Privacy Policy

    Pricemind Privacy Policy

    How we collect, use, disclose and protect your personal data.

    Effective date: 12 July 2025  ·  Controller: Stellion OOD

    This Privacy Policy explains how Stellion OOD ("Pricemind", "we", "us", "our") collects, uses, discloses and protects personal data when you visit our websites, use our platform, APIs and related services (collectively, the Services).

    We process personal data in accordance with the EU/EEA GDPR, the UK GDPR, the Swiss FADP, and, where applicable, the CCPA/CPRA and Brazil's LGPD.

    1) Identity and contact details of the controller

    Controller: Stellion OOD (EIK/UIC: 206104538)
    Registered address: Cherni Vrah blvd 107, Sofia, Bulgaria, 1407
    Contact (privacy): [email protected]
    DPO: Petar Atanasov

    As we are established in the EU, you may lodge complaints with your local authority. In Bulgaria: Commission for Personal Data Protection (CPDP).

    2) Scope and roles

    This Policy covers personal data processed when:

    • you browse our websites (pricemind.io, pricemind.ai) and web apps (app.pricemind.io);
    • you create and use an account;
    • you interact with our APIs, integrations, support and communications;
    • you receive marketing from us.

    Controller vs Processor. For account, billing, telemetry and marketing data, Pricemind acts as a controller. For data customers upload/collect via the Services, Pricemind acts as a processor, governed by our Data Processing Addendum (DPA).

    3) Categories of personal data we process

    Account and profile data: name, surname, employer/company, job title, email, password hash, user role, language preferences.
    Organisation/Billing data: company legal details, VAT/TAX ID, billing contact, addresses, invoices, transaction details.
    Usage & event data: product telemetry, feature interactions, timestamps, session IDs, IP address, device/user agent, cookie IDs, approximate location.
    Support & communications: messages, tickets, call/chat recordings, attachments, feedback, survey responses.
    Marketing data: newsletter opt-ins, marketing preferences, campaign engagement, lead source.
    Job applicant data: CV/resume, contact details, interview notes, references.
    Incidentally processed content: URLs, product data, exports submitted to the Services.

    Sensitive data: We do not intentionally collect special categories of data (e.g., health, religion). Please do not submit such data to the Services.

    4) Sources of data

    Directly from you: Registration, contracts, support, forms
    Automatically: Telemetry, cookies, server logs
    Third parties: Payment processors, SSO, marketing partners

    5) Purposes and legal bases (EEA/UK/CH)

    Purpose | Examples | Legal basis
    Provide & operate Services | account creation, authentication, uptime | Contract (Art. 6(1)(b))
    Billing & administration | invoicing, payment, tax compliance | Contract; Legal obligation
    Security & abuse prevention | logging, rate‑limiting, fraud prevention | Legitimate interests (Art. 6(1)(f))
    Product analytics | telemetry, A/B testing, diagnostics | Legitimate interests; Consent
    Support & communications | tickets, service notices | Contract; Legitimate interests
    Marketing | newsletters, event updates | Consent; Legitimate interests (B2B)
    Legal & compliance | record‑keeping, regulatory requests | Legal obligation
    Recruitment | evaluate candidates, interviews | Pre‑contractual steps; Consent

    You may withdraw consent at any time, without affecting lawfulness prior to withdrawal.

    7) Disclosures and recipients

    We do not sell personal data.

    We disclose personal data only to:

    • Service providers: cloud hosting, CDNs, email/SMS, payment processors, analytics, security.
    • Integration partners: SSO/IdP, CRMs, data warehouses you choose to connect.
    • Corporate transactions: mergers, acquisitions, or asset sales under appropriate safeguards.
    • Legal and safety: to comply with laws or protect rights, property or safety.
    • Aggregated data: usage statistics that do not identify individuals.

    8) International data transfers

    We may transfer personal data outside the EEA/UK/Switzerland using adequacy decisions or Standard Contractual Clauses (SCCs) plus supplementary measures. Copies available upon request.

    9) Data retention

    Account/profile: Account lifetime + 24 months
    Billing/financial: Up to 10 years (statutory)
    Telemetry & security logs: 12–18 months
    Support tickets: 24 months after closure
    Backups: 30–45 days rolling
    Recruitment data: 12 months (or longer with consent)

    10) Security

    Encryption in transit (TLS 1.2+)
    Encryption at rest
    Least‑privilege, role‑based access
    Network segmentation & firewalling
    Logging and monitoring
    Secure development practices
    Vulnerability management
    Regular backups & tested restore

    11) Your rights (EEA/UK/CH)

    Access: Obtain a copy of your data
    Rectify: Correct inaccurate data
    Erase: Right to be forgotten
    Restrict: Limit processing
    Object: To legitimate interests or marketing
    Portability: Receive data in portable format

    Contact [email protected] to exercise your rights. We respond within one month.

    12) California residents (CCPA/CPRA)

    Categories collected: identifiers, commercial info, internet activity, professional info, geolocation, inferences.
    "Sale"/"Sharing": We do not sell or share personal information for cross‑context behavioural advertising.
    Your CPRA rights: know/access, correct, delete, portability, opt‑out of sale/sharing, non‑discrimination.

    13) Children's data

    The Services are not directed to children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided personal data, contact us to delete it.

    14) Automated decision‑making

    We do not perform automated decision‑making that produces legal or similarly significant effects (GDPR Article 22).

    15) Customer responsibilities (processor role)

    If your organisation uses the Services to process personal data, you are responsible for ensuring lawful basis and required notices. Our DPA governs such processing.

    16) Sub‑processors

    Provider | Purpose | Location | Transfer
    Postmark (ActiveCampaign) | Transactional email | United States | SCCs/UK Addendum
    Hetzner Cloud | Cloud infrastructure & storage | EU (Germany, Finland) | EU region only

    17) Changes to this Policy

    We may update this Policy from time to time. Material changes will be notified via the Service or email. The "Effective date" at the top indicates the latest version.

    18) Contact

    Stellion OOD

    Cherni Vrah blvd 107, Sofia, Bulgaria, 1407

    UIC: 206104538

    Email: [email protected]

    For EEA/UK/CH data subjects: you may also contact your local data protection authority. In Bulgaria: Commission for Personal Data Protection (CPDP).

    Annexes

    Annex C — Key definitions

    • Personal data: any information that identifies or can reasonably be linked to an individual.
    • Processor/Sub‑processor: entity that processes personal data on behalf of a controller.
    • SCCs: Standard Contractual Clauses approved by the European Commission.
    • Legitimate interests: our interest in conducting and managing our business while respecting your rights.