The controller of your personal data is Construction Hub. Contact details are at the end of the Policy.
The Controller determines the purposes and means of processing personal data collected through the Platform.
When a Client (legal entity) uses the Platform to manage data about its employees, subcontractors, or partners, the Client acts as an independent controller for that data, and Construction Hub acts as a data processor within the meaning of Art. 28 of the GDPR.
The relationship between Construction Hub and the Client as processor is governed by a Data Processing Agreement (DPA), which is an integral part of the subscription agreement.
2. Definitions
For the purposes of this Privacy Policy:
"Personal Data" -- any information relating to an identified or identifiable natural person (data subject).
"Processing" -- any operation with personal data: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
"Data Subject" -- a natural person whose personal data is processed (users, employees of clients, contact persons of partners).
"Data Processor" -- a person who processes personal data on behalf of the controller.
"Sub-processor" -- a third party to whom the processor has delegated part of the processing.
"Personal Data Breach" -- a breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
3. Scope and Applicability
This Privacy Policy applies to:
All individuals who visit the website constructionhub.bg.
Users who create an account and use the Platform.
Contact persons of legal entities -- clients, suppliers, and partners whose data is entered into the Platform.
Individuals who contact us through the contact form, email, or other channels.
Employees and representatives of client companies whose data is processed under the subscription agreement.
This Policy does not apply to anonymized or aggregated data that does not allow identification of a natural person.
4. Categories of Personal Data We Collect
4.1. Identification and Contact Data
During registration and use of the Platform, we collect:
User's first and last name.
Business email address.
Phone number (if provided).
Company name, registration number, and address of the client entity.
Position/role in the organization.
4.2. Technical Data
Automatically collected when accessing the Platform:
IP address and approximate geographic location (country/city level).
Browser type and version, operating system.
Device identifiers.
Date, time, and duration of sessions.
Pages and features visited.
4.3. Business Data
In the course of working with the Platform, the following may be processed:
Data from invoices, contracts, offers, and other documents entered by the Client.
Names and contacts of employees, subcontractors, and partners entered by the Client.
Financial information (bank accounts, invoice amounts) entered by the Client.
Data about construction sites, quantity surveys, and inventory.
Important: For business data entered by the Client, the Client is the data controller. Construction Hub processes this data solely on the Client's instructions and pursuant to the Data Processing Agreement.
4.4. Payment Data
For processing subscription payments:
Construction Hub does NOT store full bank card numbers.
Payments are processed by a certified payment operator (Stripe), which complies with PCI DSS Level 1 standards.
We store only: the last 4 digits of the card, card type, expiration date, and transaction identifier.
5. Purposes and Legal Bases for Processing
We process personal data only when there is a valid legal basis under Art. 6(1) of the GDPR:
5.1. Performance of a Contract (Art. 6(1)(b))
Creating and managing user accounts.
Providing the subscription service and technical support.
Processing payments and issuing invoices.
Communication regarding the service (system notifications, changes to terms).
5.2. Legitimate Interest (Art. 6(1)(f))
Subject to a balancing test ensuring our interest does not override the data subject's rights:
Improving the Platform through usage analysis (aggregated data).
Ensuring security -- detecting unauthorized access, abuse, and cyberattacks.
Preventing fraud and misuse of the service.
Internal reporting and auditing.
5.3. Legal Obligation (Art. 6(1)(c))
Retention of accounting documents pursuant to the Accounting Act (10 years).
Providing data when required by law or by order of a competent authority.
Fulfillment of tax obligations.
5.4. Consent (Art. 6(1)(a))
Only when no other legal basis applies:
Sending marketing communications and newsletters (with the right to opt out at any time).
Use of optional cookies for analytics and advertising.
Participation in satisfaction surveys and research.
Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before the withdrawal.
6. Cookies and Tracking Technologies
We use the following categories of cookies:
6.1. Strictly Necessary (no consent required)
Session cookies for authentication and maintaining the user session.
