Contents
3. What Personal Data We Collect
4. Legal Grounds for Processing
1. Introduction
Mercatus Ltd. (“Mercatus“, “we“, “our“, “the Company“) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website https://mercatusoutsourcing.com or communicate with us.
We process your personal data in accordance with:
– Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), and
– The Bulgarian Personal Data Protection Act (PDPA) and related national legislation.
2. Data Controller
Mercatus Ltd.
UIC: 200873063
Registered address: Sofia 1407, “Lozenets” district, 2 Plachkovitsa Str., fl. 4, ap. 23
Email: info@mercatusoutsourcing.com
If you have any questions about this policy or your personal data, you can contact our Data Protection Officer (DPO) at the above email.
3. What Personal Data We Collect
We only collect the minimum data necessary to provide and improve our services.
- Identity Data: First name, last name
- Contact Data: Email address, telephone number
- Usage & Technical Data: IP address, browser type, device information, cookies
- Inquiry Data: Information voluntarily provided when contacting us through forms or email
- Cookies Data: Data collected via cookies or similar technologies (see Section 9 below)
We do not intentionally collect special categories of personal data (such as health, religion, or biometrics). If such data is inadvertently received, it is deleted immediately.
4. Legal Grounds for Processing
We process your personal data only when one or more of the following legal bases apply:
- Contract (Art. 6(1)(b) GDPR): When processing is necessary to provide a service or respond to an inquiry.
- Consent (Art. 6(1)(a) GDPR): When you have given explicit consent (e.g., newsletter, contact forms).
- Legitimate Interest (Art. 6(1)(f) GDPR): When processing is required for website operation, fraud prevention, or business development, provided your interests are not overridden.
- Legal Obligation (Art. 6(1)(c) GDPR): When we are required to keep records or cooperate with authorities.
You can withdraw your consent at any time by emailing info@mercatusoutsourcing.com.
5. Purpose of Processing
- Providing and maintaining website functionality;
- Responding to inquiries and customer support requests;
- Managing contracts and business relationships;
- Conducting lawful marketing activities (with your consent);
- Ensuring IT and data security;
- Fulfilling legal or regulatory obligations.
We do not use your data for automated decision-making or profiling.
6. Retention Periods
- Contact & Inquiry Data: Up to 3 years from last communication
- Contractual Data: Up to 7 years after contract termination (accounting/legal requirements)
- Marketing / Newsletter Data: Until you withdraw consent or 3 years of inactivity
- Technical & Log Data: Up to 12 months for security and analytics
- Cookies: As specified in the Cookie Policy (see Section 9)
After these periods, data is securely deleted or anonymised.
7. Data Sharing and Transfers
We only share your data when necessary and under strict controls:
- Service Providers: IT maintenance, hosting, analytics, CRM or marketing software under written data processing agreements.
- Authorities: When legally required by Bulgarian or EU law.
We do not sell personal data.
If data must be transferred outside the EU / EEA, we ensure adequate protection using: the EU Standard Contractual Clauses (SCCs) approved by the European Commission; or transfers to countries with an adequacy decision by the European Commission.
8. Your Rights
You have the following rights under GDPR and the PDPA:
- Access – to obtain a copy of your personal data.
- Rectification – to correct inaccurate or incomplete data.
- Erasure (“Right to be Forgotten”) – to request deletion when lawful.
- Restriction – to limit processing under certain conditions.
- Data Portability – to receive data in a machine-readable format.
- Objection – to processing based on legitimate interest or for direct marketing.
- Withdraw Consent – at any time without affecting prior lawful processing.
To exercise any of these rights, email info@mercatusoutsourcing.com or send a written request to our address above. We may ask for proof of identity before processing your request.
If you believe your data rights have been violated, you may contact the Bulgarian Commission for Personal Data Protection: Website: www.cpdp.bg/en | Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
9. Cookies
Our website uses cookies to:
- Ensure website functionality;
- Analyse traffic and improve performance;
- Remember your preferences.
Types of cookies used:
- Essential cookies – required for basic functionality;
- Analytics cookies – anonymous statistics on usage;
- Marketing cookies – only with consent.
You can manage or delete cookies at any time through your browser settings. Full details are available in our Cookie Policy.
10. Data Security
We apply appropriate technical and organisational measures to protect your personal data, including: encryption and secure transmission (SSL/TLS); access controls and confidentiality agreements; regular security audits and data protection training.
11. Data Breach Notification
In case of a personal data breach, Mercatus will notify the Commission for Personal Data Protection within 72 hours (as required by GDPR Article 33), and inform affected individuals without undue delay if the breach poses a high risk to their rights and freedoms.
12. Children’s Data
Our website and services are not directed at individuals under 16 years of age, and we do not knowingly collect data from minors. If you believe we have collected data from a child, please contact us at info@mercatusoutsourcing.com to delete it.
13. Changes to This Policy
We may update this Privacy Policy periodically to reflect legal or operational changes. The latest version will always be available on our website, with the “Last Updated” date shown at the top. If the changes are significant, we will notify users via email or on the website homepage.