PRIVACY POLICY

This Privacy Policy is intended to inform you about the manner in which we collect, use and protect your personal data when using the NAPPlus platform (https://napplus.bg). The processing of personal data is carried out in full compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR) and applicable Bulgarian law.

1. WHO PROCESSES YOUR DATA

The controller of personal data within the meaning of the GDPR is:

2. CATEGORIES OF PERSONAL DATA

Depending on the manner of interaction with the platform, we process the following categories of personal data:

2.1. Registration and identification data

When creating a user account, we collect: first and last name, email, phone number, company name, UIC and correspondence address.

2.2. Billing data

For the purposes of issuing invoices, we process: company data, UIC, VAT number (if available), registration address and correspondence address.

2.3. Payment data

Payments are processed by Stripe. We do not store bank card data. Stripe acts as an independent data controller in accordance with its own privacy policy.

2.4. Technical data

When visiting the platform, the following are automatically collected: IP address, browser type and operating system, date and time of access, pages visited and actions on the platform.

2.5. Data from integrated systems

When connecting your online store with NAPPlus, the platform gains access to data on orders, products and customers, necessary for the generation of XML files and digital cash receipts.

3. PURPOSES AND LEGAL BASES FOR PROCESSING

We process your personal data for the following purposes:

3.1. Performance of a contract (Art. 6(1)(b) of the GDPR)

Provision of the platform's services, management of user accounts, processing of payments, technical support and communication in connection with the service.

3.2. Compliance with legal obligations (Art. 6(1)(c) of the GDPR)

Issuance and storage of accounting documents pursuant to the Accountancy Act, compliance with tax legislation and the requirements of Ordinance No. N-18.

3.3. Legitimate interest (Art. 6(1)(f) of the GDPR)

Ensuring the security of the platform, prevention of abuse, improvement of services and analysis of the use of the platform.

3.4. Consent (Art. 6(1)(a) of the GDPR)

Sending of marketing messages and newsletters, use of analytical and advertising cookies. Consent may be withdrawn at any time.

4. COOKIES AND TRACKING TECHNOLOGIES

The platform uses cookies and similar technologies for various purposes:

4.1. Essential cookies

Necessary for the functioning of the platform – maintaining a session, remembering settings, authentication. These cookies do not require consent.

4.2. Analytical cookies

We use Google Analytics to collect statistical information about the use of the platform. IP addresses are anonymized. These cookies are activated only after your consent.

4.3. Marketing cookies

We use Google Ads and Meta Pixel for personalized advertising and remarketing. These cookies are activated only after your express consent.

4.4. Cookie management

Upon your first visit to the platform, you will see a consent banner through which you can choose which categories of cookies to allow. You can change your preferences at any time through your browser settings or through the link at the bottom of the page.

5. RECIPIENTS OF DATA AND TRANSFER

Your personal data may be provided to the following categories of recipients:

5.1. Service providers

Hosting providers, payment operators (Stripe), email service providers. These parties process data only on our instructions and in accordance with concluded data processing agreements (DPA).

5.2. Analytics and advertising partners

Google (Analytics, Ads), Meta (Facebook Pixel). These companies act as independent data controllers in accordance with their own policies.

5.3. State authorities

Where there is a legal obligation, we may provide data to the NRA (National Revenue Agency), judicial authorities or other competent institutions.

5.4. International transfer

Some of our providers (Google, Meta, Stripe) are based in the USA. The transfer of data to these companies is carried out in compliance with the EU-US Data Privacy Framework or standard contractual clauses approved by the European Commission.

6. RETENTION PERIOD

We store your personal data for the following periods:

• Registration data – until termination of the account plus 2 years for archival purposes.
• Accounting documents – 10 years pursuant to the Accountancy Act.
• Data from integrations (orders, XML files) – until termination of the subscription plus 2 years archive.
• Technical logs – up to 12 months.
• Marketing consents – until withdrawal of consent.

7. YOUR RIGHTS

Under the GDPR you have the following rights:

• Right of access – to obtain information on whether and what data of yours we process, as well as a copy of it.
• Right to rectification – to request correction of inaccurate or incomplete data.
• Right to erasure – to request deletion of your data under certain conditions.
• Right to restriction – to request temporary suspension of processing.
• Right to portability – to receive your data in a machine-readable format.
• Right to object – to object to processing based on legitimate interest or for direct marketing.
• Right to withdraw consent – at any time, without this affecting the lawfulness of processing already carried out.

To exercise your rights, you can contact us at support@napplus.bg. We will respond within 30 days of receipt of the request.

8. SECURITY MEASURES

We apply technical and organizational measures to protect your data:

Technical measures

SSL/TLS encryption of all connections, firewalls, intrusion detection systems, regular software updates, encryption of sensitive data in the database.

Organizational measures

Restricted access only for authorized persons, confidentiality obligations, data processing agreements with subcontractors, regular security reviews.

Incident response

In the event of a security breach, we will notify the Commission for Personal Data Protection within 72 hours and the affected individuals, where required by law.

9. RIGHTS TO COMPLAIN

If you consider that we are processing your data in violation of the GDPR, you have the right to lodge a complaint with:

10. UPDATES TO THE POLICY

We reserve the right to update this Privacy Policy in the event of changes in legislation, our practices or services. The updated version will be published on this page with a new effective date. We recommend that you periodically review the policy.

VERSION HISTORY

Version 1.0 – 03.07.2025 – Initial version

CONTACT FOR QUESTIONS REGARDING PERSONAL DATA

© NAPPlus 2026. All rights reserved.