PRIVACY POLICY
Digital New Era Ltd.
UIC: 207276590
VAT number: BG207276590
Address: Str. Thessaloniki 47, gr. Sofia, Bulgaria
Email: contact@studionewera.com
Phone: +359 885 868 793
Effective from: 10 March 2025.
Latest update: 10 January 2026.
1. INTRODUCTION
1.1. Digital New Era Ltd („we“, „us“, „our team“, „Provider“) respects your right to privacy and data protection.
1.2. This Privacy Policy describes:
What personal data we collect
How we use and protect them
Your rights as a data subject
How you can contact us
1.3. This policy applies to:
Website https://studionewera.com
Customer portal https://portal.studionewera.com
All our services and communications
1.4. We apply:
Regulation (EU) 2016/679 (GDPR)
Personal Data Protection Act (PDPA)
Any other applicable data protection standards
2. PERSONAL DATA CONTROLLER
2.1. Data Administrator:
Digital New Era Ltd.
UIC: 207276590
Address: 47, Thessaloniki, gr. Sofia, Bulgaria
Email: contact@studionewera.com
Phone: +359 885 868 793
2.2. Data Protection Officer (DPO):
If necessary, you can contact us at the above email with the subject „Data Protection Inquiry“.
3. WHAT PERSONAL DATA WE COLLECT
3.1. Details on initial contact
When you fill in a form on the website or contact us:
Name and surname
Email address
Phone number
Company name (if applicable)
Website goals and preferences
Message/Inquiry
Legal basis: Consent (Article 6(1)(a) GDPR)
3.2. Customer portal registration details
When creating an account in the portal:
Username
Email address
Password (stored encrypted)
Name and surname
Company data (UIC, VAT number, address) - for legal entities
Phone
Preferred language (Bulgarian/English)
Legal basis: Contractual necessity (Article 6(1)(b) GDPR)
3.3. Customer portal usage data
Project data:
Project names and descriptions
Tasks, statuses and priorities
Comments and feedback
History of changes
Communications:
Communications between you and our team
Call history
Message timestamps
Status of reading
Files and documents:
Uploaded documents (PDF, DOCX, images, etc.)
File metadata (size, upload date, type, name)
History of uploads
Subscription and payment details:
Stripe Customer ID (unique reference number for payments)
Invoice and payment history
Subscription status (active, expired, terminated)
Payment method information (last 4 digits of the card - we do NOT store the full number)
Legal basis: Contractual necessity (Article 6(1)(b) GDPR)
3.4. Security data and technical use
Entry history:
Successful logins (date, time, IP address)
Unsuccessful login attempts
Session data
IP addresses and rate limiting:
IP address (to prevent abuse)
Rate limiting records (5 attempts/5 minutes)
Blocked IP addresses (storage: 24 hours in transient storage)
Browser and device information:
User agent (browser type and version)
Operating system
Device type (desktop/mobile/tablet)
Screen Resolution
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - for security and fraud prevention
3.5. Data from analytical tools
Google Analytics 4:
Website visits (number, duration)
Pages you browse
Geographical location (city/region level)
Demographic data (age, sex) - anonymised
Site behaviour (clicks, scrolls)
Anonymized IP addresses (last octets removed)
Microsoft Clarity:
Heatmap data (where users click)
Session replay (anonymised session replay)
Scroll depth and engagement metrics
Meta Pixel (Facebook Pixel):
Visits to specific pages
Conversion events
Used for remarketing and measuring the effectiveness of ads
Legal basis:
Consent (Art. 6(1)(a) GDPR) - via cookie banner
Legitimate interest (Article 6(1)(f) GDPR) - to improve services
3.6. Data from email communications
Content of the emails we exchange
Date and time of dispatch/receipt
Your email address
Attachments
Legal basis: Contractual necessity (Art. 6(1)(b) GDPR) or Legitimate interest (Art. 6(1)(f) GDPR)
3.7. Billing and accounting data
Name and billing address
UIC/Bulstat
VAT number (if applicable)
Payment details (processed by Stripe - we do NOT store full card details)
Legal basis:
Contractual necessity (Article 6(1)(b) GDPR)
Legal obligation (Article 6(1)(c) GDPR) - tax and accounting legislation
4. HOW WE USE YOUR DATA
4.1. To provide the services:
Creation and maintenance of your website
Project and task management
Communication on projects
Technical support
4.2. For payment processing:
Issue of invoices
Payment processing via Stripe
Subscription tracking
Accounting purposes
4.3. For security and fraud prevention:
Protection against unauthorised access
Rate limiting and protection against brute-force attacks
Suspicious activity detection
Logging of audit actions
4.4. To improve services:
Platform usage analysis
UX/UI improvement
Performance optimization
Development of new features
4.5. For communication and support:
Answers to queries
Sending technical notifications
Notifications of service changes
Payment confirmations
4.6. For marketing (ONLY with your explicit consent):
Sending the newsletter
Information about new services and offers
Promotional messages
You can unsubscribe at any time via the link in the email.
