100% GDPR & Data Protection Compliance

Privacy Policy

Last updated: March 9, 2026

1. General Information

Personal Data Controller

This Privacy Policy describes how Zhizhevo Stone EOOD / STEVEN STUDIO ("we", "our", "ours") collects, uses, stores and protects the personal data of our users and clients in full compliance with:

  • Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)
  • Personal Data Protection Act (PDPA) — Bulgarian legislation
  • Electronic Commerce Act (ECA)
  • Copyright and Related Rights Act (CRRA)

2. What Data We Collect

Automatically Collected Data

  • Session ID (NOT IP address)
  • Device type
  • Browser type
  • Pages visited
  • Referrer
  • Anonymized IP
  • Terminal game completions (difficulty level, elapsed time)
  • Security event logs (anonymized IP, event type)

⚠️ We collect anonymized IP addresses (last octet removed). We do NOT collect full IP addresses or fingerprints.

Voluntarily Provided

  • Name
  • Email address
  • Phone number
  • Messages
  • Company (optional)

⚠️ Important:

We never collect sensitive personal data (race, ethnicity, political views, health status, sexual orientation, biometric data) without your explicit consent and legal basis.

3. Data Collection Tools and Forms

Our website offers free tools that collect personal data to provide personalized recommendations and quotes. Each tool requires explicit GDPR consent before submission.

Site Scanner (Website Analysis)

  • Email address, name, phone
  • Scanned website URL
  • Scan result (score)

AI Visibility Check

  • Email address, name, phone
  • Business name, city, website URL
  • Check result (score)

Chatbot Builder Demo

  • Email address, name, phone
  • Industry, communication tone, business name
  • Color preferences

Referral Programme

  • Name, email address, phone
  • Referral method

Purpose of processing: Providing personalized recommendations, generating quotes, and improving our services.

Retention period: 24 months

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) + explicit consent (GDPR checkbox on each form).

4. Automated Profiling and Lead Scoring

When using our Quiz (quote questionnaire), we perform automated profiling to provide better service.

What we collect:

  • Answers to business questions (project type, budget, timeline)
  • Email address, phone number
  • Preferred communication method

How lead scoring works:

  • Qualification — how well the user matches our services
  • Budget — estimated project budget
  • Urgency — how soon the user wants to start
  • Fit score — overall compatibility with our services

Purpose: Personalizing recommendations and prioritizing requests for faster service.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

Your rights:

You have the right to object to automated profiling and request a manual review of your request. Contact us at brixeat@gmail.com.

5. AI Chatbot

🤖 How the AI Chatbot Works

On your first message you will be asked for explicit consent for chats to be recorded. Without your consent, chats are NOT RECORDED.

📝 What we record:

  • Content: Full text of your messages and AI responses
  • Metadata: Time and date of each message
  • Technical data: Session ID, device type (mobile/tablet/desktop), browser type, User Agent, page URL
  • Personal data: Name, email, phone (if voluntarily provided)
  • Response time: How quickly AI responds (for performance improvement)

We do NOT record IP addresses, browser fingerprints, geolocation or sensitive personal data.

🎯 Purpose of processing:

  • Improving AI assistant quality and responses
  • Training proprietary AI models for better service
  • Analyzing user needs and optimizing services
  • Preparing personalized offers
  • Using successful chat examples in future marketing materials (only with your additional consent)
  • Improving STEVEN STUDIO's business strategy

⏱️ Retention period:

24 months (2 years) from the last message in the chat. After this period, data is automatically and irreversibly deleted from all our systems.

🔒 Security and encryption:

  • All chats are stored encrypted in a secure PostgreSQL database
  • Only authorized STEVEN STUDIO employees have access to records
  • We use AES-256 encryption for storage
  • TLS/SSL encryption for data transfer
  • Regular security audits and penetration testing

🤝 Third parties (AI providers):

For the chatbot to work, we use the services of OpenAI (ChatGPT API).

