Privacy Policy and Personal Data Protection

Last updated

1. Data Controller

Construction Hub is a cloud platform for construction project management, provided as a service (SaaS). For the purposes of Regulation (EU) 2016/679 (GDPR), the data controller is the legal entity identified in section 17 of this policy.

  • The Controller determines the purposes and means of processing personal data collected through the Platform.
  • When a Client (legal entity) uses the Platform to manage data about its employees, subcontractors, or partners, the Client acts as an independent controller for that data, and Construction Hub acts as a data processor within the meaning of Art. 28 of the GDPR.
  • The relationship between Construction Hub and the Client as processor is governed by a Data Processing Agreement (DPA), which is an integral part of the subscription agreement.

2. Definitions

For the purposes of this Privacy Policy:

  • "Personal Data" -- any information relating to an identified or identifiable natural person (data subject).
  • "Processing" -- any operation with personal data: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • "Data Subject" -- a natural person whose personal data is processed (users, employees of clients, contact persons of partners).
  • "Data Processor" -- a person who processes personal data on behalf of the controller.
  • "Sub-processor" -- a third party to whom the processor has delegated part of the processing.
  • "Personal Data Breach" -- a breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

3. Scope and Applicability

This Privacy Policy applies to:

  • All individuals who visit the website constructionhub.bg.
  • Users who create an account and use the Platform.
  • Contact persons of legal entities -- clients, suppliers, and partners whose data is entered into the Platform.
  • Individuals who contact us through the contact form, email, or other channels.
  • Employees and representatives of client companies whose data is processed under the subscription agreement.

This Policy does not apply to anonymized or aggregated data that does not allow identification of a natural person.

4. Categories of Personal Data We Collect

4.1. Identification and Contact Data

During registration and use of the Platform, we collect:

  • User's first and last name.
  • Business email address.
  • Phone number (if provided).
  • Company name, registration number, and address of the client entity.
  • Position/role in the organization.

4.2. Technical Data

Automatically collected when accessing the Platform:

  • IP address and approximate geographic location (country/city level).
  • Browser type and version, operating system.
  • Device identifiers.
  • Date, time, and duration of sessions.
  • Pages and features visited.

4.3. Business Data

In the course of working with the Platform, the following may be processed:

  • Data from invoices, contracts, offers, and other documents entered by the Client.
  • Names and contacts of employees, subcontractors, and partners entered by the Client.
  • Financial information (bank accounts, invoice amounts) entered by the Client.
  • Data about construction sites, quantity surveys, and inventory.

Important: For business data entered by the Client, the Client is the data controller. Construction Hub processes this data solely on the Client's instructions and pursuant to the Data Processing Agreement.

4.4. Payment Data

For processing subscription payments:

  • Construction Hub does NOT store full bank card numbers.
  • Payments are processed by a certified payment operator (Stripe), which complies with PCI DSS Level 1 standards.
  • We store only: the last 4 digits of the card, card type, expiration date, and transaction identifier.

5. Purposes and Legal Bases for Processing

We process personal data only when there is a valid legal basis under Art. 6(1) of the GDPR:

5.1. Performance of a Contract (Art. 6(1)(b))

  • Creating and managing user accounts.
  • Providing the subscription service and technical support.
  • Processing payments and issuing invoices.
  • Communication regarding the service (system notifications, changes to terms).

5.2. Legitimate Interest (Art. 6(1)(f))

Subject to a balancing test ensuring our interest does not override the data subject's rights:

  • Improving the Platform through usage analysis (aggregated data).
  • Ensuring security -- detecting unauthorized access, abuse, and cyberattacks.
  • Preventing fraud and misuse of the service.
  • Internal reporting and auditing.

5.3. Legal Obligation (Art. 6(1)(c))

  • Retention of accounting documents pursuant to the Accounting Act (10 years).
  • Providing data when required by law or by order of a competent authority.
  • Fulfillment of tax obligations.

5.4. Consent (Art. 6(1)(a))

Only when no other legal basis applies:

  • Sending marketing communications and newsletters (with the right to opt out at any time).
  • Use of optional cookies for analytics and advertising.
  • Participation in satisfaction surveys and research.

Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before the withdrawal.

6. Cookies and Tracking Technologies

We use the following categories of cookies:

6.1. Strictly Necessary (no consent required)

  • Session cookies for authentication and maintaining the user session.
  • CSRF protection cookies (form security).
  • Cookies for remembering language preferences.

