Privacy Policy

We are committed to protecting the privacy, confidentiality, and security of personal data in compliance with the General Data Protection Regulation (GDPR) and applicable national data protection laws.

Last updated: 05.10.2025

Data Controller Details

Name: Amvisible LTD

Address: Sofia, Bulgaria, Seslavtsi, No 13 Kiril i Metodii Street

E-Mail: office@amvisible.com

Phone: +359879818180

1. Introduction

Amvisible LTD (hereinafter also "AdFixer", "we", or "data controller") is committed to protecting the privacy, confidentiality, and security of personal data in compliance with the General Data Protection Regulation (GDPR) and applicable national data protection laws. AdFixer has not appointed a Data Protection Officer, as it is not legally required to do so.

This Privacy Policy explains in a transparent manner:

  • what categories of personal data we collect

  • the purposes and legal bases for processing

  • how long we retain data

  • to whom we may disclose it

  • how we secure it, and

  • what rights data subjects have in relation to their personal data

We view data protection as an integral part of our corporate responsibility. AdFixer continuously implements organizational, contractual, and technical safeguards to ensure that personal data is processed lawfully, fairly and transparently, and only for clearly defined purposes.

2. Personal data collected

AdFixer contracts exclusively with entrepreneurs, primarily legal entities. However, in certain cases, natural persons acting as sole traders or independent professionals (insofar as permitted by law) may also enter into contractual relations with AdFixer.

Accordingly, the scope of personal data collected directly by AdFixer is limited but may include the following categories:

  • Identification data: names of legal representatives of a company; in case of a natural person as contracting party – full name, date of birth (if required by law), and professional title.

  • Contact details: business address, email address, phone number, billing address.

  • Technical data: IP addresses, device identifiers, log data related to access to our services and website.

  • Financial data: payment instrument information, invoicing details, VAT number, bank account information (where applicable).

  • Contract-related data: data contained in the contractual documentation, correspondence, and any additional information necessary to establish, execute, and terminate contractual relationships.

In certain circumstances, additional data may be processed where it is necessary to comply with legal obligations (e.g., anti-money laundering checks, accounting and tax laws) or to provide services in accordance with customer instructions.

AdFixer does not intentionally collect or process sensitive categories of personal data under Article 9 GDPR (such as health, biometric, or religious data). Should such data be inadvertently provided by a customer, it will be securely deleted unless its processing is legally required.

3. Purposes for which personal data is collected and processed

We collect and process personal data only for specific, explicit, and legitimate purposes and do not further process it in a manner incompatible with those purposes, in line with Article 5(1)(b) GDPR. The purposes include:

  • Provision of services: to register and maintain user profiles, manage subscriptions, deliver paid services, and ensure access to the functionalities of our website and platform. Without processing basic identification and contact data, AdFixer would be unable to differentiate between customers, provide access to eligible users, or fulfill contractual obligations.

  • Authentication and account management: to verify customer identity during login, to enable secure access, and to respond to password reset or account recovery requests.

  • Payment processing: to process payment details (e.g., credit card information) in order to collect remuneration for services rendered and comply with financial and accounting obligations.

  • Contractual administration: to record the names of legal representatives of corporate clients in order to confirm representative authority, ensure the validity of contracts, and maintain a reliable human point of contact.

  • Legal enforcement: to use identifying and contact information, where necessary, for pursuing or defending legal claims, including sending formal notices, initiating proceedings, or complying with lawful requests from authorities.

  • Technical operation and security: to process IP addresses and technical logs to deliver website functionalities, maintain uninterrupted service, and ensure the integrity and security of our information technology systems.

In this respect, personal data is also processed by our trusted service providers, such as:

  • Amazon Web Services (AWS): IP addresses and related technical information are transferred to AWS, which automatically records access logs containing IP address, date and time of access, browser version, and referrer URL. This temporary storage is necessary for system communication with the user's device. The data is retained for the duration of the session and analyzed only for ensuring continuous operation and IT security.

  • Google Tag Manager: used to manage tracking pixels and scripts that improve website loading and integrate analytics and marketing services (e.g., Google Analytics). In this context, user IP addresses are processed to enable faster loading and performance optimization.

