Pricemind Privacy Policy
Effective date: 12 July 2025
This Privacy Policy explains how Stellion OOD ("Pricemind", "we", "us", "our") collects, uses, discloses and protects personal data when you visit our websites, use our platform, APIs and related services (collectively, the Services).
We are established in the European Union (Bulgaria) and process personal data in accordance with the EU/EEA GDPR, the UK GDPR, the Swiss FADP, and, where applicable, the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA") and Brazil’s LGPD. This Policy applies unless a separate contract (e.g., Data Processing Addendum) governs specific processing.
1) Identity and contact details of the controller
- Controller: Stellion OOD (EIK/UIC: 206104538)
- Registered address: Cherni Vrah blvd 107, Sofia, Bulgaria, 1407
- Contact (privacy): [email protected]
- Data Protection Officer (if appointed): Petar Atanasov. If no DPO is appointed, contact us at the address above.
- EU establishment / supervisory authority: As we are established in the EU, you may lodge complaints with your local authority. In Bulgaria, this is the Commission for Personal Data Protection (CPDP).
2) Scope and roles
This Policy covers personal data processed when:
- you browse our websites (e.g., pricemind.io, pricemind.ai) and web apps (e.g., app.pricemind.io);
- you create and use an account;
- you interact with our APIs, integrations, support and communications;
- you receive marketing from us.
Controller vs Processor. For customer account, billing, product telemetry and marketing data, Pricemind acts as a controller. For data that customers upload to/collect via the Services (e.g., product catalogues, URLs to monitor, exports that may contain personal data), Pricemind acts as a processor on behalf of the customer. Our processing as processor is governed by our Data Processing Addendum (DPA), which includes Standard Contractual Clauses where relevant.
3) Categories of personal data we process (as controller)
We collect and process the following categories (depending on your use):
- Account and profile data: name, surname, employer/company, job title, email, password hash, user role, language preferences.
- Organisation/Billing data: company legal details, VAT/TAX ID, billing contact, addresses, purchase orders, invoices, transaction details (payment processing is handled by our provider; we do not store full card numbers).
- Usage & event data: product telemetry, feature interactions, timestamps, session identifiers, IP address, device/user agent, referral URLs, cookie IDs, approximate location inferred from IP (city/country level).
- Support & communications: messages, tickets, call/chat recordings (if applicable), attachments, feedback, survey responses.
- Marketing data: newsletter opt-ins, marketing preferences, campaign engagement, lead source.
- Job applicant data (if you apply): CV/resume, contact details, interview notes, references.
- Incidentally processed content: data you or your organisation submit to the Services (URLs, product data, exports). We discourage including personal data in such content; where it is included, we generally act as a processor on your organisation's behalf rather than as a controller (see Section 2).
- Sensitive data: We do not intentionally collect special categories of data (e.g., health, religion). Please do not submit such data to the Services.
4) Sources of data
- Directly from you/your organisation (registration, contracts, support, forms, uploads).
- Automatically via the Services (telemetry, cookies/SDKs, server logs, security logs).
- Third parties (payment processors, identity providers/SSO, integration partners, publicly available sources, marketing partners, anti‑fraud tools).
5) Purposes and legal bases (EEA/UK/CH)
Purpose | Examples | Legal basis |
---|---|---|
Provide and operate the Services | account creation, authentication, user management, core features, uptime | Contract (Art. 6(1)(b) GDPR) |
Billing & account administration | invoicing, payment processing, tax compliance | Contract; Legal obligation (tax/accounting) |
Security & abuse prevention | logging, incident response, rate‑limiting, fraud prevention, access controls | Legitimate interests (Art. 6(1)(f)) |
Product analytics & improvement | telemetry, A/B testing, crash/error diagnostics | Legitimate interests; Consent where cookies/SDKs require it |
Support & communications | resolving tickets, service notices | Contract; Legitimate interests |
Marketing | newsletters, event updates | Consent (opt‑in in EEA/UK/CH); Legitimate interests for B2B where permitted |
Legal & compliance | record‑keeping, enforcement of terms, regulatory requests | Legal obligation; Legitimate interests |
Recruitment | evaluate candidates, arrange interviews | Pre‑contractual steps; Consent where required |
Where processing is based on consent, you may withdraw it at any time; withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
7) Disclosures and recipients
We do not sell personal data.
We disclose personal data only to:
- Service providers (processors/sub‑processors): cloud hosting and storage, content delivery networks, email/SMS providers, payment processors, customer support, logging/monitoring, analytics, security and fraud‑prevention, professional services.
- Integration partners you choose to connect (e.g., SSO/IdP, CRMs, data warehouses). These are separate controllers in most cases.
- Corporate transactions: if we undergo a merger, acquisition or asset sale, data may be transferred under appropriate safeguards.
- Legal and safety: to comply with laws, court orders or to protect rights, property or safety of Pricemind, users or the public.
- Aggregated/De‑identified data: we may publish usage statistics that do not identify individuals.
We contractually require processors to safeguard data and process it only on our documented instructions.
8) International data transfers
We may transfer personal data outside your country, including outside the EEA, the UK and Switzerland. Where we do, we rely on an adequacy decision or implement the European Commission's Standard Contractual Clauses (SCCs), with the UK Addendum where applicable, together with supplementary measures. Copies of the SCCs we rely on can be made available upon request, subject to redactions.
