EN Legal
Privacy Policy
Updated 02/06/2026
Last updated: 2 May 2026
This Privacy Policy explains how ABC Consulting Group Ltd. ("ABC Consulting Group", "we", "us", "our") collects, uses and protects personal data when you visit abc-consulting-group.com (the "Website") or interact with us through it.
We are committed to protecting your personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"), the Bulgarian Personal Data Protection Act (Закон за защита на личните данни) and the Bulgarian E-Commerce Act (Закон за електронната търговия).
1. Who is the data controller
The controller of your personal data is:
ABC Consulting Group Ltd. (АБВ КОНСУЛТИНГ ГРУП ЕООД) UIC (ЕИК): 205149808 Registered address: ul. Tsarkovna nezavisimost No. 18, 7000 Ruse, Bulgaria Phone: +359 893 768 898 Contact form: abc-consulting-group.com/#contact
For any question regarding your personal data or to exercise your rights under the GDPR, please contact us by phone or via the contact form on the Website.
We have not appointed a Data Protection Officer because we are not required to do so under Article 37 GDPR.
2. What this policy covers
This policy covers personal data we process when you:
- visit any page of the Website;
- send us an inquiry through the contact form;
- register an account and access the administrative dashboard;
- otherwise communicate with us using the contact channels listed above.
This policy does not cover third-party websites that may be linked from our Website. We are not responsible for the privacy practices of those third parties — please review their policies separately.
3. What personal data we collect and why
We only collect the personal data we need for clearly defined purposes. The categories below summarise what we collect, why, and on what legal basis.
3.1 Visiting the Website (server logs and security)
| Item | Details |
|---|---|
| Data | IP address, browser type and version, operating system, referring URL, pages visited, timestamps |
| Purpose | To deliver the Website, ensure security and prevent abuse, diagnose technical issues |
| Legal basis | Legitimate interests — Art. 6(1)(f) GDPR (operating and securing our Website) |
| Retention | Up to 12 months in server access logs, then deleted or anonymised |
3.2 Contact form submissions
| Item | Details |
|---|---|
| Data | Name, email address, subject of inquiry, message content, date and time of submission |
| Purpose | To respond to your inquiry and follow up on potential collaboration |
| Legal basis | Consent — Art. 6(1)(a) GDPR (you submit the form voluntarily); and where you ask us about a service, the steps prior to entering into a contract — Art. 6(1)(b) GDPR |
| Retention | 12 months from the date of last correspondence, after which the submission is deleted unless a contractual relationship has started |
Contact form submissions are stored directly in our own database. We do not pass them to any third-party email marketing or CRM service.
3.3 Account registration and dashboard access
| Item | Details |
|---|---|
| Data | Email address, password (stored in hashed form by Firebase Authentication), account role assigned by an administrator, date of account creation, last sign-in timestamp |
| Purpose | To create and manage your administrative account, authenticate you, and grant you the level of access an administrator approves |
| Legal basis | Performance of a contract or pre-contractual steps — Art. 6(1)(b) GDPR; and our legitimate interest in operating the dashboard securely — Art. 6(1)(f) GDPR |
| Retention | For the lifetime of your account, plus 6 months after you request account deletion (to handle disputes or follow-up requests) |
Accounts are not granted dashboard permissions automatically. After registration, an administrator reviews and approves access.
3.4 Analytics
We use Google Analytics 4 (provided by Google Ireland Ltd. / Google LLC) to understand how visitors use the Website so we can improve it.
| Item | Details |
|---|---|
| Data | Pseudonymised online identifiers, IP address (truncated by Google), pages visited, time on page, device and browser information, approximate location (city / country level) |
| Purpose | To produce aggregate statistics about Website usage and improve the user experience |
| Legal basis | Consent — Art. 6(1)(a) GDPR. Google Analytics is loaded only after you accept analytics cookies in our cookie banner |
| Retention | Up to 14 months in Google Analytics, then automatically deleted |
You can withdraw consent at any time by changing your preferences in our cookie banner. See our Cookie Policy for full details on the cookies used.
4. Who has access to your data
Within ABC Consulting Group, only authorised staff with a clear need to do so have access to your personal data.
We share data with the following categories of recipients only to the extent necessary. The table below lists the third parties that may receive personal data when you use the Website, the role each one performs and the safeguards that apply. Where these recipients act as processors under Article 28 GDPR, that is reflected in their role description.
