Last updated: 1 January 2026
1.1. The data controller is:
Project Management Academy EOOD,
with registered office and management address: BULGARIA, Sofia, Lyulin District, Block 604, Floor 3, UIC 205690799.
Contact email: contacts@docilab.com
1.2. At present, we have not appointed a Data Protection Officer (DPO), as our core activities do not fall within the mandatory cases under Article 37 of the GDPR and UK GDPR.
2.1. This Privacy Policy governs how we collect, process, store, and protect your personal data. It is issued in accordance with:
Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)
The UK General Data Protection Regulation (UK GDPR)
The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), where applicable
The Bulgarian Personal Data Protection Act and other applicable legislation.
2.2. By registering, accessing, or using the Service, you acknowledge that you have read and understood this Policy.
2.3. This Policy is an integral part of our Terms of Service.
2.4. This Policy applies to all users of the Service. Specific rights for residents of certain regions (e.g., the European Economic Area, the United Kingdom, California) are detailed in the relevant sections below.
3.1. Identification and Contact Data: First name, last name, email address, telephone number.
3.2. Financial Data: For bank transfers, we store transaction data (payer name, date, amount) for accounting purposes. We do not process or store payment card details. Payments via PayPal are handled by PayPal; we receive only a transaction confirmation.
3.3. Technical Data: IP address, browser type, operating system, device information, and access logs.
3.4. Service Usage Data: History of viewed articles, submitted questions, and user preferences within the Service.
3.5. User-Submitted Content: Questions or requests you submit.
3.6. CCPA/CPRA Categorization: For California residents, the data above falls under the following CCPA categories of „Personal Information“:
Identifiers (e.g., name, email, IP address).
Commercial Information (e.g., purchase records).
Internet or Network Activity (e.g., usage logs).
Inferences (limited, drawn from your usage to provide the service).
We do not collect „Sensitive Personal Information“ as defined under the CPRA.
3.7. International Data Transfers: Our Service is hosted within the European Union. If we use sub-processors located outside the EU/UK (e.g., in the USA), any transfer of your personal data will be protected by appropriate safeguards as required by the GDPR and UK GDPR, such as the European Commission’s Standard Contractual Clauses.
4. PURPOSES OF PROCESSING AND LEGAL BASIS
4.1. Account Creation and Service Provision
Purpose: To create and manage your user account and provide you with access to the Service’s content.
Legal Basis (GDPR/UK GDPR): Performance of a contract (Article 6(1)(b)).
Retention Period: For the duration of your active account. After account closure, we retain your core identification and transaction data for a period of 3 years to comply with legal obligations (e.g., tax), resolve potential disputes, enforce our agreements, and protect our legitimate legal interests. Other usage data (e.g., history of viewed articles) is anonymized or deleted within 12 months of account closure.
4.2. Payment Processing and Invoicing
Purpose: To process your payments and issue legally required electronic invoices.
Legal Basis (GDPR/UK GDPR): Performance of a contract (Article 6(1)(b)) and compliance with a legal obligation (Article 6(1)(c)).
Retention Period: 13 years from the end of the calendar year in which the transaction occurred, as mandated by Bulgarian accounting and tax law.
4.3. Administrative Communications
Purpose: To send you essential, non-marketing communications related to the service, such as payment confirmations, important updates to our Terms of Service or this Privacy Policy, and security alerts.
Legal Basis (GDPR/UK GDPR): Performance of a contract (Article 6(1)(b)) and legitimate interest (Article 6(1)(f)) in maintaining clear communication with our users.
Retention Period: For the duration of our relationship with you (i.e., while your account is active or you are subscribed to such updates).
4.4. Service Security and Legal Protection
Purpose: To ensure the security and integrity of the Service, prevent fraud and abuse, and defend our legal rights.
Legal Basis (GDPR/UK GDPR): Legitimate interest (Article 6(1)(f)) in protecting our business and users.
Retention Period: Up to 3 years from the date of the relevant activity or security event, unless a specific legal claim or investigation requires a longer retention period.
4.5. Storing User Interaction History
Purpose: To maintain a history of your submitted questions and commissioned individual materials for your personal reference and to allow us to improve our services.
Legal Basis (GDPR/UK GDPR): Performance of a contract (Article 6(1)(b)).
Retention Period: For the duration of your active account. You may request the deletion of specific content, which we will evaluate on a case-by-case basis against our legal obligations.
4.6. Compliance with Legal Obligations
Purpose: To comply with requests and orders from law enforcement, courts, or other regulatory bodies.
Legal Basis (GDPR/UK GDPR): Compliance with a legal obligation (Article 6(1)(c)).
Retention Period: As required by the specific law, regulation, or legal proceeding, which may exceed the standard retention periods outlined above.
4.7. Basis for U.S. and California Users
For users in the United States, the processing described above is necessary for the performance of the services you have requested. We do not use your personal information for purposes that are materially different from those disclosed here. For California residents, this processing falls under the CCPA/CPRA permitted business purposes.
5. MANDATORY NATURE OF DATA PROVISION
5.1. The provision of your identification data, contact data, and necessary payment data is mandatory for entering into and performing the contract with us. Without this data, we cannot create your account or provide you with access to the paid services.
5.2. The provision of all other data categories is voluntary. However, choosing not to provide certain voluntary data may limit your ability to use some interactive features of the Service.
6. SHARING OF PERSONAL DATA WITH THIRD PARTIES
6.1. We do not sell your personal data to third parties.
6.2. We may share your data only with the following categories of recipients under strict confidentiality agreements:
Service Providers (Processors): Trusted companies that provide essential services to us, such as cloud hosting, payment processing (e.g., PayPal), and email delivery services. They process data solely on our instructions.
Legal and Regulatory Authorities: When we are required to do so by applicable law, or in response to valid legal process (e.g., a court order or subpoena).
Professional Advisors: Our lawyers, auditors, or insurers when necessary to obtain professional advice or to establish, exercise, or defend legal claims.
6.3. CCPA/CPRA Notice: For the purposes of the California Consumer Privacy Act, we do not „sell“ or „share“ your Personal Information as those terms are defined under California law. We do not engage in cross-context behavioral advertising.
7. INTERNATIONAL DATA TRANSFERS
7.1. The personal data we collect is stored and processed on servers located within the European Union.
7.2. In the course of our operations, we may use service providers (data processors) located outside the EU/UK, such as in the United States. Any transfer of your personal data to such a third country will be carried out in compliance with applicable data protection laws and only on the basis of appropriate safeguards, such as:
An adequacy decision by the European Commission or the UK Government;
The Standard Contractual Clauses (SCCs) approved by the European Commission;
The UK International Data Transfer Addendum to the SCCs; or
Any other legally recognized mechanism ensuring an adequate level of protection.
8. USE OF COOKIES AND SIMILAR TECHNOLOGIES
8.1. The Service uses only strictly necessary cookies. These are essential for the basic functioning of the website (e.g., maintaining your login session) and do not require your prior consent under the GDPR, UK GDPR, or the ePrivacy Directive.
8.2. We use:
Session Cookies: To keep you logged in during your visit.
Functional Cookies: To remember basic user preferences.
8.3. We do not use analytics, advertising, tracking, or profiling cookies.
8.4. For users in the United States, these cookies are used solely for essential operational purposes. Their use does not constitute „cross-context behavioral advertising“ as defined by the CCPA/CPRA, and therefore no opt-out mechanism is offered or required.
9. YOUR DATA PROTECTION RIGHTS
9.1. Rights under the GDPR and UK GDPR.
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:
Right of Access: To request a copy of your personal data.
Right to Rectification: To correct inaccurate or incomplete data.
Right to Erasure („Right to be Forgotten“): To request deletion of your data under certain circumstances.
Right to Restriction of Processing: To limit how we use your data.
Right to Data Portability: To receive your data in a structured, machine-readable format.
Right to Object: To object to processing based on our legitimate interests.
To exercise any of these rights, please contact us using the details in Section 13.
9.2. Rights for California Residents under the CCPA/CPRA.
If you are a California resident, you have the following rights, subject to certain exceptions:
Right to Know: You have the right to request, up to twice in a 12-month period, that we disclose: (i) the categories and specific pieces of Personal Information we have collected about you; (ii) the categories of sources; (iii) the business purpose for collecting or selling it; (iv) the categories of third parties with whom we share it.
Right to Delete: You have the right to request the deletion of Personal Information we have collected from you.
Right to Correct: You have the right to request correction of inaccurate Personal Information.
Right to Opt-Out of Sale/Sharing: We DO NOT SELL and DO NOT SHARE (for cross-context behavioral advertising) your Personal Information. Therefore, an opt-out is not applicable.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
How to Submit a CCPA Request: To exercise your Right to Know, Delete, or Correct, please email us at contacts@docilab.com. We will need to verify your identity before processing your request.
9.3. Exercising Your Rights and Complaints.
You can exercise any of your rights by contacting us at contacts@docilab.com. We may ask for specific information to confirm your identity. UK users have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO). EEA users may contact their national data protection authority.
10. DATA PROCESSORS AND SUBPROCESSORS
We engage carefully selected third-party service providers (Processors) to assist in operating the Service (e.g., hosting, payment processing). These Processors act only on our documented instructions, are bound by strict data protection agreements, and are prohibited from using your personal data for their own purposes.
11. DATA SECURITY
11.1. We implement and maintain appropriate technical and organizational security measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include SSL/TLS encryption for data in transit, strict access controls, regular security assessments, and staff training.
11.2. Despite our best efforts, no method of transmission over the Internet or electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.
12. POLICY UPDATES
12.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
12.2. If we make material changes, we will notify you by email (to the address associated with your account) and/or by placing a prominent notice on our Service at least 30 days before the changes take effect. We will indicate the „Last updated“ date at the top of this Policy.
12.3. Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the terms.
13. CONTACT INFORMATION
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Project Management Academy EOOD
Email: contacts@docilab.com