4.7. For legal compliance:
Compliance with tax and accounting obligations
Response to legal requests from the authorities
Protecting our rights in disputes
5. LEGAL BASIS FOR PROCESSING (UNDER GDPR)
We process your personal data on the basis of:
5.1. Consent (Article 6(1)(a) GDPR)
When filling in a contact form
When uploading files to the portal
When you subscribe to the newsletter
When you accept cookies (non-essential)
5.2. Contractual necessity (Art. 6(1)(b) GDPR)
To create and maintain your website
To provide access to the customer portal
For project data storage and communications
To process payments and issue invoices
5.3 Legitimate interest (Article 6(1)(f) GDPR)
To prevent fraud and abuse (rate limiting, IP tracking)
To ensure system security
To improve services (anonymised analytics)
For direct marketing to existing customers (soft opt-in)
5.4. Legal obligation (Article 6(1)(c) GDPR)
For tax and accounting purposes (invoicing, VAT)
For storage of contract documentation (10 years)
At the lawful request of the competent authorities
6. DATA SHARING WITH THIRD PARTIES
6.1. We do NOT sell and we do NOT rent your data to third parties for their marketing purposes.
6.2. We share data only when necessary with the following categories of recipients:
6.3. Technology Service Providers (Data Processors)
Hostinger International Ltd. (Hosting)
Location: Cyprus, EU
Objective: Website and portal hosting
Data: All data stored on the servers
Protection: Standard Contractual Clauses (SCCs), GDPR compliance
Stripe, Inc. (Payment processing)
Location: USA (Adequacy Decision + SCCs)
Objective: Processing card payments
Data: Name, Email, Payment Details, Stripe Customer ID
Protection: PCI-DSS Level 1, Standard Contractual Clauses
Policy: https://stripe.com/privacy
Google LLC (Analytics)
Services: Google Analytics 4, Google Search Console, Google Fonts
Location: USA
Objective: Traffic analysis, SEO monitoring
Data: Anonymised behaviour data, IP addresses (anonymised)
Protection: Standard Contractual Clauses, Data Processing Agreement
Policy: https://policies.google.com/privacy
Meta Platforms, Inc. (Meta Pixel)
Location: USA
Objective: Measuring the effectiveness of ads, remarketing
Data: Information about visits, conversions
Protection: Standard Contractual Clauses
Policy: https://www.facebook.com/privacy/
Microsoft Corporation (Microsoft Clarity)
Location: USA
Objective: Analysis of user behaviour
Data: Heatmap data, session replay (anonymized)
Protection: Standard Contractual Clauses
Policy: https://privacy.microsoft.com/
Cloudflare, Inc. (CDN and Security)
Location: USA
Objective: Content Delivery Network, DDoS protection
Data: IP addresses, HTTP requests
Protection: Standard Contractual Clauses
Policy: https://www.cloudflare.com/privacypolicy/
6.4. Legal and regulatory authorities
We can disclose data under:
A legal request from a court or prosecutor's office
Investigations by the police
Requests from tax authorities
Protecting our legal rights
6.5 Future Successors
In the event of a future sale, merger or acquisition of our business, the data may be transferred to the successor (with prior notice).
7. INTERNATIONAL DATA TRANSFERS
7.1. Services in the European Union
Your website and client portal are hosted on servers in Bulgaria and the European Union, ensuring full compliance with GDPR.
