Privacy Policy

1. Data Controller

The data controller responsible for the processing of your personal data is:

2. Data We Collect

We may collect and process the following categories of personal data:

2.1. Data You Provide Directly

• Account and identity data: Full name, username, email address, phone number, postal address, company name (if applicable)
• Payment data: Billing address and payment card details (card number, expiration date, CVV). Note: full payment card data is processed directly by our payment processor (Borica) and is not stored on our servers
• Communication data: Any information you provide when contacting us via email, support forms, or other communication channels
• Order data: Details of your purchases, licence keys, Dongle identifiers, and transaction history

2.2. Data Collected Automatically

• Technical data: IP address, browser type and version, operating system, device type, screen resolution, language preferences
• Usage data: Pages visited, time and date of access, referring URLs, navigation paths, and interaction patterns on our website
• Software usage data: Licence activation data, Dongle identification, software version, and authentication logs necessary for licence management and security
• Log data: Server logs, error reports, and diagnostic data generated during use of the Service

2.3. Data from Third Parties

• Payment confirmation data: Transaction status and confirmation from our payment processor (Borica)

3. Purposes and Legal Basis for Processing

We process your personal data for the following purposes, each supported by a lawful basis under Article 6 of the GDPR:

Purpose	Legal Basis (Art. 6 GDPR)
Processing your orders, delivering digital products, and managing your licence	Performance of a contract (Art. 6(1)(b))
Processing card payments and preventing payment fraud	Performance of a contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f))
Providing technical support and responding to enquiries	Performance of a contract (Art. 6(1)(b))
Compliance with tax, accounting, and other legal obligations	Legal obligation (Art. 6(1)(c))
Licence enforcement, Dongle management, and prevention of unauthorised use	Legitimate interest (Art. 6(1)(f))
Improving our website, services, and user experience	Legitimate interest (Art. 6(1)(f))
Ensuring the security and integrity of our systems and preventing fraud or abuse	Legitimate interest (Art. 6(1)(f))
Sending essential service-related communications (e.g., licence expiry, security alerts, updates)	Performance of a contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f))
Sending marketing communications (only with your explicit consent)	Consent (Art. 6(1)(a))

Where processing is based on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms.

4. Third-Party Data Sharing

We may share your personal data with the following categories of third parties, only to the extent necessary for the stated purposes:

4.1. Payment Processor

Payment card data is transmitted securely to Borica AD (the Bulgarian national card payment operator) for the sole purpose of processing your payment transaction and complying with 3D Secure (3DS) authentication requirements. Borica processes payment data in accordance with PCI DSS standards and applicable data protection law. NuoVolta does not store full payment card numbers on its servers.

4.2. Service Providers (Data Processors)

We may engage trusted third-party service providers who process data on our behalf under written data processing agreements in accordance with Article 28 of the GDPR. These may include:

• Web hosting and cloud infrastructure providers
• Email service providers
• IT support and maintenance providers
• Analytics service providers

All data processors are contractually obligated to process your data only on our instructions, to maintain appropriate security measures, and to comply with applicable data protection laws.

4.3. Legal and Regulatory Authorities

We may disclose your personal data to public authorities, law enforcement agencies, courts, or regulatory bodies where required by law, legal process, or government request, or where necessary to protect our legal rights, safety, or property.

4.4. No Sale of Personal Data

We do not sell, rent, trade, or otherwise transfer your personal data to third parties for their own marketing or commercial purposes.

5. International Data Transfers

5.1. Your personal data is primarily stored and processed within the European Economic Area (EEA).

5.2. In the event that any personal data is transferred outside the EEA, we will ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, such as:

• An adequacy decision by the European Commission (Art. 45 GDPR)
• Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR)
• Other lawful transfer mechanisms as permitted under the GDPR

5.3. You may request information about the specific safeguards applied to any international transfer by contacting us at the address provided in Section 1.

6. Cookies and Tracking Technologies

6.1. Our website may use cookies and similar tracking technologies (such as web beacons and pixels) to enhance your experience, analyse usage, and ensure the proper functioning of the Service.

