Privacy Policy

This Privacy Policy explains how Dominaite EOOD, trading as dominaite ("we", "us", "our"), collects, uses, shares, and protects personal data when you use our business management platform and related services (the "Services").

We are committed to protecting your privacy and complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Bulgarian Personal Data Protection Act, and other applicable data protection laws.

Please read this Privacy Policy carefully. By using our Services, you acknowledge that you have read and understood how we handle your personal data.

1. Controller Identity and Contact Information

1.1 Data Controller

The data controller responsible for your personal data is:

  • Legal Name: Dominaite EOOD
  • Brand Name: dominaite
  • UIC: 208557619
  • Jurisdiction: Republic of Bulgaria
  • Registered Address: str. Dr. Miron Ignatiev No. 11, fl. 2, ap. 4, Primorski, 9010 Varna, Bulgaria
  • Manager: Stefan Nikolaev Stankov

1.2 Contact Details

For privacy-related inquiries, please contact us at:

1.3 Our Role

dominaite is a technology company providing business management software. We act as:

  • Data controller for account and business data of merchants who use our platform
  • Data processor for customer data that merchants collect and manage through our platform
  • A technology intermediary and agent introducing merchants to licensed payment providers

dominaite is not a bank, payment institution, electronic money institution, or payment processor under the Payment Services Directive (PSD2).

2. Personal Data We Collect

We collect different categories of personal data depending on how you interact with our Services.

2.1 Account and Business Data (Merchants)

When you register for and use our Services as a merchant, we collect:

  • Identity information: Full name, business name, job title, date of birth
  • Contact information: Email address, phone number, business address
  • Business information: Company registration number, tax identification number, business type and industry, ownership structure
  • Financial information: Bank account details for settlement, transaction history, invoicing data
  • Authentication data: Username, password (encrypted), security questions, two-factor authentication credentials
  • Verification documents: Government-issued ID, proof of address, business registration documents

2.2 Customer Transaction Data

When you use our platform to process transactions with your customers, we collect:

  • Transaction details: Transaction amount, date and time, payment method, transaction status
  • Customer information: Customer name, email address, phone number, delivery address
  • Payment information: Masked card details (last 4 digits), card type, payment authorization data
  • Purchase information: Products or services purchased, order numbers, invoice details

2.3 Technical and Device Data

When you access our Services, we automatically collect:

  • Device information: IP address, device type, operating system, browser type and version, device identifiers
  • Usage data: Pages visited, features used, time and date of access, time spent on pages, clickstream data
  • Location data: General location inferred from IP address
  • Diagnostic data: Error reports, performance data, crash logs

2.4 Communication Data

We collect information from your communications with us:

  • Support communications: Messages, emails, chat logs, phone call recordings (with notice)
  • Survey responses: Feedback, ratings, testimonials
  • Marketing preferences: Subscription status, communication preferences

2.5 AI Training Data

We collect aggregated, anonymized data patterns to improve our AI features:

  • Anonymized transaction patterns: Statistical patterns, trends, and behavioral insights (not linked to individual merchants or customers)
  • Performance metrics: System usage patterns, feature effectiveness data

3. How We Collect Personal Data

3.1 Information You Provide Directly

  • When you register for an account
  • When you update your account or business profile
  • When you process transactions through our platform
  • When you contact our support team
  • When you respond to surveys or provide feedback
  • When you subscribe to marketing communications

3.2 Information Collected Automatically

  • Through cookies and similar tracking technologies (see Section 11)
  • Through our servers when you access or use our Services
  • Through analytics tools and monitoring systems
  • Through security and fraud detection systems

3.3 Information from Third Parties

  • Payment partners: Transaction verification data, fraud screening results, settlement information
  • Card schemes: Card validation data, chargeback information
  • Identity verification providers: KYC/AML verification results, credit checks
  • Business data providers: Company information, beneficial ownership data
  • Public sources: Business registries, sanctions lists, adverse media screening

5. How We Use Personal Data

5.1 Service Delivery

We use your personal data to:

  • Create, maintain, and secure your account
  • Process and manage transactions
  • Calculate and transfer settlements
  • Provide customer support and respond to inquiries
  • Send service-related notifications and updates
  • Authenticate your identity and prevent unauthorized access

5.2 AI-Powered Features

We use personal data to power our AI features:

  • Business Partner AI: Analyzes your business data to provide personalized insights, recommendations, and optimization suggestions solely for your benefit
  • Customer insights: Helps you understand customer behavior patterns and preferences
  • Fraud detection: Identifies potentially fraudulent transactions
  • Predictive analytics: Forecasts trends and business performance

Important: Your individual business data is used only to provide AI services to you. We may use aggregated, anonymized data patterns (not linked to you or any identifiable person) to improve our AI models for all users.

