1. CONTROLLER DATA
This website is owned by the Estorium Foundation, registered in the Commercial Register of the Registry Agency, UIC: 206240470, office and management address: 15 "13-ti mart" str., app. 7, Sredets district, 1142, Sofia, Bulgaria.
The Estorium Foundation controls the personal data processed in connection with this website under the General Data Protection Regulation (EU Regulation 2016/679-GDPR) and in accordance with local legislation.
At the Estorium Foundation, we respect the right to privacy of all individuals, and the protection of our website users’ personal data is our top priority. We strive to be completely transparent regarding why we need your data, how it is stored, and what your rights are, so we will provide you with the necessary information in this document.
2. CONTACT DETAILS
If you have any questions about the Terms and Conditions and the Privacy Policy, you can contact us at the following:
Estorium Foundation, Atanas Hristoskov - Chairman,
Address: 15 "13-ti mart" str., app. 7, Sredets district, 1142, Sofia, Bulgaria
Phone: +359893492371
Email: estoriumproject@gmail.com
3. WHAT PERSONAL DATA IS PROCESSED AND STORED?
When you visit our website, we collect the following personal data:
Automatically collected data
- IP address and server log files data. This data is not combined or used for user analysis.
They contain a set of system information about the user: IP address; ISP (Internet Service Provider); the browser you are using when visiting the website (such as Google Chrome, Internet Explorer, and Mozilla Firefox); The data collected in this way is purely statistical and anonymous and cannot be linked to a specific individual easily since data is
pseudonymised - a unique number is automatically generated for each user. This pseudonymous data is actually stored by our hosting provider, and we do not have direct access to it. However, we reserve the right to check such data in the emergence of specific indications of illegal use.
Data collected when sending an inquiry via the contact form:
- Name;
- Phone number;
- Email;
When you make a donation through the "Support us" section, we receive
- Transaction information - payment method (such as credit or debit card number or bank account information), amount, payment date and payment method;
- First and last name;
- The email address you provide so we can send your donation certificate. The latter is an official document that you can use to deduct the donation from your annual tax.
Data collected during account/profile creation
- First and last name;
- Email;
Personal data contained in the content shared on www.estorium.org
When you share content with Estorium or a third party shares content containing your personal data, this may include:
- Your face
- Voice
- Names, nicknames
- Date and place of birth
- Gender
- Nationality
- Ethnicity
- Religion
- Profession/occupation
- The country and locality where the content was created
- The exact location of the content’s creation
- Content creation date
4. WHY DO WE NEED YOUR DATA?
We process your personal data solely for the following purposes:
4.1. Automatically collected data - to detect and prevent fraud and unauthorised access to the system and to ensure the security of the Administrator systems.
4.2. The personal data collected when sending an inquiry - name, email and phone number - so that we can identify who the request was made by and respond;
4.3 The personal data collected when making a donation – in order to fulfil our obligations under tax law and be able to identify the donator so a certificate of appreciation can be issued to them, and the donation can be deducted from their annual tax.
4.4 Your personal data collected when creating an account - for the purpose of administering and maintaining your account.
4.5. Personal data related to shared content - Estorium is a digital anthropological archive where we want to preserve the living image and spiritual imprint of millions of human beings. The archive contains documentary portraits and authentic stories of people in their natural environment. In this regard, it is important for us to map the content with as much detail as possible to enable proper searching and filtering, as well as provide as much information as possible about its origin.
5. WHAT GROUNDS IS YOUR PERSONAL DATA PROCESSED ON?
In order to process your personal data lawfully, a valid legal basis must exist. Depending on the purpose, we process your personal data on the following grounds:
- Under 4.1. - based on our legitimate interest in protection from unlawful use. This data is not combined or used for user analysis.
- Under 4.2. - on the basis of your consent; without it, you will not be able to send the message;*
- Under 4.3 - based on our statutory accounting obligations.
- Under 4.4. - on the basis of the consent you provided; without it, you will not be able to create an account;*
- Under 4.5 - based on the necessary processing for the purposes of historical research and archiving in the public interest, as well as on the grounds of your consent, which we require confirmation for by the person providing the content.
6. WHAT ARE WE DOING WITH THE PERSONAL DATA WE COLLECT?
All electronic and paper forms displaying personal data are protected by appropriate organisational and technical measures under the requirements for preventing accidental or intentional destruction, accidental loss, unauthorised access, alteration, or dissemination, as well as other unlawful forms of processing.
The Estorium Foundation does not disclose your personal data to third parties outside those listed here except to statutory institutions and supervisory authorities when required to do so by law. At our discretion, we may share the data with processors who have provided guarantees of lawful processing and meet the legal requirements.
USE OF GOOGLE ANALYTICS
We use Google Analytics to collect sensitive information about the users of the webpage, such as the website you are coming from, the country you are in, your language, your online behaviour, the browser you are using, the network, etc. This information does not include personal data, and you cannot be identified through it. We collect said data in order to analyse what type of users are visiting the website and how they use it, which helps us personalise the service. Information is collected through cookies from Google Analytics – so when you visit our website, the so-called third-party cookies – those from Google Analytics – reach you. You can optout of the use of your data by Gооglе Аnаlуtісѕ by using the Gооglе Аnаlуtісѕ opt-out brоwѕеr extension for JavaScript by Google Аnаlуtісѕ (gа.јѕ, applоtiсѕ.јѕ, dс.јѕ). If you would like to opt-out, kindly download and install the extension on your web browser.
