PRIVACY POLICY
Last Updated: 15 September, 2025
INTRODUCTION
This Privacy Policy (“Policy”) sets forth the principles and practices by which Viditrack EOOD (“Company”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards personal data. Viditrack EOOD is a company duly incorporated under the laws of Bulgaria (Company No. 207864476), with its registered office at Raiko Daskalov 68, Floor 2, Office 8, 4000 Plovdiv, Bulgaria.
This Policy applies equally to: End-Users of the Table Quest platform, which facilitates restaurant reservations and pre-orders; and Restaurant Partners utilizing the Table Host platform for the management of reservations, menus, and related services.
The Company is committed to ensuring that all processing of personal data is carried out in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Bulgarian Personal Data Protection Act, and other applicable European and international data protection laws.
This Policy forms an integral part of the Table Quest Terms of Use and the Table Host Partner Terms. In the event of any inconsistency between translations, the English version shall prevail. This Policy also addresses the roles and responsibilities of the Company and Restaurant Partners as separate or joint controllers, depending on the context of processing.
- SCOPE OF APPLICATION
This Policy applies to all processing of personal data carried out by Viditrack EOOD in connection with the operation of its platforms, websites, and related services. Specifically, it applies to:
- End-users who access and use the Table Quest platform to browse restaurants, make reservations, place pre-orders, and complete payments.
- Restaurant Partners who register with the Table Host platform to manage reservations, configure menus, process customer orders, and receive payments.
- Visitors to our websites and mobile applications, whether they create an account or use transactional features.
- Representatives and staff of Restaurant Partners, insofar as their personal data is processed for the purposes of account administration, contractual performance, compliance with legal obligations, and communication with the Company.
- This Policy governs all personal data collected online (through websites, mobile applications, cookies, or analytics tools) and offline (through email, telephone, or contractual documentation) in connection with the services of Table Quest and Table Host.
- This Policy is designed to provide transparency regarding our data practices and to ensure compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Bulgarian Personal Data Protection Act, and any other applicable European and international data protection laws.
- This Policy forms an integral part of the Table Quest Terms of Use and the Table Host Partner Terms. By using our services, you acknowledge that you have read and understood this Policy and agree to its application in conjunction with the Terms mentioned above.
- For the avoidance of doubt, Restaurant Partners may process certain categories of personal data as independent controllers for their own legal and regulatory obligations (e.g., invoicing, accounting, KYC, or food safety compliance). Such processing falls outside the scope of this Policy, and Restaurant Partners remain solely responsible for their compliance.
- Where Restaurant Partners are established outside the EU/EEA, they act as independent controllers with respect to personal data processed for their own obligations (e.g., invoicing, accounting, or local regulatory compliance). Viditrack EOOD does not control such processing or the associated data transfers, and Restaurant Partners remain solely responsible for compliance with applicable local and international data protection laws.
- LEGAL BASES FOR PROCESSING
We process personal data exclusively on the legal grounds permitted by the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Bulgarian Personal Data Protection Act, and other applicable European laws. In particular, processing activities are carried out pursuant to Article 6 GDPR on the following bases:
- Contractual Necessity (Article 6(1)(b) GDPR). Processing that is strictly required for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject before entering into such a contract. This includes:
- creating and managing user or partner accounts;
- processing restaurant reservations and pre-orders;
- facilitating secure payment transactions;
- providing customer support and related operational services.
- Legitimate Interests (Article 6(1)(f) GDPR). Processing that is necessary for the Company’s legitimate interests, provided such interests are not overridden by the fundamental rights and freedoms of the data subject. Legitimate interests pursued by the Company include:
- safeguarding the security and integrity of our platforms;
- detecting, preventing, and investigating fraudulent or unlawful activities;
- maintaining, optimizing, and improving our services and user experience;
- protecting our legal rights and enforcing contractual obligations.
- Consent (Article 6(1)(a) GDPR). Processing that is based on the freely given, specific, informed, and unambiguous consent of the data subject. This applies in particular to:
- the distribution of marketing communications and promotional offers;
- the deployment of non-essential cookies and similar tracking technologies;
- the use of advanced analytics and profiling tools to enhance service personalization.
- Consent may be withdrawn at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Legal Obligation (Article 6(1)(c) GDPR). Processing that is necessary for compliance with legal obligations to which the Company is subject under European and Bulgarian law. Such obligations include:
- compliance with accounting, tax, and corporate record-keeping requirements;
- compliance with anti-money laundering (AML) and counter-terrorist financing (CTF) regulations;
- responding to lawful requests and orders from regulatory authorities or courts.