CSRF protection cookies (form security).
Cookies for remembering language preferences.
6.2. Analytics (with consent)
Google Analytics -- for traffic and visitor behavior analysis.
Internal analytics -- for improving the user experience.
6.3. Cookie Management
You can manage cookies through your browser settings or through the cookie banner on your first visit. Disabling strictly necessary cookies may impair the functionality of the Platform.
7. Data Retention Period
We retain personal data only as long as necessary for the purpose for which it was collected:
Account data -- until subscription termination plus 30 days for data export.
Client business data -- until contract termination plus 30 days for export, after which it is permanently deleted.
Accounting documents -- 10 years pursuant to the Accounting Act.
Security logs -- up to 12 months.
Marketing consent -- until withdrawal by the data subject.
Contact form data -- up to 6 months after the inquiry is resolved.
Backups -- up to 90 days, after which they are automatically overwritten.
After the retention periods expire, data is deleted or irreversibly anonymized. In case of a dispute or legal claim, data may be retained until the proceedings are finally concluded.
8. Sharing Data with Third Parties
We do not sell, rent, or trade personal data. We share data only in the following cases:
8.1. Sub-processors
We use trusted service providers to deliver the service, with whom we have concluded agreements under Art. 28 of the GDPR:
Hosting and infrastructure -- for storing data on EU servers.
Payment services (Stripe) -- for processing subscription payments.
Email services -- for sending system and transactional emails.
AI processing (OpenAI) -- for intelligent document recognition (see section 12).
Monitoring and error tracking -- for ensuring service stability.
8.2. Legal Requirements
We may disclose personal data when required by:
Applicable legislation or regulatory act.
Court order or act of a competent authority.
Protection of the rights, property, or safety of Construction Hub, its users, or the public.
9. International Data Transfer
Your data is stored on servers in the European Union.
When transfer outside the EEA is necessary (e.g., to sub-processors in the USA), we ensure an adequate level of protection through Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914).
AI processing (OpenAI) may involve transfer to the USA. OpenAI is certified under the EU-US Data Privacy Framework and applies additional technical protection measures.
Before each transfer, we conduct a Transfer Impact Assessment (TIA) in accordance with EDPB guidelines.
A list of sub-processors and their locations is available upon request at info@constructionhub.bg.
Your Rights as a Data Subject
Under Regulation (EU) 2016/679, you have the following rights:
Right of Access (Art. 15)
You have the right to obtain information about your personal data that we process, the purposes of processing, the categories, the recipients, and the retention period.
Right to Rectification (Art. 16)
You may request the correction or completion of inaccurate or incomplete personal data.
Right to Erasure (Art. 17) -- "right to be forgotten"
You may request the erasure of your data if it is no longer necessary for the purpose for which it was originally collected, if you have withdrawn your consent, or if it has been processed unlawfully.
Right to Restriction of Processing (Art. 18)
In certain cases, for example if you contest the accuracy of the data or believe the processing is unlawful, you may request that the processing of your data be restricted.
Right to Data Portability (Art. 20)
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and to transmit it to another controller.
Right to Object (Art. 21)
You have the right to object to data processing based on legitimate interest. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You may object to processing for direct marketing at any time unconditionally.
Right Not to Be Subject to Automated Decision-Making (Art. 22)
You have the right not to be subject to decisions based solely on automated processing that produce significant effects for you.
How to Exercise Your Rights
To exercise these rights, you can contact us in the following ways:
Email: info@constructionhub.bg
Through the contact form on our website
Through your account settings (for some available functions)
For your protection, we may request verification of your identity before processing your request.
We respond to your request within 30 days. In complex cases, this period may be extended up to 60 days; we will inform you in advance.
Exercising your rights is free of charge. For manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse the request.
12. AI Processing and Automated Decision-Making
The Platform uses artificial intelligence (AI) for the following purposes:
Automatic recognition and extraction of data from scanned documents (invoices, quantity surveys, protocols).