We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects on individuals, unless explicitly stated and based on valid legal grounds.

4. Legal Bases for Processing

We process personal data only where a valid legal basis under Article 6 GDPR applies. The main legal bases on which AdFixer relies are:

Performance of a contract (Art. 6(1)(b) GDPR)

Processing of personal data is necessary for entering into, performing, and managing contractual relationships with our customers. This includes establishing accounts, verifying identity, delivering services, processing payments, and providing customer support.

Compliance with legal obligations (Art. 6(1)(c) GDPR)

We process personal data where required to comply with statutory duties, such as tax and accounting obligations, anti-money laundering (AML) requirements, and legal record-keeping obligations, which require us to identify contractual parties and retain certain transactional data.

Legitimate interests (Art. 6(1)(f) GDPR)

We process personal data where it is necessary for the purposes of our legitimate interests, provided that such interests are not overridden by the rights and freedoms of the data subjects. Legitimate interests include ensuring the security and integrity of our systems, protecting and enforcing our contractual and legal rights, sending service-related communications, and uniquely identifying contractual partners for dispute resolution or defense before courts and authorities.

Consent (Art. 6(1)(a) GDPR)

For certain processing activities that are not strictly necessary for service provision, we rely on the explicit consent of the data subject. This particularly applies to the use of cookies and similar technologies that are not essential for the technical operation of our website. Consent is obtained through our cookie banner and can be withdrawn at any time without adverse consequences. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

Where consent is not given or is withdrawn, we may only continue such processing if another valid legal basis exists, such as overriding legitimate interests.

We do not process special categories of personal data under Article 9 GDPR unless explicitly required by law and subject to the conditions set therein.

5. Data Retention

We retain personal data only for as long as it is necessary for the purposes for which it was collected, in compliance with the principles of storage limitation under Article 5(1)(e) GDPR, or as long as required by statutory retention periods.

Retention periods are determined as follows:

  • Account and registration data: retained for the duration of the customer's registration and contractual relationship with AdFixer. Upon account deletion or termination of services, such data will be deleted or anonymized, unless statutory obligations require further retention.

  • Contractual and billing data: retained for up to ten (10) years to comply with Bulgarian accounting, tax, and commercial law requirements.

  • Technical data (e.g., IP addresses, access logs): retained for up to seven (7) days by Amazon Web Services (AWS) for system security and operational purposes, after which it is automatically deleted.

  • Correspondence and communication records: retained for the period necessary to manage customer inquiries, support, or dispute resolution, but not longer than three (3) years after the last contact, unless legal claims require longer retention.

  • Marketing and consent-based data: retained until the customer withdraws consent or objects to processing, after which it will be promptly deleted, unless another legal basis for retention exists.

After the expiration of applicable retention periods, personal data will either be securely deleted, anonymized, or archived in a way that prevents further processing.

6. Data Security

We implement appropriate technical and organizational measures (TOMs) in accordance with Article 32 GDPR to ensure the confidentiality, integrity, availability, and resilience of personal data.

  • Technical measures include, but are not limited to: pseudonymisation, encryption using state-of-the-art technologies, secure data transmission (TLS/SSL), multi-factor authentication, access logging, and regular penetration testing. These measures are designed to protect data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

  • Organizational measures include: data minimization and separation of duties, strict role-based access controls, regular staff training on data protection and information security, clearly defined responsibilities, and procedures for incident management.

We also maintain a data breach response plan, ensuring that in the unlikely event of a personal data breach, we notify the competent supervisory authority and affected individuals in accordance with Articles 33–34 GDPR.

7. Data Sharing and Disclosure

We share personal data with third parties only where this is necessary for the performance of a contract, to comply with legal obligations, or to safeguard our legitimate interests, always ensuring that adequate safeguards are in place.

Typical categories of recipients include:

  • Service providers / processors: such as hosting providers, payment service providers, IT maintenance providers, and marketing/analytics partners, who process data strictly on our instructions under Article 28 GDPR.

  • Professional advisers: accountants, auditors, and legal advisors, bound by professional secrecy.

