Unramp

Legal

Privacy and Cookie Policy

unramp.com and sub-sites

This Privacy and Cookie Policy (the "Privacy Policy") applies to personal data and the use of cookie files and analogous technologies on the unramp.com website and its sub-sites, including buy.unramp.com and app.unramp.com, as well as the mobile versions thereof (together, the "Platform").

This Privacy Policy is prepared in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation — "GDPR") and the Bulgarian Personal Data Protection Act (Закон за защита на личните данни — "PDPA"), as in force from time to time. It also takes into account the guidance issued by the European Data Protection Board ("EDPB") and the relevant decisions of the Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни — "CPDP") applicable as at the time of this revision. It further reflects the applicable requirements of the Bulgarian Electronic Commerce Act (Закон за електронната търговия — "ZEC") regarding cookies and the ePrivacy Directive (2002/58/EC). It explains how and why we process your personal data and how you can exercise your rights.

This Privacy Policy explains how we process your personal data, the legal bases on which we do so, and the rights you have in connection with that processing. Where processing is based on your consent, we will ask for it separately and specifically. For processing based on other legal grounds (such as performance of a contract, compliance with a legal obligation, or our legitimate interests), this Privacy Policy serves as the information notice required under Articles 13 and 14 GDPR.

1. Personal Data Controller

The controller of your personal data is:

Unramp OOD

22 San Stefano Street, San Stefano Plaza, entrance B, 5th floor, office 16

City of Sofia 1504, Bulgaria

Unified Identification Code (UIC) / Company number: 207160415

Legal Entity Identifier (LEI): 984500JI09A3E8E14415

(hereinafter the "Company" or "we").

Data Protection contact email: [email protected]

2. Contact

For any questions related to the processing of your personal data or to exercise the rights described in this Privacy Policy, you can contact us at:

Email: [email protected]

Postal address: Unramp OOD, 22 San Stefano Street, San Stefano Plaza, entrance B, 5th floor, office 16, City of Sofia 1504, Bulgaria.

Data Protection contact email: [email protected]

You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) or with the supervisory authority of the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement.

Commission for Personal Data Protection (CPDP)

2 Prof. Tsvetan Lazarov Boulevard, Sofia 1592, Bulgaria

[email protected]

www.cpdp.bg

3. Categories of Personal Data

A. Personal data processed in connection with the Services provided

Categories of data

In order to provide you with the Services available through the Platform, we process the following categories of personal data:

• Identification data (e.g. name, surname, nationality, unique identifiers where required by law).

• Address data (e.g. residential address, correspondence address, country of residence).

• Contact data (e.g. email address, telephone number).

• Payment-related data (e.g. payment card details in tokenised or masked form via our payment processors, cryptocurrency wallet addresses used to carry out operations through the Platform).

• AML/KYC data including in particular: date and place of birth, nationality, copies of and data from identification documents, beneficial ownership information, Source of Funds / Source of Wealth documentation, information obtained from sanctions and PEP screening, adverse-media results, and other data required under applicable AML/CFT laws and our AML/KYC policy.

• Service-related data such as transaction history, details of purchases of crypto-assets, communication history with customer support, and data related to security events (e.g. failed authentication attempts during the transaction flow, fraud alerts), as well as records of your consent decisions and preference settings stored for compliance and audit purposes.

We only collect data that is proportionate, relevant and limited to what is necessary in relation to the purposes for which it is processed (the data-minimisation principle).

Purposes of processing

We process the above data for the following purposes:

• Provision of the Services through the Platform, including processing of purchases and transactions, and servicing your use of the Platform.

• Compliance with legal obligations relating to AML/CFT, sanctions, tax, accounting and other applicable regulations (including Regulation (EU) 2023/1114 (MiCA) and Regulation (EU) 2023/1113 (Transfer of Funds Regulation)).

• Customer support and the handling of complaints, requests and inquiries.

• Tailoring the Services to your needs, including adjusting interface display and functions to your device, settings and preferences where legally permissible.

• Ensuring the security and integrity of the Platform and the Services, including authentication, fraud prevention, monitoring and incident management.

• Communication with you in connection with the provided Services, including service messages, important notices and updates to our terms and policies.

