Privacy Policy

1. Data Controller

The data controller responsible for processing your personal data is:

• Entity: HDE (HDetailEnterprise)
• Address: bul. "Dunav" #1, Plovdiv, Bulgaria
• Email: info@hdetailenterprise.com
• Website: https://hde.dev

2. Definitions

For the purposes of this Privacy Policy:

• "Platform" refers to the HDE web application at hde.dev and all associated services, including the provider marketplace and internal workspace portal.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, whether automated or not.
• "User" refers to any individual who accesses or uses the Platform.
• "Provider" refers to a third-party service provider who offers services through the Platform's marketplace.
• "Sub-processor" means any third-party entity that processes Personal Data on behalf of HDE.

3. Personal Data We Collect

We collect the following categories of personal data depending on how you interact with the Platform:

4. How We Use Your Data

We process your personal data for the following purposes:

• To provide, maintain, and improve the Platform and its services
• To create and manage your user account
• To process and fulfil orders for services including custom Discord bot development, hosting, maintenance, and third-party provider services
• To process payments and manage VIP subscriptions through Stripe
• To generate, issue, and manage invoices, credit notes, and payment records
• To facilitate consultation bookings and manage scheduling
• To operate the support ticket system and provide customer assistance
• To administer the affiliate programme and calculate commissions
• To manage the provider marketplace and track provider revenue
• To apply personalised pricing based on your account profile
• To store and apply your theme and language preferences
• To operate the wallet and financial credit system
• To track project progress and time entries
• To facilitate team collaboration, task management, and project coordination within teamspaces
• To process and manage job applications submitted through the careers section
• To provide multi-factor authentication and manage trusted device records for account security
• To deliver real-time notifications, presence indicators, and live updates across the Platform
• To maintain and serve knowledge base articles for self-service support
• To ensure the security of the Platform, including fraud prevention and access control
• To comply with legal obligations under Bulgarian and EU law
• To communicate with you regarding your account, orders, bookings, invoices, or support requests
• To measure and improve support quality through satisfaction ratings and SLA tracking
• To execute user-configured automation rules within teamspaces
• To send platform event notifications to administrator-configured external services (such as Discord webhooks) for operational monitoring
• When enabled and consented to, to collect anonymised analytics data to understand Platform usage patterns

5. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide services you have requested, including account management, order processing, payment processing, VIP subscription management, booking fulfilment, invoicing, and support ticket handling.
• Legitimate Interest (Article 6(1)(f)): Processing necessary for platform security, fraud prevention, service improvement, admin audit logging, SLA monitoring, and internal performance analytics. We have conducted a balancing test to ensure our legitimate interests do not override your rights.
• Legal Obligation (Article 6(1)(c)): Processing required to comply with tax, accounting, and other legal obligations under Bulgarian and EU law, including retention of financial records and invoices.
• Consent (Article 6(1)(a)): Where applicable, for optional processing such as analytics. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

6. Cookies and Local Storage

We use a minimal set of cookies that are essential for the operation of the Platform. When analytics are enabled and you have provided consent, additional non-essential cookies may be set. For full details, please refer to our Cookie Policy at /cookie-policy.

• next-auth.session-token: Authentication session cookie (HTTP-only, secure in production)
• next-auth.csrf-token: Cross-site request forgery protection cookie
• next-auth.callback-url: Authentication redirect cookie
• NEXT_LOCALE: Language preference cookie (en or bg)
• hde-workspace-token: Workspace portal session cookie for internal employees (HTTP-only, 24-hour inactivity timeout)

7. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal data. We share data only with the following categories of processors, strictly for the purposes described in this policy:

8. International Data Transfers

We aim to process all data within the European Economic Area (EEA). Where data must be transferred to processors outside the EEA (such as Discord, Inc., Alphabet Inc. (Google), GitHub (Microsoft Corporation), or Stripe, Inc. in the United States), we ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, or reliance on adequacy decisions where available.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Account data: retained while your account remains active and for up to 30 days following a deletion request
• Order and invoice data: retained for the duration required by Bulgarian tax and accounting regulations (typically 10 years for financial records)
• Payment and transaction records: retained for the duration required by financial regulations and for dispute resolution
• VIP subscription data: retained while the subscription is active and for 12 months after cancellation
• Booking data: retained for 12 months after the consultation date
• Support ticket data and attachments: retained for 24 months after ticket closure
• Affiliate data: retained while the affiliate account is active and for 12 months after deactivation
• Project and time tracking data: retained for the duration of the project and for 24 months after project completion
• Wallet transaction history: retained for the duration required by financial regulations
• Provider marketplace data: retained while the provider account is active and for 12 months after deactivation
• Teamspace data (teams, projects, tasks, comments, attachments, activity logs): retained for the duration of team membership and for 24 months after a team is disbanded or a member is removed
• Careers and recruitment data: application records and questionnaire responses are retained for 12 months after the recruitment process concludes, unless a longer period is required by law or the candidate requests earlier deletion
• MFA and security data: encrypted TOTP secrets and trusted device records are retained while MFA is enabled on the account and deleted upon MFA deactivation or account deletion
• Knowledge base data: article content is retained for as long as it remains published and for 12 months after removal
• Admin audit logs: retained indefinitely for security, compliance, and dispute resolution purposes
• Server logs (including IP addresses): retained for up to 90 days
• Analytics data (when enabled): retained in accordance with Google Analytics' data retention settings, subject to your consent

10. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. To exercise any of these rights, please contact us at info@hdetailenterprise.com:

• Right of Access (Article 15): You may request a copy of the personal data we hold about you.
• Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
• Right to Erasure (Article 17): You may request deletion of your personal data, subject to legal retention obligations.
• Right to Restriction (Article 18): You may request that we restrict processing of your data in certain circumstances.
• Right to Data Portability (Article 20): You may request your personal data in a structured, commonly used, machine-readable format.
• Right to Object (Article 21): You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP), 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria, or with any other competent EU supervisory authority.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data:

• Passwords are hashed using bcrypt with a cost factor of 12
• Authentication sessions use signed JWT tokens with periodic verification (every 10 seconds) against the database
• All data in transit is encrypted using HTTPS/TLS
• Database storage uses MongoDB Atlas encryption at rest
• Access to personal data is controlled by a hybrid role-based access control system with 40+ granular permissions across 15 domains, supporting both legacy roles and dynamic custom roles with per-user permission overrides
• All administrative actions affecting user accounts are logged in an immutable audit trail
• Administrators cannot modify their own accounts, and role-based restrictions prevent privilege escalation
• Force logout capability allows immediate session invalidation when security concerns arise
• Payment card data is processed exclusively by Stripe and is never stored on HDE servers
• Workspace portal data is sanitised to prevent exposure of real customer information to internal workers

12. Automated Decision-Making

The Platform uses automated processes for support ticket assignment (round-robin, least-active, or default-agent strategies), SLA deadline computation, and VIP discount application based on active subscription tier. These processes do not produce legal effects or similarly significant effects on users. Personalised pricing multipliers are set manually by administrators and are not the result of automated profiling. Within teamspaces, users may configure automation rules that trigger actions (such as changing a task status or assigning a team member) when specified conditions are met. These automations operate only on project and task data within the team and are fully user-controlled.

13. Children's Privacy

The Platform is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The "Last updated" date at the top of this page will be revised accordingly. Material changes will be communicated through the Platform. Continued use of the Platform after changes are published constitutes acceptance of the updated policy.

15. Contact

For any privacy-related enquiries, data subject requests, or complaints, please contact us at:

• Email: info@hdetailenterprise.com
• Address: bul. "Dunav" #1, Plovdiv, Bulgaria
• Supervisory Authority: Commission for Personal Data Protection (CPDP), 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria