Privacy Policy

1. Data Controller

The data controller responsible for processing your personal data is:

• Entity: HDE (HDetailEnterprise)
• Address: bul. "Dunav" #1, Plovdiv, Bulgaria
• Email: info@hdetailenterprise.com
• Website: https://hde.dev

2. Definitions

For the purposes of this Privacy Policy:

• "Platform" refers to the HDE web application at hde.dev and all associated services.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, whether automated or not.
• "User" refers to any individual who accesses or uses the Platform.
• "Sub-processor" means any third-party entity that processes Personal Data on behalf of HDE.

3. Personal Data We Collect

We collect the following categories of personal data depending on how you interact with the Platform:

4. How We Use Your Data

We process your personal data for the following purposes:

• To provide, maintain, and improve the Platform and its services
• To create and manage your user account
• To process and fulfil orders for custom Discord bot development, hosting, and maintenance
• To facilitate consultation bookings and manage scheduling
• To operate the support ticket system and provide customer assistance
• To administer the affiliate programme and calculate commissions
• To apply personalised pricing based on your account profile
• To store and apply your theme and language preferences
• To ensure the security of the Platform, including fraud prevention and access control
• To comply with legal obligations under Bulgarian and EU law
• To communicate with you regarding your account, orders, bookings, or support requests

5. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide services you have requested, including account management, order processing, booking fulfilment, and support ticket handling.
• Legitimate Interest (Article 6(1)(f)): Processing necessary for platform security, fraud prevention, service improvement, admin audit logging, and SLA monitoring. We have conducted a balancing test to ensure our legitimate interests do not override your rights.
• Legal Obligation (Article 6(1)(c)): Processing required to comply with tax, accounting, and other legal obligations under Bulgarian and EU law.
• Consent (Article 6(1)(a)): Where applicable, for optional processing activities. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

6. Cookies and Local Storage

We use a minimal set of cookies, all of which are essential for the operation of the Platform. No tracking, advertising, or analytics cookies are used. For full details, please refer to our Cookie Policy at /cookie-policy.

• next-auth.session-token: Authentication session cookie (HTTP-only, secure in production)
• next-auth.csrf-token: Cross-site request forgery protection cookie
• next-auth.callback-url: Authentication redirect cookie
• NEXT_LOCALE: Language preference cookie (en or bg)

7. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal data. We share data only with the following categories of processors, strictly for the purposes described in this policy:

8. International Data Transfers

We aim to process all data within the European Economic Area (EEA). Where data must be transferred to processors outside the EEA (such as Discord, Inc. in the United States, or Stripe, Inc. when implemented), we ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, or reliance on adequacy decisions where available.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Account data: retained while your account remains active and for up to 30 days following a deletion request
• Order data: retained for the duration required by Bulgarian tax and accounting regulations (typically 10 years for financial records)
• Booking data: retained for 12 months after the consultation date
• Support ticket data and attachments: retained for 24 months after ticket closure
• Affiliate data: retained while the affiliate account is active and for 12 months after deactivation
• Admin audit logs: retained indefinitely for security, compliance, and dispute resolution purposes
• Server logs (including IP addresses): retained for up to 90 days

10. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. To exercise any of these rights, please contact us at info@hdetailenterprise.com:

• Right of Access (Article 15): You may request a copy of the personal data we hold about you.
• Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
• Right to Erasure (Article 17): You may request deletion of your personal data, subject to legal retention obligations.
• Right to Restriction (Article 18): You may request that we restrict processing of your data in certain circumstances.
• Right to Data Portability (Article 20): You may request your personal data in a structured, commonly used, machine-readable format.
• Right to Object (Article 21): You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP), 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria, or with any other competent EU supervisory authority.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data:

• Passwords are hashed using bcrypt with a cost factor of 12
• Authentication sessions use signed JWT tokens with periodic verification (every 60 seconds) against the database
• All data in transit is encrypted using HTTPS/TLS
• Database storage uses MongoDB Atlas encryption at rest
• Access to personal data is controlled by a five-tier role-based access system with 20 granular permission types
• All administrative actions affecting user accounts are logged in an immutable audit trail
• Administrators cannot modify their own accounts, and role-based restrictions prevent privilege escalation
• Force logout capability allows immediate session invalidation when security concerns arise

12. Automated Decision-Making

The Platform uses automated processes for support ticket assignment (round-robin, least-active, or default-agent strategies) and SLA deadline computation. These processes do not produce legal effects or similarly significant effects on users. Personalised pricing multipliers are set manually by administrators and are not the result of automated profiling.

13. Children's Privacy

The Platform is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The "Last updated" date at the top of this page will be revised accordingly. Material changes will be communicated through the Platform. Continued use of the Platform after changes are published constitutes acceptance of the updated policy.

15. Contact

For any privacy-related enquiries, data subject requests, or complaints, please contact us at:

• Email: info@hdetailenterprise.com
• Address: bul. "Dunav" #1, Plovdiv, Bulgaria
• Supervisory Authority: Commission for Personal Data Protection (CPDP), 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria