Privacy Policy

1.1. This Privacy Policy (hereinafter referred to as the “Privacy Policy”) explains how Belchev & Co. (hereinafter referred to as “B&Co”) collect, use, and protect the personal data of visitors (hereinafter referred to as the “Visitors”) to belchev-co.com and its subdomains (hereinafter referred to as the “Website”). It applies whenever and to the extent that Personal Data is processed.

1.2. B&Co encourages all Visitors to read it carefully to understand how their information is handled.

1.3. Unless otherwise stated, any capitalized terms used in this Privacy Policy that are not defined herein shall have the meaning given to them in the B&Co Terms and Conditions, where applicable.

2.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

2.2. “Controller” means Stefan Belchev, acting as a self-employed legal consultant, registered under BULSTAT: 181027885, email: legal@belchev-co.com.

2.3. The terms “Controller“, “Member State“, “Processor“, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.

2.4. “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, primarily the Bulgarian Personal Data Protection Act, the GDPR, and, where applicable, the UK GDPR, the laws of the European Economic Area ("EEA"), Switzerland, Canada, and Israel, as in effect at the time of the Processing of Personal Data hereunder.

2.5. “Data Subject” means the identified or identifiable person to whom the Personal Data relates.

2.6. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

2.7. “Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Visitor, which is processed by B&Co in its capacity as a Controller or as otherwise described in this Privacy Policy.

2.8. “Standard Contractual Clauses” means in respect of transfers of Personal Data subject to the GDPR, the Standard Contractual Clauses between controllers and processors, and between processors and processors, as approved by the relevant jurisdiction’s authorities (the EU, the UK, Switzerland).

2.9. “Sub-processor” means any third party that carries out specific Processing activities of Personal Data under B&Co's instructions.

2.10. “UK GDPR” means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419), as supplemented by the Data Protection Act 2018.

3.1. While Processing Personal Data, B&Co will respect the following principles:

a) Lawfulness and Fairness - when Processing Personal Data, the individual rights of the Data Subjects must be protected. Personal Data must be collected and processed lawfully, fairly manner and proportionate manner.

b) Purpose Limitation - Personal Data shall be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes.

c) Transparency - the Data Subjects must be informed of how Visitors' Personal Data is being handled. When the Personal Data is collected, the Data Subject must be informed of:

i) The existence of the present Privacy Policy;

ii) The identity of the Controller;

iii) The purpose of Personal Data Processing;

iv) Whether the Personal Data is disclosed to third-parties.

v) The period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period.

d) Data Minimisation - Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

e) Accuracy - Personal Data kept on file must be correct and if necessary, kept up to date. Inaccurate or incomplete Personal Data should not be kept on file and deleted.

f) Storage Limitation - Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which it is processed.

g) Integrity and Confidentiality – Personal Data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures.

h) Accountability - B&Co is responsible for, and shall be able to demonstrate, compliance with the principles set out in this Section.

3.2. Where Processing is based on B&Co’s legitimate interests, B&Co has carried out a legitimate interests assessment (LIA) to ensure that such interests are not overridden by the rights and freedoms of the Data Subjects, considering the nature of the Personal Data, the context of the Processing, and the reasonable expectations of the Data Subjects.

4.1. B&Co will, both at the time of the determination of the means for Processing and at the time of the Processing itself, implement appropriate technical and organizational measures in order to meet the requirements of the applicable Data Protection Laws, and protect Visitors' rights.

4.2. B&Co will implement appropriate technical and organizational measures for ensuring that, by default, only Personal Data which are necessary for each specific purpose of the Processing are processed. This obligation applies to the amount of Personal Data B&Co collects, the extent of the Processing, the period of storage and accessibility.

5.1. B&Co collects and processes Personal Data as described in the table below. This structure ensures transparency regarding why we need your data, what exactly we collect, and our legal right to do so:

а) Essential Operations

• Categories of Personal Data: Technical Identifiers: IP address, Device ID, Browser type/version, and Operating system.

• Legal Basis: Legitimate interest in maintaining a functional, stable, and secure website, ensuring proper technical operation, and protecting the Website against misuse.

b) Website Analytics

• Categories of Personal Data: Usage & Analytics Data: Browser events, current/referring URL, traffic patterns, and screen dimensions.

• Legal Basis: Consent obtained via the cookie banner prior to any data collection.

c) Inquiry Management

• Categories of Personal Data: Communication Data: Name, email address, and the specific content of your message/inquiry.

• Legal Basis: Pre-contractual measures to provide information or services at your request. Processing of communication data is necessary to provide the legal consulting services you requested.

d) Security & Protection

• Categories of Personal Data: Technical & Traffic Data: Logs of access, IP addresses, and patterns of interaction with the Website.

• Legal Basis: Legitimate interest in preventing fraud, cyber-attacks, and protecting B&Co’s legal rights.

e) Data Aggregation

• Categories of Personal Data: Anonymized Data: Any of the above, processed such that the individual is no longer identifiable.2

• Legal Basis: Legitimate interest in service improvement through statistical research and data minimization.

f) Legal Compliance

• Categories of Personal Data: Necessary Records: Any data requested by public authorities, courts, or under specific legal mandates.

• Legal Basis: Legal Obligation to which B&Co is subject under applicable law.

5.2. We use cookies to facilitate the purposes above. Strictly necessary cookies (for essential operations and security) are deployed by default. Analytics and Marketing cookies are only deployed if you provide your explicit consent. For detailed information, see our Cookie Policy.

5.3. B&Co does not collect sensitive Personal Data (e.g., health, religion, political views). Our services are not directed at persons under 18, and we do not knowingly process data from minors.

6.1. B&Co stores Personal Data only for as long as necessary to fulfill the specific purposes for which it was collected, or to comply with mandatory legal, tax, and regulator y requirements.
6.2.The following retention periods apply:
a) Contractual & Accounting Records: Data related to service agreements, including billing information and signed contracts, is retained for ten (10) years. This period starts from the beginning of the year following the year in which the tax for the respective period became due, as per the Bulgarian Accountancy Act and the Tax and Social Insurance Procedure Code.
b) Legal Claims & Correspondence: Information necessary for the establishment, exercise, or defense of legal claims is retained for five (5) years, in accordance with the general statute of limitations under the Bulgarian Obligations and Contracts Act.
c) Inquiries & Communication: Personal data provided via the online form or email without a subsequent contract is retained for two (2) years to ensure continuity of communication and follow-up.
d) Technical Logs & Cookies: Technical data used for security and website stability is typically retained for up to one (1) year, unless a security incident or legal obligation requires a longer period.
6.3. Once the retention period expires, B&Co shall either securely delete or anonymize the Personal Data so that it can no longer be linked to an identifiable individual, in which case it may be used for statistical purposes (as per Section 5.1).

7.1. B&Co may share Visitors’ Personal Data with third parties acting as Processors, independent Controllers, or joint Controllers, such as hosting providers, IT service providers, analytics providers, and communication service providers, strictly to the extent necessary for the purposes described in this Privacy Policy.
7.2. Where such third parties act as independent or joint Controllers, their Processing of Personal Data shall be governed by their own privacy notices and applicable data protection laws.
7.3. Personal Data may also be disclosed where required by law, court order, or a competent public authority. Unless otherwise stated, the Processors who receive data from B&Co are prohibited from using this Personal Data beyond what is necessary to provide the product or service to Visitors, directly or by participating in B&Co’s activities.

8.1. When transferring Personal Data, B&Co is committed to ensuring that the data importer, where acting as a Processor, maintains materially similar technical and organizational security measures for the storage and Processing of Personal Data as those implemented by B&Co.
8.2. Visitors’ Personal Data may be processed, stored, and transferred to third parties acting as Processors, independent Controllers, or joint Controllers, in the manner and to the extent described in this Privacy Policy, in the applicable agreements concluded by B&Co, and, where required, based on the consents provided by Visitors.
8.3. Transfers of Personal Data from the EEA, Switzerland, and the United Kingdom to countries that offer an adequate level of data protection may take place under or pursuant to adequacy decisions published by the relevant authorities (hereinafter referred to as the “Adequacy Decisions”), without any further safeguard being required.
8.4. Visitors are informed that some service providers (e.g., analytics or hosting providers) may be located in, or may transfer Personal Data to, the United States. Such transfers are carried out in compliance with applicable data transfer mechanisms, including Adequacy Decisions, the EU-U.S. Data Privacy Framework, or Standard Contractual Clauses ("SCC"), as applicable.
8.5. If the Processing of Personal Data by Processor includes a transfer (either directly or via onward transfer) to other countries that have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative compliance mechanism recognized by Data Protection Laws (as may be adopted by Processor in its own discretion), the terms set forth in the applicable Standard Contractual Clauses shall apply.

9.1. As Data Subjects, Visitors shall have one or more of the following data subject rights with respect to the Personal Data that B&Co Processes.

a) Access – Visitors have a right to access Visitors' Personal Data, including receiving a copy and to obtain certain information about the B&Co’s Processing activities.
b) Rectification – the GDPR grants Visitors the right to correct inaccurate Personal Data and/or complete incomplete Personal Data.
c) Deletion/Erasure – Visitors have the right to request erasure of Personal Data (the right to be forgotten). B&Co shall take reasonable steps to inform any other Processors also Processing the data.
d) Restrict Processing – Visitors have the right to restrict Processing of Personal Data, under certain circumstances.
e) Portability – Visitors have the right to data portability to:

i) receive a copy of the Personal Data in a structured, commonly used and machine-readable format;
ii) transmit the Personal Data to another data controller (including directly by another data controller where possible).

f) Object to Processing – Visitors have the right to object, on grounds relating to their particular situation, to Processing based on legitimate interests, including Processing for direct marketing or statistical purposes, in accordance with applicable law. 
g) Object to automated decision making – Visitors have the right to not be subject to automated decision making, including profiling, which has legal or other significant effects on Visitors. B&Co does not employ automated decision-making processes, including profiling, that produce legal or otherwise significant effects concerning Visitors.
h) Withdraw consent – Visitors may, at any time, withdraw Visitors' consent to B&Co’s Processing when the Processing is based solely on Visitors' consent.

9.2. These rights can be exercised by writing to B&Co at legal@belchev-co.com. Upon receipt of Visitors' requests at the contact details provided above, B&Co shall reply without undue delay and within the applicable statutory deadlines (usually within one (1) month). If the request is submitted by a person other than the Visitor, without providing evidence that the request is legitimately made on Visitors' behalf, the request will be rejected.
9.3. Any request to exercise rights is free of charge unless Visitors' request is unfounded or excessive (e.g. if Visitors have already requested such Personal Data multiple times in the last twelve (12) months or if the request generates an extremely high workload). In such a case, B&Co may charge Visitors a reasonable request fee according to applicable Data Protection Laws.
9.4. B&Co may refuse, restrict or defer the provision of Personal Data where it has the right to do so, for example if fulfilling the request will adversely affect the rights and freedoms of others.
9.5. Please note that any request with regards to Personal Data which is publicly available should be submitted directly to the third-party supplier of such data.

10.1. B&Co reserves the right to make any changes to this Privacy Policy at any time, as B&Co deems it necessary or desirable. If B&Co makes any material changes restricting or affecting in any way Visitors' rights, B&Co may notify Visitors on the Website and, when possible, by email, prior to the change becoming effective. 
10.2. Visitors’ continued use of the Website after any such changes or after explicitly accepting the new Privacy Policy upon using the Website shall constitute Visitors’ acknowledgement of the updated Privacy Policy. If Visitors do not agree with the changes, they should discontinue use of the Website.

11.1. This Privacy Policy and any questions relating thereto shall be governed by the laws of the Republic of Bulgaria, to the exclusion of any rules of conflict resulting from private international law.
11.2. Any dispute relating to this Privacy Policy shall be subject to the jurisdiction of the competent courts of Sofia, Bulgaria, without prejudice to any mandatory rights of Data Subjects under applicable data protection laws, including the GDPR.

12.1. We value Visitors' opinion, and if Visitors have any comments or questions about this Privacy Policy, B&Co’s handling of Visitors' Personal Data, a possible Personal Data Breach, or want to exercise Visitors' rights, please contact us at the addresses below and B&Co will treat Visitors' requests or complaints confidentially.

• Email - legal@belchev-co.com

• or via our online contact form here

12.2. If Visitors feel Visitors' Personal Data has been mishandled or if B&Co has failed to meet Visitors' expectations, Visitors are encouraged to contact B&Co but Visitors are entitled to complain directly to the relevant Supervisory Authority. If you are located within the EEA and believe that your personal data is being processed in violation of the GDPR, you have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection ("CPDP"):

• Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria

• Email: kzld@cpdp.bg

• Website: www.cpdp.bg

​

Last updated: 1 February 2026