The protection of all personal data, in particular the strict respect of the confidentiality of customers’ and employees’ data and compliance with the applicable data protection laws, is not only a legal requirement for us. Providing data protection is the basis for strong relationships with customers, business partners and employees. It is, therefore, a matter of great importance for us to protect confidential personal data from any unauthorized access. We draw attention to this topic in the following Privacy Policy.

We are aware that health information is very sensitive and needs maximum protection. Therefore, we collect as little personal data as possible and secure it with the highest technical standards.

The Digiburn Online Questionnaire and Digiburn App can be used anonymously. We collect your email address to be able to set up your profile internally and to allow you to identify yourself easily for repeated input. Sharing your name is entirely optional. All other data, such as gender, age, profession and similar, is needed for the evaluation of your personal and professional wellbeing.

I. Introduction

  1. DigiBurn Jsc. (“DIGIBURN”, “we”) is a commercial company registered in the Commercial Register at the Registry Agency with UIC 206260843, with registered office and address of management Sofia 1202, Oborishte region, 47 “Bacho Kiro” Str.
  2. DIGIBURN is a controller of personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  3. While carrying out its commercial activity DIGIBURN shall process personal data in strict compliance with the provisions of the General Regulation on Data Protection and the Personal Data Protection Act (PDPA).
  4. In fulfillment of its commitment to ensure full compliance with the legislation of the European Union (EU) and the Republic of Bulgaria regarding the processing of personal data, DIGIBURN adopts this Privacy Policy, which is applicable to all processing activities performed by DIGIBURN of personal data.
  5. This policy applies to all personal data processed by DIGIBURN, including personal data of customers, employees, suppliers, subcontractors, partners.
  6. This privacy policy is mandatory and should be observed by all suppliers, subcontractors, partners, employees working with or for DIGIBURN, as well as by third parties who have or may have access to DIGIBURN personal data.

II. Definitions

For the purposes of the General Data Protection Regulation and for the purposes of this Privacy Policy, the following terms have the following meaning:

  1. Personal data – any information relating to an identified natural person or an identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
  2. Special categories of personal data – personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the sole purpose of uniquely identifying an individual, data concerning health, or data concerning the sex life or sexual orientation of the individual;
  3. Processing – an operation or set of operations performed with personal data or a set of personal data by automatic or other means such as collection, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing, transmitting, distributing or any other way in which data is made available, arranged or combined, restricted, deleted or destroyed;
  4. Administrator – a natural or legal person, public body, agency or other structure, which alone or jointly with others determines the purposes and means for the processing of personal data; where the purposes and means of such processing are determined by EU law or the law of a Member State, the controller or the specific criteria for determining it may be laid down in the Union’s law or in the law of a Member State;
  5. Personal data processor – a natural or legal person, public authority, agency or other structure that processes personal data on behalf of the controller;
  6. Data subject – a natural person who has been identified or who can be identified on the basis of certain information;
  7. Recipient – a natural or legal person, public authority, agency or other entity to which personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the context of a specific investigation in accordance with EU or Member State law shall not be considered as recipients; the processing of such data by those public authorities complies with the applicable data protection rules in accordance with the purposes of the processing;
  8. Third party – natural or legal person, public authority, agency or other authority other than the data subject, the controller, the processor and the persons who, under the direct supervision of the controller or the processor, have the right to process personal data;
  9. Violation of the security of personal data – a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that is transmitted, stored or otherwise processed;
  10. Supervisory body – the Commission for Personal Data Protection in the Republic of Bulgaria.

III. Principles related to the processing of personal data

DIGIBURN processes personal data in accordance with the principles related to the processing of personal data, regulated in Art. 5 of the General Data Protection Regulation, namely:

  1. Compliance, Fairness and Transparency
    DIGIBURN processes personal data in compliance with the mandatory provisions of the General Data Protection Regulation and the LPPD, sincerely and openly.
  2. Limited Data Collection
    DIGIBURN processes personal data only for specific, explicitly stated and lawful purposes and does not further process them in a manner incompatible with these purposes.
  3. Minimizing the Personal Data Used
    DIGIBURN processes personal data limited to what is necessary in relation to the purposes for which they are processed. DIGIBURN collects and processes only the minimum necessary personal data of individuals which:

    • are provided by law;
    • are needed to perform a contract;
    • are given under the individual’s consent for processing.
  4. Collected personal data shall be processed for other purposes only with the consent of the persons
    In all cases where it is necessary for the collected and processed personal data of individuals to be used for purposes other than the primary ones, DIGIBURN notifies the relevant individuals, seeks their consent and proceeds to process their personal data for other purposes only after their explicit consent.
  5. Accuracy and Timeliness
    The personal data stored by DIGIBURN shall be kept accurate and up-to-date, and all reasonable measures shall be taken to ensure the timely correction of inaccurate personal data.
  6. Storage restriction
    DIGIBURN stores personal data in a form that allows the identification of the data subject for a period no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as they will be processed exclusively for archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89 (1), provided that the appropriate technical and organizational measures required by the Regulation are implemented in order to safeguard the rights and freedoms of the data subject (“storage restriction”).
  7. Integrity and confidentiality
    DIGIBURN processes personal data in a way that ensures an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures.
  8. Accountability
    DIGIBURN is responsible and able to prove that it complies with its obligations in relation to the processing of personal data.

IV. Categories of data subjects and categories of personal data

    1. Customers
      DIGIBURN collects and processes personal data of its customers that are related to the Digiburn Online Questionnaire and Digiburn-App.

      1. What information does DIGIBURN collect
        As a matter of principle, DIGIBURN does not collect any data that allows direct identification of a person. To use the DIGIBURN app, the consumer does not have to enter any distinctly identifiable data about himself/herself (e.g., name, e-mail address or home address). However, if he/she uses the DIGIBURN app as part of online therapy (only available in Bulgaria) or creates an optional personal account (e.g., to access old data again when a smartphone is changed), the use of personal data is required.
      2. Personal data for the creation of an optional personal account
        In order to create an optional personal account that allows you to easily access your history even when you change your smartphone, we collect and process the following personal data in the way you provide it to us:

        • First Name
        • Second name
        • Nickname
        • e-mail address
          The legal basis for data processing is Art. 6 Paragraph I lit. b GDPR.
      3. Extended personal data while using Digiburn online therapy (this service and data fields are only available in Bulgaria)

        • Postal address
        • Insurance provider
        • Insured person number
        • Phone number
      4. Health-related data
        We always separately obtain consent from you for the processing of your health data. You can give your consent to the processing of this data, by clicking on the respective button. Your consent will be logged by us.
        Within the app, you can run through a 14-day screening phase to get an overall assessment of your mental health. During this screening, you will answer various questions and let the app know how you are feeling. Also, you can use further services, e.g., payment offers, which are described in more detail in Section 2 of our GTC. We collect, process, and use the following health data to be able to provide the services for you following Section 2 of our GTC:
      5. Data from the daily screening questions and further tags and notes
        • Questions related to depressive symptoms
        • Questions about other psychological and somatic complaints and symptoms
        • Questions about your living conditions, leisure activities, and biography
        • Evaluations of the above-mentioned data regarding severity and type of symptoms as well as correlations between answers based on psychological theories.
        • Your entries on a scale of smileys with which you can regularly document your mood.
        • Text-based note entries created by you, which are transmitted in encrypted form and stored with us.
        • If you explicitly agree to this within the app, we store data from your Apple Health (iOS) or Google Fit (Android) application. These are primarily the number of steps per day and other indications of your physical activity. We use this data to provide our services within Digiburn, in particular, to report back to you any connections between psychological factors and your physical activity. Digiburn does not send data to Apple Health or Google Fit.
      6. Data from the psychological exercises
        • Text-based entries for the exercises
        • Voice-based recordings
        • The photos you uploaded during the exercises.
          The legal basis for data processing is Art. 9 para. II lit. h GDPR.
      7. Technical Data
        This is data that shows what hardware and software the customer is using to access the DIGIBURN app:

        • Data about the mobile platform (iOS/Android)
        • The version of the app
        • Device model
        • System version
        • “Identifier for Advertising in Apple” for iOS devices
        • “Advertising ID” for Android devices
          The legal basis for data processing is Art. 6 para. I lit. f GDPR.
      8. App usage data
        This is data that shows how the customer uses the DIGIBURN app:

        • How often was the app opened?
        • Which areas were clicked in the app?
        • App settings used (language settings, notifications)
        • Feedback data (incl. e-mail service)
          The legal basis for data processing is Art. 6 para. I lit. f GDPR and Art. 6 para. I lit. a GDPR for the feedback data.
      9. How we process your data
        We collect and store your personal, extended personal, health, technical, and app usage data while you use our app. Furthermore, we may transmit your health data in a completely anonymous form to universities, research bodies or private data research providers with which DIGIBURN cooperates in research.
        The legal basis for data processing is Art. 9 para. II lit. a GDPR.
    2. Business partners and suppliers
      DIGIBURN processes personal data of individuals who represent (by law or by proxy) or work for business partners, suppliers and investors of DIGIBURN. Therefore, and to the extent permissible in the ordinary course of business, DIGIBURN may process the following categories of personal data:

