Privacy and Data Protection Policy (GDPR)


“Leno Ventures” Ltd. (the “Company”) respects the privacy of its clients and ensures the utmost protection of their personal data. The current Privacy and Data Protection Policy (hereinafter referred to as the „Privacy Policy”) has been drafted and is based on the applicable Bulgarian and European legislation on data protection and enters into force as of 01.11.2020.

The present Privacy Policy regulates the processing of personal data of natural persons or representatives of legal entities of the Company clients or potential clients, as well as the users of the Platform in relation to the services offered by the Company.

The Platform means, together and separately, the internet page of, and any other platform through which the Company is presented, offered and / or provides services.

The present Privacy Policy, together with the Cookie Policy sets the rules which the Company shall comply with when processing the personal data, collected from and/or about you or which you provide.

Please, read this Privacy Policy carefully before using the Platform or providing your Personal data, regardless electronically, through the Web site or on paper, as the provision of your Personal data shall be deemed an agreement to its terms. If you do not wish your personal data to be processed in the way described in the current Privacy Policy, please do not provide them. The provision of your personal data is performed voluntarily and for the use of certain services, i.e. the use of the Platform and/or accessing it, as well as every request submitted through the Platform. Please keep in mind that the Company shall not be able to provide you with the services you have asked for, if you do not provide the necessary information. Please, also take in mind that in some particular cases your consent for the processing of personal data may not be required, if the Company has a different legal basis for processing your personal data, i.e. fulfillment of legal obligations.

Who processes your personal information and who is liable for it

“Leno Ventures” Ltd. is a limited liability company, incorporated in accordance with the Bulgarian legislation and registered with the Commercial register and register of NPLE with UIC 206082675, with registered office at 96 Tsarigradsko Shose Blvd, Level 7, Sofia.

You can contact us at any of the following coordinates:

At the shown above registered offices;


Categories of personal data, processed by the Company

In the course of providing the requested services, the Company may process the publicly available personal data, personal data available to the Company in the exercise of its legal rights and obligations and / or personal data provided by you. The main types of personal data processed are:

  1. In the course of providing the requested services, the Company may process
    • Personal identification information (name, middle and family name, PIN, date of birth, place of birth, citizenship, sex, identification document number);
    • Contact details (including permanent address, address for correspondence, different from the permanent address, your telephone number or a number of a contact person, email address and others);
    • Data on employment, occupation/position, work experience, education, previous employment, skills, qualifications, and others;
    • Financial information (bank accounts, sources and amount of income, usual expenses etc.);
    • Information about the representative (legal representative or a proxy) of our client;
    • Data related to health status.

Sources through which the Company collects information

  • Transactions related to the services provided by the Company;
  • Statement under the Law on Measures against Money Laundering (“LMML”);
  • Statement about the Beneficial owner under art. 66, para. 2 of the LMML;
  • Statement under the LМML for a politically exposed person;
  • Online form for a job application;
  • Email and chat communication, as well as telephone conversations incoming or outcoming from the Company;
  • Visiting the Platform;
  • Information provided to other Companies, in case of joint venture services;
  • Power of attorney to a representative of a client (if there is a representative elected or appointed);
  • And all other sources, which help generate the legal minimum of information, which the Company is required to collect.

Purposes and legal basis for processing of personal data

The Company processes personal data for the following purposes:

