Privacy Policy
Effective date: 04.05.2026
1. Who we are
This Privacy Policy explains how Project ONE OOD processes personal data.
Controller: Project ONE OOD
Bulgarian name: „Проджект 1“ ООД
UIC / EIK: 205322886
VAT No.: BG205322886
Registered office: 3 Vitoshka Zornitsa Str., Building 2, Apt. 9, Dragalevtsi, 1415 Sofia, Bulgaria
Website: projectone.co
Email for privacy matters: office@projectONE.co
We have not appointed a Data Protection Officer because this is not currently mandatory for our activities. Privacy-related requests can be sent to the email above.
Supervisory authority in Bulgaria:
Commission for Personal Data Protection / Комисия за защита на личните данни
Address: 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
Email: kzld@cpdp.bg
Website: cpdp.bg
This Policy is based on the EU General Data Protection Regulation, the Bulgarian Personal Data Protection Act, Bulgarian accounting rules, anti-money-laundering and know-your-customer obligations, and other applicable sectoral legislation.
2. Scope
This Policy applies when you:
- visit our website;
- submit an enquiry through a form, email, phone, chat, portal, social media, or listing platform;
- request information about a property;
- book or attend a viewing;
- visit our sales office, show homes, or events;
- become a client, buyer, seller, landlord, tenant, supplier, contractor, or business partner;
- enter into reservation, brokerage, consultancy, sale, lease, handover, or related property documentation with us;
- apply for a job or send us professional information.
3. What personal data we process, why, and on what legal basis
We process personal data only where necessary and where we have a legal basis.
A. Website visitors, security, and technical operation
Data processed: IP address, device and browser information, pages visited, timestamps, approximate location derived from IP, server logs, error logs, security logs, cookie-consent records.
Purpose: website operation, security, fraud prevention, troubleshooting, load balancing, and protection against abuse.
Legal basis: legitimate interests in maintaining a secure and reliable website; legal obligation where security logs are needed to demonstrate compliance.
B. Enquiries, property interest, viewings, and sales communication
Data processed: name, email address, phone number, preferred properties, budget range, timing, property requirements, viewing preferences, communication history, notes from calls, meetings, or visits.
Purpose: responding to enquiries, arranging viewings, providing property information, preparing offers, following up on property interest, managing sales and client-service processes.
Legal basis: steps prior to entering into a contract; contract where applicable; legitimate interests in managing enquiries and business communications.
C. Client onboarding, offers, reservations, contracts, lease/sale transactions, and handover
Data processed: identification and contact details, correspondence, contract data, purchase or lease terms, reservation details, payment data, invoicing data, bank/payment references, property-related documentation, handover documents, snagging lists, claims, warranty correspondence.
Purpose: preparing and performing contracts, administering transactions, issuing invoices, coordinating with counterparties, managing handover and after-sale communication, defending or exercising legal claims.
Legal basis: contract; legal obligation; legitimate interests in project administration, documentation, and claim defence.
D. AML/KYC checks where required by law
Data processed: ID/passport data and copies where required, nationality, date of birth, address, utility bill or proof of address, company data, UBO information, PEP status, sanctions-screening results, source-of-funds or source-of-wealth information, Commercial Register extracts, declarations and supporting documents.
Purpose: compliance with anti-money-laundering, counter-terrorist-financing, sanctions, and know-your-customer obligations in relation to real estate transactions and relevant business relationships.
Legal basis: legal obligation.
E. Marketing, newsletters, events, and business development
Data processed: name, email address, phone number, company, role, marketing preferences, newsletter engagement, event RSVP and attendance, communication preferences, photos/videos from events or show homes where applicable.
Purpose: sending newsletters, property updates, invitations, event information, market updates, business communications, and marketing content.
Legal basis: consent for email marketing to individuals and non-essential marketing cookies; legitimate interests for limited B2B communications where permitted; consent or appropriate notice for identifiable image use where required.
You can withdraw marketing consent at any time by using the unsubscribe link or by contacting us at office@projectONE.co.
F. Recruitment
Data processed: CV, cover letter, contact details, professional history, qualifications, interview notes, references where provided, and communication history.
Purpose: assessing applications, arranging interviews, communicating with candidates, and making recruitment decisions.
Legal basis: steps prior to entering into a contract; legitimate interests in recruitment administration; consent where applicable.
G. Legal claims, compliance, and corporate administration
Data processed: relevant correspondence, contracts, declarations, notices, accounting records, transaction files, legal documents, audit trails, compliance records.
Purpose: compliance with legal obligations, audits, internal administration, corporate governance, dispute resolution, claim defence, and cooperation with authorities.
