At Ad Tech International, we recognize that trust is the foundation of every successful business relationship. As the organizer of B2B Growth Event, we are fully committed to protecting the personal data of our attendees, partners, speakers, sponsors, and website visitors.

This Privacy Policy explains how we collect, use, store, safeguard, and, where necessary, disclose personal information in connection with the organization and promotion of B2B Growth Event, including through our website, registration systems, and related communications.

When you register for the event, subscribe to updates, participate in event activities, or communicate with our team, you share certain personal information with us. We treat this responsibility with the utmost care and process your data in a lawful, fair, and transparent manner.

All personal data is processed in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and applicable national data protection laws. We implement appropriate technical and organizational measures designed to ensure the confidentiality, integrity, and availability of your information, and to protect it against unauthorized access, misuse, loss, or disclosure.

This Policy aims to provide clear and accessible information about:

• The categories of personal data we collect
• The purposes for which we process your data
• The legal bases for processing
• How long we retain your information
• Your rights as a data subject

Our objective is to ensure full transparency and data security, allowing you to engage with B2B Growth Event with confidence and peace of mind, while focusing on meaningful connections, knowledge exchange, and business growth.

SECTION I – General Information

Art. 1. Contact details of the Administrator responsible for processing personal data

Name: Аd Tech International
UIC: 205745480
Registered seat and business address:Sofia, Arsenalski Blvd 11, 1421
Telephone: +359 883 565 111
Email: hello@braindonors.agency

(2) The Administrator has not appointed a Data Protection Officer (DPO). This is since we process a limited amount of personal data and our activities do not fall within the categories for which the GDPR mandates the designation of a DPO. For this reason, no contact details for such a person are provided.

Art. 2. Contact details of the competent supervisory authority

Name: Commission for Personal Data Protection
Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Correspondence address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Telephone: +359 2 91 53 518
Website: www.cpdp.bg

SECTION II – Frequently Used Terms

Art. 3. For the purposes of this Privacy Policy, the following terms shall have the following meaning:

“Personal data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing of personal data” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making the data available, alignment or combination, restriction, erasure or destruction.

“Data Controller” (Administrator) means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Administrator.

“Data subject” means an identified or identifiable natural person to whom the personal data relates.

“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by a statement or by a clear affirmative action, by which he or she signifies agreement to the processing of personal data relating to him or her.

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Legitimate interest” means an interest pursued by the Administrator or by a third party, sufficiently justified to warrant the processing of personal data, provided that such interest does not override the interests, fundamental rights and freedoms of the data subject.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person’s professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Cookies” means small text files stored on your device (computer, tablet, smartphone, etc.) when you visit our website. Cookies help the Administrator ensure the proper functioning of the website, improve your user experience, and provide personalised content and advertising.

SECTION III – Legal Grounds for Processing Personal Data

Art. 4. The Administrator processes your personal data on the following legal bases pursuant to Art. 6(1) GDPR:

1. Consent – for receiving marketing communications, newsletters, and personalised recommendations.
2. Contract – for the provision of services requested by you (Providing tickets for access to an event)
3. Legal obligation – for meeting accounting and tax requirements.
4. Legitimate interest – for analysing service performance and improving service quality.

(2) The Administrator clearly distinguishes between personal data strictly necessary for contractual or legal compliance (e.g., name of a legal representative or individual, address, telephone, email) and data that is provided voluntarily (e.g., marketing phone number, service preferences). Refusal to provide mandatory information may prevent the Administrator from delivering the requested service.

(3) If the Administrator intends to process personal data for a purpose different from the original one, a compatibility assessment is carried out. Processing continues only if the new purpose is compatible (e.g., archiving or statistical analysis). Otherwise, new consent is required.

Art. 5. (1) Processing of your personal data is carried out strictly on one of the following legal grounds, each linked to a specific processing purpose:

1. Performance of a Contract (Art. 6(1)(b) GDPR) – processing contact details, names, and payment data necessary for providing tickets for access to an event)
2. Legal Obligation (Art. 6(1)(c) GDPR) – processing invoicing details, payment information and correspondence required for compliance with accounting and tax legislation.
   Legitimate Interest (Art. 6(1)(e) GDPR) – processing technical data (IP addresses), security data and logs for network security, fraud prevention and service improvement.
3. Consent (Art. 6(1)(a) GDPR) – processing of email addresses, preference data, marketing data and cookies when not essential for provision of core services.
   
   

(2) The Administrator processes the following categories of personal data for the respective purposes:

Identification data (mandatory):
Examples: name, surname, email, telephone.
Source: provided directly by you during registration or service request.
Purpose: identification and communication following tickets for access to an event

Technical data (automatically collected):
Examples: IP address, browser type, operating system, cookie data, time of visit.
Source: collected automatically upon visiting the website.
Purpose: technical operation and usage analytics.

Payment data (processed by a third party):
Examples: card number, expiry date, CVV, cardholder name.
Source: provided directly by you when making a payment.
Purpose: processing payments for requested services.
Processing: performed directly by our payment service provider, Stripe Inc.

(3) The Administrator does not collect or process special categories of personal data under Art. 9 GDPR.