      • Ordinary personal data: Names, address, telephone, e-mail and other data, which are relevant in the present case.
        In the event that DIGIBURN decides to process data of data subjects for marketing purposes, it shall take the measures necessary to obtain prior informed consent from the data subject.
    3. Job candidates
      • Ordinary personal data: Information contained in the CV of the candidate, such as names of the person, contact details (telephone number and e-mail), copies of documents for professional and educational qualification, etc.
        In the selection procedure of the job applicants, DIGIBURN can conduct various types of psychological tests for personality assessment with a focus on the behavior, skills, personal characteristics and qualities of the person, through which it is possible to obtain data on the cognitive skills and behavioral attitudes of the applicant.
        For the purposes of the selection procedure, the job applicant agrees in writing to the processing of the submitted data, after being provided with information about the processed data, in accordance with the applicable legislation and this Policy.
    4. Staff
      DIGIBURN collects the following categories of personal data from employees:

      • Ordinary personal data: names, PIN, passport data, education and qualifications, profession, length of service, remuneration, bank account data and others;
      • Special category of personal data: health status information contained in sick leaves, documents certifying permanent incapacity for work and / or other documents required by the applicable legislation for the respective position or in order to exercise specific rights of the employee.
        In the general case, DIGIBURN does not process personal data of employees on the basis of consent. However, in certain situations, consent may be required where it is required by the applicable law, including for the processing of a specific category of personal data.

V. Obligation for lawful and conscientious processing of personal data

  1. DIGIBURN establishes the grounds for processing the personal data under Art. 6 (1) of the General Data Protection Regulation:
    1. The data subject has given consent to the processing of his/her personal data for one or more specific purposes.
    2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
    3. Processing is necessary for compliance with a legal obligation to which the controller is subject.
    4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
    5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
    6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  2. DIGIBURN performs only activities for processing personal data for which there is any of the grounds under Art. 6 (1) of the General Data Protection Regulation.

VI. Obligation to process personal data for specific purposes

  1. The processing of personal data shall be carried out in fulfillment of the legal obligations of DIGIBURN, as well as in fulfillment of contractual obligations undertaken by DIGIBURN or on the basis of informed consent given by the client.
  2. In carrying out its commercial activity DIGIBURN shall collect and use categories of personal data, indicated in the register of the activities for processing of personal data under art. 30 (1) of the General Data Protection Regulation (Appendix No.1). DIGIBURN receives personal data directly from the data subject (for example, when completing validated sample documents or correspondence via email, telephone or other means of communication) or from other sources (e.g. from partners, subcontractors, payment service providers, etc.).
  3. DIGIBURN shall process personal data only for specific and explicitly indicated purposes, indicated in the register of the activities for processing of personal data under Art. 30 (1) of the General Data Protection Regulation, namely:
    1. For implementation of the services offered by DIGIBURN;
    2. for client registration and respectively for reporting;
    3. for conducting procedures for the selection of candidates for work;
    4. in order to fulfill a contract, which has been concluded or which is in the process of conclusion with a client of DIGIBURN, as well as for the conclusion or execution of a labor agreement with employees of DIGIBURN;
    5. when this is necessary for the protection of the legitimate interests of DIGIBURN or third parties, provided that the legitimate interests and fundamental rights and freedoms of the data subject do not take precedence over these legitimate interests;
    6. for up-to-date contact information with the data subject;
    7. for research purposes, health data is transmitted in a completely anonymous form to partner universities, research bodies or private data research providers with which DIGIBURN cooperates in research;
    8. for providing information, including marketing communication through the channels chosen by the client (e.g., e-mail or telephone).
  4. In case the data of the subject have to be used for a purpose incompatible with the original one, DIGIBURN shall notify him/her in due time and explain to him/her what is the legal basis, which allows the data to be used for this new purpose as well.
  5. DIGIBURN provides the data subjects with the opportunity to choose whether to share their personal data with the company. In case the data subject objects to the processing of the personal data by DIGIBURN, the company respects this choice in accordance with its legal obligations. The objection may mean that DIGIBURN will not be able to carry out the activities necessary to achieve the objectives described above. It may also mean that the data subject may not be able to use the services and products offered by DIGIBURN if he/she does not provide DIGIBURN with personal information about himself/herself or if, after having provided this information, he/she objects to its processing by DIGIBURN.
  6. The following applies to customers data
    1. DIGIBURN collects, processes, and uses the data mentioned under Section IV, item 1 to provide the services mentioned in our General Terms and Conditions (Art. 1 GDPR). By providing us with your information, we can provide our services.
    2. The processing of your data is necessary for the conclusion or fulfillment of your contract with us to use the Digiburn app and, in the case of the creation of the optional account, for that account. In addition, this is required when using the optional offer of the Digiburn Online Therapy service (https://www.Digiburn.health), which is independent of our GTC. If you do not provide us with this information, we will not be able to provide the services mentioned in our GTC.
  7. The following applies to DIGIBURN’s employee data
    1. Personal data of employees may be processed in the context of the employment relationship where this is necessary for making hiring decisions or following such decisions, for performing or terminating the employment contract, or for exercising or satisfying the rights and obligations of representatives of contractors and employees. Personal data of these data subjects may be processed for the purposes of crime investigations only where there are grounds to believe that the investigated crime took place during the ongoing employment relationship, provided that the data subject’s lawful interest in his/her data not being processed does not prevail and, more specifically, that the type and scope of the data processing are not disproportionate to the reasons for the investigation.
    2. The Company sets in place the needed mechanisms for ensuring compliance with the principles of personal data processing, in line with the General Regulation, covered in section III.
    3. These rules also apply when personal data, including special categories of personal data, of employees are processed without being, or being intended to be, part of a document registration system.
    4. In this context, the persons who will be considered as employees also include persons employed for the purposes of vocational training (trainees).
    5. Data processing is necessary to comply with the legal obligations of DIGIBURN. The processing of personal data of employees is also admissible where national law requires, prescribes or authorizes data processing. The nature and scope of the data processing must be necessary for the legally required data processing activities and comply with the relevant legal provisions. Personal data may be shared with different categories of recipients. For example, DIGIBURN provides personal data to the National Revenue Agency, the National Social Security Institute, the Executive Agency “General Labor Inspectorate”, competent law enforcement agencies, as well as other government agencies and institutions.

VII. Obligation to notify the data subject

  1. In fulfillment of its obligations under art. 12, 13 and 14 of the General Data Protection Regulation DIGIBURN provides the data subject with comprehensible and easily accessible information about the personal data that it processes.
    1. In the event that DIGIBURN receives personal data directly from the data subject, the data subject shall be provided with a privacy notice in an appropriate form, in clear, simple and comprehensible language, including the following information:
      1. the data identifying DIGIBURN and the contact details of DIGIBURN and, where applicable, those of the DIGIBURN representative;
      2. the contact details of the Data Protection Coordinator, where applicable;
      3. the purposes of the processing for which the personal data are intended and the legal basis for the processing;
      4. where the processing is carried out on the basis of Article 6, para. 1, item f) of the General Data Protection Regulation (legitimate interests of DIGIBURN or a third party), the legitimate interests pursued by DIGIBURN or a third party;
      5. the recipients or categories of recipients of the personal data, if any;
      6. where applicable, the intention of DIGIBURN to transfer personal data to a third country or to an international organization, as well as the presence or absence of a decision of the European Commission (EC) on the adequate level of protection or, in the case of data transfers referred to in Article 46 or 47, or Article 49 (1), para. 2 of the General Data Protection Regulation, a reference to the appropriate or applicable safeguards and the means of obtaining a copy thereof or information on where they are available;
      7. the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
      8. the existence of a right to request from DIGIBURN access to personal data, to correct or delete personal data or to restrict the processing of personal data relating to the data subject, or a right to object to the processing, as well as the right to the portability of the data;
      9. where the processing is based on the consent of the data subject, the existence of a right of withdrawal of consent at any time, without prejudice to the lawfulness of the processing based on consent before it is withdrawn;
      10. the right to appeal to the Commission for Personal Data Protection (CPDP);
      11. whether the provision of personal data is a mandatory or contractual requirement or a requirement necessary for the conclusion of a contract, and whether the data subject is obliged to provide personal data and the possible consequences if such data is not provided;
      12. the existence of automated decision-making, including profiling, and at least in these cases essential information on the logic used, as well as the significance and intended consequences of such processing for the data subject.
    2. In the event that DIGIBURN receives personal data from sources other than the data subject, the data subject shall be provided with a privacy notice in an appropriate form, in clear, simple and comprehensible language, including the information referred to in the previous point, as well as information on the relevant categories of personal data, the source of the personal data and, if applicable, whether the data come from a publicly available source. The privacy notice shall be brought to the attention of the data subject within a reasonable time after receipt of the personal data, but no later than 1 month, or at the latest upon first contacting the data subject or first disclosing the personal data to another recipient.

VIII. Obligation for adequate, relevant and restricted processing of personal data

DIGIBURN collects personal data within the limits of what is necessary for the purpose of processing, brought to the knowledge of the data subject.

IX. Obligation to process accurate and updated personal data

  1. DIGIBURN collects accurate personal data and ensures its timely updating.
  2. Upon receipt of personal data, the employees of DIGIBURN, engaged in the process of collection of personal data, shall check the accuracy of the personal data provided to DIGIBURN.
  3. The personal data stored by DIGIBURN shall be reviewed periodically.
  4. DIGIBURN has adopted rules for processing the applications for correction of personal data by the data subject (Appendix No. 2).
  5. All suppliers, subcontractors, partners, workers and employees who work with or for DIGIBURN, as well as third parties who provide personal data to DIGIBURN, shall be obliged to notify of any change in the personal data provided by them.