- PURPOSES OF PROCESSING
We process personal data exclusively for specified, explicit, and legitimate purposes, in line with the principle of purpose limitation under Article 5(1)(b) GDPR. In particular, personal data is processed for the following purposes:
- Provision of Core Services. To enable and manage restaurant reservations, pre-orders, order processing, and related account functionality across the Table Quest and Table Host platforms.
- Payments and Financial Administration. To process, authorize, and confirm payments; to issue invoices and receipts; and to maintain records necessary for compliance with applicable accounting, tax, and anti-money laundering obligations.
- Account and Partner Management. To establish and maintain user accounts, partner dashboards, and administrative profiles, including authentication, access management, and configuration of service preferences.
- Service Communications. To provide booking confirmations, reminders, updates, and other transactional or service-related notifications necessary for the proper performance of our services. These communications are considered operational in nature and do not constitute marketing. Opting out of marketing or promotional communications will not affect the receipt of transactional or operational communications that are strictly necessary for the provision of our services.
- Platform Integrity and Security. To ensure the proper functioning, monitoring, and protection of our platforms; to detect and prevent fraud, abuse, or other unlawful activities; and to safeguard the confidentiality, availability, and integrity of personal data.
- Customer Support and Dispute Resolution. To respond to inquiries, handle complaints, resolve disputes, and provide efficient customer care to both End-Users and Restaurant Partners.
- Analytics and Service Optimization. To conduct statistical analysis, usage monitoring, product development, and quality assurance in order to improve user experience, optimize platform performance, and enhance service offerings.
- Marketing and Promotional Communications. To deliver marketing materials, promotional offers, and personalized content where valid and explicit consent has been obtained, and only to the extent permitted by applicable data protection and ePrivacy laws.
- DATA WE COLLECT
We collect and process only such personal data as is necessary for the lawful provision of our services and in strict compliance with the principles of lawfulness, fairness, and transparency under Article 5 GDPR. Depending on your interaction with our platforms, we may collect and process the following categories of data:
- Identity and Contact Information: Full name, username, and title; Email address, telephone number, and other communication details; Account credentials and authentication tokens.
- Transactional Information: Reservation details, booking confirmations, and pre-order history; Payment confirmations, billing history, and records of financial transactions; Communications and service interactions relating to reservations and orders.
- Partner Information (for Restaurant Partners and their representatives): Legal entity details, company name, and business registration information; VAT number, tax identification, and other statutory identifiers; Authorized representatives and designated staff contacts; Bank account details, billing information, and payment credentials.
- Technical and Usage Data: Internet Protocol (IP) address, device identifiers, browser type, operating system; Log files, session activity, and access timestamps; Cookies and similar tracking technologies (as further described in the Cookies and Similar Technologies section); Geolocation data and device settings, where enabled by the user.
- Communication Data: Records of correspondence with customer support or partner relations; Responses to surveys, feedback forms, or promotional campaigns; Preferences expressed in account settings or marketing consents.
- Children’s Data. Our services are not directed to individuals under the age of 16 (or under 13, where permitted by applicable law). We do not knowingly collect or process personal data relating to minors. If we become aware that such data has been collected without appropriate parental or guardian consent, we will promptly delete it in accordance with Article 8 GDPR.
- Automated Decision-Making and Profiling. We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significant consequences for users, within the meaning of Article 22 GDPR. Where computerized tools are used (e.g., for analytics or personalization), such processing does not override user rights or freedoms and remains subject to appropriate safeguards.
- We do not collect special categories of data (such as racial or ethnic origin, political opinions, religious beliefs, or health data) unless explicitly required and consented to under Article 9 GDPR, and only in strict compliance with applicable law.
- Transactional Communications: confirmations, reminders, and service notifications relating to bookings and orders. Such communications are service-based and not considered marketing.
- DATA SHARING AND DISCLOSURE
We share personal data only where necessary for the proper performance of our services, in full compliance with Articles 26–28 GDPR, and subject to appropriate contractual safeguards.
- Joint Controllers. In certain circumstances, we and our Restaurant Partners may act as joint controllers (within the meaning of Article 26 GDPR) when jointly determining the purposes and means of processing – for example, when processing reservation details and related customer interactions. In such cases, the essential arrangement between the Company and the Restaurant Partner shall be made available to data subjects upon request.
- Processors and Sub-Processors. We engage third-party service providers acting strictly as processors on our behalf, bound by written Data Processing Agreements as required by Article 28 GDPR. These include:
- Payment Processors: Stripe, Inc. and its affiliates. Please note that in some instances, Stripe acts as an independent controller for payment data (e.g., card details, fraud detection). In such circumstances, Stripe’s privacy policy applies in addition to this Policy.
- Cloud Infrastructure Providers: such as Amazon Web Services (AWS), Google Cloud Platform (GCP), or equivalent, for secure data hosting and storage.
- Analytics Providers: such as Google Analytics or Mixpanel, used for monitoring usage and improving platform performance.
All processors engaged by the Company are bound by written agreements in accordance with Article 28 GDPR, requiring them to: process personal data only on our documented instructions; maintain strict confidentiality obligations for personnel; implement appropriate technical and organizational measures to ensure data security; provide assistance in facilitating the exercise of data subject rights; and allow for audits and inspections to verify compliance.
- Regulatory and Legal Disclosure. We may disclose data to competent authorities, regulators, or courts where required to comply with legal obligations under Bulgarian, EU, or international law (Article 6(1)(c) GDPR).
- Corporate Transactions. In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to third parties subject to adequate contractual and technical safeguards.
- No Unauthorized Sharing. We do not sell, rent, or otherwise disclose personal data to third parties for their independent marketing or commercial purposes without explicit consent.
All third-party access to personal data is limited to what is strictly necessary and subject to confidentiality obligations, data security measures, and continuous monitoring to ensure GDPR compliance.
- USER RIGHTS
Pursuant to Articles 12–23 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and in accordance with other applicable data protection laws, you are afforded the following rights in relation to your personal data:
- Right of Access. You are entitled to obtain confirmation as to whether we process your personal data and, where this is the case, to receive a copy of such data together with comprehensive information on the purposes of processing, the categories of data concerned, and the recipients or categories of recipients.
- Right to Rectification. You have the right to request, without undue delay, the correction of any inaccurate or incomplete personal data concerning you.
- Right to Erasure (“Right to be Forgotten”). You may request the deletion of your personal data where one of the grounds outlined in Article 17 GDPR applies, including where the data is no longer necessary for the purposes for which it was collected, or where you have withdrawn consent and no other lawful basis exists for processing.
- Right to Restriction of Processing. You have the right to request the limitation of processing in the circumstances enumerated under Article 18 GDPR, such as where the accuracy of the data is contested or the processing is unlawful, but you oppose erasure.
- Right to Object. You may object, on grounds relating to your particular situation, to the processing of your personal data carried out under Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where personal data is processed for direct marketing purposes, you may object at any time, and such data will no longer be processed for those purposes.
- Right to Withdraw Consent. Where processing is based on your consent under Article 6(1)(a) GDPR, you may withdraw that consent at any time, without affecting the lawfulness of processing carried out before such withdrawal.
- Right to Data Portability. You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and to transmit such data to another controller where technically feasible, in accordance with Article 20 GDPR.
- Procedure for Exercising Rights
- Requests may be submitted to privacy@viditrack.com. To safeguard your data, we may require verification of identity before fulfilling any request.
- We will respond to all valid requests within one (1) month of receipt. This period may be extended by up to two (2) additional months where the request is particularly complex or numerous, in which case you will be duly informed in accordance with Article 12(3) GDPR.
- In accordance with Article 12(5) GDPR, where requests are manifestly unfounded or excessive, we reserve the right to charge a reasonable administrative fee or to refuse to act on the request. In such cases, we will provide the reasons for our decision.
- Supervisory Authority and Right to Complaint. Without prejudice to any other administrative or judicial remedy, you have the right to complain to your local data protection authority or to our lead supervisory authority, the Commission for Personal Data Protection (CPDP), Bulgaria, if you consider that the processing of your personal data infringes applicable law.
- COOKIES AND SIMILAR TECHNOLOGIES
- We use cookies and comparable tracking technologies to operate, secure, and improve our services in accordance with the ePrivacy Directive (2002/58/EC), GDPR, and applicable Member State laws. “Cookies” include HTTP cookies, HTML5/local storage, SDKs, pixels, tags, web beacons, and device identifiers used in our websites and mobile applications.
- Types of Technologies We Use
- Strictly Necessary (Essential) Cookies. Enable core platform functionality, security, authentication, load balancing, and fraud-prevention. These are required for the service to work and are set by default.
- Functional Cookies. Remember choices (e.g., language, region, UI preferences) to provide enhanced, personalized features.
- Performance & Analytics Cookies. Measure usage, diagnose issues, and help us improve (e.g., page performance, feature adoption, crash reports). Data is aggregated or pseudonymized.
- Advertising & Personalization Cookies (subject to opt-in consent). Enable delivery of relevant offers, frequency capping, and performance measurement of campaigns. May be set by us or by authorized third parties (e.g., ad networks).
- Purposes and Legal Bases
- Strictly Necessary: processed based on legitimate interests (Article 6(1)(f) GDPR) and/or contractual necessity (Article 6(1)(b)) to provide the requested service (e.g., maintaining sessions, preventing abuse).
- Functional, Analytics, Advertising: processed only with your prior consent (Article 6(1)(a) GDPR) as required by the ePrivacy rules. You may withdraw consent at any time (see “Managing Your Preferences” below).
- Third-Party Cookies and SDKs. We may authorize trusted third parties to set cookies/SDKs for the purposes described above (e.g., cloud hosting, analytics, anti-fraud, payments, and—where consented—advertising). Such parties act either as processors (under our instructions) or as separate controllers for their own purposes. Where third parties act as controllers (e.g., specific analytics or ad providers), their privacy notices apply in addition to this Policy.
- International Transfers. Use of third-party cookies/SDKs may involve transfers of personal data outside the EU/EEA (including to the United States). Where such transfers occur, we rely on appropriate safeguards such as the European Commission Standard Contractual Clauses (SCCs) and, where necessary, supplementary measures consistent with Schrems II.
- No Covert Fingerprinting. We do not engage in non-transparent browser or device fingerprinting for advertising. Any device signals we process are limited to security and fraud-prevention, platform integrity, and service diagnostics, and are handled under the legal bases stated above.
- Managing Your Preferences (Consent & Withdrawal)
- Cookie Banner/Settings Center: On first visit and thereafter at any time, you can grant, refuse, or granularly adjust consent via our banner or “Cookie Settings” link in the footer/app menu.
- Withdrawal of Consent: You may withdraw consent at any time with future effect using the same controls.
- Browser/Device Controls: You can delete or block cookies via browser settings and manage mobile advertising IDs in device settings. Refusing or turning off non-essential cookies will not affect essential functions, but some features may become unavailable or operate with reduced performance.
- Retention
- Session Cookies: expire when you close your browser or end your app session.
- Persistent Cookies: remain for a defined period (e.g., days to months) specified in our cookie ledger and renewed only with valid consent.
We retain consent records (time stamp, categories, region/signal) to demonstrate compliance with GDPR/ePrivacy.
- Transparency: Cookie Ledger. We maintain an up-to-date cookie ledger (list of cookies/SDKs used, provider, purpose, and lifespan). The ledger is accessible via the Cookie Settings interface and may be appended to this Policy as an annex or hosted on our website. We review and update it periodically.
- Do Not Track & Preference Signals. While there is no EU-wide legal standard for “Do Not Track”, we honor applicable consent preference mechanisms supported by our platform and, where technically feasible, treat them consistently with EU consent requirements.
- Note: Additional details on analytics providers, advertising partners, and their data practices are available in the cookie ledger and the third parties’ own privacy notices.
- DATA SECURITY
- We take the protection of personal data seriously and maintain robust technical and organizational measures (“TOMs”) in compliance with Article 32 GDPR, the Bulgarian Personal Data Protection Act, and industry best practices. Our security framework is designed to ensure a level of protection appropriate to the risks presented by processing, including the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
- Technical Measures
- Encryption: All sensitive information is encrypted both in transit (TLS 1.2 or higher) and at rest using strong cryptographic standards (AES-256 or equivalent).
- Network Security: Firewalls, intrusion detection and prevention systems (IDS/IPS), and DDoS protection are employed to secure infrastructure.
- Access Controls: Role-based access control (RBAC), multifactor authentication (MFA), and the principle of least privilege are enforced to minimize risk.
- Segregation of Data: Logical separation of customer and partner data within hosting environments to prevent unauthorized cross-access.
- Organizational Measures
- Policies & Procedures: Comprehensive information security policies, including incident response, data handling, and acceptable use.
- Training & Awareness: Regular staff training on data protection, cybersecurity hygiene, and GDPR compliance.
- Vendor Management: Security due diligence and contractual safeguards for all processors and sub-processors.
- Data Protection Impact Assessments (DPIAs): Conducted where processing is likely to result in high risk to individuals’ rights and freedoms.
- Monitoring & Testing
- Penetration Testing: Regular internal and third-party penetration tests of applications and infrastructure.
- Vulnerability Management: Continuous monitoring and timely patching of systems and applications.
- Audit & Compliance: Periodic audits to assess compliance with GDPR, ISO/IEC 27001 standards, and other applicable frameworks.
- Data Resilience & Recovery
- Backups: Regular encrypted backups stored in geographically redundant data centers.
- Business Continuity Planning (BCP): Documented disaster recovery and continuity procedures to ensure service availability.
- Incident Response: Formalized incident management program to detect, report, and remediate security incidents, including mandatory breach notifications in line with Articles 33–34 GDPR.
- Where a personal data breach occurs, we will notify the competent supervisory authority within 72 hours in accordance with Article 33 GDPR, and data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR).
- DATA PROTECTION BY DESIGN AND BY DEFAULT
We adhere to the principle of data protection by design and by default as required under Article 25 GDPR, ensuring that data protection considerations are embedded throughout the lifecycle of our services. Specifically:
- Privacy by Design. Safeguards for the protection of personal data are integrated into the architecture of our platforms and services from the earliest stages of conception, design, and development.
- Privacy by Default. By default, we process only the minimum personal data necessary for each defined purpose. Access to such data is strictly limited to authorized personnel and configured to prevent unnecessary or excessive processing.
- Continuous Review and Alignment. We conduct regular reviews of product features, operational processes, and internal policies to ensure continued alignment with evolving data protection standards, industry practices, and regulatory guidance.
- Data Protection Impact Assessments (DPIAs). Where processing activities are likely to present a high risk to the rights and freedoms of individuals, we perform formal DPIAs to identify risks and implement appropriate technical and organizational safeguards before processing commences.
- Contractual and Procurement Controls. Security, confidentiality, and data protection requirements are systematically embedded in our contractual frameworks with third-party providers, suppliers, and partners, ensuring that external engagements meet the same high standards we apply internally.
- INTERNATIONAL DATA TRANSFERS
- We primarily store and process personal data within the European Union (EU) / European Economic Area (EEA). However, certain processing activities may require the transfer of personal data to jurisdictions outside the EU/EEA, including to countries that may not provide the same level of data protection as guaranteed under European law.
- In such cases, we implement appropriate safeguards in strict compliance with Chapter V of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), ensuring that data subjects continue to enjoy enforceable rights and effective legal remedies. These safeguards include:
- European Commission Standard Contractual Clauses (“SCCs”). Transfers are carried out pursuant to the most recent versions of the SCCs adopted by the European Commission under Decision (EU) 2021/914, which contractually bind recipients to GDPR-equivalent standards of protection.
- Adequacy Decisions. Where the European Commission has recognized a third country as providing an adequate level of protection under Article 45 GDPR, transfers are conducted on that basis.
- Supplementary Safeguards (Schrems II Compliance). In accordance with the judgment of the Court of Justice of the European Union in Case C-311/18 (“Schrems II”), we apply supplementary technical and organizational measures, including:
- robust encryption (with keys retained exclusively within the EU);
- strict access controls and monitoring of data requests;
- contractual commitments requiring the recipient to challenge unlawful government access requests where legally permissible.
- Transparency. Upon request, we will provide further details regarding the specific safeguards applied to a particular transfer, including access to the relevant SCCs or references to adequacy decisions.
- Limitations on Transfers. We do not transfer personal data to jurisdictions lacking enforceable rights or effective legal remedies for data subjects unless and until compliant safeguards have been implemented in accordance with GDPR requirements.
- Intra-EEA Transfers: Personal data may also be transferred and processed between data centers and service providers located within the EEA to ensure service continuity and resilience.
- DISCLAIMERS AND LIMITATIONS
- This Policy is intended to provide transparency in accordance with applicable data protection laws. It does not create or confer rights or obligations beyond those established under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Bulgarian Personal Data Protection Act, or other binding legislation.
- The rights described herein are not absolute and may be subject to lawful restrictions, including where processing is required:
- to comply with a legal obligation imposed upon the Company;
- for the establishment, exercise, or defense of legal claims; or
- for reasons of substantial public interest recognized under European Union or Member State law.
- The Company shall not be held liable for any processing of personal data undertaken independently by Restaurant Partners or by third parties acting as separate controllers, outside the scope and control of this Policy. Such entities remain solely responsible for their respective compliance obligations.
- To the fullest extent permitted by applicable law, the Company disclaims liability for any indirect, incidental, or consequential damages arising from or relating to the processing of personal data, except where such limitation is expressly prohibited by law.
- Certain rights may be restricted under Articles 17(3), 20(3), and 23 GDPR, including where processing is required for legal compliance, public interest, or the establishment, exercise, or defense of legal claims.
- DATA RETENTION
- We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with applicable legal, regulatory, and contractual obligations, in line with the principle of storage limitation under Article 5(1)(e) GDPR. Retention periods are determined by reference to:
- the nature and category of the data;
- the purpose of processing;
- statutory or regulatory requirements; and
- the legitimate interests of the Company, balanced against the rights and freedoms of the data subject.
- Specifically:
- Account Data. Personal data associated with user or partner accounts is retained for the duration of the contractual relationship and deleted upon account closure, subject to any legal obligations requiring further retention.
- Transactional Data. Booking, order, and payment records are retained for a minimum of five (5) years to comply with Bulgarian commercial and tax law and other applicable EU record-keeping requirements. Certain documents may be retained for up to ten (10) years where required by statutory accounting or anti-money laundering obligations.
- Cookies and Tracking Technologies. Retention periods for cookies and comparable technologies vary depending on their purpose (e.g., session, functional, analytics, or marketing) and are specified in our Cookie Banner and Cookie Ledger. Users may adjust or withdraw consent at any time.
- Communications and Support Data. Customer service records, correspondence, and support tickets are retained for as long as reasonably necessary to resolve the inquiry, establish or defend legal claims, or comply with statutory retention requirements.
- Backup Copies. Data contained in system backups may remain stored for longer periods in secure, access-restricted archives, but will be permanently overwritten or deleted in accordance with defined retention schedules.
- Deletion and Anonymization. Upon expiry of the applicable retention period, personal data will be securely deleted or irreversibly anonymized, ensuring that it can no longer be associated with an identifiable individual.
- Retention periods are determined by reference to criteria including legal obligations, limitation periods for claims, business necessity, and technical constraints. Where data is retained for the establishment, exercise, or defense of legal claims, it will be archived with restricted access until the claim is resolved or the limitation period has expired.
- CHILDREN’S DATA
- Our platforms and services are not directed to, and are not intended for use by, individuals under the age of 16 (or under 13 where permitted by applicable local law). We do not knowingly collect, use, or process personal data relating to minors.
- If we become aware that personal data of a child has been collected without the necessary parental or guardian consent as required under Article 8 GDPR, we will take immediate steps to:
- Delete the Data – promptly and securely erase the child’s personal data from our systems, unless we are legally obliged to retain it.
- Notify the Parent or Guardian – where possible, inform the parent or guardian of the incident and the remedial measures taken.
- Prevent Further Processing – implement technical and organizational safeguards to prevent continued processing of such data.
- Parents or legal guardians who believe their child has provided personal data to us without consent may contact us at privacy@viditrack.com. Upon verification of both identity and relationship to the child, we will take all appropriate remedial actions without undue delay.
- To further mitigate risks, we actively monitor our services to ensure they are not used to solicit or collect information from minors.
- Any such data shall be erased immediately and without undue delay upon discovery, unless continued retention is required by law.
- CONTACT INFORMATION
- Viditrack EOOD has formally appointed a Data Protection Officer (“DPO”) pursuant to Article 37 GDPR. The DPO operates independently and may be contacted directly for any matters relating to the processing of personal data and the exercise of your rights under this Policy.
- If you have any questions, concerns, or requests relating to this Policy or the processing of your personal data, you may contact us at:
Data Protection Officer (DPO)
Viditrack EOOD
Raiko Daskalov 68, Floor 2, Office 8, 4000 Plovdiv, Bulgaria
Email: privacy@viditrack.com
- For matters relating to supervision and enforcement, our lead supervisory authority is:
Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd. Sofia 1592, Bulgaria
Website: https://www.cpdp.bg
- You may also lodge a complaint with the CPDP or with the supervisory authority in your habitual place of residence, place of work, or place of the alleged infringement, in accordance with Article 77 GDPR.
- AMENDMENTS
- We may amend this Policy from time to time to reflect changes in legal requirements, industry standards, or service developments. Updated versions will be published on our websites and applications with the “Last Updated” date revised accordingly. Where changes materially affect your rights or the way we process your data, we will notify you in advance by email or a prominent in-app notice.
- While this Policy is intended for a global audience, it is governed by and shall be interpreted in accordance with GDPR and the applicable laws of Bulgaria. Where local data protection laws apply in addition to GDPR (e.g., in the United Kingdom or the United States), we comply with such laws to the extent required.