  • Public authorities and regulators: where disclosure is required by law, court order, or regulatory request.

All processors engaged by AdFixer are subject to written agreements that impose obligations equivalent to those required by GDPR, including confidentiality, security, and limited purpose processing.

8. International Data Transfers

A transfer of personal data to countries outside the European Union (EU) or the European Economic Area (EEA) is carried out only under the conditions set out in Chapter V GDPR.

Transfers are permitted where:

  • The European Commission has adopted an adequacy decision confirming that the third country ensures an adequate level of protection;

  • The recipient has adopted Binding Corporate Rules (BCRs) approved by a competent supervisory authority;

  • We and the recipient have entered into the European Commission's Standard Contractual Clauses (SCCs), supplemented by technical and organizational safeguards; or

  • The transfer falls under another derogation under Article 49 GDPR (e.g., explicit consent, necessity for performance of a contract, or for the establishment, exercise, or defense of legal claims).

Where transfers are made to providers in the United States, we rely on SCCs combined with supplementary measures to ensure a level of protection essentially equivalent to that within the EU/EEA.

9. Use of Cookies

Our website uses cookies and similar technologies in order to provide essential functionality, improve user experience, and analyze how our services are used. Cookies are small text files placed on your device that may contain a unique identifier ("cookie ID"), allowing us or third-party providers to recognize your browser and device.

Cookies are categorized as follows:

  • Strictly necessary (essential) cookies: These cookies are required for the proper functioning of our website and cannot be disabled. They enable core features such as navigation, secure access to protected areas, storing login sessions, or saving privacy preferences. The use of such cookies is based on our legitimate interest under Article 6(1)(f) GDPR in providing a functional and secure website.

  • Functional and performance cookies: These cookies help us improve the performance and usability of our website by remembering your preferences and analyzing site usage.

  • Analytics and marketing cookies: These cookies are placed only with your prior consent (Article 6(1)(a) GDPR). They allow us and our partners (e.g., Google Analytics, Google Tag Manager) to measure website traffic, monitor user actions, and deliver personalized marketing. Consent can be withdrawn at any time with future effect, without affecting the lawfulness of processing before withdrawal.

Cookie management

When you first visit our website, you will be presented with a cookie banner that allows you to consent (or decline) to the use of non-essential cookies. You may also adjust your cookie preferences at any time through your browser settings or via the cookie settings link provided on our website.

Please note that disabling strictly necessary cookies may limit the functionality of our website and certain services may not be available.

Cookies used

A detailed list of the cookies employed on our website, including their purpose, provider, storage duration, and type (essential vs. non-essential), is provided below:

| Cookie Name | Function | Storage Period | Technically Necessary |
|---|---|---|---|
| __stripe_mid | Fraud prevention and detection | 1 year | Yes |
| __stripe_sid | Fraud prevention and detection (session) | 30 minutes | Yes |
| _ga | Distinguishes unique users for analytics | 2 years | Yes |
| _ga_* | Persists session state for analytics | 2 years | Yes |
| _gid | Distinguishes users for analytics | 24 hours | Yes |
| _gat | Throttles request rate for analytics | 1 minute | Yes |
| _clck | Persists Clarity user ID for session replay and analytics | 1 year | Yes |
| _clsk | Connects multiple page views in a session | 1 day | Yes |
| CLID | Clarity identification cookie | 1 year | Yes |
| ANONCHK | Checks if cookies are enabled | 10 minutes | Yes |
| MR | Indicates if MUID is refreshed | 7 days | Yes |
| MUID | Identifies unique web browsers | 1 year | Yes |
| SM | Synchronizes MUID across domains | Session | Yes |
| rewardful.referral | Stores affiliate referral information | Varies | Yes |

Third-Party Services & Integrations

We use third-party services to operate our website, provide our services, and maintain internal organization. These providers may process personal data either as processors (acting on our behalf) or as independent controllers, in accordance with their own privacy policies. The categories of third-party services include:

  • Analytics and marketing tools (e.g., Google Analytics, Google Ads, Facebook Pixel, LinkedIn Ads): These tools help us analyze website usage, measure campaign performance, and provide remarketing features. They rely on cookies and similar technologies and are used only with your consent via our cookie banner (Art. 6(1)(a) GDPR). Where possible, IP anonymization is enabled.