X. Provision of the data subject’s personal data to third parties

  1. DIGIBURN does not pass on customer’s personal data to third parties, unless it is legally entitled or obliged to do so, or the data subject has given his/her consent.
  2. Personal data may be shared with different categories of recipients. For example, in fulfilling the legal obligations of the controller, personal data may be provided to the National Revenue Agency, the National Social Security Institute, the Executive Agency “General Labor Inspectorate”, competent law enforcement agencies, as well as other government agencies and institutions.
  3. DIGIBURN transfers data to other natural / legal persons who provide a certain type of goods or services to DIGIBURN, including services for information maintenance and security of IT systems, accounting services, archive and legal services and others. In such cases, DIGIBURN shall enter into a written agreement with the specific service provider that has provided sufficient guarantees for the application of appropriate technical and organizational measures in such a way that the processing complies with the requirements of Regulation (EU) 2016/679 and ensures protection of the rights of data subjects.
  4. DIGIBURN maintains partnerships with other independent controllers of personal data. In connection with this partnership, it is possible for the parties to share certain data with each other. In such cases, DIGIBURN shall inform the data subjects in an appropriate manner about these categories of recipients, as well as conclude an additional agreement with the respective independent controller, thus, ensuring the confidentiality of the personal data shared.
  5. Where DIGIBURN and a third-party controller act as joint controllers, they shall define in a transparent manner, by mutual agreement, their respective responsibilities for the implementation of the obligations under Regulation (EU) 2016/679.
  6. DIGIBURN may transmit customers’ health data, in the context of research cooperation, in a completely anonymous form to university partners, research bodies or private data research providers with which DIGIBURN cooperates in research.
  7. In the event that DIGIBURN processes personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or has it processed (see also third-party tools as described in Section XI), this will be done in compliance with the relevant legal requirements. In these cases, DIGIBURN will always take appropriate measures to adequately secure the personal data (e.g. through standard contractual clauses).

XI. International transfer of personal data – transmission of personal data to third countries outside the EU and the EEA

  1. DIGIBURN may transfer personal data to third countries outside the European Union and the European Economic Area only in compliance with the requirements of Regulation (EU) 2016/679 and in particular those set out in Chapter V thereof.
  2. The transfer shall be made on the basis of a decision of the European Commission regarding the adequate level of protection provided by the third party in question. In the absence of such a decision by the European Commission, the transfer to a third party can only take place if there are adequate safeguards and provided that the data subjects’ rights and effective remedies are in place. Appropriate safeguards are standard data protection clauses included in personal data processing agreements concluded between DIGIBURN and the third party concerned.
  3. Alternatively, the transfer of personal data to a third party may take place after the explicit consent of the data subject or where there are other grounds referred to in Article 49 (1) of Regulation (EU) 2016/679.
  4. Third-party tools with which DIGIBURN has business relations
    DIGIBURN sometimes commissions third-party providers to provide services for the analysis and evaluation of user behavior. The aim is to constantly improve and further develop DIGIBURN. The information provided for this purpose is usually pseudonymized. If these service providers process personal data, DIGIBURN concludes a data processing agreement with them in accordance with Article 28 GDPR, which obliges these service providers to comply with legal standards with regard to data protection and data security. This means that the processors are bound by DIGIBURN’s instructions and are regularly monitored by DIGIBURN. The processors whose services are used will not pass this data on to third parties, but will delete it after the fulfilment of the contract and the expiry of statutory storage periods, unless you have consented to storage beyond this.
  5. In detail DIGIBURN uses the following tools:
    1. Google Firebase
      In the mobile app we use Firebase (https://www.firebase.com/), a framework from Google’s subsidiary Firebase, based in San Francisco, CA, USA, through which we track and manage the following real-time functions:

      • We use Firebase Crashlytics to track app crashes as they occur and to prevent future crashes. In the event of an app crash, a report is generated that includes the type and operating system of the device, recent activity in the app, and geolocation in pseudonymous form and sent to Google. For information on the functionality of Crashlytics, please visit https://firebase.google.com/products/crashlytics/.
      • The mobile app uses Firebase Remote Config to allow us to change the app on the devices on which it is installed without having to completely reinstall the app from the respective App Store. To do this, the device information, language, country, and regional settings are transferred to Google in the USA and processed there. Information about the functionality of Remote Config can be found at https://firebase.google.com/products/remote-config/.
        For all Firebase services mentioned, only anonymized or pseudonymized user data is transmitted to Firebase (Google). The Firebase privacy policy is available at https://www.firebase.com/terms/privacy-policy.html, and information about the specific data used in the mentioned services can be found at https://firebase.google.com/support/privacy.
        The legal basis for the use of Firebase is our legitimate interest in maintaining Moodpath permanently and evaluating its performance according to article 6 paragraph 1 GDPR.
    2. Branch Metrics (only for Digiburn users in the United States of America/USA)
      Our app uses Branch Metrics which is operated by Branch Metrics Inc. 2443 Ash Street, Palo Alto, CA 94306, USA. This service is an open-source solution, which allows us to generate smart links to content within an app for statistical analysis and for marketing activities (the latter only in the USA). This can be done with appropriate software development kits (SDKs) for web, iOS, and Android operating systems. In the course of providing the service and its features, Branch Metrics collects data such as operating system and version, timestamp, API key (application identification key), application version, device model, manufacturer and identification number, iOS identification key for advertising, iOS identification key for vendors, Android identification key for advertising, IP address and network status. The above data is collected and encrypted for this purpose only.
      The legal basis for this is Article 6 Paragraph 1 lit. a GDPR.
      How can I prevent this? You can deactivate this collection for your device via this link https://branch.app.link/device-opt-out or generally restrict the use of certain data in your Android or iOS device.
    3. For sending e-mails in the context of creating, verifying and managing your personal, optional Digiburn account we use Mailgun (535 Mission St., 14th Floor, San Francisco, CA 94105, USA). This provider processes and stores the e-mail address, its content, subject and other metadata in a high-security data center in Frankfurt am Main and deletes it after a maximum of 5 days.
    4. For the hosting of the data as well as our applications, databases, and servers, we use the cloud services of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), which acts as a processor for us and stores data in a high-security data center in Frankfurt am Main and Ireland.
    5. To send out push notifications, we use the services of OneSignal, a U.S. company located at 2850 S Delaware St Suite 201, San Mateo, CA 94403, which processes device data in order to identify your device and deliver push notifications. Please visit https://documentation.onesignal.com/docs/data-collected-by-the-onesignal-sdk to see which data is processed by OneSignal (Note: OneSignal automatically does not collect IP addresses from EU users.)
      The legal basis for this is Article 6 Paragraph 1 lit. f GDPR.

XII. Obligation to limit the storage of personal data

  1. DIGIBURN shall store personal data only for a period not longer than necessary for the purposes for which the personal data are processed.
  2. After the expiration of the storage period, DIGIBURN shall ensure the proper destruction or deletion of the data in accordance with an established procedure.
  3. Terms for storage of personal data in DIGIBURN
    1. The personal data of customers are stored for a period of 2 (two) years. After this period has expired, the user’s e-mail address is deleted, thus achieving complete anonymization of the data subject. After deletion, only the identification number remains in the main database, which by itself can no longer be associated with a specific e-mail address or with a specific data subject.
    2. The personal data of employees contained in the employment insurance documentation are stored for a period of 50 (fifty) years in accordance with the National Archives Fund Act, the Accounting Act, the Social Security Code and the Tax Insurance Procedure Code;
    3. Personal data of job applicants who have not been approved for appointment in DIGIBURN are stored for a period not longer than 6 (six) months from the end of the procedure, after which they are returned to the person or destroyed in an appropriate manner. Personal data may be stored for a longer period, up to 3 (three) years, for the purpose of submitting job offers only with the consent of the job applicant;
    4. The records from the technical means for video surveillance are stored for 2 (two) months from their creation;
    5. Personal data contained in accounting documents are stored within the time limits under Article 12 of the Accounting Act.
    6. Along with these basic deadlines, DIGIBURN has established its rules for determining the term for storage and the procedure for destruction of personal data (Appendix No. 3).
  4. Storage of customer’s data and methods for protection
    1. The personal data of customers are stored for a period of 2 (two) years. After this period has expired, the user’s e-mail address is deleted, thus achieving complete anonymization of the data subject. After deletion, only the identification number remains in the main database, which by itself can no longer be associated with a specific e-mail address or with a specific data subject.
    2. DIGIBURN does not store customer data on the customer’s device, in order to ensure maximum security and the smooth functioning of the app. DIGIBURN stores customer data on the servers of its IT service provider, the Typeform platform, which processes that data on DIGIBURN’s behalf on the legal basis of Art. 28 GDPR and is obliged to comply with the legal provisions on data protection and data security.
    3. DIGIBURN takes precautions to protect the personal data and to prevent misuse.
    4. The app communicates with DIGIBURN’s server via encrypted connections using SSL (Secure Sockets Layer), which prevents third parties from accessing customer personal data without authorization. Both servers and databases are behind firewalls to restrict access.
    5. Please note that in some employment relationships it is not allowed to use the Internet for private purposes during working hours or from your workplace. Some employers monitor unauthorized Internet activity in the workplace. Even if you are otherwise connected in multiple network environments, you must be aware that there is always a risk of unwanted access.

XIII. Obligation to process personal data in accordance with the rights of the data subject

DIGIBURN processes personal data, ensuring the exercise of the rights of the data subject, namely:

  1. right to information about his/her personal data stored by DIGIBURN and receipt of a copy of his/her personal data stored (right of access);
  2. right to correction of his/her personal data, if the same are inaccurate or out of date;
  3. the right to have his/her personal data deleted, if applicable (right to be forgotten);
  4. right to limit the processing of his/her personal data;
  5. the right to withdraw the consent for processing of his/her personal data, if applicable;
  6. right of portability of his/her personal data (to receive them or to be transferred to another personal data controller in a structured, widely used and machine-readable format), if applicable;
  7. the right of his/her personal data not to be the subject of automatically taken decisions, which would affect him/her to a significant degree, without the possibility for human intervention;
  8. right to object to the processing of his/her personal data, if applicable;
  9. right to lodge a complaint regarding the processing of his/her personal data with the Commission for Personal Data Protection (CPDP) – Sofia 1592, Blvd. “Prof. Tsvetan Lazarov” No 2, or at cpdp.bg.

