Last updated: March 21, 2026
This Privacy Policy describes how Sofia Tour Guide ('Controller', 'we', 'us') collects, uses, stores, and protects personal data provided by users of this website ('Website'), in accordance with EU Regulation 2016/679 (GDPR) and the Bulgarian Personal Data Protection Act (PDPA).
1. Data Controller
Sofia Tour Guide
Website: sofia-tour.guide
Privacy contact: privacy@sofia-tour.guide
2. Data We Collect
2.1 Automatically collected data — When you visit the Website we collect: IP address and approximate location (country/city); browser type, OS, device type; page URLs, referrer URL, visit timestamps, session duration; and interaction data (clicks, scrolls) via Google Analytics.
2.2 Data you provide voluntarily — When you submit a contact form: your name, email address, and message.
2.3 Administrative accounts — Email address and hashed password of users with CMS access. This data is not accessible to public visitors.
We do not collect special-category data (health, biometric, political, etc.) and do not perform automated profiling with legal consequences.
3. Purposes and Legal Bases
Providing and maintaining the Website — legal basis: Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures).
Responding to contact form enquiries — legal basis: Art. 6(1)(b) or Art. 6(1)(f) GDPR (legitimate interests).
Web analytics via Google Analytics — legal basis: Art. 6(1)(a) GDPR (consent).
Security and fraud prevention — legal basis: Art. 6(1)(f) GDPR (legitimate interests).
Compliance with legal obligations — legal basis: Art. 6(1)(c) GDPR.
4. Recipients of Personal Data
Supabase Inc. (USA) — database, authentication, and file storage. Data hosted in the EU (Frankfurt, AWS eu-central-1). Acts as a data processor under Art. 28 GDPR.
Vercel Inc. (USA) — Website hosting infrastructure. May process IP addresses as part of CDN request handling.
Google LLC (USA) — Google Analytics. Processes traffic and behaviour data upon your consent.
Competent authorities — where required by law or court order.
We do not sell or share personal data with third parties for marketing purposes.
5. International Data Transfers
Supabase, Vercel, and Google are established in the United States. Transfers are carried out on the basis of Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR (European Commission Decision of 4 June 2021). For Google Analytics, the EU–US Data Privacy Framework additionally applies.
6. Retention Periods
Contact form data: 2 years from the last contact.
Analytics data (Google Analytics): 14 months (GA4 default).
Server logs: 90 days.
Administrative accounts: until account deletion.
7. Your Rights
Under Chapter III of the GDPR you have the right to:
Access (Art. 15) — obtain a copy of your personal data.
Rectification (Art. 16) — correct inaccurate or incomplete data.
Erasure / 'Right to be forgotten' (Art. 17) — request deletion when processing is unlawful or the purpose has lapsed.
Restriction of processing (Art. 18) — temporarily suspend processing in certain cases.
Data portability (Art. 20) — receive your data in a structured, machine-readable format where processing is based on consent or contract.
Objection (Art. 21) — object to processing based on legitimate interests.
Withdrawal of consent — at any time, without affecting the lawfulness of prior processing.
To exercise any right, send a written request to privacy@sofia-tour.guide. We will respond within 1 month (extendable by up to 2 months for complex requests).
8. Right to Lodge a Complaint
You have the right to lodge a complaint with the supervisory authority:
Commission for Personal Data Protection (CPDP)
Address: 2 Prof. Tsvetan Lazarov Blvd, 1592 Sofia, Bulgaria
Website: www.cpdp.bg | Email: kzld@cpdp.bg | Phone: +359 2 915 3519
This right does not affect other administrative or judicial remedies.
9. Cookies
The Website uses cookies — small text files stored in your browser.
Session cookies: required for the Website to function correctly. Always active.
Analytics cookies (Google Analytics / GA4): used to measure traffic and user behaviour. Activated only upon your explicit consent via the cookie banner. You may withdraw consent or manage preferences at any time.
10. Changes to This Policy
We reserve the right to update this Privacy Policy when required by changes in law, our practices, or services offered. For material changes we will publish the updated version with a new date. We recommend periodic review of this page.
11. Contact
Sofia Tour Guide
Email: privacy@sofia-tour.guide
This Privacy Policy has been prepared in accordance with EU Regulation 2016/679 (GDPR) and the Bulgarian Personal Data Protection Act.