PRIVACY POLICY

1. Introduction

Gran Fondo Bulgaria Ltd. ("we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you:

• Visit our website at www.granfondobulgaria.com
• Register for our cycling events
• Subscribe to our newsletters
• Contact us through any channel
• Participate in our events

Please read this Privacy Policy carefully. By using our services, you consent to the collection and use of your personal data as described in this policy.

2. Data Controller

The data controller responsible for your personal data is:

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions, please contact our DPO:

• Email: privacy@granfondobulgaria.com
• Phone: +359 2 987 6543
• Address: 1 Bulgaria Square, 1463 Sofia, Bulgaria

3. Data We Collect

We collect different types of personal data depending on how you interact with us:

3.1 Information You Provide

Registration Data

• Full name (first name and last name)
• Email address
• Phone number
• Postal address
• Date of birth
• Gender
• Nationality
• Cycling club affiliation (if applicable)

Health & Emergency Data

• Emergency contact name and phone number
• Medical conditions relevant to participation
• Allergies or special medical requirements
• Blood type (optional)

Payment Data

• Billing address
• Payment method details
• Transaction history

3.2 Information Collected Automatically

Technical Data

• IP address
• Browser type and version
• Device type and operating system
• Time zone setting and location
• Pages visited and time spent on our website

Event Data

• Race timing data
• GPS tracking data (during the event)
• Checkpoint times
• Finishing position and time

3.3 Information from Third Parties

• Timing partners (race results)
• Photography partners (event photos)
• Social media platforms (if you connect your account)
• Cycling federations (license verification)

4. Legal Basis for Processing

Under GDPR, we must have a valid legal basis for processing your personal data. We rely on the following legal bases:

Special Category Data

Health data is considered 'special category' data under GDPR. We process this data based on:

• Your explicit consent provided during registration
• Vital interests (medical emergencies)
• Legal obligations for event safety

5. How We Use Your Data

5.1 Event Management

• Processing your registration and entry
• Allocating race numbers and timing chips
• Managing start waves and corrals
• Recording and publishing race results
• Issuing finisher certificates and medals
• Coordinating logistics (race packs, refreshments)

5.2 Communication

• Sending registration confirmations
• Providing event updates and important information
• Responding to your inquiries and support requests
• Sending post-event surveys and feedback requests
• Marketing communications (with your consent)

5.3 Safety & Security

• Ensuring participant safety during events
• Emergency response coordination
• Contacting emergency contacts if needed
• Fraud prevention and detection
• Verifying participant identity

5.4 Legal & Administrative

• Processing payments and refunds
• Maintaining financial records for tax purposes
• Complying with legal obligations
• Handling insurance claims
• Resolving disputes

5.5 Improvement & Analytics

• Analyzing participation trends and demographics
• Improving our events and services
• Developing new features and offerings
• Website analytics and performance optimization

6. Data Sharing & Disclosure

We may share your personal data with the following categories of recipients:

6.1 Service Providers

6.2 Event Partners

• Event sponsors (only aggregated, anonymized data unless you consent otherwise)
• Local authorities (as required for event permits)
• Medical and emergency services (for safety purposes)
• Insurance providers (for claims processing)

6.3 Public Disclosure

The following information may be made publicly available:

• Race results (name, nationality, age category, time, position)
• Event photographs and videos
• Participant lists (name, nationality, race number)

6.4 Legal Requirements

We may disclose your data when required by law, including:

• Responding to court orders or legal processes
• Cooperating with law enforcement investigations
• Protecting our legal rights
• Complying with regulatory requirements

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place:

7.1 Safeguards

• EU adequacy decisions for countries with adequate data protection
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules for transfers within corporate groups
• Certification schemes (e.g., EU-US Data Privacy Framework)

7.2 Countries

We may transfer data to service providers in:

• United States (cloud services, payment processing)
• Other EU/EEA countries (timing partners, sponsors)

You may request a copy of the safeguards used for international transfers by contacting our Data Protection Officer.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

After the retention period, we will securely delete or anonymize your data. Anonymized data may be retained for statistical purposes.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse:

9.1 Technical Measures

• SSL/TLS encryption for all data transmissions
• Encrypted data storage
• Secure password hashing
• Regular security updates and patches
• Firewall and intrusion detection systems
• Regular security audits and penetration testing

9.2 Organizational Measures

• Access controls and role-based permissions
• Staff training on data protection
• Confidentiality agreements with employees and contractors
• Data protection impact assessments
• Incident response procedures

9.3 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours
• Inform affected individuals without undue delay if there is a high risk
• Document the breach and our response

10. Your Rights

Under GDPR, you have the following rights regarding your personal data:

How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer:

• Email: privacy@granfondobulgaria.com
• Mail: Data Protection Officer, Gran Fondo Bulgaria Ltd., 1 Bulgaria Square, 1463 Sofia, Bulgaria

We will respond to your request within one month. This period may be extended by two months for complex requests, in which case we will inform you.

Right to Lodge a Complaint

If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority. In Bulgaria, this is:

11. Cookies Policy

Our website uses cookies and similar tracking technologies to enhance your browsing experience and analyze website traffic.

11.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help the website remember your preferences and how you use the site.

11.2 Types of Cookies We Use

11.3 Managing Cookies

You can control cookies through:

• Our cookie consent banner when you first visit our website
• Your browser settings (most browsers allow you to block or delete cookies)
• Third-party opt-out tools (e.g., Google Analytics Opt-out)

11.4 Third-Party Cookies

We use services from third parties that may set their own cookies:

• Google Analytics: Website analytics
• Facebook Pixel: Advertising and remarketing
• Stripe: Payment processing
• YouTube: Embedded videos

12. Children's Privacy

Our events are generally intended for participants aged 18 and over, or 16-17 with parental consent.

12.1 Age Requirements

• Participants must be at least 16 years old
• Participants aged 16-17 require written parental/guardian consent
• We do not knowingly collect data from children under 16

12.2 Parental Consent

For participants aged 16-17, a parent or legal guardian must:

• Provide written consent for participation
• Agree to these privacy terms on behalf of the minor
• Serve as the primary contact for communications

If you believe we have collected personal data from a child without appropriate consent, please contact us immediately at privacy@granfondobulgaria.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

13.1 Notification of Changes

When we make changes:

• We will update the "Last Updated" date at the top of this policy
• For significant changes, we will notify you by email or website notice
• We will obtain fresh consent if required for material changes

13.2 Your Continued Use

Your continued use of our services after changes become effective constitutes acceptance of the revised policy. We encourage you to review this policy periodically.

13.3 Previous Versions

Previous versions of this Privacy Policy are available upon request. Please contact our Data Protection Officer.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 5 business days.