This Privacy Policy (“Policy”) explains how we process personal data in connection with:

• use of the Effortless Tax website and application (together, the “Application”), including registration and profile creation;
• entering into and performing contracts for the services we provide through the Application, including assistance with the preparation and filing of annual personal income tax returns under Bulgarian law;
• advertising, promotions and marketing campaigns relating to the Application and the services and products it offers.

Please read this Policy carefully to understand how we collect and process the personal data you provide.

Terms of Use. For conditions on using the Application, the services offered, ordering methods and other terms related to contracting with us, please see our Terms of Use available on the Website.

Definitions. The terms “personal data”, “processing”, “controller”, “processor”, “third country”, “international organisation”, “data subject”, “representative” and “Member State” (and their derivatives) have the meanings given in Regulation (EU) 2016/679 (the GDPR) and in applicable Bulgarian law.

1. Data Controller

1.1. The controller under this Policy and of the Application is “Effortless Tax” EDPK (single-member variable capital company), entered in the Commercial Register under UIC 208440078, with registered office and address of management: 47 Cherni Vrah Blvd., floor 6, Sofia, Bulgaria (the “Company”, “we”, “us”).
1.2. For questions about this Policy, contact us at our registered address or by email at support@effortless.tax.

2. Personal data we collect and process

2.1. We process the following categories of personal data:

• Data you provide when registering a profile in the Application: first and last name, email address, phone number.
• Data you provide in connection with services you order, contracts you enter into and their performance, including name(s), EGN (Personal Number), email, phone number, address, identity document details, nationality/ies and place of residence, tax and social security information, income and payers of income, expenses, payments and investments and their beneficiaries, bank accounts and account holders, taxes due, tax reliefs and related personal data, assets, liabilities to certain persons, order and payment history, etc.
• Information you provide when you contact or interact with us via any communication channel regarding specific matters, orders, complaints, enquiries or activity on social networks (e.g., Facebook)-including by phone, post, forms in the Application, email, social media or otherwise-such as name, email, phone number, social profile, photos, address, etc. In some cases, after prior notice, we may make audio recordings of your phone calls with us. When you contact us on social media, our profiles there may be public and your interactions or postings may be public. We do not control and are not responsible for the use of your social media profiles.
• Data related to payments and refunds in the cases provided, such as bank information, bank account, debit/credit card used, cardholder, etc.
• Data you provide when you subscribe to marketing communications from us or participate in surveys we organise.
• When you access and use our Application, we may collect and process information about your device and online identifiers (e.g., IP address, operating system, browser type, location) and about how you use the Application, as well as data from permitted cookies.

2.2. We usually collect data directly from you, and you are responsible for providing only accurate and truthful data you are entitled to disclose to us. In rarer cases, we may obtain personal data from public registers and authorities, such as the Commercial Register, the BULSTAT Register, the National Revenue Agency (NRA), etc.

2.3. In some cases, providing your personal data is necessary to conclude and perform a contract with you and to comply with legal requirements. For example, to provide our services we need data for your identification, nationality/ies, income and its payers, powers of attorney, etc. If you do not provide the required data, you may not be able to receive the ordered services, or the services may not be performed accurately or properly.

3. Your responsibilities when providing personal data

• Use the designated channels. Please provide personal data only through our designated channels - support@effortless.tax in particular. Avoid other channels (including in-app chatbots, social media profiles, ad-hoc email addresses or phone numbers), as we do not control them, they are not covered by our policies, and we bear no responsibility for them.
• Passwords. Do not share your passwords with anyone and keep your profile secure. You can change your password at any time in the Application or by contacting us.
• Third-party sites and external links. For your convenience, the Application may include advertisements, chatbots, or links to third-party sites or services (e.g., social networks, AI tools, content providers). This Policy does not apply to those third parties, and we are not responsible for their processing of personal data. If you choose to visit or use them, please review their privacy policies.
• Accuracy and rights. By providing us with data (including personal data) you declare and warrant that it is accurate and truthful, that you have the right to provide it for the purposes in our terms and policies, and that doing so does not infringe third-party rights (privacy, personality rights, copyright and related rights, intellectual property, etc.).

4. Purposes of processing (why we use your data)

4.1. Our primary purpose in collecting and processing personal data is to conclude and perform a services contract between us.
4.2. In addition, we may use limited categories of personal data you provide for the following purposes:

• to communicate with you and provide information you request about the Application, how to use it, and our services;
• to send administrative and legal information, such as changes to our terms, policies, contact details, reminders, etc.;
• to ensure the security and protection of our systems, the Application, our services, profiles and third-party information;
• for administrative, judicial and enforcement proceedings in cases provided by law, and to comply with or fulfil our obligations arising from statutes or acts of executive or judicial authorities;
• to exercise our rights or protect your, our, third-party or public legitimate interests, such as detecting, investigating and preventing theft, crime, fraud, abuse and other offences, and enforcing rights under contracts to which we are a party;
• to send newsletters, marketing materials and other notices by post, email or SMS-only where you have consented; you will always have a free and easy right to opt out;
• for statistical purposes and analytics to improve and change our products, services, procedures and policies concerning the Application and its functionalities (e.g., via information collected from your browser or app, such as IP address, OS, browser type, visit details, location, etc.).

5. Legal bases for processing

5.1. When you order services (including remotely), and for their provision and performance, processing is necessary for the conclusion and performance of a contract to which you are a party.
5.2. In other cases we may rely on additional legal bases, including:

• Your consent-e.g., to send you marketing communications or materials;
• Legal obligation-e.g., for your precise identification, accounting purposes, or administrative/judicial/enforcement proceedings;
• Legitimate interests of ours or a third party-e.g., some forms of direct marketing to our clients; detecting and preventing theft, crime, fraud, abuse; and improving our products, services, procedures and policies regarding the Application and its functionalities.