Legal basis: legal obligation; legitimate interests; establishment, exercise, or defence of legal claims.
4. Children’s data
We do not knowingly target children through our website or marketing.
For online services in Bulgaria, where processing is based on consent and the child is under 14, consent must be given or authorised by a parent or legal guardian.
If we become aware that we have collected children’s data without a valid legal basis, we will take appropriate steps to delete or regularise the processing.
5. Where personal data comes from
We may receive personal data from:
- you directly, through forms, emails, phone calls, meetings, contracts, or visits;
- your device or browser when you use our website;
- public registers, including the Commercial Register, Property Register, Cadastre, and other lawful public sources;
- real estate portals, referral partners, developers, co-brokers, banks, lawyers, notaries, appraisers, surveyors, property managers, or counterparties;
- AML/KYC, sanctions, or compliance sources where legally required;
- social media or professional platforms where you interact with us.
6. Who we share personal data with
We may share data with the following categories of recipients where necessary.
A. Processors / service providers
These may include hosting providers, cloud storage providers, email and SMS providers, CRM systems, form tools, appointment scheduling tools, e-signature platforms, analytics providers, cookie-consent platforms, customer support/chat providers, IT support, cybersecurity providers, accounting software providers, and document-management tools.
These providers process data on our behalf under data-processing agreements and confidentiality obligations.
B. Independent controllers and professional counterparties
These may include notaries, banks and financing institutions, lawyers, appraisers, surveyors, insurers, developers, co-brokers, property managers, accountants, auditors, public authorities, courts, regulators, and public registries.
These recipients usually process data as independent controllers under their own legal obligations.
C. Corporate transactions
If we reorganise, merge, sell, transfer, or restructure all or part of our business, personal data may be disclosed as part of the transaction under appropriate safeguards.
We do not sell personal data.
7. International transfers
Some service providers may process personal data outside the European Economic Area.
Where this happens, we rely on appropriate safeguards under GDPR, such as:
- an adequacy decision of the European Commission;
- the EU–US Data Privacy Framework for certified US organisations;
- Standard Contractual Clauses approved by the European Commission;
- supplementary technical, contractual, or organisational measures where necessary.
8. Retention periods
We keep personal data only for as long as necessary for the purpose for which it was collected or as required by law.
Typical retention periods are:
| Category | Retention period |
|---|---|
| Website and security logs | Usually up to 12 months, unless needed longer for security investigation or legal claims |
| Cookie-consent records | Usually 6–24 months, depending on the consent-management setup |
| Enquiries and viewing records | Up to 24 months after the last interaction, unless you object earlier or a longer period is justified |
| Marketing lists | Until consent is withdrawn or after periodic inactivity clean-up |
| Client/property files, offers, reservations, contracts, handover and snagging files | Usually 5 years after closing/end of relationship, unless longer retention is required for claims, warranties, or legal obligations |
| Accounting, invoicing, tax-control, financial-reporting documents | 10 years from 1 January of the year following the relevant reporting period |
| AML/KYC records | Usually 5 years after the end of the business relationship or occasional transaction, extendable where required by law |
| Recruitment data | Usually up to 6 months after the recruitment process, unless you consent to longer retention or we need the data for legal claims |
Where several retention periods apply, we keep the data for the longest applicable period required or permitted by law.
9. Your rights
Subject to applicable law, you have the right to:
- access your personal data;
- request correction of inaccurate or incomplete data;
- request deletion of your data;
- restrict processing;
- object to processing based on legitimate interests;
- object to direct marketing at any time;
- withdraw consent at any time, without affecting previous lawful processing;
- request data portability where applicable;
- lodge a complaint with the Commission for Personal Data Protection.
To exercise your rights, contact us at: office@projectONE.co.
We may need to verify your identity before responding. We will respond within the statutory deadline, unless an extension is permitted by law.
10. Cookies and similar technologies
We use cookies and similar technologies as described in our Cookie Policy.
Non-essential cookies are used only after your consent. You can accept all, reject all, or customise your cookie preferences. You can change or withdraw your consent at any time through the Cookie settings link in the website footer.
11. Security
We use appropriate administrative, technical, and physical safeguards to protect personal data, including access controls, TLS/SSL encryption, least-privilege access, logging, vendor due diligence, secure hosting, and internal confidentiality measures.
No system is completely secure, but we work continuously to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure.
12. Automated decision-making
We do not use automated decision-making, including profiling, that produces legal or similarly significant effects concerning you.
13. Changes to this Policy
We may update this Privacy Policy from time to time. The latest version will be available on our website with an updated effective date.