• General relationship management.

• Establishment, exercise and defence of legal claims and participation in proceedings related to the provision of the Services.

We process your personal data on the following legal grounds:

• Performance of a contract or taking steps at your request prior to entering into a contract, in particular for the provision of the Services (Article 6(1)(b) GDPR).

• Compliance with legal obligations (Article 6(1)(c) GDPR), in particular obligations arising from: anti-money-laundering and counter-terrorist-financing legislation (retention and verification of customer due diligence information for at least 5 years from the date of the relevant transaction or from the date of an occasional transaction); tax and accounting rules (storage of accounting documents for up to 10 years from 1 January of the year following the reporting period, pursuant to the Bulgarian Accountancy Act); obligations arising from MiCA and its delegated and implementing acts; and other applicable EU and national laws.

• Our legitimate interests (Article 6(1)(f) GDPR), consisting in: ensuring security and preventing fraud and abuse; processing and resolving complaints; improving and optimising the Platform and the Services; establishing, exercising and defending legal claims; and carrying out business analytics and internal reporting, to the extent that such interests are not overridden by your rights and freedoms. We document the balancing of our legitimate interests against your rights and freedoms, and we can provide you with a summary of the relevant balancing test upon request.

Where required by law (for example, for certain optional features), we will ask for your consent separately.

B. Personal data processed for marketing purposes

Categories of data

If you express interest in our Services (for example, by submitting a contact form, subscribing to a newsletter, or ticking a marketing-consent box), we process the following categories of personal data: name and surname; email address and/or telephone number; information about your role, company or area of interest, if provided; personal data that you may disclose in messages addressed to the Company; and technical and interaction data relating to marketing communications (e.g. open and click-through rates), where legally permitted.

Purposes of processing

• Answering contact requests and providing information about our Services.

• Sending marketing communications and materials (e.g. newsletters, product updates, promotions), including personalised offers where lawful.

• Managing your marketing preferences and consents.

We process this data on the following legal grounds:

• Your consent (Article 6(1)(a) GDPR), where we send you electronic marketing communications and where this is required by law. You may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

• Our legitimate interest (Article 6(1)(f) GDPR) in promoting and developing our Services, in cases where applicable law allows us to send marketing communications without consent (e.g. soft opt-in for existing customers), subject to your right to object at any time.

You can withdraw your consent or object to marketing at any time using the unsubscribe link in our emails or by contacting us using the details in Section 2.

C. Other data and technical information

We may process data in connection with communication via social-media channels (e.g. messages received through official company profiles). In such cases, we process personal data provided through the social-media platform solely for communication, customer support and direct marketing of our Services (where lawful).

We also process certain information that may, depending on the circumstances, constitute personal data: IP address and other identifiers of your device or connection; information on your activity on the Platform (session identifiers, timestamps, interaction data); technical information regarding the device and software used (e.g. browser type and version, operating system, language settings); information from error logs and performance metrics; and mobile device identification numbers and other identifiers, where applicable.

This information is used to keep statistics and analyse how the Platform is used, to adapt the Platform to your preferences, to ensure security and detect fraud, and to ensure the stability and reliability of our IT systems. The legal basis is our legitimate interest (Article 6(1)(f) GDPR) in improving the operation of the Platform and preventing and detecting fraud.

4. Sharing of Personal Data

We only share your personal data where this is necessary and lawful.

4.1 Processors acting on our behalf

We may entrust the processing of your personal data to entities acting on our behalf as processors. Such processing is carried out exclusively on the basis of a written data-processing agreement meeting the requirements of Article 28 GDPR, and in accordance with documented instructions from the Company. We select processors carefully and require them to implement appropriate technical and organisational measures to protect your data.

4.2 Named processors handling sensitive categories of data

Because of the particular sensitivity of identification, AML/KYC and payment-related data, we identify below the principal processors to which such categories of personal data may be disclosed in connection with the provision of the Services. Each of the entities listed below acts as a processor for Unramp under a written data-processing agreement; where the entity uses its own sub-processors, the list of approved sub-processors is available on request.

| Entity (legal name, seat, registration) | Role | Categories of personal data processed | Data location / transfer basis |
| --- | --- | --- | --- |
| Sum and Substance Ltd ("Sumsub"), 30 St. Mary Axe, London EC3A 8BF, United Kingdom; company number 09688671. | KYC / AML identity verification. | Identification data; address data; AML/KYC data (date and place of birth, nationality, copies and data from identification documents, beneficial ownership information, Source of Funds / Source of Wealth documentation, PEP and sanctions screening outcomes, adverse-media results). | United Kingdom (and EU sub-processing). Transfers to the UK are made in reliance on the European Commission's adequacy decision for the United Kingdom of 28 June 2021 (Decision (EU) 2021/1772). |
| Elliptic Enterprises Limited, 1 Northumberland Avenue, Trafalgar Square, London WC2N 5BW, United Kingdom; company number 08458210. | Wallet-address screening; on-chain analytics; Transfer-of-Funds Regulation (Reg. (EU) 2023/1113) support. | Payment-related data (in particular cryptocurrency wallet addresses); service-related data (transaction details necessary for screening); AML/KYC outcomes relating to the customer's destination wallet. | United Kingdom (and EU sub-processing). Transfers to the UK are made in reliance on the European Commission's adequacy decision for the United Kingdom of 28 June 2021 (Decision (EU) 2021/1772). |
| Hawk AI GmbH, Friedenstraße 22B/i3, 81671 Munich, Germany; commercial register Munich HRB 247534. | Transaction monitoring; ongoing PEP and sanctions screening; AML rule-engine. | Identification data; payment-related data; service-related data; AML/KYC data (PEP and sanctions screening outcomes, transaction patterns and rule-engine outcomes). | European Economic Area (Germany / EU). |
| Mangopay Poland sp. z o.o. (operating under the Nethone brand), ul. Marszałkowska 126/134, 00-008 Warsaw, Poland; KRS 0000635459; NIP 5223070603. | Transaction-level fraud prevention (device fingerprinting, behavioural risk scoring, transaction-risk-analysis under PSD2 SCA). | Payment-related data (in tokenised / masked form via the payment processor); service-related data (device, session and behavioural data); identification data (where required for fraud-investigation). | European Economic Area (Poland). Mangopay Poland sp. z o.o. uses authorised sub-processors, some of which may transfer personal data outside the EEA on the basis of EU Standard Contractual Clauses (in particular IPQS LLC and Ekata, Inc. — both established in the United States); the full sub-processor list is available on request. |
| Straal sp. z o.o., Plac Europejski 1/40, 00-844, Warsaw, Poland; KRS 0000523320; NIP 7010418414. | Card-payment processing and gateway routing. The sole processor of payment card data (card details in tokenised or masked form) in connection with card-funded transactions on the Platform. | Payment-related data (payment card details in tokenised / masked form); identification data and contact data as required for transaction routing. | European Economic Area (Poland). |
| Fireblocks Inc., 251 Little Falls Drive, Wilmington, Delaware 19808, United States of America; together with Fireblocks Limited, 3 Daniel Frisch Street, Tel Aviv, Israel, where applicable. | MPC-based custody and transaction signing for the Company's own treasury wallets used to settle customer purchases. | Payment-related data (cryptocurrency wallet addresses associated with customer transactions); limited service-related data necessary for transaction signing and reconciliation. | United States and European Union data centres. Transfers to the United States are made on the basis of the EU-US Data Privacy Framework Adequacy Decision of 10 July 2023 (Commission Implementing Decision (EU) 2023/1795), where the recipient is self-certified, or otherwise on the basis of EU Standard Contractual Clauses (Module 2 — controller to processor) with supplementary measures. |

This table identifies the principal processors handling sensitive categories of personal data on our behalf as at the time of publication of this Privacy Policy. We may from time to time replace, add or remove processors; the current version of the list is available on request to [email protected].

4.3 Categories of other processors

We also engage processors that do not, in the ordinary course, receive sensitive categories of personal data (identification, AML/KYC and payment-related data), but that may process limited identifiers, contact data, technical data or service-related data. These processors include:

• Cloud and hosting infrastructure providers — for the secure hosting, storage and processing of Platform data (in particular Amazon Web Services EMEA SARL, established in Luxembourg, providing infrastructure in the European Union; and managed-database providers operating within the same EU regions).

• Content-delivery, perimeter-security and DDoS-mitigation providers — for the performance, availability and security of the Platform.

• Customer-relationship-management and customer-support tools — for the management of customer enquiries, complaints and support tickets.

• Email, communication and notification providers — for the transmission of service messages, notifications and (where you have consented) marketing communications.

• Analytics and website-statistics providers — in particular Google Analytics, used to analyse aggregate Platform usage; activated only where you have given consent through our cookie banner (see Section 11).

• Technical cookie-management and consent-platform providers — for managing your cookie preferences and recording consent decisions.

• Reference market-data providers — for the supply of crypto-asset and FX reference rates.

• Professional advisers — including external legal counsel, accountants and auditors, retained by Unramp under appropriate confidentiality obligations.

A current list naming each of these processors is available on request to [email protected]. Where any of these processors transfers personal data to a country outside the EEA, the transfer is governed by an appropriate safeguard as described in Section 5.

4.4 Disclosures to competent public authorities

We may share your personal data with competent public authorities (in particular law-enforcement authorities, courts, regulators, tax authorities, the Bulgarian Financial Intelligence Directorate of the State Agency for National Security, the Bulgarian Financial Supervision Commission, and the equivalent authorities of other EU/EEA Member States) where they request it and where there is a valid legal basis for disclosure (such as a court order, an administrative decision, or a statutory reporting obligation). Where legally permitted, we will notify you of such a disclosure request before complying with it.

4.5 Other recipients

We may share your personal data with our auditors, banking partners and other professional advisers under appropriate confidentiality and contractual obligations, where necessary for the management of our business and the fulfilment of our regulatory obligations.

Upon request to [email protected], we can provide you with an up-to-date consolidated list of the categories of processors and recipients of your personal data.

5. Transfer of Personal Data to Third Countries

Your personal data may be transferred to countries outside the European Economic Area ("EEA") in connection with the provision of the Services (for example, where a processor or a sub-processor is established outside the EEA, or in connection with communications with cryptocurrency exchanges, blockchain analytics providers or custodians of crypto-assets that may be based outside the EEA).

Where transfers to third countries occur, we ensure that an adequate level of data protection is provided by applying one or more of the following safeguards:

5.1 Transfers to the United Kingdom

Transfers to entities established in the United Kingdom (including Sum and Substance Ltd and Elliptic Enterprises Limited as identified in Section 4) are made in reliance on the European Commission's adequacy decision for the United Kingdom of 28 June 2021 (Commission Implementing Decision (EU) 2021/1772).

5.2 Transfers to the United States

Transfers to entities established in the United States (including, where applicable, Fireblocks Inc. as identified in Section 4, the sub-processors of Mangopay Poland sp. z o.o. located in the United States, and certain analytics, cloud-security and infrastructure providers) are made on the basis of one of the following safeguards, in the following order of preference:

• the EU-US Data Privacy Framework Adequacy Decision of 10 July 2023 (Commission Implementing Decision (EU) 2023/1795), where the recipient is self-certified to the framework; or

• Standard Contractual Clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914 (Module 2 — controller to processor; Module 3 — processor to sub-processor; as applicable), supplemented where necessary by additional technical, contractual and organisational measures in line with the EDPB's recommendations on supplementary measures.

5.3 Other third-country transfers

Transfers to any other third country are made on the basis of one of the following safeguards: (a) an adequacy decision adopted by the European Commission; (b) Standard Contractual Clauses approved by the European Commission, supplemented by appropriate technical, contractual and organisational measures; (c) binding corporate rules; or (d) such other appropriate safeguards as are recognised under Chapter V of the GDPR.

Upon request to [email protected], we can provide additional information about the specific safeguards in place for a given transfer and, where applicable, a copy of the relevant standard contractual clauses (which may be redacted to protect commercial confidentiality).

6. Retention of Personal Data

We store your personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. In particular:

• AML/KYC data: for at least 5 years from the end of the relevant transaction, and longer where required under AML/CFT legislation.

• Accounting and tax-related documents: for up to 10 years from 1 January of the year following the reporting period, in accordance with the Bulgarian Accountancy Act (Закон за счетоводството).

