Skip to content

Legal

Privacy policy

Last updated: 2026-05-19

This Privacy Policy explains how Clean Nest Ltd (Клийн Нест ООД), trading as Horeca Staffing, processes personal data collected through this website. It is drafted to comply with Regulation (EU) 2016/679 (the "GDPR"), the Bulgarian Personal Data Protection Act (ЗЗЛД), the Bulgarian Electronic Commerce Act (ЗЕТ) and other applicable European Union and Bulgarian legislation.

We act as the data controller for the personal data described below.

1. Who we are

This website is operated by Clean Nest Ltd (Bulgarian legal name: Клийн Нест ООД), a limited liability company (ООД) incorporated in the Republic of Bulgaria, trading under the brand name "Horeca Staffing".

  • Registered office: Bulgaria, Sofia 1421, Triaditsa district, Yuzhen Park, bl. 1, ent. V, fl. 5, ap. 13.
  • Unified Identification Code (ЕИК / UIC): 208550927.
  • VAT registration: BG208550927 (registered under Art. 100(1) of the Bulgarian VAT Act on 11.12.2025).
  • Contact email for privacy matters: [email protected].
  • General contact email: [email protected].

In this policy, "we", "us", "our", "the Company" and "Horeca Staffing" all refer to Clean Nest Ltd.

2. Personal data we collect

We collect only the personal data that you actively provide to us or that is strictly necessary for the operation and security of this website. We do not collect special categories of personal data (as defined in Art. 9 GDPR) and we do not knowingly collect data from children under the age of 16.

a) Data submitted through the lead / contact form

  • Hotel or company name.
  • Contact name and role (optional).
  • Business email address.
  • Approximate number of employees needed and type of staff requested.
  • Preferred region and start date.
  • Free-text message you choose to send us.

b) Technical and security data

  • IP address and approximate user-agent (browser) information.
  • Submission timestamp and the page from which the request was sent.
  • Anti-spam verification data (where Cloudflare Turnstile or similar challenge is used).

c) Administrator authentication data

For users who access our internal administration area, we process the email address used for one-time-code (OTP) authentication and a hashed, time-limited verification code. These records are kept only for the time necessary to operate the authentication system.

d) Analytics data

Where you have given consent, we may use analytics tools (such as Google Analytics 4 or Plausible) to understand aggregate usage of the website. See the Cookie Policy for details.

3. Purposes and legal bases for processing

We process your personal data on one or more of the following legal bases under Art. 6(1) GDPR:

  • Steps prior to entering into a contract (Art. 6(1)(b) GDPR): to evaluate, respond to and follow up on your request for staffing services.
  • Legitimate interests (Art. 6(1)(f) GDPR): to keep a record of business enquiries, protect the website against abuse and spam, and improve our services. We balance these interests against your rights and freedoms and never use them to override your fundamental rights.
  • Consent (Art. 6(1)(a) GDPR): for non-essential cookies and analytics, and for any marketing communications you may receive. Consent can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Compliance with a legal obligation (Art. 6(1)(c) GDPR): to comply with tax, accounting, anti-money-laundering and other obligations imposed on us by Bulgarian and EU law.

4. How long we keep your data

  • Lead-form submissions: retained for up to 24 months from the date of submission, after which they are deleted or irreversibly anonymised for aggregate statistics.
  • Contractual records: where your enquiry leads to a signed agreement, the underlying personal data is retained for the longer statutory periods required by Bulgarian law — including, but not limited to, the periods set out in the Accountancy Act (Закон за счетоводството) and the Tax and Social-Insurance Procedure Code (ДОПК), typically up to 10 years for accounting documents.
  • Technical / security logs: retained for up to 12 months for fraud-prevention and troubleshooting purposes.
  • OTP / authentication records: codes are kept only until expiry (10 minutes); audit logs are retained for up to 12 months.

5. Who has access to your data

Your data is accessible only to authorised personnel of Clean Nest Ltd and to a limited number of processors who help us operate this website and our business. Each processor is bound by a written data-processing agreement that meets the requirements of Art. 28 GDPR.

Categories of recipients include:

  • Our hosting and infrastructure provider.
  • Our transactional email provider (Mailgun, EU region).
  • Our anti-spam / bot-protection provider (Cloudflare Turnstile, when enabled).
  • Our analytics provider, where consent has been given (Google Analytics, Plausible).
  • Professional advisers (accountants, lawyers) under appropriate confidentiality obligations.
  • Bulgarian public authorities and courts, where we are legally required to disclose data.

We do not sell your personal data, and we do not share it for third-party advertising purposes.

6. International transfers

Our primary infrastructure is operated in the European Union / European Economic Area. Where a processor (for example, Google Analytics) processes data outside the EU/EEA, we rely on adequacy decisions of the European Commission and/or the Standard Contractual Clauses adopted under Art. 46 GDPR, together with any supplementary measures necessary to ensure an essentially equivalent level of protection.

7. Your rights under the GDPR

Subject to the conditions set out in the GDPR, you have the following rights regarding your personal data:

  • The right of access (Art. 15 GDPR).
  • The right to rectification (Art. 16 GDPR).
  • The right to erasure / "to be forgotten" (Art. 17 GDPR).
  • The right to restriction of processing (Art. 18 GDPR).
  • The right to data portability (Art. 20 GDPR).
  • The right to object to processing carried out on the basis of legitimate interests (Art. 21 GDPR).
  • The right to withdraw consent at any time, where processing is based on consent (Art. 7(3) GDPR).
  • The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22 GDPR) — we do not carry out such automated decision-making.

To exercise any of these rights, please write to us at [email protected]. We will respond within one month of receipt of your request, in accordance with Art. 12(3) GDPR. The period may be extended by a further two months where necessary, taking into account the complexity and number of the requests; if so, we will inform you.

8. Right to lodge a complaint

If you believe that our processing of your personal data infringes the GDPR or Bulgarian data-protection law, you have the right to lodge a complaint with the Bulgarian supervisory authority:

Commission for Personal Data Protection (Комисия за защита на личните данни / CPDP)
2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
Email: [email protected]
Website: www.cpdp.bg

You may also lodge a complaint with the supervisory authority of the EU member state of your habitual residence, place of work or the place of the alleged infringement.

9. Security

We apply appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, in accordance with Art. 32 GDPR. These measures include TLS-encrypted transport, encrypted secrets management, hashed authentication credentials, access controls, rate limiting and regular security review.

10. Changes to this policy

We may update this Privacy Policy from time to time, for example to reflect changes in our processing activities or in applicable law. The current version is always available on this page, with the "Last updated" date shown at the top.