5.3 Fraud Prevention and Security

We use personal data to:

  • Detect and prevent fraud, money laundering, and other illegal activities
  • Monitor for security threats and unauthorized access
  • Verify your identity and business legitimacy
  • Screen against sanctions lists and watchlists
  • Investigate suspicious transactions or behavior

5.4 Compliance and Legal Obligations

We use personal data to:

  • Comply with anti-money laundering (AML) and know-your-customer (KYC) requirements
  • Meet tax reporting and financial record-keeping obligations
  • Respond to legal requests, court orders, and regulatory inquiries
  • Enforce our General Terms and Conditions
  • Protect our legal rights and interests

5.5 Business Operations and Improvement

We use personal data to:

  • Analyze usage patterns and improve our Services
  • Develop new features and functionality
  • Conduct market research and customer surveys
  • Generate business analytics and reports
  • Train and improve our AI models using anonymized data

5.6 Marketing and Communications

We use personal data to:

  • Send you information about new features and updates
  • Provide tailored product recommendations
  • Invite you to events, webinars, or surveys
  • Send promotional offers (with your consent where required)

You can opt out of marketing communications at any time using the unsubscribe link in emails or by contacting us.

6. How We Share Personal Data

We do not sell your personal data. We share personal data only in the following circumstances:

6.1 Payment Partners and Financial Institutions

We share necessary transaction and business data with:

  • Licensed payment service providers: To process payments and manage settlements
  • Card schemes (Visa, Mastercard, etc.): For payment authorization and fraud prevention
  • Acquiring banks: To facilitate merchant accounts and settlements
  • Payment gateways: To securely transmit payment information

We act as an agent introducing you to these licensed providers. They process payment data under their own licenses and privacy policies.

6.2 Service Providers and Processors

We share data with trusted third-party service providers who process data on our behalf:

  • Cloud hosting providers: To store and manage data
  • Identity verification services: To conduct KYC/AML checks
  • Fraud prevention services: To screen transactions and detect suspicious activity
  • Customer support platforms: To manage support tickets and communications
  • Analytics providers: To understand Service usage and performance
  • Email and communication services: To send notifications and marketing

These processors are contractually bound to process data only according to our instructions and to maintain appropriate security measures.

6.3 Business Transfers

If we undergo a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the successor entity. We will notify you of any such change and your rights regarding your data.

6.4 Legal and Regulatory Authorities

We may share personal data with:

  • Law enforcement agencies: When required by law or to prevent/investigate crime
  • Regulatory authorities: To comply with financial regulations and supervisory requests
  • Tax authorities: To meet tax reporting obligations
  • Courts and dispute resolution bodies: In connection with legal proceedings

We will only share data when legally required or permitted to do so.

6.5 Professional Advisors

We may share data with lawyers, accountants, auditors, and other professional advisors who assist us in running our business, subject to confidentiality obligations.

6.6 With Your Consent

We may share your personal data with other third parties where you have given specific consent for us to do so.

7. International Data Transfers

7.1 Transfers Outside the European Economic Area (EEA)

Some of our service providers and partners are located outside the EEA, including in countries that may not provide the same level of data protection as EU law.

7.2 Safeguards

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses with recipients in third countries
  • Adequacy Decisions: We transfer data to countries recognized by the European Commission as providing adequate protection (e.g., UK, Switzerland)
  • Binding Corporate Rules: Where applicable, we rely on processors with approved BCRs
  • Additional Security Measures: We implement supplementary technical and organizational measures to ensure data protection

7.3 Your Rights Regarding Transfers

You have the right to request information about the safeguards we have in place for international transfers and to obtain a copy of the relevant documents. Contact us at privacy@dominaite.com.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations.

8.1 Retention Periods

  • Transaction data: 7 years from the date of the transaction (to comply with Bulgarian accounting and tax law)
  • Account data: Duration of the business relationship plus 7 years (to comply with AML/CTF and financial record-keeping requirements)
  • Customer data processed on your behalf: As instructed by you (the merchant) or as required by law
  • Marketing data: Until you withdraw consent or opt out, plus a suppression period to respect your preferences
  • Technical and usage data: Typically 24–36 months, unless needed for security or fraud investigations
  • Support communications: 3 years from resolution

8.2 Deletion After Retention Period

After the applicable retention period expires, we securely delete or anonymize personal data so that it can no longer identify you.

8.3 Legal Holds

We may retain data beyond normal retention periods if required for legal proceedings, investigations, or regulatory requests.

9. Your Data Protection Rights

Under the GDPR, you have the following rights regarding your personal data:

9.1 Right of Access (Art. 15)

You have the right to request a copy of the personal data we hold about you and information about how we process it.

9.2 Right to Rectification (Art. 16)

You have the right to request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure (Art. 17)

You have the right to request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent (where processing is based on consent)
  • You object to processing based on legitimate interests
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

Note: This right is not absolute. We may retain data where we have a legal obligation to do so (e.g., 7-year retention for transaction records).

9.4 Right to Restriction of Processing (Art. 18)

You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.

9.5 Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller where:

  • Processing is based on consent or contract, and
  • Processing is carried out by automated means

9.6 Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds that override your interests.

9.7 Rights Related to Automated Decision-Making (Art. 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significant effects.

Our AI features: Our AI-powered insights and recommendations are designed to assist you in making business decisions. They do not make automated decisions that have legal or similarly significant effects without human intervention. You always retain control over business decisions.

If you believe an automated decision has been made that significantly affects you, you have the right to:

  • Obtain human intervention
  • Express your point of view
  • Contest the decision

9.8 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Please include:

  • Your full name and account email address
  • The specific right you wish to exercise
  • Details to help us locate your data (if applicable)
  • Proof of identity (if we cannot verify your identity from our records)

We will respond to your request within one month of receipt. In complex cases, we may extend this by two additional months and will inform you of the extension.

9.9 No Fee

We will not charge a fee to process your request unless it is clearly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse the request.

10. Security Measures

We implement comprehensive technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

10.1 Technical Security Measures

  • Encryption: Data is encrypted in transit (using TLS 1.2 or higher) and at rest (using AES-256 or equivalent)
  • Access controls: Role-based access controls and multi-factor authentication
  • Network security: Firewalls, intrusion detection/prevention systems, DDoS protection
  • Secure development: Security testing, code reviews, vulnerability scanning
  • Data segregation: Logical separation of merchant and customer data
  • Backup and recovery: Regular encrypted backups with tested recovery procedures

10.2 Organizational Security Measures

  • Data protection policies: Comprehensive internal policies and procedures
  • Staff training: Regular security and privacy training for all personnel
  • Access management: Strict controls on who can access personal data and audit logs
  • Vendor management: Due diligence and contractual protections for third-party processors
  • Incident response: Documented procedures for detecting, responding to, and reporting security incidents
  • Privacy by design: Privacy considerations integrated into system design and development

10.3 Payment Security

While we are not a payment processor ourselves, we work with PCI DSS-compliant payment partners and implement security measures aligned with PCI DSS standards to protect payment information.

10.4 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk
  • Provide information about the nature of the breach and measures taken to address it

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide, improve, and secure our Services.

11.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help us recognize your device and remember information about your visit.

11.2 Types of Cookies We Use

  • Strictly necessary cookies: Essential for the operation of our Services (e.g., authentication, security)
  • Performance cookies: Help us understand how you use our Services to improve performance
  • Functionality cookies: Remember your preferences and settings
  • Analytics cookies: Provide statistical information about Service usage
  • Marketing cookies: Deliver relevant advertisements and measure campaign effectiveness (with consent)

11.3 Cookie Policy

For detailed information about the cookies we use, how we use them, and how to manage your cookie preferences, please see our Cookie Policy [link to be inserted].

11.4 Managing Cookies

You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Services.

12. Children’s Privacy

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children.

If you are under 18, you may not register for or use our Services. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information.

If you believe we have collected information from a child, please contact us at privacy@dominaite.com.

13. Merchant Responsibilities for Customer Data

13.1 Merchant as Data Controller

When you use our Services to collect and manage your customers’ personal data:

  • You are the data controller for your customer data
  • dominaite acts as a data processor processing customer data on your behalf

13.2 Your Obligations

As a merchant using our platform, you are responsible for:

  • Providing your customers with a privacy notice explaining how you collect and use their data
  • Obtaining necessary consents from customers where required
  • Ensuring you have a lawful basis for processing customer data
  • Honoring customer data protection rights (access, deletion, etc.)
  • Complying with applicable data protection laws in your jurisdiction

13.3 Data Processing Agreement

The terms governing our processing of customer data on your behalf are set out in Section 8 (Data Protection) of our General Terms and Conditions, which incorporates data processing terms compliant with GDPR Article 28.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features.

15.1 How We Notify You

We will notify you of material changes by:

  • Posting the updated Privacy Policy on our website with a new "Last Updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice in your account dashboard

15.2 Effective Date of Changes

Changes will become effective on the date specified in the updated Privacy Policy. Your continued use of our Services after the effective date constitutes acceptance of the updated Privacy Policy.

15.3 Version History

We maintain a record of previous versions of this Privacy Policy. You may request access to previous versions by contacting privacy@dominaite.com.

16. Contact Us and Complaints

16.1 Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

dominaite - Data Protection
Dominaite EOOD
str. Dr. Miron Ignatiev No. 11, fl. 2, ap. 4
Primorski, 9010 Varna
Bulgaria

16.2 Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates data protection law.

The supervisory authority in Bulgaria is:

  • Commission for Personal Data Protection (CPDP)
  • Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
  • Phone: +359 2 915 3 518
  • Email: kzld@cpdp.bg
  • Website: www.cpdp.bg

If you are located in another EU member state, you may also contact the supervisory authority in your country of residence or work.

16.3 Our Commitment

We are committed to resolving any privacy concerns you may have. Please contact us first, and we will work with you to address your concerns promptly and fairly.

17. Definitions and Interpretation

17.1 Key Terms

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion
  • Data Controller: The entity that determines the purposes and means of the processing of personal data
  • Data Processor: The entity that processes personal data on behalf of the controller
  • GDPR: General Data Protection Regulation (EU) 2016/679

17.2 Interpretation

References to "you" and "your" refer to the individual or entity using our Services. Headings are for convenience only and do not affect interpretation.