  • Data retention: ZERO — OpenAI does NOT store your chats
  • Training: DISABLED — OpenAI does NOT use your data for model training
  • In accordance with OpenAI API Data Usage Policy (30-day zero retention)
  • GDPR-compliant Data Processing Addendum (DPA) signed

More information: OpenAI Privacy Policy

🗑️ Right to deletion:

You have the right to delete all your chats at any time:

  1. Directly from the chatbot: Use the "Delete my data" button
  2. By email: Send a request to brixeat@gmail.com
  3. By phone: Call +359 87 72 75 750

⏱️ Deletion deadline: Up to 72 hours from submitting the request

After deletion, data is irreversibly erased and cannot be recovered.

6. Cookies

We use cookies to improve your experience. You have full control over them.

Necessary cookies (Strictly Necessary)

Required for the site to function. Cannot be refused.

  • Session cookies (session management)
  • CSRF protection
  • Cookie consent preferences
  • Cloudflare Turnstile (CAPTCHA bot protection)

📊 Analytics cookies

Help us understand how visitors use the site.

  • Google Analytics 4 (GA4)
  • Microsoft Clarity
  • Vercel Analytics
  • Vercel Speed Insights

You can refuse from the cookie settings menu.

🎯 Marketing cookies

Used to show personalized ads.

  • Google Ads
  • Meta Pixel (Facebook/Instagram)
  • LinkedIn Insights

You can refuse from the cookie settings menu.

💾 Local Storage

Data stored locally in your browser. Not sent to our servers.

  • cookie-consent — your cookie preferences
  • chat-consent — consent for AI chatbot conversation recording
  • theme — preferred theme (dark/light)
  • locale — preferred language (bg/en)

7. Data Security

🛡️ Technical measures:

  • AES-256 encryption of data at rest
  • TLS 1.3 / SSL encryption in transit
  • HTTPS mandatory (HSTS enabled)
  • CSP (Content Security Policy) headers
  • Rate limiting against brute force attacks
  • SQL Injection protection (parameterized queries)
  • XSS protection (input sanitization)
  • CSRF tokens on all forms
  • Security headers (X-Frame-Options, X-Content-Type-Options, etc.)
  • Regular security audits and penetration testing
  • Automatic security updates on all dependencies
  • Backup systems with encryption
  • Cloudflare Turnstile CAPTCHA
  • Anti-spam honeypot fields

⚠️ Important to know:

Despite all security measures, no system can guarantee 100% protection. If you notice suspicious activity or a security breach, please notify us immediately at brixeat@gmail.com.

8. Your GDPR Rights

As a data subject, you have the following legal rights:

Right to Access

You can request a copy of the data we store.

Right to Rectification

You can request correction of inaccurate or incomplete data.

Right to Erasure

Known as the "right to be forgotten". You can request deletion of your data.

Right to Restriction

You can request temporary restriction of processing of your data.

Right to Data Portability

You can receive your data in a structured, machine-readable format (JSON/CSV).

Right to Object

You can object to the processing of your data for direct marketing.

📞 How to exercise your rights:

📧 Email: brixeat@gmail.com

📞 Phone: +359877275750

💬 Directly from the AI chatbot — "Data management" button

Response deadline: Up to 30 days from submitting the request (may be extended to 60 days for complex requests).

🏛️ Right to file a complaint with a supervisory authority:

If you believe your rights have been violated, you can file a complaint with:

Commission for Personal Data Protection (CPDP)

Address: Sofia 1592, bul. "Prof. Tsvetan Lazarov" No. 2

Phone: +359 2 915 3 518

Email: kzld@cpdp.bg

Website: www.cpdp.bg

9. Policy Changes

We reserve the right to update this Privacy Policy. In case of significant changes, we will notify you through:

  • Website banner
  • Email (if you have provided one)
  • Chatbot message

Last updated: March 9, 2026

10. Contacts

For any questions related to this Privacy Policy or the processing of your personal data:

General inquiries

📧 brixeat@gmail.com

📞 +359877275750

Data and privacy questions

📧 brixeat@gmail.com

Have questions about your data?

Contact us at any time. Your privacy is our priority.