DRAFT — PO validation required (D-7) before publication.

Privacy Policy

MySmartBusiness — SaaS platform published by TANARIEL EOOD

Last updated: [PUBLICATION DATE]


1. Data controller

The controller of the personal data described in this policy is:

TANARIEL EOOD Single-member limited liability company incorporated under Bulgarian law EIK: 206851287 — VAT no.: BG206851287 Registered office: bd James Bourchier 99, floor 2, apartment 5, Lozenets district, 1407 Sofia, Bulgaria Manager: Mr DEVAUX Jean-Bernard Hubert Raoul Data protection contact: privacy@mysmartbusiness.eu

Dual role. TANARIEL EOOD acts as the data controller for the data described in this policy (account, billing and Platform usage data). For the data that our clients process via the Platform concerning their own contacts and end customers (CRM records, members, email/SMS campaign recipients, review authors, etc.), the client is the data controller and TANARIEL EOOD acts as the data processor within the meaning of Article 28 of the GDPR; such processing is governed by our General Terms and Conditions (article "Protection of personal data").

2. Data collected

We collect the following categories of data:

a) Account and identification data — surname, first name, email address, password (hashed), language, time zone, telephone number where applicable, passwordless login credentials (WebAuthn keys/passkeys, magic links).

b) Professional and billing data — company name, address, country, tax / intra-EU VAT identification number, history of subscriptions, orders, invoices and payments. Complete bank card data is collected and stored exclusively by our payment provider Stripe; we retain only a payment-method identifier and the last four digits.

c) Usage data and technical data — connection and activity logs, IP address, browser and device type, pages viewed, actions performed within the Platform, diagnostic and security data.

d) Communications — exchanges with support, notifications sent, communication preferences.

e) Approximate geolocation data — country/region inferred from the IP address (via MaxMind), used for security, taxation (VAT) and certain features (link routing).

We do not collect any special category of data ("sensitive" data) and never request any.

3. Purposes and legal bases

Purpose Legal basis (Art. 6 GDPR)
Account creation and management, provision of the Services Performance of the contract (b)
Invoicing, collection, accounting Performance of the contract (b) and legal obligation (c)
Calculation and collection of VAT, tax obligations Legal obligation (c)
Platform security, prevention of fraud and abuse Legitimate interest (f)
Customer support and communication relating to the service Performance of the contract (b)
Improvement of the Services, aggregated internal statistics Legitimate interest (f)
Information on developments in the Services and the Provider's offers Legitimate interest (f), with a right to object at any time
Management of the affiliate programme (attribution, commissions) Performance of the contract (b)
Compliance with authorities' requests and dispute management Legal obligation (c) and legitimate interest (f)

We never sell your personal data and do not use it for third-party advertising purposes.

4. Recipients and sub-processors

The data is accessible to authorised staff of TANARIEL EOOD and to the following sub-processors, each acting for a specific purpose and under a contract compliant with Article 28 of the GDPR:

Sub-processor Role Processing location
Hetzner Online GmbH Hosting of the Platform and databases European Union (Germany/Finland)
Stripe Payment processing EU / United States*
Mailgun (Sinch) Sending of transactional emails and campaigns EU / United States*
Migadu Email mailbox hosting (MySmartEmail module) Switzerland* / EU
Internet.bs Domain name registration and management Outside the EU*
BulkGate / Mobica Sending of SMS EU / depending on SMS destination*
AWS S3 / DigitalOcean Spaces File storage EU / United States*
MaxMind Geolocation by IP address (security, VAT, routing) United States*

* See section 5 for the framework governing transfers outside the EU.

The data may also be disclosed to the competent authorities where required by law.

5. Transfers outside the European Union

Where the use of a sub-processor involves a transfer of personal data outside the European Economic Area (in particular to the United States or other third countries), such transfer is governed by appropriate safeguards within the meaning of Chapter V of the GDPR, primarily:

  • the standard contractual clauses (SCC) adopted by the European Commission, supplemented where appropriate by additional measures; and/or
  • an adequacy decision of the European Commission where one exists (e.g. Switzerland, or adequacy mechanisms applicable to the United States for certified providers).

A copy of the applicable safeguards may be requested at privacy@mysmartbusiness.eu.

6. Retention periods

Data Period
Account and Tenant data (client environment) Term of the contract + 30 days after termination, then permanent deletion
Invoices and accounting records 10 years (legal obligation)
Technical and security logs 12 months maximum
Exchanges with support Term of the contract + 3 years
Data relating to affiliate commissions Duration of participation + statutory accounting and tax periods
Strictly necessary cookies Duration of the session or the limited period necessary for the function (see section 8)

Upon expiry of the 30-day retention period following termination, the client environment (Tenant) and the data it contains are permanently deleted, subject to statutory retention obligations.

7. Your rights

In accordance with the GDPR, you have the following rights over your personal data:

  • Right of access (Art. 15) — obtain a copy of your data;
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data;
  • Right to erasure (Art. 17) — within the limits of statutory retention obligations;
  • Right to restriction of processing (Art. 18);
  • Right to portability (Art. 20) — receive your data in a structured and commonly used format;
  • Right to object (Art. 21) — in particular to processing based on legitimate interest and to commercial communications;
  • Right to withdraw your consent at any time, where processing is based on it, without affecting the lawfulness of prior processing.

To exercise these rights, write to privacy@mysmartbusiness.eu, providing proof of your identity. We respond within one (1) month, extendable by two (2) months for complex requests.

You also have the right to lodge a complaint with a supervisory authority, in particular the Bulgarian Commission for Personal Data Protection (КЗЛД / CPDP — www.cpdp.bg) or the authority of your country of residence (e.g. the CNIL in France).

Note for end data subjects: if your data is processed by one of our clients via the Platform (e.g. you are a contact in a client's CRM or a campaign recipient), please address your request first to that client, who is the data controller. We will forward to our client any request received directly.

8. Cookies

The Platform uses exclusively strictly necessary cookies for its operation:

Cookie Purpose Duration
Session cookie Maintaining the authenticated session Session
CSRF token Protection against request forgery Session
Essential preferences (language) Remembering the display language 12 months max.

These cookies are essential to the provision of the service and do not require prior consent within the meaning of the ePrivacy directive. No advertising, profiling or third-party tracking cookies are used. Should any non-essential cookies be introduced, they would be subject to your prior consent via a dedicated banner and this policy would be updated.

9. Security

We implement appropriate technical and organisational measures (Art. 32 GDPR), in particular: encryption of communications (TLS), password hashing, strong authentication available (2FA, WebAuthn/passkeys), isolation of client environments (dedicated database per Tenant), regular backups, logging, access control on the principle of least privilege.

In the event of a data breach likely to give rise to a risk to your rights and freedoms, we will notify the competent supervisory authority and, where applicable, the data subjects, in accordance with Articles 33 and 34 of the GDPR.

10. Amendments to this policy

We may update this policy to reflect legal, technical or Service developments. Any substantial amendment is notified to clients (email and/or notification within the Platform) before it takes effect. The date of the last update appears at the head of the document.

11. Contact

For any question relating to this policy or to the processing of your personal data:

TANARIEL EOOD — bd James Bourchier 99, fl. 2, ap. 5, Lozenets, 1407 Sofia, Bulgaria Email: privacy@mysmartbusiness.eu