9) Data retention
We retain personal data only as long as needed for the purposes above or as required by law. Typical periods:
- Account/profile data: for the account lifetime, then 24 months after closure (to manage queries and backups), unless deletion is requested earlier.
- Billing/financial records: up to 10 years to comply with accounting/tax laws (e.g., in Bulgaria).
- Product telemetry and security logs: 12–18 months.
- Support tickets & communications: 24 months after closure.
- Backups: rolling backups typically retained 30–45 days.
- Recruitment data: 12 months (or longer with consent).
When data is no longer required, we delete or irreversibly anonymise it.
10) Security
We implement appropriate technical and organisational measures, including but not limited to: encryption in transit (TLS 1.2+); encryption at rest where supported; least‑privilege, role‑based access; network segmentation and firewalling; logging and monitoring; secure development practices; vulnerability management; employee confidentiality obligations; regular backups and tested restore procedures. No system is 100% secure; we continuously improve our controls.
11) Your rights (EEA/UK/CH)
Subject to conditions and exceptions, you have the right to:
- Access your personal data and obtain a copy;
- Rectify inaccurate or incomplete data;
- Erase data ("right to be forgotten");
- Restrict processing;
- Object to processing based on legitimate interests or to direct marketing;
- Portability of data you provided to us;
- Withdraw consent at any time.
To exercise these rights, contact [email protected]. We may request information to verify your identity before acting on a request. We will respond within one month of receipt; in complex cases or where we receive many requests, this period may be extended by up to two further months, in which case we will inform you of the extension and the reasons for it. You also have the right to lodge a complaint with a supervisory authority.
12) California residents (CCPA/CPRA)
If you are a California resident, the following applies in addition to the rest of this Policy:
- Categories collected: identifiers (e.g., name, email, IP, device IDs), commercial information (transactions), internet/network activity (telemetry, logs), professional information (role/company), geolocation (approximate), inferences (limited product usage segmentation). We do not knowingly collect sensitive personal information.
- Sources: you, your organisation, your device, our service providers/partners.
- Business/commercial purposes: as described in Section 5.
- Disclosure for business purposes: to service providers and contractors described in Section 7.
- “Sale”/“Sharing”: We do not sell personal information. We do not share personal information for cross‑context behavioural advertising without your consent via the cookie banner. You may opt out at any time via cookie settings and, where supported, Global Privacy Control (GPC) signals.
- Your CPRA rights: know/access, correct, delete, data portability, opt‑out of sale/sharing, limit use/disclosure of sensitive personal information, and non‑discrimination. Submit requests to [email protected]. We will verify and respond as required by law.
13) Children’s data
The Services are not directed to children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided personal data, contact us to delete it.
14) Automated decision‑making
We do not perform automated decision‑making that produces legal or similarly significant effects on individuals within the meaning of GDPR Article 22.
15) Customer responsibilities (when we act as processor)
If your organisation uses the Services to process personal data, you are responsible for ensuring you have a lawful basis and have provided required notices to affected individuals. Our DPA (and, where relevant, SCCs/UK Addendum) governs such processing, including sub‑processors and security standards.
16) Sub‑processors
We maintain a list of sub‑processors used for the Services (e.g., hosting, storage, analytics, support). We will provide prior notice of changes as set out in the DPA. The current list is published in Annex III of our Data Processing Addendum (DPA); a copy as at the effective date of this Policy is also included in Annex D below.
17) Changes to this Policy
We may update this Policy from time to time. Material changes will be notified via the Service or email. The "Effective date" at the top indicates the latest version. Continued use of the Services after changes indicates acceptance.
18) Contact
Stellion OOD
Cherni Vrah blvd 107, Sofia, Bulgaria, 1407
UIC: 206104538
Email: [email protected]
For EEA/UK/CH data subjects: you may also contact your local data protection authority. In Bulgaria: Commission for Personal Data Protection (CPDP).
Annex A — Retention schedule (summary)
- Account/profile data: life of account + 24 months
- Billing/finance: up to 10 years (statutory)
- Telemetry & security logs: 12–18 months
- Support/tickets: 24 months after closure
- Backups: 30–45 days rolling
- Recruitment: 12 months (or longer with consent)
Annex C — Key definitions
- Personal data / personal information: any information that identifies or can reasonably be linked to an individual.
- Processor/Sub‑processor: entity that processes personal data on behalf of a controller/processor.
- SCCs: Standard Contractual Clauses approved by the European Commission for international transfers.
- Legitimate interests: our interest in conducting and managing our business to give you the best service while respecting your rights and freedoms.
Annex D — Authorised Sub‑processors (at policy effective date)
Provider | Purpose | Location(s) of Processing | Transfer Mechanism |
---|---|---|---|
Postmark (ActiveCampaign) | Transactional email delivery | United States | SCCs/UK Addendum as applicable |
Hetzner Cloud | Cloud infrastructure and storage (compute, networking, volumes) | EU (Germany, Finland) | No international transfer – EU region only |
Linode (Akamai) | Cloud infrastructure and storage (compute, networking, object storage) | EU region only | No international transfer – EU region only |
Hotjar Ltd. | Product analytics, session recording, heatmaps | EU (Malta, Ireland) with transfers to US | SCCs/UK Addendum as applicable |