Privacy Policy
Last updated: April 13, 2026 · Version 1.0
This Privacy Policy describes how "VIDMind" EOOD (UIC 207691138), operator of the Ovreme platform (ovreme.bg), collects, processes and protects your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and the Bulgarian Personal Data Protection Act.
1. Data Controller
"VIDMind" EOOD
UIC: 207691138
Email: info@ovreme.bg
2. What Data We Collect
For Customers (booking an appointment)
| Data | Purpose | Legal Basis |
|---|---|---|
| Name | Identification for the booking | Consent (Art. 6.1.a) |
| Email address | Confirmation, reminders, cancellation | Consent (Art. 6.1.a) |
| Phone (optional) | Contact for changes | Consent (Art. 6.1.a) |
| Notes (optional) | Special requirements | Consent (Art. 6.1.a) |
| IP address | Consent audit trail | Legitimate interest (Art. 6.1.f) |
For Merchants (registered businesses)
| Data | Purpose | Legal Basis |
|---|---|---|
| Business name, email | Account and communication | Contract (Art. 6.1.b) |
| UIC (for verification) | Business verification | Legitimate interest (Art. 6.1.f) |
| Working hours, services | Platform functionality | Contract (Art. 6.1.b) |
| IP address at registration | Consent audit trail | Legitimate interest (Art. 6.1.f) |
3. Data Processing Roles (DPA)
The Merchant is the Data Controller for their customers' personal data — they determine the purposes and means of processing.
Ovreme (VIDMind EOOD) is the Data Processor — processes customer data solely on behalf of and under the instructions of the Merchant for the following purposes:
- Storage and management of bookings;
- Sending confirmations, reminders and notifications;
- Providing the technical infrastructure.
The Operator does not use Merchant customer data for its own marketing or analytical purposes.
4. Data Retention
| Data | Retention Period |
|---|---|
| Booking data (name, email, phone, notes) | Up to 24 months after the booking date, then automatically anonymized |
| Merchant data | While the account is active + 30 days after deletion |
| Consent records (timestamp, IP, version) | 5 years (to prove consent was given) |
5. Technical Safeguards
- Encryption at rest: Customer personal data (name, email, phone, notes) is encrypted using AES-256-GCM. The encryption key is stored separately from the database.
- Encryption in transit: TLS/HTTPS for all connections.
- Passwords: Hashed with bcrypt — cannot be recovered.
- Anonymization: Automatic anonymization of bookings older than 2 years.
6. Your Rights
Under GDPR, you have the following rights:
- Right of access (Art. 15) — obtain a copy of the data we hold about you;
- Right to rectification (Art. 16) — request correction of inaccurate data;
- Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten");
- Right to restriction (Art. 18) — request temporary suspension of processing;
- Right to data portability (Art. 20) — receive your data in a machine-readable format (CSV/JSON);
- Right to object (Art. 21) — object to processing based on legitimate interest;
- Right to withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal.
To exercise these rights, contact us at info@ovreme.bg. We respond within 30 days.
7. Sub-processors
| Sub-processor | Location | Purpose | Data scope |
|---|---|---|---|
| JumpLine / jump.bg (Delta HighTech Ltd.) | Bulgaria (EU) | Server infrastructure hosting and email notifications (SMTP) | Entire database (encrypted at rest); recipient email address + notification content |
| Anthropic PBC | United States | AI content generation provider (page builder) | Text prompts entered by the Merchant for marketing page content. Does not process end-user personal data (names, emails, phone numbers, bookings) |
| Google LLC | United States | Two-way Google Calendar synchronization (optional, opt-in by the Merchant) | Date, time, and service name for bookings of Merchants who have activated sync. Customer personal data is synchronized only if the Merchant has explicitly configured it |
| DSK Bank AD | Bulgaria (EU) | Card payments via virtual POS terminal (vPOS) | Payment metadata (amount, currency, order identifier). Card data is processed directly by DSK and does not transit through Ovreme |
| Mobica Bulgaria | Bulgaria (EU) | SMS notifications (optional) | Recipient phone number + notification text |
Data transfers outside the EU/EEA: The sub-processors Anthropic PBC and Google LLC are established in the United States. Data transfers to them are carried out on the basis of Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR, adopted by Commission Implementing Decision (EU) 2021/914. All other sub-processors are within the EU/EEA.
Note for Merchants: Activating the AI content generation (page builder) and Google Calendar synchronization features is at your discretion and results in transferring the relevant data to providers in the United States. You may use the platform without these features.
8. Cookies
The platform uses only strictly necessary cookies:
- slotify_session — Merchant session (authentication);
- csrf_token — CSRF protection;
- lang — preferred language.
We do not use analytics, advertising or tracking cookies. We do not use Google Analytics, Facebook Pixel or similar services.
9. Automated Decision-Making
The platform does not perform profiling or automated decision-making within the meaning of Art. 22 GDPR.
10. Complaints
If you believe the processing of your personal data violates GDPR, you have the right to lodge a complaint with:
Commission for Personal Data Protection (Bulgaria)
Address: 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia
Web: www.cpdp.bg
Email: kzld@cpdp.bg
11. Changes
When this Policy is updated, registered Merchants will be notified by email. The current version is always available on this page.
12. Contact
- Email: info@ovreme.bg
- Operator: "VIDMind" EOOD, UIC 207691138