Effective Date: 05.05.2023
THIS PRIVACY NOTICE
This Privacy Notice governs how MyCFO Ltd., VAT number 206166098 (referred to as “We,” “Us,” or “Our”) processes personal data. “Personal Information” or “Personal Data” means any information that allows someone to identify you directly or indirectly. “Processing” of personal data means any collection, use, sharing, and storage of personal data.
The Privacy Policy describes the processing of personal data in connection with the following services:
– Digital accounting services and financial management – The company provides digitized accounting and financial services (Digital Accounting). The service is available as an Android, iOS, and web application accessible at https://mycfo.bg (the Site).
– Accounting services – The company provides accounting services to its clients.
– Financial Consulting – The company provides financial analysis (“CFO as a Service”) and consulting services to its clients.
PERSONAL INFORMATION WE COLLECT
We process personal data of the following categories of data subjects:
Third Parties | Third parties refer to all individuals or representatives of legal entities whose data is provided by the Company’s clients. |
Clients | Clients refer to individuals or representatives of legal entities who use the services provided by the Company. |
Email Newsletter Subscribers | Email newsletter subscribers refer to individuals who have subscribed to receive the Company’s email newsletter. |
Website Visitors | Website visitors refer to all individuals who have visited the Company’s website (https://mycfo.bg) |
Social Media Users | Social media users refer to individuals who use social media platforms such as Facebook, Instagram, LinkedIn, and others. |
We process the following categories of personal data:
Category | Description | Collection | Notes |
Identification Data | Personal data includes names, identification numbers, identity document data, etc. The data is processed for the purpose of identifying data subjects during the course of a specific activity. Identification may be necessary for contract signing, customer service, etc. | Data collected personally from the data subject | |
Email Newsletter Subscribers Data | Personal data includes email addresses, names, and information on whether the sent messages have been read and/or opened. Personal data is processed to send our email newsletter to interested individuals. The data subject can refuse to provide the data without any adverse consequences and can unsubscribe from receiving the email newsletter at any time by clicking on a button/link with the text “unsubscribe” or similar. | Data collected personally from the data subject. | |
Website Behavior Data | Personal data includes visited pages, duration of user sessions, and other related information. The data is collected to improve the customer experience for website visitors and attract new customers. The data subject can refuse the processing of personal data by using our cookie banner. | Automatically collected data | |
Financial Analysis Data | Personal data includes all financial information provided by the client, including but not limited to income and expense data, data on key employees and clients, etc. The data is processed to provide financial analysis services and consultancy to the Company. | Data collected personally from the data subject. Data collected from third parties. | – Clients |
Employee Personal Data and HR Data | Personal data includes data related to remuneration, insurance contributions, sick leave, vacation data, employee health data reflected in a medical certificate upon employment, and other data necessary for compliance with legal requirements applicable to the Company. Personal data is processed to fulfill legal requirements for employers to store certain employee data and declare it to state institutions such as the National Revenue Agency, the National Social Security Institute, etc. Paragraph 1 of Article 9 of the GDPR does not apply as the processing is necessary for the purposes of preventive or occupational medicine, the assessment of the employee’s working capacity, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services based on Union or Member State law or pursuant to a contract with a healthcare professional, subject to the conditions and safeguards referred to in paragraph 3. | Data collected from third parties. | |
Social Media Data | Personal data includes any interactions between the data subject and our pages and profiles on social media platforms, such as likes, shares, comments, personal messages, etc. We process data when using social media platforms like Facebook, Instagram, LinkedIn, etc., to communicate with our clients and a wider audience and promote our offered services. | Data collected personally from the data subject. | |
Client Accounting Data | Processed personal data includes data about invoice issuers and recipients, identifiers, addresses, data about provided and received services, their value, data about payments made, and any other information that the client is required to process in connection with proper accounting practices. The Company processes personal data to fulfill its contractual obligations to its clients by providing accounting services. | Data collected from third parties. | |
PURPOSE AND LEGAL BASIS FOR PROCESSING
We process personal data for the following purposes:
Purpose | Legal Basis | Categories of personal data: |
We process personal data from the behavior of visitors to our website to improve the customer experience. | Consent | – Data about website behavior |
The company processes personal data in the internal accounting management. | Compliance with a legal obligation | – Accounting data of the company |
The company processes personal data in maintaining a profile and page on social media to build its brand and promote its services. | Legitimate interest | – Data from social media |
The processing of personal data is carried out to provide comprehensive accounting services to the clients of the company. | Contractual necessity | – Identification data – Data for financial analysis – Data regarding HR and personnel of the clients – Accounting data of the clients |
The company processes personal data for promoting the presented services and attracting new clients through personalized advertising. | Consent | – Data of individuals subscribed to the email newsletter – Data about website behavior |
DATA RETENTION PERIODS
Personal data is only stored for as long as necessary to achieve the purpose for which it is processed. A complete list of the purposes for which we process personal data can be found above.