  1. Processing of personal data that is required for conclusion or execution of agreements, or related to preparation of agreements’ documents, or upon job application:
    • Identifying a client upon: signing of a new or an amendment of an existing agreement; detailing of the services provided thereto; execution of an agreement;
    • Preparation of contractual offers, sending pre-contractual information and contract draft;
    • Data received from the client in the course of performing contractual obligations, exercise of rights and assurance of performance of contracts;
    • Up-to-date identification of users of the Platform as clients;
    • Processing job application;
    • Accepting and answering clients’ complaints and/or requests;
    • Debt payments, rescheduling of due amounts; management of receivables collection;
    • Sharing important information regarding changes herein and other relevant information.
  2. For the execution of its legal duties, the Company processes your data for the following purposes:
    • Issuing invoices;
    • For performing tax-insurance control of the competent authorities and determining the tax in the tax area;
    • Providing information to the Commission for Personal Data Protection in relation to the obligations laid down in the regulation for personal data protection – the General Data Protection Regulation (EU) 2016/679 from 27 April 2016, etc.;
    • Obligations provided for in the Tax-Insurance Procedure Code and other related statutory instruments in relation to the keeping of proper and lawful accounting;
    • Prevention of fraud, money laundering and terrorist financing.
  3. The Company processes personal data obtained with the explicit consent of the client for the following purposes:
    • Direct marketing of products and services.
  4. The processing is required for the purposes of the legitimate interests of the Company:
    • For the purpose of ensuring security and protection of the Company’s and its visitors’ and employees’ property, interests and safety, the Company maintains video surveillance equipment;
    • Assessing the level of clients’ satisfaction, as well as the efficiency of the advertising target;
    • Ensuring the quality of clients’ service (video recording and audio recording).

Categories of third parties that may access and process your personal data

The Company does not disclose collected and stored nonpublic information and the client’s personal data before any unrelated third party, unless that is provided by the applicable legislation or the explicit consent of the client is given.

Depending on the product or service, as well as certain restrictions regarding confidential information, personal data of clients and information may be disclosed to:

  • Insurers with which the Company has a contract in its capacity of Insurance Intermediary;
  • Persons who are assigned by the Company to maintain the equipment and software used for the processing of your personal data;
  • Banks servicing the payments made by and to you;
  • Persons to whom the Company has provided the execution of part of the activities or obligations associated with a specific service provided to you; personal data processors who, on the basis of a contract with the Company, process your personal data on behalf of the Company as well as other companies of the holding structure of the Company in the course of provision of related services or activities;
  • Natural persons providing services related to contracts signing: notary public persons; lawyers; proxies;
  • Natural persons or legal entities providing consultancy services in different areas - lawyers, accountants, marketing agencies, etc.;
  • Courts and other competent authorities, institutions, and persons to whom the Company is obliged to provide personal data under current legislation;
  • Security companies holding a license to perform private security activities processing the video recordings on the territory of the Company offices and / or maintaining other registers in the course of ensuring the access regime in the same sites;
  • Other companies, in case of provision of joint venture services;
  • Other third parties which provide services to the Company.

How long does the Company keep your personal data

The time period for keeping your personal data depends on the processing purposes for which they were collected:

  • Personal data processed for the purpose of concluding/amending and executing contracts between the Company and you or a company represented by you- within the contract period and as of the definitive settlement of all financial relations between the parties. The Company may keep part of your personal data for a longer period of time until the expiration of the applicable limitation period in order to be protected from any client’s claims regarding performance / termination of contracts as well as in case of a legal disputes that has been already arisen until its final settlement by a court / arbitration adjudication that has entered into force.
  • Personal data processed for the purpose of issuing accounting / financial documents for the implementation of tax and social security regulations including, but not limited to - invoices, debit notes, credit notes, handover protocols, contracts for provision of service/goods, shall be kept not less than 11 years as from expiry of the limitation period for extinguished of the respective public claim, unless the applicable law provides for a longer period.
  • Personal data processed for the purpose of direct marketing - to the explicit withdrawal of the given direct marketing consent or receipt of an objection to the processing of personal data for the purpose of direct marketing.
  • Video surveillance data from security cameras - up to 200 days as from the recording creation. Phone calls shall be kept for up to 5 years from the call.
  • Personal data processed for the purpose of preventing fraud and money laundering shall be kept for a period of 5 years after the final settlement of all financial relations between the parties under Art. 67 of the LMML.
  • Personal data processed for the purpose of analyzing and evaluating job applications shall be kept for a period of 1 year after application or until the consent is explicitly withdrawn by the applicant.

