§ 1 Controller
The data controller is Apex & Pillar OOD (UIC [placeholder]), a Bulgarian limited liability company registered with the Sofia City Commercial Register, with registered seat at ul. Shipka 1, Sofia 1000, Bulgaria. The firm is registered with the Sofia Bar Association.
For any privacy matter, contact: dpo@apexandpillar.bg.
§ 2 Categories of personal data
- Identification data — name, ID/passport (where required for KYC).
- Contact data — email, phone, postal address, company.
- Case content — documents, instructions, and communications you submit in the course of an engagement.
- Payment data — billing details processed by our payment provider; we do not store card numbers.
- Usage / analytics data — IP address, device, pages viewed, only where you have consented to analytics cookies.
§ 3 Legal bases for processing
- Performance of a contract — to provide legal services you have engaged us for.
- Legal obligation — attorney recordkeeping, anti-money-laundering, tax and regulatory obligations under Bulgarian law.
- Consent — marketing communications and non-essential cookies.
- Legitimate interest — securing our website, detecting abuse, and the day-to-day administration of the firm.
§ 4 Retention
- Attorney–client records — for the period required by the Bulgarian Bar Act and applicable AML rules (typically a minimum of 5 years from termination of the engagement).
- Leads and enquiry messages — 24 months from last contact, then deleted or anonymised.
- Website analytics — at most 14 months.
- Consent records — for as long as needed to evidence your choice plus 3 years.
§ 5 Recipients and processors
We rely on the following sub-processors:
- Supabase (EU region) — database, authentication, storage.
- Stripe — payment processing.
- Google Workspace — email, documents, calendar.
- SMTP provider — transactional and notification email delivery.
- Telegram — operational notifications to attorneys (no client content shared).
Personal data may be disclosed to courts, public authorities and counterparties strictly where required to perform the engagement or to comply with the law.
§ 6 International transfers
Some processors (notably Stripe and Google) may process data outside the European Economic Area. Such transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) and supplementary technical and organisational measures.
§ 7 Your rights
Subject to applicable law, you may exercise the following rights:
- access to your personal data;
- rectification of inaccurate data;
- erasure (right to be forgotten);
- data portability;
- objection to processing based on legitimate interest;
- withdrawal of consent at any time.
To exercise any of these rights, write to dpo@apexandpillar.bg. You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP), cpdp.bg.
§ 8 Security
We apply technical and organisational measures appropriate to the risk, including transport encryption (TLS), encryption at rest, role-based access control, audit logs, and multi-factor authentication for staff.
§ 9 Changes to this policy
We may update this policy from time to time. The "last updated" date above reflects the most recent change. Material changes will be communicated to active clients by email.