| Recipient | Role / data categories | Country | Privacy policy |
|---|---|---|---|
| Google Ireland Ltd. / Google LLC — Firebase Authentication | Authenticates administrative users; processes email address and hashed password | Ireland (EU) and the United States | policies.google.com/privacy |
| Google Ireland Ltd. / Google LLC — Cloud Firestore | Stores contact-form submissions, user profiles, site content and the cookie-consent audit log | Ireland (EU) — region europe-central2 |
policies.google.com/privacy |
| Google Ireland Ltd. / Google LLC — Cloud Storage for Firebase | Stores uploaded media (images and other assets used on the Website) | Ireland (EU) | policies.google.com/privacy |
| Google Ireland Ltd. / Google LLC — Firebase App Hosting (Cloud Run) | Serves the Website; processes IP addresses, user-agent strings and request paths in operational logs | Ireland (EU) — region europe-central2 |
policies.google.com/privacy |
| Google Ireland Ltd. / Google LLC — Google Analytics 4 | Aggregates usage statistics. Loaded only after you accept analytics cookies in our cookie banner. Google acts as a processor for this analytics data; we keep the Google Analytics "data sharing" settings restricted so that Google does not become an independent controller of your data | Ireland (EU) and the United States | policies.google.com/privacy |
| Google LLC — Gmail (SMTP, consumer account) | Outbound transactional email: when you submit the contact form, a notification email containing your name, email address and message body is sent from our staff Gmail account to ABC Consulting Group staff. Google does not offer a Data Processing Addendum for consumer Gmail; the data passes through Google's standard consumer-mail terms. We are evaluating a migration to a transactional email provider with a formal Article 28 DPA | Ireland (EU) and the United States | policies.google.com/privacy |
| Competent public authorities | Where required by Bulgarian or EU law (e.g. courts, the police, the Personal Data Protection Commission) | Bulgaria / EU | — |
The Google Cloud services listed above (Firebase Authentication, Cloud Firestore, Cloud Storage for Firebase, Firebase App Hosting and Google Analytics) operate under the Google Cloud Data Processing Addendum and Google's Standard Contractual Clauses for international transfers — see Section 5 below for the legal mechanism. Outbound email through Gmail SMTP is sent from a consumer Google account, which is not covered by the Google Cloud DPA; transfers to the United States in that case rely on the EU–US Data Privacy Framework.
We do not sell your personal data, and we do not share it with advertising networks.
5. International data transfers
When you use the Website, some of your data may be processed by Google on infrastructure located outside the European Economic Area, including the United States.
These transfers take place under safeguards approved by the European Commission, namely:
- the EU–US Data Privacy Framework, where the recipient is certified;
- the Standard Contractual Clauses (SCCs) included in Google's Data Processing Addendum.
You can request a copy of the safeguards in place by contacting us using the details in Section 1.
6. How long we keep your data
In addition to the retention periods listed in Section 3, the following general rules apply:
- Authentication logs — up to 12 months from the event;
- Backups — rolling 30-day cycle, after which the backup is overwritten;
- Records required by law (e.g. accounting records, contracts) — for the period mandated by Bulgarian law, typically up to 10 years.
When the retention period expires, data is deleted or irreversibly anonymised.
7. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — to obtain confirmation as to whether we process your data and a copy of it.
- Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — to ask us to delete your data where one of the conditions in the GDPR applies.
- Right to restriction of processing (Art. 18) — to limit how we use your data in certain situations.
- Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object (Art. 21) — to object to processing based on our legitimate interests.
- Right to withdraw consent (Art. 7(3)) — at any time, where processing is based on consent. Withdrawing consent does not affect processing already carried out.
- Right not to be subject to automated decision-making (Art. 22). We do not carry out any automated decision-making producing legal or similarly significant effects.
To exercise any of these rights, please contact us by phone (+359 893 768 898) or through the contact form on the Website. We will respond within one month of receiving your request, as required by Art. 12(3) GDPR. We may extend this period by up to two further months for complex requests; if so, we will inform you of the extension and the reasons.
We may ask for additional information to verify your identity before acting on a request. This is to protect your data from unauthorised disclosure.
Right to lodge a complaint
If you believe that we have processed your personal data in breach of the law, you have the right to lodge a complaint with the Bulgarian supervisory authority:
Commission for Personal Data Protection (CPDP) 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria Phone: +359 2 915 3518 Email: kzld@cpdp.bg Website: www.cpdp.bg
You may also lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence or place of work.
8. Cookies
The Website uses cookies. For full details on the cookies we use, their purpose and how to manage them, please see our Cookie Policy.
9. Children
The Website is intended for adults — including school leaders, educators, partners and staff. We do not knowingly collect personal data from children under 14 (the age of digital consent under Bulgarian law in line with Art. 8 GDPR). If you believe a child has provided us with personal data, please contact us and we will delete it.
Activities targeting young people, including youth mentoring and training, are conducted through our partner organisations (schools, NGOs, training centres) under separate arrangements that do not involve children registering accounts on this Website.
10. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- HTTPS encryption for all data transmitted between your browser and the Website;
- access controls and role-based permissions for the administrative dashboard;
- password hashing performed by Firebase Authentication;
- regular backups stored in encrypted form;
- access to personal data limited to authorised staff on a need-to-know basis.
No method of transmission or storage is 100% secure, but we work to apply industry-standard safeguards. In the event of a personal data breach likely to result in a high risk to your rights, we will notify the CPDP and affected individuals as required by Articles 33–34 GDPR.
11. Changes to this policy
We may update this Privacy Policy from time to time, for example when our processing activities change or when laws are updated. The "Last updated" date at the top reflects the most recent version. Significant changes will be communicated through a notice on the Website or, where appropriate, by direct contact.
12. Contact
For any question about this Privacy Policy or how we handle your personal data, please contact us:
ABC Consulting Group Ltd. ul. Tsarkovna nezavisimost No. 18, 7000 Ruse, Bulgaria Phone: +359 893 768 898 Contact form: abc-consulting-group.com/#contact