Privacy Policy
Last updated: April 2026
This Privacy Policy explains how Grafix Solutions Ltd. (“we”, “us”, “our”) collects, uses, stores and protects your personal data when you visit grafixsolutions.eu or engage our services. We act as a data controller under Regulation (EU) 2016/679 (“GDPR”) and the Bulgarian Personal Data Protection Act.
1. Who we are
- Company: Grafix Solutions Ltd.
- Legal form: Limited liability company registered in Bulgaria
- EIK / Unified Identification Code: 207362534
- Registered address: Bulgaria
- Data protection contact: contact@grafixsolutions.eu
2. What data we collect
We collect only the data that is necessary for the purposes described below.
- Contact form data: name, email address, service of interest and the content of your message.
- Client & billing data: company name, VAT/EIK number, billing address, contact person and banking details (for clients only).
- Technical & usage data: IP address (truncated), browser type, operating system, referring URL, pages visited, session duration.
- Cookies & similar technologies: see our Cookie Policy.
- Communications: emails, chat messages and other correspondence you send us.
We do not knowingly collect personal data from children under 16 and we do not process special categories of data (health, religion, political views, etc.).
3. Why we collect it (purposes & legal basis)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Answering your contact form and quoting projects | Pre-contractual steps at your request (Art. 6 (1)(b)) |
| Providing services under a signed contract | Performance of a contract (Art. 6 (1)(b)) |
| Issuing invoices, bookkeeping, tax reporting | Legal obligation (Art. 6 (1)(c)) |
| Website analytics & service improvement | Your consent (Art. 6 (1)(a)) or legitimate interest (Art. 6 (1)(f)) |
| Marketing communications & remarketing | Your consent (Art. 6 (1)(a)) |
| Fraud prevention and site security | Legitimate interest (Art. 6 (1)(f)) |
4. Who we share your data with
We never sell your personal data. We share it only with trusted processors that help us operate the website and deliver our services. Each processor is bound by a written Data Processing Agreement.
| Processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Website hosting, edge network, logging | EU / USA (EU-US DPF) |
| Railway Corp. | Backend & database hosting for leads | EU / USA (SCCs) |
| Resend (Resend.com) | Transactional email delivery | EU / USA (SCCs) |
| Google Ireland Ltd. — Google Analytics 4 | Aggregated traffic analytics (only with your consent) | EU / USA (EU-US DPF) |
| Microsoft Ireland — Clarity | Aggregated session recording (only with your consent) | EU / USA (EU-US DPF) |
| Bulgarian bookkeeping partner | Accounting, tax and payroll | Bulgaria (EU) |
When data is transferred outside the European Economic Area, we rely on EU Standard Contractual Clauses or, where available, the EU-US Data Privacy Framework.
5. How long we keep your data
- Contact form inquiries: up to 24 months after last contact, then deleted or anonymised.
- Client contracts & invoices: 10 years after the end of the contractual relationship (required by Bulgarian accountancy law).
- Analytics data: up to 14 months in Google Analytics, 12 months in Microsoft Clarity.
- Marketing consent: until you withdraw it or for 24 months of inactivity.
- Server logs: maximum 30 days.
6. Your rights under the GDPR
As a data subject you have the right to:
- Access — obtain a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your data (“right to be forgotten”), subject to legal retention obligations.
- Restriction — limit processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interest or direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
- Automated decisions — not to be subject to a decision based solely on automated processing. We do not make such decisions.
To exercise any of these rights, email us at contact@grafixsolutions.eu. We will respond within 30 days. See the concise GDPR Rights page for a step-by-step guide.
7. Right to lodge a complaint
If you believe we process your personal data in violation of the law, you may lodge a complaint with the Bulgarian Data Protection Authority:
Address: 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
Phone: +359 2 915 3 518
Email: kzld@cpdp.bg
Website: www.cpdp.bg
8. Cookies
Our website uses essential, analytics and marketing cookies. You give or withdraw consent through the cookie banner. For a full list of cookies, their purpose and duration, see our Cookie Policy.
9. Security measures
We protect your data with industry-standard measures: TLS encryption in transit, encryption at rest, access control on a need-to-know basis, regular backups, secure development practices and periodic security reviews.
10. Changes to this policy
We may update this Privacy Policy from time to time. The latest version is always available at grafixsolutions.eu/privacy with an updated “Last updated” date. Material changes will be announced on the site.
11. Contact us
Questions, requests or concerns about your personal data? Email us at contact@grafixsolutions.eu. We usually reply within 24 business hours.