Privacy Policy
1. Who We Are (Data Controller)
Interactive Bulgaria Foundation (IBF)
g.k. Iztok, ul. “Nikolay Ostrovski” 5, 1113 Sofia, Bulgaria
E-mail: ibfprojectbg@gmail.com | Tel: +359 877 366 209
IBF is the “controller” of the personal data processed via www.aistartup.space (“the Platform”).
2. Scope
This Policy applies to every visitor or registered learner who accesses the Platform, its sub-pages or any embedded/mobile version.
3. What Data We Collect and Why
- Account data
• Name, e-mail, password, profile URL, privacy settings
• Purpose: create and maintain your user account, authenticate log-ins
• Legal basis: GDPR Art 6 (1)(b) – contract performance
- Optional profile data
• Photo, title, phone number, postal addresses, personal bio
• Purpose: personalise your public profile if you choose to add these items
• Legal basis: GDPR Art 6 (1)(a) – consent
- Learning records
• Course enrolments, progress, quiz scores, issued certificates
• Purpose: provide courses, verify completion, compile anonymised Erasmus+ statistics
• Legal basis: GDPR Art 6 (1)(b) – contract; Art 6 (1)(c) – legal obligation under the Erasmus+ grant
- Communications content
• Forum posts, direct messages, support tickets
• Purpose: enable community interaction, respond to enquiries, moderate content
• Legal basis: GDPR Art 6 (1)(f) – our legitimate interest in running a safe learning environment
- Technical data
• IP address, device type, browser details, cookie identifiers
• Purpose: security, fraud prevention, site analytics, cookie-consent management
• Legal basis: GDPR Art 6 (1)(f) – legitimate interest
We do not intentionally collect special-category data (GDPR Art 9) or children’s data (under 16) without parental consent.
4. Cookies and Tracking
The Platform uses three cookie types:
- Essential cookies – session ID and CSRF token, required for basic functionality.
- Analytics cookies – Matomo hosted in the EU; loaded only after you give opt-in consent via the banner.
- Functional cookies – remember choices such as preferred language.
Analytics cookies are disabled by default, in line with the ePrivacy Directive and the Bulgarian PDPA.
5. How We Share Your Data
• Our EU-based cloud host stores Platform data under a GDPR-compliant data-processing agreement.
• A course-authoring sub-processor located in the EEA receives limited learning-record data.
• Erasmus+ auditors receive only anonymised completion statistics.
• Public authorities may receive data when we are legally obliged to provide it (e.g., a court order or a request from the Commission for Personal Data Protection).
IBF never sells or rents your personal data.
6. International Transfers
All production servers are inside the European Union. If an exceptional transfer outside the EEA becomes necessary, we will rely on GDPR Art 46 safeguards such as Standard Contractual Clauses or the EU–US Data Privacy Framework.
7. Data Retention
• Account and learning records are kept for five years after your last log-in to allow certificate verification.
• Support tickets are retained for two years.
• Cookie-consent logs are stored for six months.
• Encrypted backup archives are held on a rolling 30-day basis.
When a retention period ends, data are securely erased or irreversibly anonymised.
8. Your Rights
At any time you may:
- Access a copy of your personal data (Art 15 GDPR).
- Rectify inaccurate or incomplete data (Art 16).
- Erase your data—the “right to be forgotten” (Art 17).
- Restrict processing in specific circumstances (Art 18).
- Port your data to another service (Art 20).
- Object to processing based on legitimate interest (Art 21).
- Withdraw consent where processing is consent-based, without affecting prior lawfulness.
Exercise these rights by e-mailing privacy@interact.bg. We respond within one month.
You may also complain to the Bulgarian Commission for Personal Data Protection or to the supervisory authority in your country of residence.
9. Security Measures
• TLS 1.3 encryption for data in transit
• AES-256 encryption at rest
• Multi-factor authentication for administrators
• Daily encrypted backups (30-day retention)
• Quarterly penetration tests by an external firm
• 24/7 firewall, intrusion detection and DDoS mitigation
10. Automated Decision-Making
No fully automated decisions with legal or similarly significant effects are made. Certificate issuance simply reflects whether course-completion criteria have been met.
11. Digital Services Act (DSA) Notice Mechanism
Each forum post features a “Report” button. Notices of allegedly illegal content are assessed by moderators within 48 hours. Appeals may be sent to moderation@aistartup.space.
12. Changes to This Policy
We will update this Policy when legal or technical changes require it. Material changes are announced via e-mail and a homepage banner at least 14 days before they take effect.
This Privacy Policy is issued under GDPR Arts 12–14 and §23 of the Bulgarian PDPA, and it incorporates Erasmus+ contractual obligations.