Effective Date: 05.05.2023

THIS PRIVACY NOTICE

This Privacy Notice governs how MyCFO Ltd., VAT number 206166098 (referred to as “We,” “Us,” or “Our”) processes personal data. “Personal Information” or “Personal Data” means any information that allows someone to identify you directly or indirectly. “Processing” of personal data means any collection, use, sharing, and storage of personal data.

The Privacy Policy describes the processing of personal data in connection with the following services:

– Digital accounting services and financial management – The company provides digitized accounting and financial services (Digital Accounting). The service is available as an Android, iOS, and web application accessible at https://mycfo.bg (the Site).

– Accounting services – The company provides accounting services to its clients.

– Financial Consulting – The company provides financial analysis (“CFO as a Service”) and consulting services to its clients.

PERSONAL INFORMATION WE COLLECT

We process personal data of the following categories of data subjects:

– Third Parties – Third parties refer to all individuals or representatives of legal entities whose data is provided by the Company’s clients.

– Clients – Clients refer to individuals or representatives of legal entities who use the services provided by the Company.

– Email Newsletter Subscribers – Email newsletter subscribers refer to individuals who have subscribed to receive the Company’s email newsletter.

– Website Visitors – Website visitors refer to all individuals who have visited the Company’s website (https://mycfo.bg).

– Social Media Users – Social media users refer to individuals who use social media platforms such as Facebook, Instagram, LinkedIn, and others.

We process the following categories of personal data:

Category: Identification Data
Description: Personal data includes names, identification numbers, identity document data, etc. The data is processed for the purpose of identifying data subjects during the course of a specific activity. Identification may be necessary for contract signing, customer service, etc.
Collection: Data collected personally from the data subject.

Category: Email Newsletter Subscribers Data
Description: Personal data includes email addresses, names, and information on whether the sent messages have been read and/or opened. Personal data is processed to send our email newsletter to interested individuals. The data subject can refuse to provide the data without any adverse consequences and can unsubscribe from receiving the email newsletter at any time by clicking on a button/link with the text “unsubscribe” or similar.
Collection: Data collected personally from the data subject.

Category: Website Behavior Data
Description: Personal data includes visited pages, duration of user sessions, and other related information. The data is collected to improve the customer experience for website visitors and attract new customers. The data subject can refuse the processing of personal data by using our cookie banner.
Collection: Automatically collected data.

Category: Financial Analysis Data
Description: Personal data includes all financial information provided by the client, including but not limited to income and expense data, data on key employees and clients, etc. The data is processed to provide financial analysis services and consultancy to the Company.
Collection: Data collected personally from the data subject. Data collected from third parties.
– Clients

Category: Employee Personal Data and HR Data
Description: Personal data includes data related to remuneration, insurance contributions, sick leave, vacation data, employee health data reflected in a medical certificate upon employment, and other data necessary for compliance with legal requirements applicable to the Company. Personal data is processed to fulfill legal requirements for employers to store certain employee data and declare it to state institutions such as the National Revenue Agency, the National Social Security Institute, etc.
Paragraph 1 of Article 9 of the GDPR does not apply as the processing is necessary for the purposes of preventive or occupational medicine, the assessment of the employee’s working capacity, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services based on Union or Member State law or pursuant to a contract with a healthcare professional, subject to the conditions and safeguards referred to in paragraph 3.
Collection: Data collected from third parties.

Category: Social Media Data
Description: Personal data includes any interactions between the data subject and our pages and profiles on social media platforms, such as likes, shares, comments, personal messages, etc. We process data when using social media platforms like Facebook, Instagram, LinkedIn, etc., to communicate with our clients and a wider audience and promote our offered services.
Collection: Data collected personally from the data subject.

Category: Client Accounting Data
Description: Processed personal data includes data about invoice issuers and recipients, identifiers, addresses, data about provided and received services, their value, data about payments made, and any other information that the client is required to process in connection with proper accounting practices. The Company processes personal data to fulfill its contractual obligations to its clients by providing accounting services.
Collection: Data collected from third parties.

PURPOSE AND LEGAL BASIS FOR PROCESSING

We process personal data for the following purposes:

Purpose: We process personal data from the behavior of visitors to our website to improve the customer experience.
Legal Basis: Consent
Categories of personal data:
– Data about website behavior

Purpose: The company processes personal data in the internal accounting management.
Legal Basis: Compliance with a legal obligation
Categories of personal data:
– Accounting data of the company

Purpose: The company processes personal data in maintaining a profile and page on social media to build its brand and promote its services.
Legal Basis: Legitimate interest
Categories of personal data:
– Data from social media

Purpose: The processing of personal data is carried out to provide comprehensive accounting services to the clients of the company.
Legal Basis: Contractual necessity
Categories of personal data:
– Identification data
– Data for financial analysis
– Data regarding HR and personnel of the clients
– Accounting data of the clients

Purpose: The company processes personal data for promoting the presented services and attracting new clients through personalized advertising.
Legal Basis: Consent
Categories of personal data:
– Data of individuals subscribed to the email newsletter
– Data about website behavior

DATA RETENTION PERIODS

Personal data is only stored for as long as necessary to achieve the purpose for which it is processed. A complete list of the purposes for which we process personal data can be found above.

The appropriate retention period for personal data is determined based on the quantity, nature, and sensitivity of the processed personal data, the potential risk of harm from unauthorized use or disclosure of personal data, whether the purposes of the processing can be achieved through other means, as well as based on applicable legal requirements (such as applicable limitation periods).

Personal data is stored according to one or more of the following retention periods:

– Data Retention, Automatically Deleted – We automatically delete certain data after a specific period of time has elapsed.

– Data Retention, Personally Deletable by the Data Subject – In some cases, we provide the data subjects with the ability to delete their personal data themselves.

– Data Retention, Deletable by the Data Administrator – The data administrator may independently delete personal data in certain cases.

– Data Retention until Deletion Request is Sent by the Data Subject – We delete certain data upon receiving a deletion request from the data subject.

– Profile Data Retention – When you delete your profile, we erase all information associated with the profile unless we have another legitimate basis for retaining the information.

– Data Retention for Establishment, Exercise, or Defense of Legal Claims – We retain some data when necessary for the establishment, exercise, or defense of legal claims.

– Data Retention in Contractual Relationships – Data is retained for the duration of the contractual relationship unless there is another legal basis for its retention.

– Data Retention in Pre-Contractual Relationships – When processing data in pre-contractual relationships and if a final contract is not concluded, we delete the data within 6 months from the termination of the pre-contractual relationship.

After the expiration of the retention period, we delete or anonymize the personal data.

SHARING OF PERSONAL DATA

We share personal data with the following categories of third parties:

Email marketing service providers
We share personal data with email marketing service providers in order to send our email newsletter and notify individuals who have subscribed to receive email communications about our news and services.
– Data for individuals enrolled in the email newsletter

Communication service providers
We share personal data with communication service providers for internal coordination within our team and to serve our Company’s Clients.
– Data for identification
– Data for financial analysis
– Data regarding HR and Personnel of the Company
– Data regarding HR and Personnel of the Clients
– Data for business trips
– Accounting data of the Company
– Accounting data of the Clients

Marketing service providers
We share data with marketing service providers to build our brand and presence on social media platforms, as well as to advertise our offered services.
– Data from social media

Cloud and hosting service providers
We share personal data with cloud and hosting service providers to deliver our Services and manage our business processes.
– Identification data
– Financial analysis data
– Data regarding HR and Personnel of the Company
– Data regarding HR and Personnel of the Clients
– Travel-related data
– Accounting data of the Company
– Accounting data of the Clients

Advertising service providers
We share personal data with advertising service providers to promote our Company’s activities and attract new clients.
– Data on website behavior

Analytics service providers
We share personal data with data analytics service providers, specifically to analyze the behavior of visitors on our website.
– Data on website behavior

GDPR compliance service providers
We share personal data with GDPR compliance service providers to ensure compliance with all requirements under the GDPR and the Personal Data Protection Act.
– Identification data

Competent government institutions
We share data with competent government institutions when necessary to fulfill our contractual or legal obligations. Such institutions may include the National Revenue Agency, the National Social Security Institute, and others.
– Data related to HR and Personnel of the Company
– Data related to HR and Personnel of the Clients
– Accounting data of the Company
– Accounting data of the Clients

Software development and service providers
We share personal data with software development and service providers to create, maintain, and improve our software services and internal processes.
– Accounting data of the Company
– Accounting data of the Clients

Social media platforms
We share data when using social media platforms such as Facebook, Instagram, LinkedIn, and others.
– Identification data

YOUR RIGHTS

As a data subject, you have the following rights:

Rights Description and Exercise of Rights
Right to information

You have the right to be informed about the personal data we process about you and how we process it.

You can obtain information through:

  • This Policy
  • The information we provide to you when using our Services
  • By sending an inquiry to our contact email. See how to contact us here.

Right of access

You have the right to request to be informed of or to access the personal data we process about you.

To access your personal data, you can contact us. See how to contact us here.

Right to rectification

You have the right to request correction or updating of the data we process about you when it is inaccurate or incomplete.

If you believe that your personal data is inaccurate or incomplete, please contact us and provide us with the correct information. See how to contact us here. We will make the necessary corrections or updates to ensure the accuracy and completeness of your personal data.

Right to erasure

You have the right to request the deletion of your personal data when:

  • The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • You withdraw your consent on which the processing is based, and there is no other legal ground for the processing.
  • You object to the processing, and there are no overriding legitimate grounds for the processing.
  • The personal data has been unlawfully processed.
  • The personal data must be erased for compliance with a legal obligation under Union or Member State law to which we are subject.

Sometimes, we may be unable to fulfill your request for deletion of personal data. For example, when:

  • The data is still necessary to be processed for the purpose for which it was collected.
  • We have a legitimate interest in processing the data that overrides your interest in deletion, such as for fraud prevention.
  • There is a legal obligation for us to retain the data.
  • The data is necessary for the establishment, exercise, or defense of legal claims.

To request the deletion of your personal data, you can contact us. You can find more information about data retention periods in the “Data Retention Periods” section.

Right to restriction of processing

You have the right to request the restriction of processing your personal data when:

  • You contest the accuracy of your personal data. In this case, the processing will be restricted for a period that allows us to verify the accuracy of the personal data.
  • The processing is unlawful, but you do not want your personal data to be deleted and instead request the restriction of their use.
  • We no longer need your personal data for the purposes of processing, but you require them for the establishment, exercise, or defense of legal claims.
  • You have objected to the processing pending the verification of whether our legitimate grounds override your interests.

You can request the restriction of processing your personal data by contacting us.

Right to object

You have the right to object to the processing of your personal data when:

  • We process your personal data based on legitimate interests, or
  • We process your personal data for the purposes of personalized advertising.

You can object to the processing of your personal data by contacting us.

Right to data portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and you have the right to request the transfer of this data to another controller when the processing is based on consent or contractual obligation or is carried out by automated means.

You can exercise your right to data portability by contacting us.

Right not to be subject to automated decision-making

You have the right not to be subject to a decision based solely on automated processing, including profiling, when that decision significantly affects you.

We do not engage in automated decision-making, including profiling.

Withdrawal of consent

You have the right to withdraw your consent for the processing of your personal data when the processing is based on your consent as defined in the GDPR.

Consent can be withdrawn in a manner similar to how it was given. For example, through a cookie banner, unsubscribing from an email newsletter, or by contacting us directly.

Right to lodge a complaint

You have the right to lodge a complaint with the relevant supervisory authority if you believe that your rights have been violated.

You can find the contact details of the appropriate supervisory authority by referring to their website or through other available sources.

DATA PROTECTION

We take the privacy and security of your personal data, including sensitive information, seriously. Our cybersecurity team actively works to maintain the integrity, confidentiality, and availability of our Services, and our policies and protocols are aimed at protecting your personal data. We continuously strive to improve the security of our systems. However, no method of data transmission over the internet or electronic storage is entirely secure, and we cannot guarantee the security of your personal data. Our security, safety, and privacy features are provided on an “as is” basis. Therefore, their effectiveness and flawless operation cannot be guaranteed, and we cannot provide absolute confidentiality, anonymity, or personal security.

In case we are legally obliged to inform you about unauthorized access to your Personal Information, we may notify you electronically or in writing, in accordance with applicable legislation.

COMPETENT DATA PROTECTION AUTHORITY

Authority: Commission for Personal Data Protection (CPDP)

Website: https://www.cpdp.bg/

Telephone: 02/91-53-518

Email: kzld@cpdp.bg

Address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. 2

You can find a complete list of data protection authorities in the EU here.

HOW TO CONTACT US

We welcome your comments, questions, or complaints regarding this Privacy Policy, the use of your personal data, or our response to your requests regarding the processing of your personal data. Please contact us using the following contact information:

Data Protection Center

office@mycfo.bg

You can address your inquiries regarding the protection of your personal data to the Data Protection Center.

CHANGES TO THE PRIVACY POLICY

The most current version of the policy will govern the use of your personal data by us. We may review this policy periodically, and we will notify you in advance of any changes. Notifications regarding changes to the Privacy Policy will be sent to the data subject via email.