Privacy Policy
Last updated: January 2026
One of OPNCard Ltd.'s key priorities is the protection of personal data and the privacy of visitors to our website. This Privacy Policy is intended to clearly and comprehensibly inform you how we process your personal data, on what legal grounds, for what purposes, and what rights you have in relation to such processing.
If you have any questions or would like further information about this Privacy Policy, you can contact us by email at: (contact email).
Who are we?
OPNCard LTD is a company registered and operating under the Bulgarian legislation, with registered address: res. area Ovcha Kupel 418, entrance B, floor 9, apartment 60, Sofia city, Bulgaria, registered in the Commercial register of the Registry Agency under UIC 208638316.
We are a Data Controller of the collected personal data according to the General Data Protection Regulation (GDPR) and we adhere to the provisions of the European and the Bulgarian legislation.
What is personal information?
When using the term "personal information" or "Personal Information" we refer to information relating to you, which can be used to personally identify you (either directly or indirectly), such as your name, e-mail address, company name, address, office address, phone number, CVs, resumes and other information about yourself or your business. Personal Information can also include information about you that is available on the internet, such as profiles on social media, including but not limited to Facebook, LinkedIn, X, TikTok and Google, or publicly available information that we acquire from service providers.
Information about Children
The Website is not intended for or targeted at children under 16 years old, and we do not knowingly or intentionally collect or maintain information about children under 16 years old. If you believe that we have collected information about a child under 16 years old, please contact us at any of the emails provided, so that we may delete the information. In addition, we kindly ask any child under the age of 16 not to submit any personal information to us or use the Website.
What personal information we might collect and use
The types of information that we may collect from you, depending on how you use our Website or contact us, include:
- your names;
- your email address;
- your position and company details;
- your phone number;
- your website;
- your social media profiles;
- your photo;
- your personal/company brand logo, where it contains personal data;
- your CV, motivation letter or additional supporting documentation (portfolio, projects description, related pictures, etc.) you elect to provide, where you apply for a role at our company;
- any other information that you choose to provide us when filling out a contact form on our Website;
- your IP address.
With digital business cards, we only process the personal data that you decide to provide us with in order to create the business card, maintain it, and show it to the people you choose to share it with. We, as the provider, are not responsible for the way third parties use this information once they have accessed the business card from you.
How we collect information and how we use your Personal Information
Visitors to our Website
When you enter our Website, we will collect information necessary for the operation of the Website and for us to comply with security and legal requirements in relation to operating our Website. We also collect information about your activities during your visit, such as the date and time of visits, the pages viewed, time spent on our Website, and the website visited just before our own, as well as your IP address and your browser, so that we can better address your queries and collect statistics to help us improve your browsing experience in the future.
Information from the "Contact Form" section of our Website
We may collect your Personal Information, which you choose to provide when you fill in contact forms on our Website, including your name and e-mail. We may use this Personal Information to respond to your queries, and/or provide the services and/or information that you have requested.
Information from Profiles in the Website
We collect Personal Information directly from you when you choose to create an account on our website and request the creation of a digital business card. This typically happens when you register a profile, complete the required fields to generate your business card, or update your information in your account settings.
The Personal Information you provide may include your name, job title, company/organisation, business contact details (such as telephone number and email address), business address or location, and links to your professional social media profiles. Where you choose to upload it, we may also process a profile photo to display on your digital business card.
We use this information for the purpose of creating, generating and maintaining your digital business card, enabling you to manage and update your card information through your account, and providing the service you have requested. We may also use your Personal Information to administer your account, communicate with you regarding your profile or your service request, and ensure the technical operation and security of our platform.
You are responsible for ensuring that the Personal Information you submit is accurate and up to date and that you only provide information that you are entitled to share.
Depending on your chosen settings, your digital business card may be accessible via a public link or QR code and may be viewed by anyone you share it with. The information displayed on your card is determined by you and may include your name, job title, contact details, social media links, profile photo (if uploaded) and other information. You are responsible for ensuring that you only publish information that you wish to make publicly available.
Information from requests via e-mail
When you contact us via e-mail in connection with a request, such as a request for information, to order a product or service, to receive support, or to offer us a proposal, we collect information necessary to respond to your request and to be able to contact you. For instance, we collect your name and contact information and details about your request. We may use this Personal Information to respond to your queries, and/or provide the services and/or information that you have requested.
We use Transport Layer Security (TLS) to encrypt and protect web and email traffic. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
Recruitment
In connection with a job application, inquiry, registration for and/or participation in a Training, whether advertised on our Website or otherwise, you may provide us with Personal Information about yourself, including your name, family name, e-mail, CV, motivation letter or additional supporting documentation (portfolio, projects description, related pictures, etc.) you elect to provide, where you apply for a role at our company on our Website or via email, social media sites or other sites as well as any other information that you choose to provide to us when filling out a contact form on our Website or by contacting us via e-mail.
We may use this information in order to address your inquiry or consider you for employment purposes. All of the information you provide during the process will only be used for the purpose of recruiting for the relevant currently vacant position that you have applied for and shall be kept for a period of no more than 6 months.
We may also obtain information about job applicants from other sources, to the extent permitted by applicable law, such as through your contact with us, including your interactions with us, or from third parties such as employment agencies and other websites on the Internet. For example, you may choose to provide us with access to certain personal data stored by third parties, such as a LinkedIn profile or other social media profiles.
Other business purposes for personal data processing
We may also use your Personal Information for other business purposes such as:
- record keeping, statistical analysis, internal reporting and research purposes;
- to ensure network and information security;
- to notify you about changes to our services;
- to investigate any complaint you make;
- to provide evidence in any dispute or anticipated dispute between you and us;
- to customise various aspects of our Website to improve your experience;
- to host, maintain and otherwise support the operation of our Website;
- for the detection and prevention of fraud and other criminal offences and for risk management purposes;
- for business and disaster recovery (e.g. to create back-ups);
- for document retention/storage;
- for database management;
- to protect our rights, property, and/or safety, our personnel and others; and
- to ensure the quality of the services we provide to our users.
Legal basis for collection and use of personal information
We process your personal data on the following legal bases under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)) – to create and manage your account, generate and maintain your digital business card, and provide the requested services;
- Legal obligation (Art. 6(1)(c)) – to comply with accounting, tax and other legal requirements;
- Legitimate interests (Art. 6(1)(f)) – to ensure the security of our platform, prevent fraud and misuse, maintain logs and improve our services;
- Consent (Art. 6(1)(a)) – where we rely on your consent, for example for non-essential cookies/analytics or marketing communications (if applicable). You may withdraw your consent at any time.
Retention of personal information
We retain personal data only for as long as necessary for the purposes described in this Policy. In general:
- Account and business card data: for as long as your account is active, and up to 12 months after account deletion;
- Contact form inquiries: up to 12 months after resolving your request or question;
- Technical logs and security data: up to 9 months;
- Recruitment data: up to 6 months;
- Accounting and transaction data: for the legally required retention period.
How and when do we share information with third parties?
Some services that we provide require the involvement of third parties. We have carefully selected these third parties and taken steps to ensure that your Personal Information is adequately protected.
Google Analytics
Our Website uses Google Analytics, a web analysis service provided by Google Inc. ("Google"). Google Analytics works using cookies. We use Google Analytics only after you provide your consent via our cookie banner.
Google Analytics cookies collect your IP address. We use the information collected by Google Analytics cookies to find out about how visitors use our Website.
The IP address sent by your browser in connection with Google Analytics will not be combined by Google with other data.
If you so choose, you can opt out by turning off cookies in the preferences settings in your browser, or by downloading and installing the Google Analytics Opt-out Browser Add-on from http://tools.google.com/dlpage/gaoptout. However, please note that you may not then be able to make full use of all the Website's functions.
Third party service providers
We also share your Personal Information with our third party service providers based in the European Economic Area ("EEA") who we engage to provide support services in relation to our Website for the purposes of: hosting and maintaining our Website; providing data storage; assisting us with database management, and in order to assist us with related tasks or processes.
We may also share your Personal Information with any other third party if we are under a duty to disclose or share your Personal Information in order to comply with any legal obligation, or to protect the rights, property and/or safety of OPNCard LTD, our personnel or others; or with any other third party for the purposes of acting in accordance with the requirements of a court, regulator or government agency.
International transfers
Some of the third parties described in this privacy policy, which provide services to us, may be based in other countries outside the European Economic Area ("EEA"). In case we are required to undertake any transfer of personal information outside the EEA, we take all reasonable necessary steps to ensure that your personal information is treated securely and in accordance with this Privacy Policy and an adequate level of protection is applied to it, in particular through the implementation of the European Commission-approved standard contractual data protection clauses, binding corporate rules for transfers to data processors, or other appropriate legal mechanisms to safeguard the transfer.
Your rights in the collection, processing and storage of your personal data
Withdrawal of consent
Where we process your personal data based on consent, you may withdraw it at any time by contacting our team. Where processing is based on other legal grounds, you may exercise your other rights (e.g., objection, erasure) explained in this Policy as applicable.
The withdrawal of consent does not affect the legality of the processing of personal data, which the Controller has carried out up to this point.
Right of access
You have the right to request and receive confirmation from the Company as to whether personal data related to you is being processed by sending a request in free text by email.
Right to rectification or completion
You may at any time correct or complete inaccurate or incomplete personal data relating to you by sending a free text email.
Right to erasure ("to be forgotten")
You have the right to request the deletion of some or all of your personal data, and we will delete it without undue delay, where any of the following grounds apply:
- the personal data are no longer necessary for the purposes for which they were collected;
- you withdraw your consent and there is no other legal basis for the processing;
- you object to the processing and there are no overriding legal grounds;
- personal data were processed illegally;
- personal data must be deleted to comply with a legal obligation;
- the personal data were collected in connection with the provision of information society services.
The Controller is not obliged to delete the personal data if it stores and processes them:
- to exercise the right to freedom of expression and the right to information;
- to comply with a legal obligation;
- for reasons of public interest in the field of public health;
- for the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes;
- for the establishment, exercise or defense of legal claims.
Right to limitation
You have the right to request us to restrict the processing of data related to you by sending us a request in free text by email.
Right of portability
You have the right to ask us to provide you with your personal data in a structured, commonly used and machine-readable format and to transfer it to another Controller or to ask us to directly transfer your personal data to a Controller specified by you, when this is technically feasible.
Right to receive information
You can ask us to inform you about all recipients to whom the personal data for which correction, deletion or restriction of processing has been requested has been disclosed. We may refuse to provide this information if it would be impossible or would require a disproportionate effort.
Right to object
You can object at any time to the processing of personal data by us that relates to you, including if it is processed for the purposes of profiling or direct marketing.
Breach of your rights
In the event of a breach of your rights under the above or applicable data protection legislation, you have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection as follows:
Name: Personal Data Protection Commission
Address: Sofia 1592, "Prof. Tsvetan Lazarov" No. 2
Phone: +359 2 915 3 518
Website: www.cpdp.bg
This policy was adopted in January 2026.