(4) The services of the Administrator are not intended for individuals under 18 years of age. The Administrator does not knowingly collect data from children or minors. If such processing is detected, the data will be deleted without undue delay.

(5) Provision of core services is not conditioned on consent for processing that is not strictly necessary (e.g., marketing messages). Refusal to give optional consent will not limit essential website functionality.

Art. 6. (1) When processing your personal data, we adhere to the following principles:

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Storage limitation
5. Accuracy
6. Integrity, confidentiality and security

SECTION IV – Data Retention Periods and Security Measures

Art. 7. (1) The Administrator retains your personal data only for the time necessary to fulfil the purposes set out in this Policy or for as long as required by law. In determining retention periods, the following factors are considered:

1. Statutory requirements – obligations to archive accounting documents and business correspondence;
2. Technical possibilities – opportunities for anonymisation or pseudonymisation for analytical purposes.

(2) Specific retention periods:

1. Financial data and service documentation: 5 years from the last transaction (as required by accounting legislation);
2. Marketing communications and newsletter subscriptions: until consent is withdrawn or 24 months of inactivity;
3. Tracking technologies (cookies, pixels): 6 to 24 months depending on their purpose;

Art. 8. The retention periods result from a careful assessment of legal obligations, business needs, and your fundamental rights as a data subject. The Administrator prioritises the principle of minimisation of storage duration.

Art. 9. (1) Upon expiry of the applicable retention period, the Administrator promptly deletes or anonymises your personal data.

(2) Deletion is carried out through certified secure destruction methods ensuring irreversibility and preventing unauthorized access.

(3) Where full deletion is technically impossible or conflicts with justified business interests, anonymisation techniques are applied, eliminating any possibility of identifying you.

(4) Retention periods of the payment processor Stripe follow Stripe’s own retention policies, with only the last four digits of the card stored for accounting purposes.

Art. 10. (1) The Administrator implements comprehensive technical and organisational measures ensuring an appropriate level of security in relation to the risks for individuals.

(2) Measures include:

1. Encryption – TLS/SSL encryption for all communications between your browser and our website;
2. Access control – Multi-Factor Authentication (MFA) for access to critical systems;
3. Pseudonymisation / anonymisation – applied whenever feasible for analytics;
4. Regular testing – periodic penetration testing and security audits.

(3) Organisational measures include restricted access on a strictly “need-to-know” basis, mandatory staff training, and documented procedures for processing, storage and deletion.

(4) In the event of a high-risk personal data breach, you will be notified without undue delay, including information on:

1. the nature and scope of the incident;
2. contact details of our responsible data protection contact;
3. potential consequences and recommended measures;
4. actions undertaken to mitigate the impact.

(6) The Administrator uses the Cookie Script  Consent Management Platform (CMP) to manage cookie consent and maintain related records.

SECTION V – Parties with Access to Your Personal Data

Art. 11. (1) Following the performance of the contract by the Administrator and the provision of full website functionality, your personal data may be shared with the following categories of recipients who process data:

1. Staff responsible for handling service requests, delivering materials, or coordinating consultations;
2. Staff in the accounting and legal departments;
3. Hosting service providers;
4. State and regulatory authorities.

Purposes of processing:

1. Processing order-related data;
2. Processing accounting documentation in compliance with applicable legislation;
3. Protecting the legitimate and legal interests of the company in connection with its commercial activities;
4. Provision of information society services, including delivery of the digital service;
5. Regulatory reporting obligations and handling complaints submitted to competent authorities.

(2) All parties processing personal data strictly comply with the requirements for lawful and secure processing and storage. The Administrator acts as the sole controller of your data. However, in certain circumstances involving third-party platforms, joint controllership under Art. 26 GDPR may arise:

1. Joint controllership with Google LLC for data collected via Google Analytics or Google Ads, where Google determines the technical means and the Administrator determines the purposes of processing;
2. Other specific cases, such as HubSpot (CRM and marketing), Stripe Inc. (payments), and Webflow (hosting and CMS). These entities act as data processors, following the Administrator’s documented instructions and subject to Data Processing Agreements (DPAs) included in their terms of service.

SECTION VI – Data Subject Rights. Withdrawal of Consent

Art. 12. As a data subject, you have the full range of rights provided under the General Data Protection Regulation (GDPR), which you may exercise at any time with respect to the Administrator.

Art. 13. You may exercise the following fundamental rights:

1. The right to access your personal data and related information;
2. The right to request rectification of inaccurate or incomplete data;
3. The right to request erasure (“right to be forgotten”) under specific circumstances;
4. The right to request restriction of processing;
5. The right to data portability;
6. The right to object to processing, including profiling;
7. The right not to be subject to automated decision-making.

(2) When exercising the right to data portability, we will provide your data in a structured, commonly used, and machine-readable format (including, but not limited to, CSV, XML, or JSON). If technically feasible, you may request direct transmission of the data to another controller.

Art. 14. (1) You have the right to obtain confirmation as to whether personal data concerning you is being processed, and, where that is the case, access to the data and information about: the purposes of processing; the categories of data; the recipients; and the retention periods.

