Privacy Policy

Last updated: March 2026

Overview

The data controller for your personal data is NETTINGALE BULGARIA EOOD (UIC: 205815007), registered at ul. 23 Septemvri, No 8, Svoge 2260, Bulgaria. This policy explains what data we collect, why we collect it, and how we handle it in accordance with the General Data Protection Regulation (GDPR).

Your use of Nettingale is also governed by our Terms of Service.

Data We Collect

We collect the minimum data necessary to provide our service:

  • Account information: Email address and password (hashed) for authentication
  • Billing information: Payment card details are handled directly by Stripe - Nettingale never stores your card data
  • Website data: Your WordPress files, database, and backups stored on our servers
  • Usage data: Server logs for security and performance monitoring

How We Use Your Data

We process your data on the following legal bases under GDPR Art. 6:

Contractual necessity (Art. 6(1)(b)):

  • To provide and maintain your hosting service
  • To process payments and manage your subscription
  • To send service-related notifications (downtime, security alerts)

Legitimate interest (Art. 6(1)(f)):

  • To improve our infrastructure and service reliability
  • To monitor and protect against security threats

Consent (Art. 6(1)(a)):

  • To send marketing communications (you may withdraw consent at any time)

Legal obligation (Art. 6(1)(c)):

  • To retain records where required by tax, accounting, or other applicable law

Data Storage

Your website data is stored on secure servers in the European Union. We do not transfer your data outside the European Economic Area. We maintain encrypted backups for 30 days. All data transmission uses TLS encryption.

Third-Party Services and Sub-processors

We use the following third-party services to operate the platform:

  • Hetzner: Server infrastructure and data storage (EU)
  • Cloudflare: CDN and DDoS protection. Traffic may be routed through Cloudflare points of presence outside the EEA for performance and security purposes. Cloudflare participates in the EU-US Data Privacy Framework. No website data is stored outside the EEA - only transit traffic passes through global nodes.
  • Stripe: Secure payment processing (EU-US Data Privacy Framework certified)
  • Amazon Web Services (SES): Transactional email delivery (EU region)

We may update this list of sub-processors as our service evolves. Material changes will be communicated via email. We do not sell your data to third parties.

Data Processing Agreement

If you store personal data of your own users on your WordPress sites hosted by Nettingale, we act as a data processor on your behalf under GDPR Art. 28. A Data Processing Agreement (DPA) is available on request. Contact privacy@nettingale.com to request a copy.

Your Rights

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure of your data (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability - export your data in a structured format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent for marketing communications

If you believe your data protection rights have been violated, you have the right to lodge a complaint with Bulgaria's Commission for Personal Data Protection (CPDP) at www.cpdp.bg.

Cookies

We use essential cookies only for authentication and session management. We do not use tracking or advertising cookies.

Data Retention

Account data is retained while your account is active. Upon account deletion, we remove your data within 30 days, except where legally required to retain it.

Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33
  • Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Art. 34
  • Include in any notification the nature of the breach, likely consequences, and measures taken or proposed to address it

Contact

For privacy-related inquiries, contact us at privacy@nettingale.com

We have not appointed a Data Protection Officer as it is not required under GDPR Art. 37 given the nature and scale of our data processing. For all privacy matters, use the contact above.