DRAFT — PO validation required (D-7) before publication.
Privacy Policy
MySmartBusiness — SaaS platform published by TANARIEL EOOD
Last updated: [PUBLICATION DATE]
1. Data controller
The controller of the personal data described in this policy is:
TANARIEL EOOD Single-member limited liability company incorporated under Bulgarian law EIK: 206851287 — VAT no.: BG206851287 Registered office: bd James Bourchier 99, floor 2, apartment 5, Lozenets district, 1407 Sofia, Bulgaria Manager: Mr DEVAUX Jean-Bernard Hubert Raoul Data protection contact: privacy@mysmartbusiness.eu
Dual role. TANARIEL EOOD acts as the data controller for the data described in this policy (account, billing and Platform usage data). For the data that our clients process via the Platform concerning their own contacts and end customers (CRM records, members, email/SMS campaign recipients, review authors, etc.), the client is the data controller and TANARIEL EOOD acts as the data processor within the meaning of Article 28 of the GDPR; such processing is governed by our General Terms and Conditions (article "Protection of personal data").
2. Data collected
We collect the following categories of data:
a) Account and identification data — surname, first name, email address, password (hashed), language, time zone, telephone number where applicable, passwordless login credentials (WebAuthn keys/passkeys, magic links).
b) Professional and billing data — company name, address, country, tax / intra-EU VAT identification number, history of subscriptions, orders, invoices and payments. Complete bank card data is collected and stored exclusively by our payment provider Stripe; we retain only a payment-method identifier and the last four digits.
c) Usage data and technical data — connection and activity logs, IP address, browser and device type, pages viewed, actions performed within the Platform, diagnostic and security data.
d) Communications — exchanges with support, notifications sent, communication preferences.
e) Approximate geolocation data — country/region inferred from the IP address (via MaxMind), used for security, taxation (VAT) and certain features (link routing).
We do not collect any special category of data ("sensitive" data) and never request any.
3. Purposes and legal bases
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Account creation and management, provision of the Services | Performance of the contract (b) |
| Invoicing, collection, accounting | Performance of the contract (b) and legal obligation (c) |
| Calculation and collection of VAT, tax obligations | Legal obligation (c) |
| Platform security, prevention of fraud and abuse | Legitimate interest (f) |
| Customer support and communication relating to the service | Performance of the contract (b) |
| Improvement of the Services, aggregated internal statistics | Legitimate interest (f) |
| Information on developments in the Services and the Provider's offers | Legitimate interest (f), with a right to object at any time |
| Management of the affiliate programme (attribution, commissions) | Performance of the contract (b) |
| Compliance with authorities' requests and dispute management | Legal obligation (c) and legitimate interest (f) |
We never sell your personal data and do not use it for third-party advertising purposes.
4. Recipients and sub-processors
The data is accessible to authorised staff of TANARIEL EOOD and to the following sub-processors, each acting for a specific purpose and under a contract compliant with Article 28 of the GDPR:
| Sub-processor | Role | Processing location |
|---|---|---|
| Hetzner Online GmbH | Hosting of the Platform and databases | European Union (Germany/Finland) |
| Stripe | Payment processing | EU / United States* |
| Mailgun (Sinch) | Sending of transactional emails and campaigns | EU / United States* |
| Migadu | Email mailbox hosting (MySmartEmail module) | Switzerland* / EU |
| Internet.bs | Domain name registration and management | Outside the EU* |
| BulkGate / Mobica | Sending of SMS | EU / depending on SMS destination* |
| AWS S3 / DigitalOcean Spaces | File storage | EU / United States* |
| MaxMind | Geolocation by IP address (security, VAT, routing) | United States* |
* See section 5 for the framework governing transfers outside the EU.
The data may also be disclosed to the competent authorities where required by law.
5. Transfers outside the European Union
Where the use of a sub-processor involves a transfer of personal data outside the European Economic Area (in particular to the United States or other third countries), such transfer is governed by appropriate safeguards within the meaning of Chapter V of the GDPR, primarily:
- the standard contractual clauses (SCC) adopted by the European Commission, supplemented where appropriate by additional measures; and/or
- an adequacy decision of the European Commission where one exists (e.g. Switzerland, or adequacy mechanisms applicable to the United States for certified providers).
A copy of the applicable safeguards may be requested at privacy@mysmartbusiness.eu.
6. Retention periods
| Data | Period |
|---|---|
| Account and Tenant data (client environment) | Term of the contract + 30 days after termination, then permanent deletion |
| Invoices and accounting records | 10 years (legal obligation) |
| Technical and security logs | 12 months maximum |
| Exchanges with support | Term of the contract + 3 years |
| Data relating to affiliate commissions | Duration of participation + statutory accounting and tax periods |
| Strictly necessary cookies | Duration of the session or the limited period necessary for the function (see section 8) |
Upon expiry of the 30-day retention period following termination, the client environment (Tenant) and the data it contains are permanently deleted, subject to statutory retention obligations.
7. Your rights
In accordance with the GDPR, you have the following rights over your personal data:
- Right of access (Art. 15) — obtain a copy of your data;
- Right to rectification (Art. 16) — correct inaccurate or incomplete data;
- Right to erasure (Art. 17) — within the limits of statutory retention obligations;
- Right to restriction of processing (Art. 18);
- Right to portability (Art. 20) — receive your data in a structured and commonly used format;
- Right to object (Art. 21) — in particular to processing based on legitimate interest and to commercial communications;
- Right to withdraw your consent at any time, where processing is based on it, without affecting the lawfulness of prior processing.
To exercise these rights, write to privacy@mysmartbusiness.eu, providing proof of your identity. We respond within one (1) month, extendable by two (2) months for complex requests.
You also have the right to lodge a complaint with a supervisory authority, in particular the Bulgarian Commission for Personal Data Protection (КЗЛД / CPDP — www.cpdp.bg) or the authority of your country of residence (e.g. the CNIL in France).
Note for end data subjects: if your data is processed by one of our clients via the Platform (e.g. you are a contact in a client's CRM or a campaign recipient), please address your request first to that client, who is the data controller. We will forward to our client any request received directly.
8. Cookies
The Platform uses exclusively strictly necessary cookies for its operation:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Maintaining the authenticated session | Session |
| CSRF token | Protection against request forgery | Session |
| Essential preferences (language) | Remembering the display language | 12 months max. |
These cookies are essential to the provision of the service and do not require prior consent within the meaning of the ePrivacy directive. No advertising, profiling or third-party tracking cookies are used. Should any non-essential cookies be introduced, they would be subject to your prior consent via a dedicated banner and this policy would be updated.
9. Security
We implement appropriate technical and organisational measures (Art. 32 GDPR), in particular: encryption of communications (TLS), password hashing, strong authentication available (2FA, WebAuthn/passkeys), isolation of client environments (dedicated database per Tenant), regular backups, logging, access control on the principle of least privilege.
In the event of a data breach likely to give rise to a risk to your rights and freedoms, we will notify the competent supervisory authority and, where applicable, the data subjects, in accordance with Articles 33 and 34 of the GDPR.
10. Amendments to this policy
We may update this policy to reflect legal, technical or Service developments. Any substantial amendment is notified to clients (email and/or notification within the Platform) before it takes effect. The date of the last update appears at the head of the document.
11. Contact
For any question relating to this policy or to the processing of your personal data:
TANARIEL EOOD — bd James Bourchier 99, fl. 2, ap. 5, Lozenets, 1407 Sofia, Bulgaria Email: privacy@mysmartbusiness.eu