Privacy Policy
Effective date: 03.09.2025
1) Who we are (Controller)
Project ONE OOD (Bulgarian: „Проджект 1“ ООД)
UIC (EIK): 205322886 • VAT: BG205322886
Registered office: ul. Vitoshka Zornitsa 3, Building 2, Apt. 9, Dragalevtsi, 1415 Sofia, Bulgaria
Website: projectone.co
Email for privacy matters: office@projectONE.co
Data Protection Officer: Not appointed.
Supervisory authority (Bulgaria): Commission for Personal Data Protection (CPDP), 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria, kzld@cpdp.bg, cpdp.bg.
Applicable laws: EU GDPR and the Bulgarian Personal Data Protection Act; sectoral rules incl. Bulgarian accounting rules and AML/KYC legislation.
2) Scope
This notice covers how we process personal data when you visit our website, make an enquiry, book/view a property, become a client/supplier, or otherwise interact with us (online or at our sales office/show homes).
3) What we collect and why (purposes & legal bases)
We only process what’s necessary:
A. Website visitors & security
-
Data: IP address, device and browser data, pages visited, timestamps, basic geolocation derived from IP, error logs.
-
Basis: Legitimate interests (operate a secure, reliable site).
B. Enquiries, viewing bookings & property interest
-
Data: name, email/phone, preferred properties, budget range, timing, notes (incl. call/meeting notes).
-
Basis: Pre-contractual steps / Contract; Legitimate interests (sales workflow and customer service).
C. Client onboarding, offers, reservations, contracts, and handover
-
Data: identity and contact details; correspondence; contract data; purchase/lease terms; payment and invoicing data; handover and snagging documentation.
-
Basis: Contract; Legal obligation (accounting/tax); Legitimate interests (project administration and claim defense).
D. AML/KYC (where required by law for real estate transactions)
-
Data: identity documents (ID/passport copy/number, nationality, birth date), address/utility bill, UBO/PEP status, sanctions screening results, source-of-funds/wealth confirmations, company register extracts.
-
Basis: Legal obligation (anti-money-laundering and counter-terrorist-financing rules).
E. Marketing & events
-
Data: name, email, preferences, engagement with emails; event RSVPs and attendance; photos/videos from our events or show homes (only with appropriate notices/consent where required).
-
Basis: Consent for email marketing and optional cookies; Legitimate interests for business communications to corporate contacts (where permitted); Consent for identifiable image use.
F. Recruitment (if you apply)
-
Data: CV/cover letter, contact details, interview notes, references (where provided).
-
Basis: Pre-contractual steps; Consent where applicable.
Children: For online services in Bulgaria, parental/guardian consent is required where the child is under 14. We do not knowingly target children.
4) Where the data comes from
-
Directly from you (forms, email, phone, in person).
-
Your device/browser (see Cookie Policy).
-
Lawful third-party sources: public registers (e.g., Commercial Register/BRRA, Property Register, Cadastre), credit/AML databases, professional referrers and portals (e.g., real estate listing platforms), and counterparties (e.g., your bank or lawyer) where appropriate.
5) Who we share data with (categories of recipients)
-
Processors (service providers): hosting and cloud services, email/SMS providers, CRM and deal-flow tools, e-signature platforms, appointment scheduling tools, analytics/measurement (only if you consent to non-essential cookies), customer support/chat tools, IT/security providers. All are bound by data-processing agreements and confidentiality.
-
Professional counterparties (usually independent controllers): notaries, banks/financing institutions, appraisers, surveyors, lawyers, insurers, developers and co-brokers, property managers, and public authorities/registries as legally required.
-
Corporate transactions: if we reorganise, merge, or transfer business, data may be disclosed as part of the process under appropriate safeguards.
We do not sell personal data.
6) International transfers
When using providers outside the EEA, we rely on appropriate safeguards, such as an EU adequacy decision (e.g., EU–US Data Privacy Framework for certified US organisations) and/or the European Commission’s Standard Contractual Clauses, plus supplementary measures where needed.
7) Retention
We keep data only as long as needed or as required by law:
-
Website/security logs: typically up to 12 months, unless needed longer for incident review.
-
Enquiries & viewing records: up to 24 months after last interaction (or earlier upon objection/withdrawal).
-
Marketing lists: until you withdraw consent or after inactivity clean-ups.
-
Client/property files (offers, contracts, snagging, handover): generally 5 years after closing/end of relationship (for claim limitation), unless longer is necessary for legal claims or warranties.
-
Accounting & invoicing: 10 years from 1 January of the year following the reporting period (statutory rule).
-
AML/KYC records: 5 years after the end of the business relationship or the occasional transaction, extendable if required by law.
8) Your rights
Subject to law, you may:
-
Access, rectify, or erase your data;
-
Restrict processing or object to processing based on legitimate interests (including direct marketing);
-
Withdraw consent at any time (this won’t affect past lawful processing);
-
Request data portability.
To exercise rights, email office@projectONE.co. You can also lodge a complaint with CPDP (details above).
9) Cookies & similar technologies
See our Cookie Policy for details on categories used, your choices (Accept all / Reject all / Customize), and how to change or withdraw consent any time via the Cookie settings link in the site footer.
10) Security
We use administrative, technical, and physical safeguards (TLS, access controls, least-privilege, logging, vendor due diligence). No method is 100% secure, but we work continuously to protect your data.
11) Automated decision-making
We do not use automated decision-making that produces legal or similarly significant effects about you.
12) Changes
We may update this notice from time to time. The latest version will always be available here with an updated Effective date.
Cookie Policy
Effective date: [add before publishing]
1) What cookies are
Cookies are small files placed on your device by our site. They can be essential (strictly necessary for the site to work) or non-essential (analytics, functional, advertising, social media).
2) Your choices (consent)
-
We ask for your consent before setting non-essential cookies.
-
Consent must be freely given, specific, informed, and unambiguous: no pre-ticked boxes.
-
The banner shows “Accept all”, “Reject all”, and “Customize” with equal prominence.
-
You can change or withdraw consent anytime via the persistent “Cookie settings” link in the footer.
-
Rejecting categories may affect certain features (e.g., embedded maps or videos).
3) How our banner works
-
On first visit, only strictly necessary cookies are active.
-
If you choose Customize, you can toggle categories on/off.
-
We store a small cookie to remember your choices and keep a lightweight log of consents for compliance.
4) Cookie categories we use
-
Strictly necessary (always on)
– Purpose: site operation, security, network management, load balancing, cookie-consent storage.
– Typical tools: core WordPress, hosting/CDN (e.g., PHPSESSID, __cf_bm), security firewalls.
-
Functional (opt-in)
– Purpose: enhanced features such as embedded maps, form protection, scheduling, chat.
– Typical tools (if enabled): Google Maps, reCAPTCHA (spam protection), Calendly, Intercom/Tidio (live chat), Vimeo/YouTube player preferences.
-
Analytics/measurement (opt-in)
– Purpose: understand site usage (which listings are viewed, session metrics), improve UX and performance.
– Typical tools: Google Analytics 4 (IP masking and retention controls), Hotjar (UX feedback/heatmaps).
-
Advertising & social media (opt-in)
– Purpose: measure campaigns and show relevant ads (e.g., remarketing of specific listings).
– Typical tools: Google Ads (incl. gclid), Meta pixel (_fbp), LinkedIn Insight Tag, social share widgets.
We may load some functional services (e.g., maps/videos) only after you click a placeholder (“Click to load map/video”) to avoid dropping cookies before consent.
5) Example cookie table (edit to match your actual setup)
|
Name |
Provider |
Category |
Purpose |
Type |
Storage |
|---|---|---|---|---|---|
|
cookie_consent_* |
CMP (consent manager) |
Strictly necessary |
Stores your cookie choices |
1st-party |
6–12 months |
|
PHPSESSID |
Hosting / WordPress |
Strictly necessary |
Session management |
1st-party |
Session |
|
__cf_bm |
Cloudflare (if used) |
Strictly necessary |
Bot management |
3rd-party |
≤30 minutes |
|
_ga, _ga_* |
Google Analytics 4 |
Analytics |
Usage statistics |
1st-party |
2–14 months |
|
_gid |
Google Analytics 4 |
Analytics |
Session stats |
1st-party |
24 hours |
|
_gcl_au |
Google Ads |
Advertising |
Conversion tracking |
1st-party |
3 months |
|
_fbp |
Meta |
Advertising |
Remarketing |
1st-party |
3 months |
|
NID / SID / HSID |
Google Maps (if embedded) |
Functional |
Map display & preferences |
3rd-party |
Up to 6 months |
|
__Secure-ENID |
reCAPTCHA (if used) |
Functional/Security |
Spam & abuse prevention |
3rd-party |
Up to 13 months |
|
vuid / yt_prefs |
Vimeo / YouTube (if embedded) |
Functional |
Video player settings |
3rd-party |
Varies |
Note: Third-country transfers may occur for some providers. Where relevant, we rely on EU adequacy decisions (e.g., EU–US Data Privacy Framework for certified providers) or Standard Contractual Clauses plus supplementary measures.
6) Managing cookies
-
Use the Cookie settings link (footer) to change or withdraw consent anytime.
-
You can also control cookies through your browser settings. Blocking all cookies may impair essential site functions.
7) Contact
Questions about cookies? Email office@projectONE.co. You can also contact CPDP (see Privacy Policy).
Recent Comments