7.2. Services outside the EU
Some of our partners are located outside the European Union:
Service | Company | Location | Protective measures
Payment processing | Stripe, Inc. | USA | Standard Contractual Clauses + Adequacy Decision + PCI-DSS
Google Analytics | Google LLC | USA | SCCs + DPA + IP Anonymization
Meta Pixel | Meta Platforms | USA | SCCs + Limited data sharing
Microsoft Clarity | Microsoft Corp. | USA | SCCs + DPA
Cloudflare | Cloudflare, Inc. | USA | SCCs + Privacy Shield Framework successor
7.3 What are Standard Contractual Clauses (SCCs)?
SCCs are contractual clauses approved by the European Commission that ensure that data transferred outside the EU receives adequate protection under the GDPR.
7.4. Your rights
You have the right to:
Object to the transfer of your data outside the EU
Ask for more information about protective measures
Get a copy of the Standard Contractual Clauses
For questions: contact@studionewera.com
8. HOW LONG WE KEEP YOUR DATA
We store your data only as long as necessary for the purposes for which they were collected or as required by law.
8.1. Customer portal
Project data:
Term: For the duration of the contract + 3 years after completion
Reason: Potential disputes, warranty obligations
Messages and comments:
Term: For the duration of the contract + 1 year
Reason: Evidence of communication, audit objectives
Uploaded files:
Term: For the duration of the contract + 6 months after completion
Reason: Ability to recover if necessary
History of activities:
Term: 12 months
Reason: Activity monitoring, security audits
8.2. Payments and accounting
Invoices and accounting data:
Term: 10 years
Reason: Legal requirement (Accounting Act, VAT Act)
Payment History:
Term: For the duration of the contract + 6 years
Reason: Tax audits, proof of payments
Stripe Customer ID:
Term: As long as you have an active subscription + 1 year
Reason: Payment processing, refunds
8.3. Security and logs
IP addresses for rate limiting:
Term: 24 hours (in transient storage)
Reason: Prevent brute-force attacks
Security logs:
Term: 90 days
Reason: Security audits, incident investigation
Audit logs:
Term: 1 year
Reason: Compliance, evidence in disputes
8.4 Google Analytics
Anonymised analytical data:
Term: 14 months (according to GA4 settings)
Reason: Traffic analysis, service improvement
8.5 Marketing (only with explicit consent)
Marketing data (newsletter):
Term: Until withdrawal of consent OR 2 years in case of inactivity
Reason: Legal Marketing
8.6. On request for deletion
You can request deletion of your data at any time, except where legislation requires mandatory retention (e.g. accounting records for 10 years).
9. YOUR RIGHTS (GDPR AND CCPA)
You have the following rights regarding your personal data:
9.1. Right to Access - Article 15 GDPR
What it includes:
The right to receive a copy of all your data that we process
Information about the purposes of the processing
Categories of recipients
Storage period
How to exercise:
Log in to the portal → Settings → „Download my data“
OR: contact@studionewera.com with subject „Data Access Request“
Deadline: 30 days (can be extended up to 60 days in complex cases)
9.2. Right to Rectification - Article 16 GDPR
What it includes:
Correction of inaccurate or incomplete data
How to exercise:
Portal → Settings → „Edit profile“
OR: contact@studionewera.com
Deadline: 30 days
9.3. Right to erasure / Right to be forgotten - Article 17 GDPR
What it includes:
Erasure of your data under certain conditions
Important restrictions:
Some data must be kept by law (invoices - 10 years)
Does not apply if the data are necessary for the defence of legal claims
How to exercise:
contact@studionewera.com with the subject „Data erasure request“
Deadline: 30 days
9.4. Right to Restriction of Processing - Article 18 GDPR
What it includes:
Restriction of processing in certain circumstances (e.g.: accuracy challenge)
How to exercise:
9.5. Right to Data Portability - Article 20 GDPR
What it includes:
Receive data in a structured, common format (JSON/CSV)
Transfer the data to another provider
How to exercise:
Portal → Settings → „Export data“
OR: contact@studionewera.com
Export format: JSON, CSV, ZIP archive
9.6. Right to Object - Article 21 GDPR
What it includes:
Objection to processing based on legitimate interest
Objection to direct marketing (at any time, without justification)
How to exercise:
Marketing: Click „Unsubscribe“ in any email
Other processing: contact@studionewera.com
9.7. Right not to be subject to automated decision-making - Article 22 GDPR
Status: We do NOT use automated decision making or profiling with legal implications.