  • Social media platforms (Facebook, Instagram, Twitter/X, YouTube, LinkedIn): We maintain official pages on social media to communicate with customers and promote our services. If you interact with us on these platforms, the provider may process your data according to its own privacy policy. Our legal basis is legitimate interest (Art. 6(1)(f) GDPR).

  • Newsletter services (Mailchimp): We use Mailchimp to send newsletters. Subscription requires double opt-in consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time by unsubscribing.

  • Email communications: If you contact us by email, we process your personal data to respond to inquiries (Art. 6(1)(f) GDPR) or perform contracts (Art. 6(1)(b) GDPR).

  • Internal organization tools (Google Drive, Slack, Atlassian tools such as Confluence, Jira, Trello): These are used for communication, document storage, and project management. Processing is based on contract performance (Art. 6(1)(b) GDPR) and legitimate interest (Art. 6(1)(f) GDPR).

  • Microsoft Clarity captures behavioural metrics—such as heatmaps and session replay—together with standard technical information (for example IP address, browser type and device data). This helps us analyse site usage, identify possible usability issues, improve our products/services and support our marketing activities.

Website usage data is collected through first- and third-party cookies and similar tracking technologies, solely on the basis of your consent (Art. 6(1)(a) GDPR), which you provide via our cookie banner. You can withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.

Where personal data is transferred outside the EU/EEA, such transfers are secured using Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or adequacy decisions of the European Commission.

10. Data Subjects' Rights

If we process your personal data, you have the following rights under the General Data Protection Regulation (GDPR):

Right of access (Art. 15 GDPR):

You have the right to obtain confirmation as to whether personal data concerning you is being processed, and, where that is the case, access to such data, including information about the purposes of processing, categories of data, recipients, retention periods, and your rights. You are also entitled to receive a copy of your personal data undergoing processing.

Right to rectification (Art. 16 GDPR):

You have the right to request without undue delay the correction of inaccurate personal data concerning you and the completion of incomplete data.

Right to erasure (Art. 17 GDPR, "right to be forgotten"):

You may request the deletion of your personal data where one of the grounds provided by GDPR applies (e.g., the data is no longer necessary for the purposes collected, consent is withdrawn, or the processing is unlawful), unless processing is required to comply with legal obligations or for the establishment, exercise, or defense of legal claims.

Right to restriction of processing (Art. 18 GDPR):

You may request the restriction of processing where:

  • you contest the accuracy of the personal data;

  • processing is unlawful and you oppose erasure;

  • we no longer need the data but you require it for legal claims; or

  • you have objected to processing pending verification of legitimate grounds.

Right to data portability (Art. 20 GDPR):

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where technically feasible. This right applies only to processing based on consent or on a contract.

Right to object (Art. 21 GDPR):

You have the right to object at any time to the processing of your personal data carried out on the basis of Article 6(1)(e) (public interest) or Article 6(1)(f) (legitimate interests). We will then no longer process your data unless we demonstrate compelling legitimate grounds overriding your interests, rights, and freedoms, or the processing is required for legal claims.

You also have the absolute right to object to processing of your personal data for direct marketing purposes, including profiling related to such marketing. If you object, we will stop processing your data for these purposes immediately.

Right to lodge a complaint (Art. 77 GDPR):

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Bulgaria, the competent authority is the Commission for Personal Data Protection (CPDP).

Right to withdraw consent (Art. 7(3) GDPR):

Where processing is based on your consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

You may exercise your rights by contacting us at office@amvisible.com or by postal mail at: Amvisible LTD, 13 Kiril i Metodii Street, Seslavtsi, Sofia, Bulgaria. We will respond without undue delay and within one month, in accordance with Article 12 GDPR.

11. Changes to the Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. The updated version will always be available on our website. Where changes materially affect your rights, we will provide additional notice (e.g., via email or account notification).

This Privacy Policy was last updated on 05.10.2025.