The appropriate retention period for personal data is determined based on the quantity, nature, and sensitivity of the processed personal data, the potential risk of harm from unauthorized use or disclosure of personal data, whether the purposes of the processing can be achieved through other means, as well as based on applicable legal requirements (such as applicable limitation periods).
Personal data is stored according to one or more of the following retention periods:
Data Retention, Automatically Deleted | We automatically delete certain data after a specific period of time has elapsed. |
Data Retention, Personally Deletable by the Data Subject | In some cases, we provide the data subjects with the ability to delete their personal data themselves. |
Data Retention, Deletable by the Data Administrator | The data administrator may independently delete personal data in certain cases. |
Data Retention until Deletion Request is Sent by the Data Subject | We delete certain data upon receiving a deletion request from the data subject. |
Profile Data Retention | When you delete your profile, we erase all information associated with the profile unless we have another legitimate basis for retaining the information. |
Data Retention for Establishment, Exercise, or Defense of Legal Claims | We retain some data when necessary for the establishment, exercise, or defense of legal claims. |
Data Retention in Contractual Relationships | Data is retained for the duration of the contractual relationship unless there is another legal basis for its retention. |
Data Retention in Pre-Contractual Relationships | When processing data in pre-contractual relationships and if a final contract is not concluded, we delete the data within 6 months from the termination of the pre-contractual relationship. |
After the expiration of the retention period, we delete or anonymize the personal data.
SHARING OF PERSONAL DATA
We share personal data with the following categories of third parties:
Email marketing service providers | We share personal data with email marketing service providers in order to send our email newsletter and notify individuals who have subscribed to receive email communications about our news and services. | – Data for individuals enrolled in the email newsletter. |
Communication service providers | We share personal data with communication service providers for internal coordination within our team and to serve our Company’s Clients. | – Data for identification – Data for financial analysis – Data regarding HR and Personnel of the Company – Data regarding HR and Personnel of the Clients – Data for business trips – Accounting data of the Company – Accounting data of the Clients |
Marketing service providers | We share data with marketing service providers to build our brand and presence on social media platforms, as well as to advertise our offered services. | – Data from social media |
Cloud and hosting service providers | We share personal data with cloud and hosting service providers to deliver our Services and manage our business processes. | – Identification data – Financial analysis data – Data regarding HR and Personnel of the Company – Data regarding HR and Personnel of the Clients – Travel-related data – Accounting data of the Company – Accounting data of the Clients |
Advertising service providers | We share personal data with advertising service providers to promote our Company’s activities and attract new clients. | – Data on website behavior |
Analytics service providers | We share personal data with data analytics service providers, specifically to analyze the behavior of visitors on our website. | – Data on website behavior |
GDPR compliance service providers | We share personal data with GDPR compliance service providers to ensure compliance with all requirements under the GDPR and the Personal Data Protection Act. | – Identification data |
Competent government institutions | We share data with competent government institutions when necessary to fulfill our contractual or legal obligations. Such institutions may include the National Revenue Agency, the National Social Security Institute, and others. | – Data related to HR and Personnel of the Company – Data related to HR and Personnel of the Clients – Accounting data of the Company – Accounting data of the Clients |
Software development and service providers | We share personal data with software development and service providers to create, maintain, and improve our software services and internal processes. | – Accounting data of the Company – Accounting data of the Clients |
Social media platforms | We share data when using social media platforms such as Facebook, Instagram, LinkedIn, and others. | – Identification data |
YOUR RIGHTS
As a data subject, you have the following rights:
