Privacy Policy

Last updated: 10 March 2026

1. Introduction

This Privacy Policy explains how Encorp Bulgaria Ltd (Енкорп България ООД), CID 207883658, VAT BG207883658, with registered address at Simeonovsko shose 33, 1700 Sofia, Bulgaria ("Encorp AI", "we", "us", or "our"), collects, uses, stores, and protects your personal data when you use the Encorp AI client portal at portal.encorp.ai (the "Service").

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Bulgarian Personal Data Protection Act (Закон за защита на личните данни, "ЗЗЛД"). This policy is designed to help you understand what data we collect, why we collect it, and how you can exercise your rights.

2. Data Controller

The data controller responsible for your personal data is:

  • Company: Encorp Bulgaria Ltd (Енкорп България ООД)
  • CID: 207883658
  • VAT: BG207883658
  • Address: Simeonovsko shose 33, 1700 Sofia, Bulgaria
  • Email: hi@encorp.ai
  • Manager: Martin Kuvandzhiev

3. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Account Information

  • Full name
  • Email address
  • Company name and details
  • Password (stored in hashed form only)

3.2 Billing and Payment Data

  • Billing address
  • Payment method details (processed by our payment service provider; we do not store full card numbers)
  • Invoicing history and transaction records

3.3 Usage and Technical Data

  • API usage statistics (request counts, token usage, model selection)
  • IP address and approximate geolocation
  • Browser type and version, device type, operating system
  • Access timestamps and session duration
  • Pages visited within the Service

3.4 Communication Data

  • Support ticket content and correspondence
  • Feedback and survey responses

Important: Encorp AI operates as a secure AI gateway with a zero-retention policy for AI request and response content. We do not store, log, or retain the content of your API requests or the responses generated by third-party AI models.

4. Purposes and Legal Basis for Processing

We process your personal data for the following purposes and under the corresponding legal bases as defined in Article 6(1) of the GDPR:

PurposeLegal Basis
Account creation and authenticationPerformance of a contract (Art. 6(1)(b))
Service delivery and API access managementPerformance of a contract (Art. 6(1)(b))
Billing, invoicing, and payment processingPerformance of a contract (Art. 6(1)(b))
Usage analytics and service improvementLegitimate interest (Art. 6(1)(f))
Customer supportPerformance of a contract (Art. 6(1)(b))
Security monitoring and fraud preventionLegitimate interest (Art. 6(1)(f))
Compliance with legal obligations (tax, accounting)Legal obligation (Art. 6(1)(c))
Service-related communicationsLegitimate interest (Art. 6(1)(f))

5. Data Sharing and Third-Party Services

We may share your personal data with the following categories of recipients:

  • AI Model Providers (e.g., OpenAI, Anthropic, Google) — We route API requests through these providers on your behalf. We transmit only the minimum data necessary for the AI request and do not share your account information with them.
  • Payment Processors — We use third-party payment service providers to process transactions securely. These processors are PCI DSS compliant.
  • Cloud Infrastructure Providers — Our Service is hosted on cloud infrastructure within the EU/EEA where technically feasible.
  • Analytics Services — We may use analytics tools to understand how the Service is used and to improve it.
  • Legal and Regulatory Bodies — Where required by law or to protect our legal rights.

All third-party processors are bound by data processing agreements in compliance with Article 28 of the GDPR.

6. International Data Transfers

Some of the third-party services we use may process data outside the European Economic Area (EEA). Where such transfers occur, we ensure that appropriate safeguards are in place, including:

  • European Commission adequacy decisions (Art. 45 GDPR)
  • Standard Contractual Clauses (Art. 46(2)(c) GDPR)
  • The EU-U.S. Data Privacy Framework, where applicable

You may request details of the specific safeguards applied to your data by contacting us at hi@encorp.ai.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law:

  • Account data: Retained for the duration of your account and up to 12 months following account closure, unless a longer period is required for legal or compliance purposes.
  • Billing and financial records: Retained for a minimum of 10 years as required under Bulgarian tax and accounting legislation (Закон за счетоводството).
  • Usage logs and technical data: Retained for up to 12 months for security and analytics purposes.
  • Support correspondence: Retained for up to 24 months after resolution.
  • AI request/response content: Not retained. Zero-retention policy applies.

8. Your Rights as a Data Subject

Under the GDPR (Articles 13–22) and the Bulgarian ЗЗЛД, you have the following rights with respect to your personal data:

  • Right of Access (Art. 15) — You may request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16) — You may request that we correct inaccurate or incomplete data.
  • Right to Erasure (Art. 17) — You may request the deletion of your personal data, subject to legal retention obligations.
  • Right to Restriction of Processing (Art. 18) — You may request that we limit the processing of your data under certain circumstances.
  • Right to Data Portability (Art. 20) — You may request to receive your data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21) — You may object to the processing of your data based on legitimate interest.
  • Right Not to Be Subject to Automated Decision-Making (Art. 22) — You have the right not to be subject to decisions based solely on automated processing that produce legal effects concerning you.
  • Right to Withdraw Consent (Art. 7(3)) — Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at hi@encorp.ai. We will respond to your request within 30 days, as required by the GDPR.

9. Cookies and Tracking Technologies

Our Service uses the following types of cookies:

  • Strictly Necessary Cookies — Essential for the operation of the Service (e.g., session authentication, security tokens). These do not require consent under the GDPR.
  • Functional Cookies — Used to remember your preferences and settings to enhance your experience.
  • Analytics Cookies — Help us understand how the Service is used so we can improve it. These are only placed with your consent.

You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of the Service.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Secure authentication mechanisms with hashed passwords
  • Role-based access controls
  • Regular security audits and vulnerability assessments
  • Incident response procedures

11. Data Protection Officer

For any questions regarding data protection or to exercise your rights, you may contact our Data Protection Officer:

  • Name: Martin Kuvandzhiev
  • Email: hi@encorp.ai
  • Address: Simeonovsko shose 33, 1700 Sofia, Bulgaria

12. Supervisory Authority

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority. In Bulgaria, this is the:

  • Commission for Personal Data Protection (Комисия за защита на личните данни, КЗЛД)
  • Address: 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
  • Website: www.cpdp.bg
  • Email: kzld@cpdp.bg

You also have the right to lodge a complaint with any other EU supervisory authority, in particular in your Member State of residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

13. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such data promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we do, we will revise the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

If we make material changes that affect how we process your personal data, we will notify you via email or through a prominent notice on the Service prior to the changes taking effect.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

  • Email: hi@encorp.ai
  • Address: Encorp Bulgaria Ltd, Simeonovsko shose 33, 1700 Sofia, Bulgaria

16. Applicable Law

This Privacy Policy and any disputes arising from or in connection with it shall be governed by the laws of the Republic of Bulgaria and the applicable provisions of the GDPR. The competent courts in Sofia, Bulgaria shall have jurisdiction over any disputes, without prejudice to your right to lodge a complaint with a supervisory authority or to bring proceedings in the courts of your place of habitual residence.