If you want to make use of one of these rights, you can delete your data directly in the app in the section “Settings → Data & Security”. Of course, you can export your data beforehand using the automatic export function. Alternatively, you can send us an e-mail from the address registered with us to gdpr@digiburn.health, or write to us stating your personal identification number (UID – you can find this in the settings section at the bottom of the profile page). We will then check this immediately and contact you.

XIV. Obligation for reporting on the processing of personal data

  1. DIGIBURN shall be liable and shall be able to prove that it complies with its obligations in connection with the processing of personal data.
  2. In its capacity as controller of personal data, DIGIBURN has created and maintains a register of the activities for processing personal data under Art. 30 (1) of the General Data Protection Regulation, according to an approved model, which contains the following information:
    1. activity for processing of the personal data;
    2. purpose of the processing of the personal data;
    3. grounds for processing the personal data;
    4. category of personal data subjects;
    5. categories of personal data;
    6. source of the personal data;
    7. term of storage of the personal data;
    8. recipients of personal data;
    9. automated decision-making / profiling;
    10. organizational and technical measures for protection;
    11. name of the state or the international organization upon transfer of personal data;
    12. guarantees for transfer of personal data to third countries or international organizations;
    13. joint controllers;
    14. processing personal data.
  3. When necessary DIGIBURN shall carry out an assessment of the impact on the protection of the personal data, taking into account all the circumstances, related to the activities for processing of personal data.
  4. Where, as a result of the personal data protection impact assessment, it is clear that DIGIBURN will start processing personal data which, due to a high risk, could cause harm to data subjects, the decision whether or not to continue processing shall be submitted for review to the Data Protection Coordinator.
  5. In case the Data Protection Coordinator has serious concerns about the potential damage or danger, or about the quantity of the respective data, the issue should be referred to the CPDP.
  6. DIGIBURN shall prove the fulfillment of its obligations in connection with the processing of personal data by documenting the main personal data processing processes, by adopting and applying rules and procedures for personal data processing, as well as by adherence to codes of conduct, implementation of appropriate technical and organizational measures, data protection by design and by default, data protection impact assessments, etc.

XV. Obligation to guarantee security in the processing of personal data 

  1. DIGIBURN is aware of the risks associated with the processing of certain categories of personal data.
  2. In determining the appropriateness of the processing, DIGIBURN shall consider the extent of any damage or loss that may be caused to the data subject if a security breach occurs, as well as any probable damage to DIGIBURN’s reputation, including any loss of customer trust.
    1. In assessing appropriate technical measures to ensure security in the processing of personal data, DIGIBURN shall analyze the following circumstances:
      1. password protection provided;
      2. the existence of automatic locking of idle workstations in the network;
      3. removal of access rights for USB and other removable storage media;
      4. antivirus software and firewalls;
      5. access rights;
      6. the protection of devices leaving the premises of the organization, such as laptops and mobile phones;
      7. the security of local and wide area networks;
      8. confidentiality enhancement technologies, such as pseudonymization and anonymization;
      9. identification of appropriate international security standards.
    2. In assessing the appropriate organizational measures to ensure security in the processing of personal data, DIGIBURN shall take into account:
      1. appropriate training for DIGIBURN staff;
      2. guarantees of the reliability of DIGIBURN staff (e.g., recommendations);
      3. the inclusion of obligations regarding the protection of personal data in the employment contracts of the employees of DIGIBURN;
      4. the provision of disciplinary sanctions for the employees of DIGIBURN for violations in the processing of personal data;
      5. regular checks that DIGIBURN staff comply with the relevant security standards;
      6. exercising control over the physical access to personal data recorded on electronic media or contained on paper;
      7. the adoption and adherence to a “clean workplace” policy;
      8. storage of personal data contained on paper in lockable wall cabinets;
      9. restricting the use by DIGIBURN employees of mobile electronic devices inside and outside the workplace;
      10. adoption and observance of rules for creation and use of security passwords;
      11. regular backup of personal data and physical storage of media with copies outside the office;
      12. the inclusion of obligations regarding the protection of personal data in contracts with suppliers, subcontractors, partners and third parties, as well as an obligation for them to take appropriate security measures when transferring data outside the EU.
  3. All suppliers, subcontractors, partners, employees who work with or for DIGIBURN and who have or may have access to the personal data processed by DIGIBURN, shall be responsible for ensuring the security of the storage of personal data.
  4. All suppliers, subcontractors, partners and employees who work with or for DIGIBURN and who have or may have access to the personal data processed by DIGIBURN shall be obliged to store such data securely and not to disclose personal data to third parties, unless DIGIBURN has granted the right of access to this data by concluding a confidentiality agreement for this purpose.

XVI. Confidentiality

  1. Personal data is subject to confidentiality. It is forbidden for employees to perform unauthorized collection, processing or use of personal data. Any processing performed by an employee that has not been entrusted to him/her in the performance of his/her duties is unauthorized. The “need to know” principle applies: employees can only access personal data if and to the extent necessary for their respective tasks. This requires careful division and separation of roles and responsibilities, as well as their implementation and maintenance within the scope of authorization concepts.
  2. In the cases of processing of special categories of personal data (sensitive personal data) for the purposes indicated in Art. 9 (2) (h) of the General Regulation, those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies.
  3. Employees are not authorized to disclose personal data to unauthorized persons, to disclose it in any other way, or to use it for personal or economic purposes. Company managers must inform their employees of the obligation to protect the privacy of the data when they start work. This obligation shall remain in effect after the employment of the employee concerned has ended.
  4. Personal data must be protected against unauthorized access, unauthorized processing or disclosure, as well as accidental loss or destruction at any time. This applies irrespective of the processing of data electronically or in paper form.
  5. Before implementing new processes or data processing, especially new information systems, all technical and organizational measures to protect personal data must be defined and implemented. These measures must be appropriate to current technology standards, the risks arising from the processing and the need for data protection (as defined by the classification process). The responsible department can consult the corporate data protection coordinator. The technical and organizational measures for the protection of personal data are part of the Company’s information security management and must be kept consistent with technical and organizational changes.

XVII. Violation of the security of personal data

  1. The proper handling of personal data breaches is essential as the General Regulation provides for a very strict reporting requirement for data breaches. In the case of data security breaches, there are legal obligations to notify the supervising authority and the data subjects.
    1. “Personal data breach” means a security breach that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that is transmitted, stored or otherwise processed. A data security breach is an incident affecting data security and data protection where it is probable or proven that personal data has become known to unauthorized persons. Data security breaches often involve significant risks to the person concerned, such as damage to reputation, credit card abuse or identity theft, as well as serious consequences for the company.
    2. The General Regulation provides for a mandatory reporting requirement for data breaches. Art. 33 of the General Regulation (notification of the supervisory authority) and Art. 34 of that Regulation (for the notification of data subjects) determine when such an obligation is applicable.
  2. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Art. 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  3. The processor shall notify the controller without undue delay after becoming aware of a personal data breach. The notification to the supervisory authority referred to in item 2 above shall at least:
    1. Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
    2. Communicate the name and contact details of the data protection coordinator or other contact point where more information can be obtained.
    3. Describe the likely consequences of the personal data breach.
    4. Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
      Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  4. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with Art. 33 of the General Regulation.
  5. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
  6. The communication to the data subject presented above shall describe in simple manner the nature of breach in the security of personal data, covering at least:
    1. Communicate the name and contact details of the data protection coordinator or other contact point where more information can be obtained.
    2. Describe the likely consequences of the personal data breach.
    3. Describe the measures taken or proposed by the controller to handle the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  7. The above message to the data subject is not required if any of the following conditions are met:
    1. The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.
    2. The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in Art. 34(1) of the General Regulation is no longer likely to materialize.
    3. It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
  8. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that at least one of the conditions listed above is met (ref. Art. 34(3) of the General Regulation).

XVIII. Final provisions

  1. Data protection coordinator in DIGIBURN
    1. DIGIBURN has appointed a data protection coordinator, and all interested parties have easy access to this employee.
    2. The Data Protection Coordinator monitors compliance with this Policy and serves as the single point of contact for all data subjects in exercising their rights under this Policy and the applicable data protection legislation.
    3. The Data Protection Coordinator shall be:
      Georgi Natchev
      Tel.: +359 888 888 248
      E-mail: gdpr@digiburn.health
    4. The data protection coordinator shall render assistance to the data subjects. The data subject may address all his/her requests and questions related to the exercise of his rights under the Regulation to the said coordinator.
  2. Amendments and supplements to the Personal Data Protection Policy
    DIGIBURN reserves the right to change this Privacy Policy and, if necessary, will notify all interested parties in an appropriate manner.

If you have any questions, suggestions or comments, you are welcome to contact our customer support team at gdpr@digiburn.health or our data protection coordinator: Georgi Natchev.

This Privacy Policy was last amended on 24.02.2021.

This Privacy Policy is available for reference on the website of DIGIBURN, as well as for reference by the employees of DIGIBURN on the Company’s server, and is also available on paper or electronic media in the office of the Company and is made available to any interested data subject for proper acquaintance with it.