• Records required under MiCA: for the periods required under Article 68(9) and the related delegated and implementing acts, currently 5 years (extendable to 7 years on supervisor request).

• Data for legal claims: for the duration of the relevant limitation periods under the applicable civil, commercial and administrative laws.

• Marketing data: until you withdraw your consent or effectively object. We may retain limited information (e.g. email address and an opt-out record) solely to document that you have opted out and to respect your preferences.

• Data processed on the basis of consent: until you withdraw your consent, unless a longer retention period is required by law or justified by our legitimate interests.

• System logs and technical operational data: up to 30 days, unless a longer period is required for security-incident investigation or legal purposes.

After the relevant retention periods expire, we delete or irreversibly anonymise your personal data. We periodically review the data we hold to ensure that it is up to date and not retained for longer than necessary.

7. Your Rights

In connection with our processing of your personal data, you have the following rights under the GDPR and the PDPA:

• Right of access — to obtain confirmation as to whether we process your personal data and, if so, to obtain a copy of the data and information about the processing.

• Right to rectification — to have inaccurate or incomplete personal data corrected or completed.

• Right to erasure ("right to be forgotten") — to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent and there is no other legal basis, or where you have objected and there are no overriding legitimate grounds. This right is subject to limitations where processing is required by law (for example, by AML/CFT or tax obligations).

• Right to restriction of processing — to request that we limit the processing of your data in certain cases.

• Right to data portability — to receive personal data you have provided to us in a structured, commonly used and machine-readable format, where processing is based on consent or contract and carried out by automated means.

• Right to object — to object at any time to processing based on our legitimate interests (including profiling), and to object at any time to processing for direct-marketing purposes.

• Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

• Right to lodge a complaint — with the CPDP or another competent supervisory authority if you consider that the processing of your personal data infringes the GDPR or applicable national law.

• Right not to be subject to solely automated decisions — where we make any decision based solely on automated processing that produces legal or similarly significant effects, you have the right to request human review, to express your point of view, and to contest the decision (see Section 10 for further information).

We respond to your requests without undue delay and in any event within one month of receipt. This period may be extended by two further months where necessary; in such cases, we will inform you of the extension and the reasons for it. Exercising your rights is, in principle, free of charge.

To exercise your rights, please contact us using the details in Section 2 above.

8. Source of Data

In some cases, we may obtain your personal data from sources other than you. These sources may include: your legal representative or attorney; a principal in the case of a power of attorney granted by you; business partners involved in a transaction or in Services you use; publicly available registers and databases (such as commercial registers, sanctions and PEP lists); and providers of identity-verification, sanctions-screening, fraud-prevention and blockchain-analytics services (in particular the processors identified in Section 4.2).

Where we have obtained your personal data from a third party and are required to do so under Article 14 GDPR, we will inform you of this within one month of obtaining your data, or at the time of first contact with you, whichever is earlier, unless an exemption applies.

9. Requirement to Provide Data

The provision of your personal data may be:

• Required by law and/or necessary to conclude and perform the agreement — in particular for identification, AML/KYC checks and transaction processing. Failure to provide such data will prevent us from entering into or performing the agreement and from providing the Services.

• Necessary for the proper functioning of the Platform — some technical and usage data are necessary for the Platform to operate properly and securely. Failure to provide such data (for example, by disabling all cookies or blocking certain scripts) may result in limited or no access to certain functionalities.

• Necessary for processing complaints, requests or appeals — failure to provide the relevant contact and identification details may make it impossible to process your complaint or request.

• Voluntary for marketing and optional features — the provision of data for marketing communications is voluntary. If you do not provide such data or do not give consent (where required), you will not receive marketing materials, but this will not affect your ability to use the core Services.

10. Automated Decision-Making, Including Profiling

In connection with our regulatory obligations to prevent money laundering, terrorist financing, sanctions evasion and fraud, and to comply with the Transfer of Funds Regulation (Regulation (EU) 2023/1113), we operate automated controls that screen each transaction in real time against AML/CFT and sanctions criteria and against on-chain risk indicators.

Where the automated controls determine that a transaction does not meet our compliance criteria (for example, a positive sanctions or PEP hit, an elevated on-chain risk score above our policy threshold, or a profile inconsistent with the customer's stated source of funds), the transaction is automatically rejected and any fiat received is refunded to the original payment instrument. We consider that such an automatic rejection may constitute a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

The legal basis for such automated decisions is:

• compliance with our legal obligations under EU and Bulgarian AML/CFT, sanctions, MiCA and Transfer of Funds Regulation requirements (Article 6(1)(c) GDPR and Article 22(2)(b) GDPR — authorised by Union or Member State law); and

• the performance of the contract between you and the Company (Article 6(1)(b) GDPR and Article 22(2)(a) GDPR — necessary for entering into or performing the contract for the provision of the Services), in particular as regards automated rejections triggered by fraud-prevention controls.

To safeguard your rights, freedoms and legitimate interests, we implement the following measures:

• The scope of the automated decision is limited to the rejection of a transaction and the consequential refund of any fiat received to your original payment instrument. The automated decision does not commit you to any obligation, and does not produce adverse consequences beyond the rejection of the relevant transaction.

• The underlying rules, thresholds and risk policies are reviewed periodically by our compliance function (and, where relevant, validated independently) for accuracy, relevance and proportionality.

• You have the right to request human intervention from our compliance function, to express your point of view, and to contest the decision. Requests should be addressed to [email protected] or to the customer-support contact in Section 2; we aim to respond without undue delay and in any event within one month of receipt.

• You have the right to obtain meaningful information about the logic involved in the automated decision and the envisaged consequences, subject to such limitations as are necessary to protect the confidentiality of our AML/CFT controls and the operation of any sanctions or AML investigation.

Beyond the automated controls described above, the Company may carry out limited profiling for purposes such as tailoring marketing communications, where permitted by law and based on your consent or our legitimate interest. Such profiling does not produce legal effects or similarly significantly affect you, and you have the right to object at any time.

If in the future we introduce automated decision-making that produces legal or similarly significant effects in a way not described above, we will provide you with specific information about the logic involved and the envisaged consequences, and ensure that the safeguards required by the GDPR and the PDPA are in place.

11. Miscellaneous Provisions

We reserve the right to make changes to this Privacy Policy due to developments in Internet technologies, changes in data-protection or other applicable laws, and the future development of our Platform and Services. We will inform you of any material changes in a visible and comprehensible manner, for example via a notice on the Platform or by email, where appropriate.

Our Services are not directed at children under the age of 18, and we do not knowingly collect personal data from children under that age. If we become aware that we have collected personal data of a child under 18 without appropriate consent, we will take steps to delete such data without undue delay.

Links to other websites may be visible on the Platform. Such websites operate independently and are not supervised by the Company. We are not responsible for the privacy practices of such external sites.

12. Security of Personal Data

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures include in particular:

• encryption of data in transit and at rest, where appropriate;

• logical and physical access controls based on the need-to-know principle;

• segmentation and protection of network infrastructure;

• regular testing, assessment and evaluation of the effectiveness of technical and organisational measures;

• secure development and maintenance practices for our IT systems;

• incident-response and business-continuity procedures, including a documented personal-data-breach response procedure in accordance with Articles 33 and 34 GDPR.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where the risk is high, also inform you directly.

13. Cookies Policy

This Cookies Policy forms an integral part of the Privacy Policy. It explains how cookies and similar technologies are used on the Platform, what information is collected through them, and how you can manage your preferences.

We may amend this Cookies Policy from time to time, in particular due to developments in Internet technology and changes in applicable law. We will inform you of material changes, for example via a banner or notice on the Platform.

13.1 General provisions

The Platform uses cookies and similar technologies to obtain information about the customer and their behaviour, and to support the proper functioning and improvement of the Platform.

Information about the customer is obtained in particular through: (a) saving cookies on the customer's terminal equipment (e.g. computer, smartphone, tablet); (b) collecting web-server logs on the server managed on behalf of the Company; (c) using similar technologies (e.g. local storage, pixels), where applicable.

Personal data collected using cookies and similar technologies is processed only for the purposes specified in this Cookies Policy and in the Privacy Policy, and is protected using appropriate technical and organisational measures, including encryption and access controls.