Rights | Description and Exercise of Rights |
Right to information |
You have the right to be informed about the personal data we process about you and how we process it. You can obtain information through:
|
Right of access |
You have the right to request to be informed of or to access the personal data we process about you. To access your personal data, you can contact us. See how to contact us here. |
Right to rectification |
You have the right to request correction or updating of the data we process about you when it is inaccurate or incomplete. If you believe that your personal data is inaccurate or incomplete, please contact us and provide us with the correct information. See how to contact us here. We will make the necessary corrections or updates to ensure the accuracy and completeness of your personal data. |
Right to erasure |
You have the right to request the deletion of your personal data when:
Sometimes, we may be unable to fulfill your request for deletion of personal data. For example, when:
To request the deletion of your personal data, you can contact us. You can find more information about data retention periods in the “Data Retention Periods” section. |
Right to restriction of processing |
You have the right to request the restriction of processing your personal data when:
You can request the restriction of processing your personal data by contacting us. |
Right to object |
You have the right to object to the processing of your personal data when:
You can object to the processing of your personal data by contacting us. |
Right to data portability |
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and you have the right to request the transfer of this data to another controller when the processing is based on consent or contractual obligation or is carried out by automated means. You can exercise your right to data portability by contacting us. |
Right not to be subject to automated decision-making |
You have the right not to be subject to a decision based solely on automated processing, including profiling, when that decision significantly affects you. We do not engage in automated decision-making, including profiling. |
Withdrawal of consent |
You have the right to withdraw your consent for the processing of your personal data when the processing is based on your consent as defined in the GDPR. Consent can be withdrawn in a manner similar to how it was given. For example, through a cookie banner, unsubscribing from an email newsletter, or by contacting us directly. |
Right to lodge a complaint |
You have the right to lodge a complaint with the relevant supervisory authority if you believe that your rights have been violated. You can find the contact details of the appropriate supervisory authority by referring to their website or through other available sources. |
DATA PROTECTION
We take the privacy and security of your personal data, including sensitive information, seriously. Our cybersecurity team actively works to maintain the integrity, confidentiality, and availability of our Services, and our policies and protocols are aimed at protecting your personal data. We continuously strive to improve the security of our systems. However, no method of data transmission over the internet or electronic storage is entirely secure, and we cannot guarantee the security of your personal data. Our security, safety, and privacy features are provided on an “as is” basis. Therefore, their effectiveness and flawless operation cannot be guaranteed, and we cannot provide absolute confidentiality, anonymity, or personal security.
In case we are legally obliged to inform you about unauthorized access to your Personal Information, we may notify you electronically or in writing, in accordance with applicable legislation.
COMPETENT DATA PROTECTION AUTHORITY
Authority: Commission for Personal Data Protection (CPDP)
Website: https://www.cpdp.bg/
Telephone: 02/91-53-518
Email: kzld@cpdp.bg
Address: Sofia 1592, Prof. Tsvetan Lazarov Blvd. 2
You can find a complete list of data protection authorities in the EU here.
HOW TO CONTACT US
We welcome your comments, questions, or complaints regarding this Privacy Policy, the use of your personal data, or our response to your requests regarding the processing of your personal data. Please contact us using the following contact information:
Data Protection Center
office@mycfo.bg
You can address your inquiries regarding the protection of your personal data to the Data Protection Center.
CHANGES TO THE PRIVACY POLICY
The most current version of the policy will govern the use of your personal data by us. We may review this policy periodically, and we will notify you in advance of any changes. Notifications regarding changes to the Privacy Policy will be sent to the data subject via email.