Cookie Policy
Effective date: 04.05.2026
1. What cookies are
Cookies are small text files placed on your device when you visit a website. Similar technologies include pixels, tags, local storage, SDKs, and tracking scripts.
Cookies can be:
- strictly necessary, meaning they are required for the website to work;
- functional, meaning they enable enhanced features;
- analytics/measurement, meaning they help us understand website use;
- advertising/social media, meaning they help measure campaigns or show relevant advertising.
2. Your choices
We ask for your consent before placing non-essential cookies.
On your first visit, the cookie banner gives you clear choices:
- Accept all
- Reject all
- Customize
These options are shown with equal prominence. We do not use pre-ticked boxes. Non-essential cookies are not activated unless and until you consent.
You can change or withdraw your consent at any time through the Cookie settings link in the website footer.
Rejecting non-essential cookies will not prevent you from using the website, but some features, such as embedded maps, videos, scheduling tools, or chat functions, may not work or may require you to activate them manually.
3. How our cookie banner works
On first visit, only strictly necessary cookies are active.
If you select Customize, you can enable or disable categories separately.
We store a small consent cookie to remember your choices. We also keep a lightweight consent log for compliance purposes, including consent status, timestamp, banner version, and selected categories.
4. Cookie categories we use
A. Strictly necessary cookies — always active
Purpose: site operation, security, consent storage, load balancing, fraud prevention, session management, technical troubleshooting.
Typical tools: WordPress core, hosting/CDN, security firewall, consent-management platform.
These cookies do not require consent because the website cannot function properly without them.
B. Functional cookies — optional
Purpose: enhanced website features, such as maps, spam protection, scheduling, chat, embedded videos, saved preferences, or interactive tools.
Typical tools, if enabled: Google Maps, reCAPTCHA, Calendly, Tidio/Intercom, Vimeo, YouTube.
Where possible, we load functional services only after you consent or after you click a placeholder such as “Click to load map” or “Click to load video”.
C. Analytics and measurement cookies — optional
Purpose: understanding website usage, improving listings, measuring page performance, analysing session behaviour, improving user experience.
Typical tools, if enabled: Google Analytics 4, Hotjar or similar UX tools.
Analytics cookies are used only if you consent.
D. Advertising and social media cookies — optional
Purpose: measuring advertising campaigns, conversion tracking, retargeting, showing relevant property-related ads, and enabling social media features.
Typical tools, if enabled: Google Ads, Meta Pixel, LinkedIn Insight Tag, social sharing widgets.
Advertising and social media cookies are used only if you consent.
5. Example cookie table
This table must be checked against the actual cookies active on projectone.co before publishing.
| Cookie name | Provider | Category | Purpose | Type | Storage |
|---|---|---|---|---|---|
| cookie_consent_* | Consent manager | Strictly necessary | Stores cookie preferences | First-party | 6–12 months |
| PHPSESSID | Hosting / WordPress | Strictly necessary | Session management | First-party | Session |
| __cf_bm | Cloudflare, if used | Strictly necessary | Bot management and security | Third-party | Up to 30 minutes |
| _ga / _ga_* | Google Analytics 4, if used | Analytics | Usage statistics | First-party | 2–14 months |
| _gid | Google Analytics 4, if used | Analytics | Session statistics | First-party | 24 hours |
| _gcl_au | Google Ads, if used | Advertising | Conversion tracking | First-party | 3 months |
| _fbp | Meta, if used | Advertising | Campaign measurement / remarketing | First-party | 3 months |
| NID / SID / HSID | Google Maps, if embedded | Functional | Map display and preferences | Third-party | Varies |
| __Secure-ENID | Google / reCAPTCHA, if used | Functional / security | Spam and abuse prevention | Third-party | Varies |
| vuid | Vimeo, if embedded | Functional | Video player preferences and analytics | Third-party | Varies |
| VISITOR_INFO1_LIVE / YSC | YouTube, if embedded | Functional / advertising depending on setup | Video playback and measurement | Third-party | Varies |
6. Third-party cookies and international transfers
Some third-party providers may process data outside the EEA. Where relevant, transfers are based on an adequacy decision, the EU–US Data Privacy Framework for certified organisations, Standard Contractual Clauses, or other appropriate safeguards.
You can find more information in our Privacy Policy.
7. Managing cookies
You can manage cookies in three ways:
- use the Cookie settings link in the footer;
- change your browser settings;
- delete stored cookies from your device.
Blocking all cookies may affect essential website functionality.
8. Contact
Questions about cookies can be sent to:
office@projectONE.co
You may also contact the Commission for Personal Data Protection using the contact details in our Privacy Policy.