6.2. Analytics (with consent)

  • Google Analytics -- for traffic and visitor behavior analysis.
  • Internal analytics -- for improving the user experience.

6.3. Cookie Management

You can manage cookies through your browser settings or through the cookie banner on your first visit. Disabling strictly necessary cookies may impair the functionality of the Platform.

7. Data Retention Period

We retain personal data only as long as necessary for the purpose for which it was collected:

  • Account data -- until subscription termination plus 30 days for data export.
  • Client business data -- until contract termination plus 30 days for export, after which it is permanently deleted.
  • Accounting documents -- 10 years pursuant to the Accounting Act.
  • Security logs -- up to 12 months.
  • Marketing consent -- until withdrawal by the data subject.
  • Contact form data -- up to 6 months after the inquiry is resolved.
  • Backups -- up to 90 days, after which they are automatically overwritten.

After the retention periods expire, data is deleted or irreversibly anonymized. In case of a dispute or legal claim, data may be retained until the proceedings are finally concluded.

8. Sharing Data with Third Parties

We do not sell, rent, or trade personal data. We share data only in the following cases:

8.1. Sub-processors

We use trusted service providers to deliver the service, with whom we have concluded agreements under Art. 28 of the GDPR:

  • Hosting and infrastructure -- for storing data on EU servers.
  • Payment services (Stripe) -- for processing subscription payments.
  • Email services -- for sending system and transactional emails.
  • AI processing (OpenAI) -- for intelligent document recognition (see section 12).
  • Monitoring and error tracking -- for ensuring service stability.

8.2. Legal Requirements

We may disclose personal data when required by:

  • Applicable legislation or regulatory act.
  • Court order or act of a competent authority.
  • Protection of the rights, property, or safety of Construction Hub, its users, or the public.

9. International Data Transfer

Your data is stored on servers in the European Union.

  • When transfer outside the EEA is necessary (e.g., to sub-processors in the USA), we ensure an adequate level of protection through Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914).
  • AI processing (OpenAI) may involve transfer to the USA. OpenAI is certified under the EU-US Data Privacy Framework and applies additional technical protection measures.
  • Before each transfer, we conduct a Transfer Impact Assessment (TIA) in accordance with EDPB guidelines.
  • A list of sub-processors and their locations is available upon request at info@constructionhub.bg.

10. Your Rights Under GDPR

Under Regulation (EU) 2016/679, you have the following rights:

Right of Access (Art. 15)

You have the right to obtain confirmation whether your personal data is being processed, access to it, and information about the purposes, categories of data, recipients, and retention period.

Right to Rectification (Art. 16)

You have the right to request correction of inaccurate personal data or completion of incomplete data without undue delay.

Right to Erasure (Art. 17)

You have the right to request erasure of your personal data when: the data is no longer necessary for its purpose; you withdraw your consent; you object to processing; or the data has been unlawfully processed. This right does not apply when processing is necessary for compliance with a legal obligation.

Right to Restriction (Art. 18)

You have the right to request restriction of processing when you contest the accuracy of data, processing is unlawful, or you have objected to processing pending verification.

Right to Data Portability (Art. 20)

You have the right to receive your data in a structured, commonly used, and machine-readable format (JSON, CSV) and to transmit it to another controller. The Platform provides a data export function from the user panel.

Right to Object (Art. 21)

You have the right to object to data processing based on legitimate interest. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You may object to processing for direct marketing at any time unconditionally.

Right Not to Be Subject to Automated Decision-Making (Art. 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you. Construction Hub does not make automated decisions with legal effects without human intervention.

11. Exercising Your Rights

To exercise any of your rights, you can contact us through the following channels:

  • Email: info@constructionhub.bg (with subject "GDPR Request").
  • Through the contact form at constructionhub.bg/contact.
  • By letter to the address specified in section 17.

For your protection, we may request verification of your identity before processing your request.

We respond to every request within 30 days. In case of complexity or multiple requests, the deadline may be extended by up to 60 days (Art. 12(3) GDPR), of which you will be notified within the initial 30 days together with the reasons for the delay.

Exercising your rights is free of charge. For manifestly unfounded or excessive requests (particularly due to repetitiveness), we may impose a reasonable fee or refuse to act.