Cookies allow, in particular, the recognition of the customer's device and the display of the Platform appropriately adapted to the customer's individual preferences, including language and settings.

13.2 Purpose of using cookies

Cookies and similar technologies are used in particular to:

• adapt the content of the Platform to the customer's preferences and end-device and to optimise the use of the Platform;

• create anonymous, aggregated statistics that help us to understand how customers use the Platform, which allows us to improve its structure and content and to detect errors;

• maintain the state of the customer's session during a transaction (for example, remembering the steps already completed in the transaction flow, so that the customer does not have to restart from the beginning);

• ensure the security and integrity of the Platform, including the prevention of misuse and fraud, and supporting authentication and access-control mechanisms.

Legal bases:

• Essential cookies: for cookies that are strictly necessary for the provision of the service explicitly requested by the customer (e.g. essential session cookies), the legal basis is our legitimate interest in ensuring the proper functioning and security of the Platform (Article 6(1)(f) GDPR), and the cookies are considered strictly necessary within the meaning of Article 4a of the Bulgarian Electronic Commerce Act.

• Non-essential cookies: for all other cookies (e.g. analytics, functional non-essential, advertising), the legal basis is your consent (Article 6(1)(a) GDPR and Article 4a of the Bulgarian Electronic Commerce Act). Such cookies will only be used if you have given consent via the cookie banner or settings. You may withdraw your consent at any time.

13.3 Types of cookies

The Company uses two basic types of cookies: session cookies, which are temporary files deleted when the customer closes the browser; and persistent cookies, which remain on the customer's device for a specified period or until manually deleted.

By category of necessity, we use:

• Essential cookies — absolutely necessary for the proper functioning of the Platform (e.g. maintaining transaction session state, remembering privacy settings and cookie preferences). Without them, the Platform may not function correctly.

• Functional cookies — enrich the functionality and personalisation of the Platform. Without them, the Platform will work properly but may not be tailored to the customer's preferences.

• Analytics cookies — help us to collect information about how customers use the Platform (e.g. which pages are visited, how long, which links are clicked), allowing us to improve the Services and compile aggregate statistics. In particular, we use Google Analytics, supplied by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), with Google LLC (1600 Amphitheatre Parkway, Mountain View, California 94043, United States) as its sub-processor where applicable.

• Advertising and remarketing cookies — used to display more relevant advertisements on third-party websites or to measure the effectiveness of advertising campaigns, where lawful and based on your consent.

By source, cookies may be: first-party (placed directly by the Company); or third-party (placed by entities such as analytics, advertising or security service providers — including Google Analytics).

Details of the cookies currently in use and their parameters (names, duration, providers, purposes) are provided in the cookie table accessible via the cookie banner on the Platform.

13.4 Management and deletion of cookies

The storage of, and access to, cookies that are not strictly necessary is based on the customer's consent, obtained through the cookie banner on the Platform.

The customer may, at any time and without detriment, withdraw consent to non-essential cookies or change preferences through:

• the cookie-management tool or banner provided on the Platform;

• relevant browser or device settings (e.g. clearing cookies, enabling "Do Not Track").

Restricting or disabling cookies may affect some of the functionalities available through the Platform, in particular those that rely on cookies to operate properly (e.g. maintaining logged-in sessions, remembering preferences). The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

13.5 System logs

Information about certain behaviour of the customer is subject to logging at the server layer (system logs). This data is used solely for the purpose of administering the Platform, ensuring the most efficient operation of hosting services, and for security purposes.

The record may include in particular: the time of arrival of the request; the time of sending the response; the name of the customer's station or identifier; information about errors that occurred during the HTTPS transaction; the URL of the page previously visited by the customer (referrer link); information about the customer's browser and device; and IP-address information.

As a rule, the above data is not associated with specific individuals and is used solely for server administration, security, incident investigation and statistical purposes. Where such data constitutes personal data, it is processed on the basis of our legitimate interest (Article 6(1)(f) GDPR) and retained for no longer than necessary, typically up to 30 days, unless a longer period is required for security-incident investigation or legal purposes.

Questions about this Privacy Policy: [email protected] | unramp.com — Document owner: Unramp OOD — Compliance / Data Protection