(2) When exercising your right of access, we will provide a copy of the personal data undergoing processing. A reasonable administrative fee may apply for additional copies. If the request is submitted electronically, the information will be provided in electronic format unless you request otherwise.

Art. 15. (1) You have the right to request the rectification of inaccurate personal data or completion of incomplete data by providing an additional statement.

(2) Upon rectification, the Administrator will notify all recipients to whom your data has been disclosed, unless this proves impossible or requires disproportionate effort.

Art. 16. (1) You may request the erasure of your personal data when:

1. The data is no longer necessary for the original purposes.
2. You withdraw your consent, and no other legal basis exists;
3. You object to processing.
4. Processing is unlawful;
5. Erasure is required for compliance with a legal obligation.

(2) The right to erasure does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.

Art. 17. (1) You may request restriction of processing where:

1. You contest the accuracy of the data;
2. The processing is unlawful and you oppose erasure;
3. The data is required for legal claims;
4. You have objected to processing pending the verification of overriding grounds.

(2) When processing is restricted, the data may only be processed for storage, with your consent, or for legal claims.

Art. 18. For data processed based on consent or contract through automated means, you have the right to receive the data in a structured, commonly used and machine-readable format and to transmit it to another controller. You may request direct transmission to another controller where technically feasible.

Art. 19. (1) You have the right to object to processing based on legitimate interest, including profiling. In such cases, processing will cease unless we demonstrate compelling legitimate grounds prevailing over your interests, rights and freedoms.

(2) Where personal data is processed for direct marketing purposes, you have an absolute right to object at any time. Processing for such purposes will cease immediately.

Art. 20. We do not use automated decision-making systems that produce legal effects concerning you. Should such systems be introduced, this Policy will be updated and you will be notified.

Art. 21. (1) To exercise your rights, you may submit a request via email, clearly indicating the right you wish to exercise. You must identify yourself appropriately to prevent unauthorised access to your data.

(2) The Administrator will provide information on actions taken without undue delay and in any event within one (1) month of receiving your request. This period may be extended by two months where necessary, and you will be informed accordingly.

Art. 22. (1) The Administrator applies the principle of Privacy by Design and by Default. For new technologies or processing operations likely to result in high risk to individuals (e.g., large-scale profiling), a Data Protection Impact Assessment (DPIA) is performed under Art. 35 GDPR.

(2) You may object to marketing communications at any time using the “Unsubscribe” link in any email or by contacting us directly.

SECTION VII – International Data Transfers

Art. 23. (1) As a general rule, your personal data is stored and processed within the European Union (EU) and the European Economic Area (EEA).

(2) Where we determine that standard safeguards may not provide adequate protection, the Administrator adopts additional technical and/or organisational measures in line with European Commission recommendations.

Art. 24. (1) In some cases, your personal data may be processed outside the EEA when using external service providers or technological platforms located in third countries.

(2) Such transfers occur only on a lawful basis and with guarantees ensuring a level of protection equivalent to that in the EEA.

Art. 25. (1) Personal data may be transferred to the following non-EEA countries:

United States of America (USA) – in connection with:

1. Analytical tools such as Google Analytics;
2. Advertising platforms including Google Ads and Meta/Facebook Ads;
3. HubSpot, used for CRM, client communications and marketing.

(2) In this context, specific technical and behavioural data (e.g., IP address, device identifiers, interaction data) may be transferred to Google LLC, acting as a data recipient outside the EEA.

SECTION VIII – Cookies and Tracking Technologies

Art. 26. To optimise website functionality and provide a personalised user experience, our platform uses cookies and similar tracking technologies activated during site navigation. These tools enable us to identify your device and store information about your preferences and usage patterns.

Art. 27. (1) Upon your first visit, you will be presented with a clear notification regarding our use of cookies, together with options for managing your preferences. Each section of the website provides access to a privacy control panel, allowing you to modify or withdraw cookie permissions at any time.

(2) Additionally, you may restrict or delete cookies through your browser settings according to your personal preferences.

SECTION IX – Final Provisions

Art. 28. If your rights under this Policy or applicable data protection legislation have been violated, you may file a complaint with the Commission for Personal Data Protection:

Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Telephone: 02/91-53-518
Website: www.cpdp.bg

Art. 29. (1) The Administrator reserves the right to update or amend this Privacy Policy at any time. Any change will be published prominently on the website, and users will be appropriately informed (e.g., via on-site notice or email).

(2) A revision becomes effective for you upon the earliest of:

1. receiving direct notification and not objecting within 14 days; or
2. 14 days after publication of the updated Policy on the website.

Art. 30. For all matters not explicitly regulated by this Policy, Bulgarian legislation and Regulation (EU) 2016/679 (GDPR) shall apply. Any disputes between the Administrator and the data subject will be resolved amicably. If agreement cannot be reached, the dispute shall be referred to the competent Bulgarian court at the Administrator’s registered seat.

Art. 31. (1) If any provision of this Policy is declared unlawful, invalid or unenforceable by a competent court, that provision shall be removed from the document.

(2) All remaining provisions shall continue to apply and remain binding upon the Administrator and the data subjects.

This Privacy Policy is approved and enters into force as of 10 February 2025.

‍