9.8. How to exercise your rights
Email: contact@studionewera.com
Phone: +359 885 868 793
Mailing address: Str. Thessaloniki 47, gr. Sofia, Bulgaria
Timelines:
We respond to requests within 30 calendar days
May be extended to 60 days in complex cases (we will inform you)
Free: The exercise of your rights is free of charge unless the request is manifestly unfounded or excessive.
9.9. Lodging a complaint with a supervisory authority
If you believe that we are violating your data protection rights, you may file a complaint with:
Commission for Personal Data Protection (CPDP)
Address: Prof. Tsvetan Lazarov № 2, Sofia 1592, Bulgaria
Phone: +359 2 915 3 518
Website: https://www.cpdp.bg
Email: kzld@cpdp.bg
10. DATA SECURITY
10.1. We apply appropriate technical and organisational measures to protect your data:
10.2. Technical measures
Encryption:
SSL/TLS for all communications (HTTPS)
Encrypted passwords (bcrypt hashing)
Encrypted backups
Access Protection:
Rate limiting (5 tries / 5 minutes)
Automatic IP blocking for suspicious activity
Two-factor authentication (planned)
Monitoring:
24/7 security monitoring
Automatic scans for malware
Logging of all critical actions
Backup:
Daily automatic backups
Encrypted storage of backups
Offsite backup copy
10.3. Organisational measures
Restricted Access:
Access to data only for authorized employees
Role-based access control (RBAC)
Employee confidentiality (NDA)
Training:
Regular team training on GDPR and security
Awareness for phishing and social engineering
Procedures:
Incident response plan for data breach
Regular security audits
Documented data processing procedures
10.4. Important information
WE CANNOT GUARANTEE 100% SECURITY.
No system is absolutely secure. Despite all measures, there is a residual risk of:
Mass cyber attacks
Zero-day vulnerabilities
Force majeure circumstances
You are also responsible:
Use a strong password
Don't share your login details
Notify us immediately if you suspect a compromise
11. DATA BREACH NOTIFICATION
11.1. Our obligations (Art. 33-34 GDPR)
In the event of a data breach that may threaten your rights and freedoms:
In the case of a high-risk breach:
We notify the CPC within 72 hours of becoming aware of it
We notify you directly (by email or in the portal) without undue delay
We describe the nature of the infringement and the possible consequences
We provide advice on protecting your data
11.2. Information we will include
What data is affected
Which users are affected
The likely consequences
The measures we have taken
Recommendations for your action
Contact point for questions
11.3. Preventive measures
We make every effort to prevent breaches:
SSL/TLS encryption
Secure servers with updated software
Regular backups
Strict access rules
Monitoring for abnormal activity
Rate limiting against brute-force attacks
Regular security audits
11.4. Contact us
If you suspect a security breach:
Urgent Email: contact@studionewera.com (with subject „SECURITY INCIDENT“)
Phone: +359 885 868 793
12. COOKIES
12.1. For detailed information on how we use cookies, please see our Cookie Policy.
12.2 We use:
Mandatory cookies (for functionality)
Analytical cookies (Google Analytics - with your consent)
Marketing cookies (Meta Pixel - with your consent)
12.3. You can manage cookies by:
Cookie banner on first visit
Browser settings
Footer of the site → „Cookie settings“
13. CHILDREN AND MINORS
13.1. Our services are NOT intended for persons under 18 years of age.
13.2. We do NOT knowingly collect personal data of children under 18.
13.3. If you are a parent/guardian and discover that your child has provided personal data, please contact us immediately. We will delete the data.
14. CHANGES TO THE PRIVACY POLICY
14.1. We may update this policy from time to time.
14.2. In the event of significant changes:
We notify you by email
We publish a notification in the portal
We update the „Last Updated“ date at the top
14.3. We recommend reviewing this policy periodically.
15. CONTACTS AND QUESTIONS
For any questions about this Privacy Policy or data protection:
Digital New Era Ltd.
UIC: 207276590
Address: 47, Thessaloniki, gr. Sofia, Bulgaria
Email: contact@studionewera.com
Phone: +359 885 868 793
Data Protection inquiries: contact@studionewera.com with subject „Data Protection Inquiry“
Personal Data Protection Commission (PDPC): https://www.cpdp.bg | kzld@cpdp.bg | +359 2 915 3 518
Date of acceptance: 10 March 2025.
Latest update: 10 January 2026.
© 2026 Digital New Era Ltd. All rights reserved.