You can find out how Google processes your information here.
USE OF STRIPE – A DONATION PAYMENTS PLATFORM
Our donation payments are made through an external payment platform – Stripe. Stripe is a payment processing platform (similar to PayPal). Stripe Oauth is ’their authorisation protocol, and it uses tokens (instead of sharing password data) to authenticate the identity of both the users and the service provider. Stripe account access facilitates user registration, login, and authentication.
When you make a payment through Stripe, the data specified in the section is also provided to the Stripe platform.
You can read their complete privacy policy here.
When you use Stripe through our website, the so-called third-party cookies – generated by Stripe itself – reach you. You can read Stripe’s complete cookie policy here.
YouTube
When the content shared by you or another storyteller and containing your data is in video or VR format, we store it and make it available through the YouTube video-sharing platform. You can read their privacy policy here.
Digital Ocean
The data we store is also available to our hosting and cloud provider, Digital Ocean. DigitalOcean is AICPA SOC 2 Type II certified. By complying with this globally recognised information security control framework audited by an independent auditor (Ernst & Young LLP), DigitalOcean demonstrates a commitment to protecting sensitive information. In addition, DigitalOcean has achieved Cloud Security Alliance (CSA) STAR Level 1, which addresses the core security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service. You can read their privacy policy here.
Sound Cloud
When content shared by you or another storyteller and containing your data is in audio format, we store it and make it available through the Sound Cloud platform. You can read their privacy policy here.
CROSS-BORDER PROCESSING
Estorium is working towards growing into an international project and bringing together the stories of people from all over the world. In this regard, if you are located outside Bulgaria, it is possible that your data is located on servers in Bulgaria or other countries. Nonetheless, no matter where you are, the information processed by Estorium may be stored on servers outside Bulgaria.
7. HOW LONG DO WE STORE YOUR PERSONAL DATA FOR?
We store your data for the following amounts of time:
- Automatically collected personal data – log files – is stored for security reasons (e.g., for the purpose of investigating cases of abuse and/or fraud), but the duration of their storage is determined at the discretion of the hosting provider. Usually, this period does not exceed 30 days. Data that is necessary for investigation purposes or as evidence is not deleted until the conclusion of each specific case.
- The data from inquiries sent to us is stored for up to 3 months after the end of the communication to account for its possible restoration, after which it is deleted. If you withdraw your consent for the storage of this data, it will be deleted immediately.
- The data from donations made is stored for a period of up to 10 years from January 1st following the year of the donation – in compliance with Article 12 of the Accounting Act.
- The data collected from the profile you created is stored for up to 30 days after your request for its deletion – this is the technological time required for its complete erasure.
- The data accompanying or contained in the shared content – Estorium’s goal is to be a digital anthropological archive that lasts over time, so from today’s point of view, the storage period of the content collected in it is indefinite, in case no reasons for the deletion of content arise – e.g. in case of withdrawal of consent of persons whose data is contained in it or accompany it.
8. WHERE DO WE GET YOUR DATA?
- Automatically collected data is automatically entered into our servers when you visit the website.
- Profile/account details, inquiries and donations – evidently, they are provided personally by you when you create an account, send an inquiry or donate.
- Your personal data contained in the content shared with Estorium – this data may not have been uploaded by you but by a third party which has declared to us that they have obtained your consent. In the event of any claims made by you regarding personal data or copyright, we will request a copy of this consent from the user who uploaded the material. In the event that the document in question is not provided, the material will be taken down, and the uploading user’s account will be deleted upon three (3) proven violations of the terms and conditions and privacy policies. Apart from that, you have the right to withdraw the provided consent for data processing at any time by notifying us at estoriumproject@gmail.com or using the form we have provided for your convenience – here.
9. AUTOMATED DECISION-MAKING.
No automated decision-making is based on your data, and you are not subject to remarketing.
Regarding “profiling”, refer to part 6, section “Use of Google Analytics”.
‘Profiling’ refers to any form of automated processing of personal data aimed at using personal data to evaluate certain personal aspects, and in particular, to analyse or predict aspects related to one’s fulfilment of professional duties, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
10. WHAT ARE YOUR RIGHTS?
1. he right of access to personal data related to you – you can request information about how we use your data and receive a copy of the information we store in relation to you.
2. The right of data correction – e.g., data that is submitted inaccurately, incompletely or has changed since the original information was sent to us.
3. The right of deletion of your personal data ("the right to be forgotten")
4. The right to limit the processing of your personal data.
5. The right to obtain the personal data you have provided us with that concerns you and to reuse it by transferring it to another controller ("the right of portability").
6. The right, at any time and for reasons regarding your particular situation, to object to the processing of your personal data.
7. The right to complain to a higher authority in case your rights have been violated or you have suffered from unlawful processing of your personal data (the higher authority for personal data protection in the Republic of Bulgaria is the Commission for Personal Data Protection, located at 2, "Tsvetan Lazarov" boulevard, 1592, Sofia, Bulgaria).
Exercising your rights as described above is free of charge. Only in the event that the requests are explicitly unfounded or excessive, in particular, due to their repetitiveness, the Administrator reserves the right to:
- charge a reasonable fee, taking into account the administrative costs of providing the information and communication or taking the requested action, or
- refuse to act on the request.
Link to the personal data access form
Link to the personal data correction form
Link to the form for deleting/limiting the processing/withdrawing your consent.