Privacy Policy

1 Who We Are

This Privacy Policy applies to Sybrelix EOOD (referred to as "Sybrelix", "we", "our", or "us"), a company registered in Bulgaria providing influencer marketing and digital marketing services.

Registered Data Controller:
Sybrelix EOOD
ul. Stefan Stambolov 22
Veliko Tarnovo 5000, Bulgaria
UIC: 207891456
Email: privacy@sybrelix.com
Phone: +359 62 600 800

Sybrelix EOOD is registered with the Commission for Personal Data Protection of the Republic of Bulgaria (CPDP) as a data controller.

2 Data We Collect

We collect personal data in the following categories:

2.1 Data You Provide Directly

• Identity data: first name, last name, job title, company name
• Contact data: email address, telephone number, postal address
• Business data: budget information, campaign briefs, marketing objectives
• Communication data: messages sent via our contact form, email, or phone
• Financial data: billing information, invoice details (for clients)

2.2 Data Collected Automatically

• Technical data: IP address, browser type and version, device type, operating system
• Usage data: pages visited, time spent, links clicked, referral source
• Cookie data: as described in Section 8 below

2.3 Data from Third Parties

• Publicly available social media data (for influencer research purposes only)
• Business contact information from professional directories where lawfully obtained

We do not collect special category data (health, biometric, racial origin, political opinions, religious beliefs, etc.) unless specifically required and with your explicit consent.

3 How We Use Your Data

We never sell, rent, or trade your personal data to third parties for their own marketing purposes.

4 Legal Basis for Processing

Under the GDPR (Regulation (EU) 2016/679), we rely on the following legal bases:

• Consent (Art. 6(1)(a)): When you sign up for our newsletter or opt in to marketing communications. You may withdraw consent at any time.
• Contract (Art. 6(1)(b)): When processing is necessary to fulfil our service agreement with you as a client.
• Legal obligation (Art. 6(1)(c)): When required to comply with Bulgarian or EU law (e.g., tax and accounting obligations).
• Legitimate interests (Art. 6(1)(f)): For website analytics, security, fraud prevention, and responding to pre-contractual enquiries. We have assessed that these interests are not overridden by your data protection rights.

5 Data Sharing & Transfers

5.1 Third-Party Service Providers

We share data only with trusted processors who assist in delivering our services, subject to binding data processing agreements:

• Email and CRM platforms (e.g., for client communications)
• Cloud hosting providers (for website and data storage)
• Analytics platforms (for website performance measurement)
• Accounting software (for invoicing and financial records)

5.2 Legal Disclosure

We may disclose personal data to public authorities, courts, or law enforcement where required by applicable law, court order, or to protect the rights and safety of individuals.

5.3 International Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place, including the use of Standard Contractual Clauses (SCCs) as approved by the European Commission under GDPR Art. 46(2)(c).

6 Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law:

• Client data: Duration of the contract plus 5 years (statutory accounting and tax requirements under Bulgarian law)
• Prospect/enquiry data: 24 months from the date of last contact, unless a contract is concluded
• Marketing consent records: Until consent is withdrawn, plus 1 year
• Website analytics data: 26 months (aggregated, anonymised where possible)
• Security logs: 90 days

After the applicable retention period, personal data is securely deleted or anonymised.

7 Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten") where applicable.
• Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent: Withdraw any previously given consent at any time without affecting the lawfulness of prior processing.
• Right not to be subject to automated decisions: We do not make solely automated decisions that produce legal effects concerning you.

7.1 Right to Lodge a Complaint

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Commission for Personal Data Protection of Bulgaria (CPDP):

Website: www.cpdp.bg
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Phone: +359 2 915 3580

8 Cookies

Our website uses cookies and similar tracking technologies. A cookie is a small text file placed on your device.

Types of Cookies We Use

• Strictly necessary cookies: Required for the website to function (session management, security). These cannot be disabled.
• Analytical/performance cookies: Allow us to count visits and understand how users interact with the website. All data is aggregated and anonymised where possible.
• Functional cookies: Remember your preferences (e.g., language settings) to improve your experience.
• Marketing cookies: Used to deliver relevant advertisements. Only activated with your explicit consent.

You can manage cookie preferences at any time by adjusting your browser settings or using our cookie preference centre (where available). Disabling non-essential cookies will not affect the core functionality of the website.

For full details, see our Cookie Policy.

9 Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

• TLS/SSL encryption for all data in transit
• Access controls and role-based permissions for staff
• Regular security assessments and vulnerability testing
• Staff training on data protection and security best practices
• Incident response procedures including mandatory breach notification under GDPR Art. 33

In the event of a personal data breach that is likely to result in high risk to your rights and freedoms, we will notify you without undue delay as required by law.

10 Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at privacy@sybrelix.com and we will promptly delete such data.

11 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will indicate the "Last Updated" date at the top of this page.

For material changes, we will notify you by email (if you are a client or have subscribed to our communications) or by a prominent notice on our website at least 14 days prior to the change taking effect.

Your continued use of our website or services after the effective date constitutes acceptance of the updated policy.

12 Contact Us

For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact our Data Protection contact: