Privacy Policy
Last updated: March 4, 2026
1. Data Controller
The data controller is Firmify ("we", "us"), operator of the website firmify.bg.
Contact for personal data protection inquiries: privacy@firmify.bg
2. What Data We Collect
We collect the following categories of personal data:
2.1. Account Data
- Email address
- Password (hashed with bcrypt, never stored in plain text)
2.2. Company Data
- Company name, registered address, type of activity
- Names of owners, partners and managers
- Addresses of individuals (owners, managers)
- Capital amount and share distribution
2.3. Personal Identification Number (EGN)
EGN is collected because it is a mandatory element of Commercial Register documents. EGN is encrypted with AES-256-GCM when written to the database. Only the last 4 digits are displayed in the user interface. Full decryption occurs only when generating documents.
2.4. Payment Data
Payment data (card number, date, CVC) is processed exclusively by Stripe (stripe.com). Firmify does NOT store credit or debit card numbers. We only store the Stripe session ID and payment status.
2.5. Technical Data
- IP address (in server logs)
- Authentication cookies (JWT)
- Google Analytics data (anonymized, only with consent)
3. Purposes and Legal Basis for Processing
| Purpose | Legal Basis (GDPR) |
|---|---|
| Account creation and management | Performance of contract (Art. 6(1)(b)) |
| Document generation | Performance of contract (Art. 6(1)(b)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| Sending reminders (VAT, annual report) | Legitimate interest (Art. 6(1)(f)) |
| Website analytics (Google Analytics) | Consent (Art. 6(1)(a)) |
| Error monitoring (Sentry) | Legitimate interest (Art. 6(1)(f)) |
4. Cookies
Firmify uses the following cookies:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| token | Authentication (JWT) | Essential | 7 days |
| cookie_consent | Cookie preference storage | Essential | 1 year |
| _ga, _ga_* | Google Analytics | Optional | 2 years |
Analytics cookies are loaded only after your explicit consent via the cookie banner.
5. Data Processors (Subprocessors)
- Stripe, Inc. — payment processing (PCI DSS Level 1 certified). Privacy policy: stripe.com/privacy
- Google LLC — Google Analytics 4 (traffic analysis, consent-only)
- Sentry — error monitoring (technical data, no personal data)
6. Retention Periods
- Drafts and unsubmitted applications: up to 90 days after last update
- Submitted applications, company data and EGN: up to 5 years from the date of submission
- Signed documents and audit records: at least 5 years per applicable traceability and commercial documentation requirements
- Unsigned generated documents: up to 6 months after the last relevant activity
- Payment data (Stripe ID and accounting records): up to 10 years per applicable accounting and tax legislation
- Accounts without active organizations: up to 12 months of inactivity
- Server logs: up to 90 days
Where the law requires longer retention, a deletion request may be limited for the relevant period.
7. Your Rights (GDPR)
As a data subject, you have the right to:
- Access — to receive a copy of your personal data
- Rectification — to request correction of inaccurate data
- Erasure — to request deletion of your data ("right to be forgotten")
- Restriction — to request restriction of processing
- Portability — to receive your data in a structured, machine-readable format
- Objection — to object to the processing of your data
- Withdrawal of consent — at any time for processing based on consent (e.g. analytics cookies)
To exercise your rights, please contact us at: privacy@firmify.bg
8. Data Security
We implement the following security measures:
- EGN encryption with AES-256-GCM (separate encryption key)
- Password hashing with bcrypt
- HTTPS for all communications
- JWT in HTTP-only cookie (XSS protection)
- Database not accessible outside the internal Docker network
9. Data Transfer Outside the EU
Stripe and Google may process data in the USA. Both companies provide adequate safeguards through Standard Contractual Clauses (SCC) and/or the EU-US Data Privacy Framework.
10. Right to Complain
If you believe that the processing of your personal data violates the GDPR, you have the right to file a complaint with the Commission for Personal Data Protection (CPDP):
- Website: www.cpdp.bg
- Address: 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia
11. Changes to the Policy
Firmify may update this Privacy Policy. In case of significant changes, you will be notified by email or by a notification in the Platform. The date of the last update is indicated at the beginning of the document.
12. Contact
For personal data protection questions: privacy@firmify.bg
For general questions: support@firmify.bg