12. AI Processing and Automated Decision-Making

The Platform uses artificial intelligence (AI) for the following purposes:

  • Automatic recognition and extraction of data from scanned documents (invoices, quantity surveys, protocols).
  • Intelligent matching of nomenclature items through semantic vectors (embeddings).
  • Suggestions for document categorization and classification.

Safeguards for AI Processing

  • AI results are always suggestions -- the final decision rests with the user, who reviews and approves/rejects the results.
  • No automated decisions with legal or significant effects are made without human intervention.
  • Documents sent for AI processing are processed in real time and are not stored by the AI provider for model training.
  • AI processing may involve data transfer to a sub-processor (OpenAI) as described in section 9.
  • You have the right to request human intervention or to refuse AI processing at any time.

13. Data Protection by Design and by Default

In accordance with Art. 25 of the GDPR, we apply the principles of Data Protection by Design and by Default:

  • Data minimization -- we collect only data necessary for the specific purpose.
  • Data isolation (multi-tenancy) -- each Client's data is strictly isolated at the database level. No Client can access another Client's data.
  • Role-based access control (RBAC) -- each user accesses only the data for which they have permission, as determined by the Account Administrator.
  • Encryption by default -- all data is encrypted in transit (TLS 1.3) and at rest.
  • Audit trail -- every user action is logged for traceability and accountability.
  • Pseudonymization -- where possible, we use internal identifiers instead of direct personal data.

14. Technical and Organizational Security Measures

We apply the following measures pursuant to Art. 32 of the GDPR:

14.1. Technical Measures

  • Data encryption in transit via TLS 1.3 and HSTS.
  • Data encryption at rest (AES-256) for databases and backups.
  • Multi-factor authentication (MFA) for administrative access.
  • Web Application Firewall (WAF) and DDoS protection.
  • Automatic anomaly and suspicious activity detection.
  • Regular vulnerability scanning and penetration testing.
  • Regular automated backups with geographic replication.

14.2. Organizational Measures

  • Principle of least privilege for employee access.
  • Staff training on data protection.
  • Personal data incident management policy.
  • Regular review and update of security measures.
  • Confidentiality agreements with all employees and subcontractors.

15. Breach Notification

In the event of a personal data breach:

  • We notify the Commission for Personal Data Protection (CPDP) without undue delay and, where feasible, within 72 hours of becoming aware, when the breach is likely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR).
  • We notify affected data subjects without undue delay when the breach is likely to result in a high risk (Art. 34 GDPR).
  • We document every breach, including the facts, consequences, and corrective measures taken.
  • When Construction Hub acts as a processor, we notify the Client (controller) without undue delay so they can fulfill their notification obligations.

16. Data Protection Officer (DPO)

For all questions related to personal data protection, you can contact our Data Protection Officer:

  • Email: info@constructionhub.bg
  • Subject: "DPO / Data Protection"
  • The DPO reviews all inquiries and requests related to personal data processing and coordinates the fulfillment of data subjects' rights.

17. Right to Complaint and Contact with the Supervisory Authority

If you believe that the processing of your personal data violates the GDPR, you have the right to file a complaint with the supervisory authority:

Commission for Personal Data Protection (CPDP)

  • Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
  • Phone: 02/91-53-518
  • Email: kzld@cpdp.bg
  • Website: www.cpdp.bg

We recommend contacting us first at info@constructionhub.bg to resolve the matter directly.

18. Children's Data

Construction Hub is a B2B platform intended for legal entities and their employees. We do not knowingly collect personal data from individuals under 16 years of age. If we discover that we have collected data from a child, we will delete it immediately. If you believe a child has provided personal data through the Platform, please contact us at info@constructionhub.bg.

19. Changes to the Privacy Policy

We reserve the right to update this Policy in case of:

  • Changes in applicable legislation or supervisory authority guidance.
  • Changes in services, features, or sub-processors.
  • Technological changes requiring adaptation of protection measures.
  • Recommendations from audits or impact assessments.

For material changes, we will notify you by email and/or notification in the Platform at least 30 days in advance. Continued use of the Platform after the changes take effect constitutes acceptance of the updated Policy.

20. Applicable Law and Contact Information

This Privacy Policy is governed by Regulation (EU) 2016/679 (GDPR), the Bulgarian Personal Data Protection Act, and applicable European and national legislation.

Contact for data protection inquiries:

  • Email: info@constructionhub.bg
  • Website: constructionhub.bg
  • Subject: "Personal Data Protection"