Your rights in relation to the processing of your personal data

  1. General rights
  2. You have the following rights described below, related to the processing of personal data, which you may exercise at any time while the Company keeps or processes your personal data by sending a request to the address of the Company referred to above or electronically by e-mail:

    Any client is entitled to access his/her personal data collected by the Company upon written request. the Company shall be obliged to grant access solely to the data concerning the respective client, where personal data of third persons may be disclosed in the course of exercising the rights described above. Upon exercising his/her right of access, any the Company client shall be entitled at any time to request:

    • confirmation of whether his/her personal data are being processed, information for the purposes of such processing, categories of personal data, and recipients or categories of recipients to whom personal data are disclosed;
    • to be notified in writing in a plain form and the notification shall contain his or her personal data that are being processed, as well as any available information about their source;
    • information about the logic of any automated processing of personal data.

    Any client shall be entitled, at any time, to request from the Company to:

    • erase, rectify or block his/her personal data, the processing of which does not comply with the applicable legislation;
    • notify any third persons to whom personal data have been disclosed of any erasure, rectification or blocking carried out in accordance with the preceding paragraph unless notification is impossible or involves excessive effort.

    Any client in relation to his/her personal data, shall be entitled to:

    • object before the Company the processing of his or her personal data in the presence of a legal basis for this; where the objection is justified, the personal data of the client concerned can no longer be processed;
    • object the processing of his or her personal data for the purpose of direct marketing;
    • be notified prior to the first disclosure of his or her personal data to third persons or prior to their use for the purpose of direct marketing, as the respective client shall be entitled to object such personal data disclosure or use.
  3. Complaint before a supervisory authority
  4. You have the right to submit a complaint directly to the supervisory authority:
    Commission of Personal Data Protection, having its seat address at 2 Prof. Tsvetan Lazarov, 1592 Sofia, Bulgaria (

  5. Profiling
  6. Upon assessing the appropriateness of the services provided by the Company, the latter DOES NOT perform profiling as the processing of your personal data is not automated. The preparation of the assessment is strictly individual for each client and is done in accordance with the requirements of the law by certain employees to whom the Company has commissioned this assessment.

  7. Objection against the direct marketing
  8. You have the right to object to the future processing of your personal data for the purposes of direct marketing and advertising as well as to disclosure to third persons and personal data use on their behalf for the purposes of direct marketing and advertising by withdrawing your consent at any time. For this purpose, you can send an electronic message requesting the respective suspension of the use of your personal data for the purpose of direct marketing at:

  9. Can you refuse to provide personal data to the Company and what are the consequences of it?
  10. In order to conclude a contract with you and / or to provide you with the requested services in accordance with the respective legal and contractual obligations, the Company requires certain data detailed in this Privacy Policy.

    Non-provision of such data may impede the ability to assess the appropriateness and expedience of personal data processing and lead to obstruction for providing you with the type of service you have requested and / or to conclude a contract under the terms and conditions you require.

  11. Portability of personal data.
  12. You have the right to request that your personal data be transmitted or transferred to another data controller in a structured, widely used and machine-readable format. If it is technically feasible, the Company shall transfer the data directly.

    How does the Company protect your data?

    The Company applies organizational, physical, IT and other required measures to ensure the security and protection of your personal data and the monitoring of the processing of personal data.
    These security measures include, but not limited to, the following activities:

    • The Company has established the requirements for processing, registering and keeping personal data by implementing internal procedures, the observance of which is constantly supervised;
    • The access of the Company employees to personal data and permission to process personal data in the Company database is limited, depending on their duties;
    • The Company has established confidentiality obligations for its employees;
    • Access to the office equipment of the Company and the computers of each employee is limited;
    • For maximum security when processing, transferring and keeping your personal data, the Company may use additional protection means such as encryption, pseudonymization, etc.;

    The security measures applied are subject to constant improvement and adaptation to state-of-the-art technologies.

Cookie policy

To learn more about the Cookie Policy, please visit the Cookie Policy page.

Client’s consent

By filing an agreement request, or when applying for any services provided by the Company, and/or using the Company’s Platform, the client of the company and / or the user of the Platform agrees with the collection and use of public or non-public information and personal data by the Company as provided in this Privacy Policy.

Privacy policy amendments

It is important that we periodically update this Privacy Policy. Please, periodically visit this page, to stay up to date on these changes. We will explicitly notify you of significant changes regarding the way we handle your personal information. If you do not agree with the changes, you have the right to terminate your relationship with the Company. If you continue to use the Platform, you will be deemed to have read and agreed to the changes.