Intelligent matching of nomenclature items through semantic vectors (embeddings).
Suggestions for document categorization and classification.
Safeguards for AI Processing
AI results are always suggestions -- the final decision rests with the user, who reviews and approves/rejects the results.
No automated decisions with legal or significant effects are made without human intervention.
Documents sent for AI processing are processed in real-time and are not stored by the AI provider for model training.
AI processing may involve data transfer to a sub-processor (OpenAI) as described in section 9.
You have the right to request human intervention or to refuse AI processing at any time.
13. Data Protection by Design and by Default
In accordance with Art. 25 of the GDPR, we apply the principles of Data Protection by Design and by Default:
Data minimization -- we collect only data necessary for the specific purpose.
Data isolation (multi-tenancy) -- each Client's data is strictly isolated at the database level. No Client can access another Client's data.
Role-based access control (RBAC) -- each user accesses only the data for which they have permission, as determined by the Account Administrator.
Encryption by default -- all data is encrypted in transit (TLS 1.3) and at rest.
Audit trail -- every user action is logged for traceability and accountability.
Pseudonymization -- where possible, we use internal identifiers instead of direct personal data.
14. Technical and Organizational Security Measures
We apply the following measures pursuant to Art. 32 of the GDPR:
14.1. Technical Measures
Data encryption in transit via TLS 1.3 and HSTS.
Data encryption at rest (AES-256) for databases and backups.
Multi-factor authentication (MFA) for administrative access.
Web Application Firewall (WAF) and DDoS protection.
Automatic anomaly and suspicious activity detection.
Regular vulnerability scanning and penetration testing.
Regular automated backups with geographic replication.
14.2. Organizational Measures
Principle of least privilege for employee access.
Staff training on data protection.
Personal data incident management policy.
Regular review and update of security measures.
Confidentiality agreements with all employees and subcontractors.
15. Breach Notification
In the event of a personal data breach:
We notify the Commission for Personal Data Protection (CPDP) within 72 hours of becoming aware, when the breach is likely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR).
We notify affected data subjects without undue delay when the breach is likely to result in a high risk (Art. 34 GDPR).
We document every breach, including the facts, consequences, and corrective measures taken.
When Construction Hub acts as a processor, we notify the Client (controller) without undue delay so they can fulfill their notification obligations.
Data Protection Officer (DPO)
For questions about data protection, our Data Protection Officer: info@constructionhub.bg
Email: info@constructionhub.bg
Subject: "DPO / Data Protection"
The DPO reviews all inquiries and requests related to personal data processing and coordinates the fulfillment of data subjects' rights.
17. Right to Complaint and Contact with the Supervisory Authority
If you believe that the processing of your personal data violates the GDPR, you have the right to file a complaint with the supervisory authority:
Commission for Personal Data Protection (CPDP)
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
Phone: 02/91-53-518
Email: kzld@cpdp.bg
Website: www.cpdp.bg
We recommend contacting us first at info@constructionhub.bg to resolve the matter directly.
18. Children's Data
Construction Hub is a B2B platform intended for legal entities and their employees. We do not knowingly collect personal data from individuals under 16 years of age. If we discover that we have collected data from a child, we will delete it immediately. If you believe a child has provided personal data through the Platform, please contact us at info@constructionhub.bg.
19. Changes to the Privacy Policy
We reserve the right to update this Policy in case of:
Changes in applicable legislation or supervisory authority guidance.
Changes in services, features, or sub-processors.
Technological changes requiring adaptation of protection measures.
Recommendations from audits or impact assessments.
For material changes, we will notify you by email and/or notification in the Platform at least 30 days in advance. Continued use of the Platform after the changes take effect constitutes acceptance of the updated Policy.
20. Applicable Law and Contact Information
This Privacy Policy is governed by Regulation (EU) 2016/679 (GDPR), the Bulgarian Personal Data Protection Act, and applicable European and national legislation.