6.2. Types of Cookies Used

• Strictly necessary cookies: Essential for the operation of the website and the provision of the Service (e.g., session management, authentication, security). These cookies cannot be disabled.
• Functional cookies: Enable enhanced functionality and personalisation (e.g., language preferences, user settings).
• Analytical/performance cookies: Help us understand how visitors interact with our website by collecting information anonymously (e.g., page views, navigation paths). These are only placed with your consent.

6.3. Cookie Consent

Except for strictly necessary cookies, we will obtain your consent before placing cookies on your device. You may manage your cookie preferences at any time through your browser settings or through any cookie consent mechanism provided on our website.

6.4. Please note that disabling certain cookies may affect the functionality of the Service.

7. Data Retention

7.1. We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Specific retention periods include:

• Account and licence data: Retained for the duration of your active licence and for a period of five (5) years after licence expiry or account deletion, to comply with legal obligations and to protect our legitimate interests in the event of disputes
• Transaction and payment records: Retained for a minimum of ten (10) years as required by Bulgarian tax and accounting legislation
• Communication records: Retained for three (3) years from the date of the last communication, unless a longer period is required for ongoing dispute resolution or legal proceedings
• Technical and usage logs: Retained for up to twelve (12) months, unless required for security investigation or legal proceedings
• Marketing consent records: Retained for as long as the consent remains active, and for a reasonable period thereafter as proof of consent

7.2. Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised so that it can no longer be associated with you.

8. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR. You may exercise these rights at any time by contacting us at [email protected]:

8.1. Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to access that data and receive a copy thereof, together with information about the processing.

8.2. Right to Rectification (Art. 16 GDPR)

You have the right to request the correction of inaccurate personal data and, taking into account the purposes of the processing, to have incomplete personal data completed.

8.3. Right to Erasure ("Right to Be Forgotten") (Art. 17 GDPR)

You have the right to request the deletion of your personal data where: the data is no longer necessary for its original purpose; you withdraw your consent (where consent is the legal basis); you object to the processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or erasure is required by law. This right is subject to exceptions, including where retention is necessary for compliance with legal obligations or for the establishment, exercise, or defence of legal claims.

8.4. Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request the restriction of processing of your personal data in certain circumstances, including where you contest the accuracy of the data, where the processing is unlawful, or where you have objected to the processing pending verification of legitimate grounds.

8.5. Right to Data Portability (Art. 20 GDPR)

Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.

8.6. Right to Object (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, to the processing of your personal data based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims. You have an absolute right to object to processing for direct marketing purposes at any time.

8.7. Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

8.8. Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently engage in solely automated decision-making of this nature.

8.9. Exercising Your Rights

To exercise any of the above rights, please submit a written request to [email protected]. We may need to verify your identity before processing your request. We will respond to your request within one (1) month, which may be extended by a further two (2) months where necessary due to the complexity or number of requests. We will inform you of any such extension within the initial one-month period.

9. Data Security

9.1. We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in accordance with Article 32 of the GDPR. These measures include, but are not limited to:

• Encryption of data in transit (TLS/SSL) and at rest where appropriate
• Access controls and authentication mechanisms
• Regular security assessments and monitoring
• Staff training on data protection obligations
• Secure payment processing through PCI DSS-compliant third parties

9.2. While we take all reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of your data.

10. Data Protection Officer

For any questions or concerns regarding the processing of your personal data, or to exercise your data protection rights, you may contact our Data Protection Officer at:

11. Supervisory Authority

If you believe that our processing of your personal data infringes the GDPR or applicable data protection laws, you have the right to lodge a complaint with the competent supervisory authority. The lead supervisory authority for NuoVolta is:

You also have the right to lodge a complaint with the supervisory authority in your country of residence or place of work.

12. Children's Privacy

The Service is not directed at individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18 without valid parental consent, we will take steps to delete that data as soon as possible.

13. Changes to This Privacy Policy

13.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The updated Policy will be posted on our website with a revised "Last updated" date.

13.2. Where changes are material, we will endeavour to notify you through the Service or via email prior to the changes taking effect.

13.3. Your continued use of the Service after the posting of the revised Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically.

14. Contact

For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact us at: