
Privacy Policy


Effective Date: April 19, 2026 · Version: 2.0

This Privacy Policy describes how GNXSoft LTD ("GNXSoft", "we", "our", or "us") collects, uses, discloses, and safeguards personal data when you visit gnxsoft.com, submit a contact form, subscribe to our newsletter, or engage with our services. GNXSoft LTD is a Bulgarian limited liability company registered at str. Tsar Simeon I 56, Burgas 8000, Bulgaria, and acts as the data controller for personal data collected through this website.

We comply with Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR), the Bulgarian Personal Data Protection Act, and sector-specific obligations including NIS2, PCI DSS (where card data is in scope), and Bulgarian National Revenue Agency (NAP) fiscal rules for customers whose deployments we operate.

Data protection contact: Our Data Protection Officer can be reached at dpo@gnxsoft.com for any privacy-related request or complaint.

1. Information We Collect

We collect personal data only where we have a lawful basis under Article 6 GDPR. The categories below reflect everything this website and our managed services may process.

Personal Information You Provide
  • Name, business email, company, and message content submitted through the contact form (legal basis: legitimate interest in responding to business enquiries).
  • Name and email when you submit a blog comment (legal basis: consent, which you may withdraw by requesting removal).
  • Email address when you subscribe to our newsletter (legal basis: consent, with a one-click unsubscribe in every message).
  • Professional information you voluntarily share during commercial discovery calls (e.g. job role, project scope), used only to prepare a proposal.
Information Collected Automatically
  • IP address and browser user agent (legal basis: legitimate interest in security, abuse prevention, and fraud detection; see Section 7).
  • Pages visited, time on page, and referring URL (via privacy-respecting analytics; no cross-site tracking).
  • Device class, operating system, and browser type for accessibility and compatibility diagnostics.

We do not collect special category data (health, biometrics, political opinions) through this website. Card data entered during any future commerce flow is handled exclusively by our PCI DSS-compliant payment processor; GNXSoft never stores raw PAN or CVV.

2. How We Use Your Information

  • Respond to commercial enquiries, prepare proposals, and deliver engaged services.
  • Moderate and display blog comments and reply to community questions.
  • Send product updates and engineering insights to subscribers who have opted in.
  • Measure website performance and iteratively improve content and accessibility.
  • Detect, investigate, and respond to abuse, spam, fraud, and security incidents.
  • Meet legal, regulatory, audit, and tax obligations (including NAP fiscal rules where we operate fiscal deployments on behalf of customers).

3. Cookies and Local Storage

gnxsoft.com uses only the minimum cookies necessary for the site to function and defend itself:

  • Session Cookie (__sid): Maintains your browsing session. HttpOnly, SameSite=Lax, Secure; expires at end of session.
  • CSRF Token (csrftoken): Prevents cross-site request forgery on form submissions. Expires after 12 months.
  • Language Cookie (django_language): Stores your EN/BG preference so the site opens in your chosen language.

We do not set advertising, profiling, or third-party tracking cookies. You can block or delete cookies in your browser at any time; doing so may limit certain features (for example, the language switcher will not persist across sessions).

4. Third-Party Processors and Sub-Processors

We rely on a small, audited set of sub-processors. Each is bound by a Data Processing Agreement under Article 28 GDPR and contracted only for defined purposes:

  • Hetzner Online GmbH (EU, Germany): primary hosting and backups for gnxsoft.com and managed service infrastructure.
  • Amazon Web Services (EU, Frankfurt / Ireland): secondary hosting and disaster recovery region for customer deployments that require multi-cloud resilience.
  • Cloudflare (EU edges): DNS, TLS termination, and DDoS protection.
  • SMTP relay (self-hosted, Bulgaria): transactional email for contact form confirmations and newsletter delivery.
  • Google Analytics 4 (when a customer opts in): aggregated, IP-anonymised website analytics. See the Google Privacy Policy. Opt out via the Google Analytics Opt-out Add-on.

Any new sub-processor is announced on this page at least 30 days before production use.

5. International Data Transfers

By default, data stays within the European Economic Area. Where a sub-processor operates infrastructure outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and apply supplementary measures (encryption in transit and at rest, strict access controls) to meet the Schrems II standard.

6. Data Retention

  • Contact form submissions: retained for up to 24 months, then permanently deleted.
  • Commercial proposals and project correspondence: retained for the duration of the engagement plus 5 years for warranty and tax obligations.
  • Blog comments: retained while the associated post is published, or until you request removal.
  • Newsletter subscriptions: retained until you unsubscribe or request removal.
  • Security logs (IP addresses, firewall events): up to 90 days for incident investigation, then deleted or anonymised.
  • Fiscal data under NAP supervision (customer deployments only): retained per Bulgarian fiscal law (typically 10 years) and accessed only by personnel with a documented operational need.

7. Your Rights Under GDPR

If you are located in the EEA or the UK, you have the following rights under GDPR / UK GDPR:

  • Right of Access (Art. 15): request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): ask us to correct inaccurate or incomplete data.
  • Right to Erasure (Art. 17): request deletion, subject to legal retention obligations.
  • Right to Data Portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to Restrict Processing (Art. 18) and Right to Object (Art. 21): limit or object to specific processing activities.
  • Right to Lodge a Complaint: with the Bulgarian Commission for Personal Data Protection (cpdp.bg) or your local supervisory authority.

We respond to verified requests within 30 days (extendable by 60 days for complex cases, with written notice). Contact dpo@gnxsoft.com to exercise any right.

8. Security Measures

Our technical and organisational measures follow an ISO 27001-aligned baseline and include:

  • TLS 1.3 with hybrid post-quantum key exchange (X25519 + ML-KEM-768) on all public endpoints.
  • Encryption at rest for databases and backups (AES-256-GCM, customer-scoped keys).
  • Role-based access control, hardware-key MFA for all production access, and centralised audit logging.
  • Annual third-party penetration tests and quarterly internal security reviews.
  • Structured incident response with a named incident commander and a 4-hour SLA for managed operations customers.

9. Data Breach Notification

In the event of a personal data breach likely to result in a risk to individuals' rights and freedoms, we will notify the Bulgarian Commission for Personal Data Protection within 72 hours as required by Article 33 GDPR, and affected individuals without undue delay.

10. Children's Privacy

Our website and services are intended for business users and are not directed at individuals under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently received such information, please contact us so we can delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy to reflect new services, legal requirements, or operational changes. Material changes will be announced at least 14 days in advance via the website banner and, where applicable, to subscribers by email. The "Effective Date" above always reflects the current version.

12. Contact Us

For privacy questions, data subject requests, or to report a concern:

  • Data Protection Officer: dpo@gnxsoft.com
  • General: info@gnxsoft.com · +359 896 13 80 30
  • Postal: GNXSoft LTD, str. Tsar Simeon I 56, Burgas 8000, Bulgaria
  • Web: Contact Page
