after deletion (for legal/tax purposes)
• DPP data: Minimum 10 years per EU ESPR Regulation 2024/1781
• Audit logs: 10 years
• Payment records: 10 years (Bulgarian tax law)
• Access logs: 2 years

6. Data Sharing & Recipients

We do not sell your personal data. We share data only with:

• Stripe — Payment processing (data processed in EU/US under SCCs)
• Hosting provider — Hetzner / OVH (EU-based servers)
• Legal authorities — When required by law or court order

7. International Data Transfers

All primary data is stored on servers within the European Union (Germany/France).

Some third-party services (e.g., Stripe) may process data outside the EU. In such cases, we rely on Standard Contractual Clauses (SCCs) and adequacy decisions to ensure GDPR-compliant transfers.

8. Your GDPR Rights

Under the GDPR, you have the following rights:

• Right to access — Request a copy of your personal data
• Right to rectification — Correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten") — Request deletion, subject to legal retention
• Right to restriction — Limit processing in certain circumstances
• Right to data portability — Receive data in structured, machine-readable format
• Right to object — Object to processing based on legitimate interest
• Right to withdraw consent — Withdraw consent at any time

To exercise your rights, contact our DPO at dpo@d-pass.eu or use the GDPR Export feature in your dashboard.

You also have the right to lodge a complaint with the Commission for Personal Data Protection of Bulgaria or your local supervisory authority.

9. Data Security

We implement appropriate technical and organizational measures:

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for data at rest
• Ed25519 cryptographic signatures for DPP integrity
• Role-based access control (RBAC)
• Regular security audits and penetration testing
• Automated backups with geo-redundancy

10. Children's Privacy

The Platform is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this Privacy Policy. Material changes will be notified via email or Platform notice at least 30 days in advance.

12. Contact

Data Protection Officer: dpo@d-pass.eu
General legal: legal@d-pass.eu