6. Recipients of personal data

6.1. Personal data you provide may be disclosed to the following categories of recipients:

• Public authorities and institutions, where done at your request or with your express authorisation, or as part of the service you have requested, or where you have agreed (e.g., the National Revenue Agency (NRA));
• Our service providers and subcontractors to the extent they need access to data to provide their services (e.g., accounting experts and lawyers; technical support relating to the services or the Application; hosting and payment providers; companies and persons from whom we license specialised software such as accounting software). We will take reasonable commercial measures (e.g., written agreements) so that their use of your personal data is confidential, limited to necessity or legal obligations, and compliant with data-protection rules;
• Persons to whom we are obliged to disclose data under applicable laws, acts of executive or judicial authorities, court proceedings, investigations of unlawful activity, or lawful requests by governmental, judicial or regulatory bodies;
• Third parties where we have a reasonable belief that disclosure is necessary to prevent death, harm or financial loss, or for detecting, investigating and preventing theft, crime, fraud, abuse or other offences, including infringement of our rights or the rights of others (e.g., privacy rights);
• Third parties in a corporate transaction (reorganisation, merger, consolidation, sale, joint venture, transfer or other disposition of all or part of our business);
• Publicly, where you interact with us on social media-our profiles there may be public and your interactions may be public. This also depends on your profile settings; we do not control or take responsibility for your social media profile.

7. Transfers to third countries

7.1. Sometimes providing our services may require transferring personal data to jurisdictions outside the European Union with different data-protection laws; for example, if we use a provider established in the United States. In such cases we will transfer personal data to a third country only on the basis of:
a) a European Commission decision on an adequate level of protection for that country (GDPR Art. 45); or
b) appropriate safeguards under GDPR Art. 46, including reliance on the Standard Contractual Clauses, as amended or replaced by the European Commission, or suitable safeguards with specific authorisation by a competent supervisory authority; or
c) binding corporate rules approved by a competent supervisory authority (GDPR Art. 47); or
d) your consent to such transfer.

8. Your rights

8.1. Right to withdraw consent. Where we process your personal data on the basis of your consent (e.g., some marketing), you may withdraw it at any time for that processing. This does not affect the lawfulness of processing before withdrawal. You may exercise this right free of charge by: (i) emailing support@effortless.tax with a clear statement that you withdraw consent; (ii) writing to our registered address; or (iii) using the contact form in the Application. If you withdraw consent, we will erase such data from our systems to the extent provided by law and within a reasonable time.
8.2. Right of access. You may request information at any time about the personal data we hold about you. In some cases this will be only the data you entered in your profile. We strive to provide it promptly and accurately; please note that collection and provision may require some technical time and security procedures.
8.3. Right to rectification. You may request correction of inaccurate personal data.
8.4. Right to erasure (“right to be forgotten”). This is not absolute and applies as provided by law. For example, you may request erasure where the data are no longer needed for the purposes for which they were collected, provided we have no legal obligation that requires further processing (e.g., some of your data continue to be processed for accounting, debt collection or tax purposes). We will honour any lawful and well-founded erasure request.
8.5. Right to restriction of processing as provided by law.
8.6. Right to data portability. In the cases provided by law, you may request to receive-or to have us transmit to a third party-a copy of your data in a structured, commonly used format (this applies only to data you provided that are processed automatically on the basis of your consent or a contract).
8.7. Right to object. In particular, you may object at any time to processing based on legitimate interests, for direct marketing, or for performance of a task in the public interest or exercise of official authority. We will stop processing unless there are compelling legal grounds which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. For direct marketing, you may object at any time by following the instructions in the message or by emailing support@effortless.tax.
8.8. Right to lodge a complaint. If you are established in the EU, you may lodge a complaint with a supervisory authority-in particular in your Member State of habitual residence, place of work or place of the alleged infringement. In Bulgaria, the supervisory authority is the Commission for Personal Data Protection (CPDP), address: 1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd. (website available on the CPDP portal).

9. Retention period

9.1. We will retain personal data as long as necessary for the relevant processing purposes and to fulfil our legal obligations.
9.2. In particular, we will retain:

• Contract data-generally 5 years from the end of the year of final performance of the relevant contract. Please note we will not retain all data you provided; at our discretion, after providing the service we may permanently destroy data you provided. Do not rely on us as an archive.
• Accounting and control data-in accordance with statutory accounting and control rules. Data processed for other statutory obligations will be retained until the obligation ceases.
• Marketing data-until you withdraw your consent (if applicable) or object, or upon deleting your profile, or when we remove your data from our other systems; or 2 years from your last order, whichever occurs first.
• We may delete inactive profiles in the Application after 2 years from the last active action.
• You may cease interacting with us on social media at any time using that platform’s tools.

9.3. Personal data we process for other purposes will be processed and stored as necessary and in accordance with data-protection laws and applicable standards.
9.4. For the avoidance of doubt, we may generate and retain aggregated statistical reports and materials that do not contain personal data and from which no individual can be identified. This Policy does not apply to such materials.

10. Changes to this Policy

10.1. We may amend this Policy and will publish any changes in the Application; we may also notify you by email or another appropriate method. Where we process your personal data on the basis of your consent and the changes affect such processing, we will inform you and seek your consent to the changes.

‍