Legal

Privacy Policy

Last updated: 30 April 2026.

1. Data controller

The controller of your personal data is ALTEA-N LTD (ALTEA-N EOOD — single-member limited liability company under Bulgarian law), UIC 207644213, with registered seat in the Republic of Bulgaria, EU. Trading as AlteaCloud.

Contact for any privacy-related matter: office@alteacloud.com.

2. What personal data we process

  • Contact & enquiry data — name, email, company, message content you send via email, the contact form or our client portal at tickets.alteacloud.com.
  • Project & client data — billing details, the content you send us to build your website (text, images, login credentials for third-party platforms, etc.).
  • Hosting & technical data — for hosting customers: domain, server logs, IP addresses, access timestamps, error logs.
  • Payment data — invoice details. Card data is processed by Stripe Payments Europe Ltd.; we never see or store full card numbers.
  • Analytics & usage data — anonymised IP addresses, pages viewed, device and browser type via Google Analytics 4 (anonymize_ip enabled).
  • Marketing measurement data — the Meta (Facebook) Pixel collects browser-level identifiers, page URL, referrer and a timestamp to measure the effectiveness of our Facebook and Instagram advertising. You can opt out via your browser, an ad-blocker extension, or the Google/Meta opt-out tools described in the Cookie Policy.

3. Why we process it (legal basis)

  • Performance of a contract (GDPR Art. 6(1)(b)) — to deliver the services you ordered.
  • Legal obligation (Art. 6(1)(c)) — accounting, invoicing and tax retention under Bulgarian law.
  • Legitimate interest (Art. 6(1)(f)) — securing our infrastructure, fraud prevention, basic analytics.
  • Consent (Art. 6(1)(a)) — for non-essential cookies and any direct marketing. You can withdraw consent at any time.

4. How long we keep it

  • Enquiries that don't lead to a contract — up to 24 months.
  • Project files & client correspondence — for the duration of the contract and up to 5 years thereafter, or longer where needed for the establishment, exercise or defence of legal claims (GDPR Art. 17(3)(e)).
  • Invoices & accounting records — 10 years (Bulgarian Accountancy Act, art. 12).
  • Hosting server logs & security/audit logs — up to 24 months.
  • Analytics data — up to 14 months in Google Analytics.
  • Records relating to AUP breaches, fraud, abuse or law-enforcement requests — for the period necessary to defend our legitimate interests, plus the applicable statute-of-limitation period.

Where you exercise the right to erasure, we may continue to retain a minimum data set strictly necessary to: (i) comply with our legal obligations, (ii) defend or assert legal claims, (iii) prevent fraud or abuse of our services, or (iv) document the lawful basis on which we processed your data.

5. Who we share data with

We use a small number of trusted processors who act on our instructions and are bound by data-processing agreements:

  • Hosting providers in the EU (data centres located in the European Economic Area).
  • Email infrastructure — Google Workspace.
  • Payment processing — Stripe Payments Europe Ltd.
  • Client portal — tickets.alteacloud.com (operated by us on EU infrastructure).
  • Analytics — Google Analytics 4 (anonymised IP).
  • Marketing measurement — Meta Platforms Ireland Ltd. (Meta / Facebook Pixel), used to measure conversions on our Facebook and Instagram advertising. Meta acts as an independent controller for the data it receives — see facebook.com/privacy/policy. Opt-out: see the Cookie Policy.

We do not sell your data, and we use Meta only for measuring our own ads — not for selling audiences to third parties.

6. International transfers

Some processors (e.g. Google, Meta) are headquartered in the EU but operated by US parent companies, and may transfer data to the United States for processing. Such transfers are protected by the EU–US Data Privacy Framework (under which both Google and Meta are certified) and/or Standard Contractual Clauses approved by the European Commission.

7. Your rights under GDPR

You have the right to: access, rectify, erase, restrict or object to processing of your data, data portability, and to withdraw any consent you've given. To exercise any of these, write to office@alteacloud.com. We respond within one month.

You also have the right to lodge a complaint with the Bulgarian supervisory authority — the Commission for Personal Data Protection (KZLD): cpdp.bg.

8. Cookies

We use a small number of cookies for essential functionality, language/theme preferences and analytics. See our Cookie Policy.

9. Security

We use HTTPS everywhere, encrypted backups, strong access controls and the principle of least privilege. No method of transmission or storage is 100% secure, and we provide no warranty against unauthorised access caused by factors outside our reasonable control (including weak credentials, compromised end-user devices, or the actions of third parties). The Client remains responsible for the security of their own access credentials and end-user devices.

10. Client-controlled data & hosting

Where we host websites or services on behalf of clients, we act as a processor in respect of personal data that the client (as controller) collects from their own users. The client is responsible for the lawfulness of that processing — including their own privacy notice, legal basis, GDPR rights handling, and any sector-specific obligations. We are not responsible for any content, products or services that clients publish, sell or distribute through systems we host. See our Terms of Service, sections 7–9.

11. Changes to this policy

If we materially change this policy, we'll update the "Last updated" date and, where relevant, notify active clients by email.