Privacy Policy & GDPR Statement
Aidos Ltd / Аидос ООД
(UIC: 131375280)
1. Introduction & Scope
This Privacy Policy & GDPR Statement explains how Aidos Ltd / Аидос ООД, operating under the trade name Aidos Accountancy Services (“Aidos”, “we”, “us”, “our”), processes personal data in the course of providing accounting, payroll, tax, and advisory services, and through the operation of our website and business communications.
This policy replaces our previous GDPR statement published in 2018 and reflects current practices under Regulation (EU) 2016/679 (GDPR) and applicable Bulgarian data protection legislation.
It applies to:
- Clients and prospective clients
- Employees and job applicants
- Website visitors
- Business partners and suppliers
- Other individuals whose personal data we process in the course of our professional activities
This document is intended as a clear, transparent explanation of our data protection approach. It is not a marketing document and not a software or e-commerce privacy policy.
2. Who We Are (Data Controller Details)
Data Controller:
Aidos Ltd / Аидос ООД, operating as Aidos Accountancy Services
Registered office:
Sofia, Republic of Bulgaria
UIC: 131375280
VAT number: BG131375280
Email (privacy & compliance matters):
📧 [email protected]
Aidos acts:
- As data controller for website data, client onboarding, contractual relations, and internal business administration
- As data processor when handling accounting, payroll, and tax data strictly on behalf of and under the documented instructions of our clients
When acting as a data processor, our processing activities are governed by a Data Processing Agreement (DPA) forming part of the client engagement, in accordance with GDPR Article 28.
3. What Personal Data We Process
Depending on the nature of our relationship and services, we may process the following categories of personal data:
Identification & Contact Data
- Full name
- Date and place of birth
- Nationality
- Personal identification number or equivalent (e.g. EGN, foreign ID number)
- ID card or passport details (where legally required)
- Residential address
- Email address and telephone number
Employment & Payroll Data
- Employment contracts and amendments
- Salary and remuneration data
- Social security and tax identifiers
- Leave, benefits, and statutory reporting data
Company & Legal Representation Data
- Shareholders, directors, managers, and beneficial owners
- Company registration and corporate documentation
- Signatory and representation rights
Website & Communication Data
- Contact form submissions
- Email correspondence
- Limited technical data (such as IP address and browser information), where necessary for website operation, security, and analytics
We adhere to the principle of data minimization. We collect and process only personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed and for compliance with legal obligations.
4. Legal Basis for Processing (GDPR Art. 6)
We process personal data on one or more of the following legal bases:
- Performance of a contract (Art. 6(1)(b))
  To provide accounting, payroll, tax, and advisory services requested by our clients.
- Legal obligation (Art. 6(1)(c))
  To comply with Bulgarian and EU laws, including tax, accounting, labor, and social security legislation.
- Legitimate interests (Art. 6(1)(f))
  For business administration, professional communication, security, and service improvement, where such interests are not overridden by the rights of data subjects.
- Consent (Art. 6(1)(a))
  Where required, for example for optional communications or for website analytics cookies.
Where special categories of personal data are processed (e.g. health-related data in payroll contexts), this is done strictly in accordance with GDPR Article 9 and applicable labor and social security legislation.
5. How and Why We Use Personal Data
We use personal data solely for legitimate professional purposes, including:
- Client onboarding and identity verification
- Company formation and statutory registrations
- Payroll processing and employment administration
- Accounting, tax compliance, and statutory reporting
- Communication with clients, authorities, and business partners
- Website operation and inquiry handling
- Internal administration, quality control, and compliance
Personal data is never used for unrelated purposes and is not sold or commercially exploited.
6. Cookies and Website Analytics
When you visit our website, we may process limited technical and usage data through cookies or similar technologies.
We use Google Analytics to understand how visitors use our website and to improve its performance and content. Analytics data may include information such as pages visited, time spent on the website, device and browser type, and general location (country or city level).
Analytics cookies are used only after consent has been provided via our cookie consent banner.
Further information about cookies, analytics technologies, and how consent is managed is available in our Cookie Policy, published on our website.
7. Data Sharing & Third Parties
We may share personal data only where necessary and lawful, including with:
- Public authorities (e.g. Bulgarian National Revenue Agency, Trade Register, social security institutions)
- Banks and financial institutions, when required for company or payroll-related processes
- Professional partners, such as lawyers, notaries, auditors, translation services, and IT providers
- Software and infrastructure providers supporting our accounting, payroll, and communication systems
Third parties are selected with due care and are required to maintain appropriate data protection and confidentiality standards. Where required, data processing agreements or equivalent safeguards are in place.
8. Data Storage, Security & Retention
We apply appropriate technical and organisational measures to protect personal data against unauthorized access, loss, misuse, or disclosure.
Security measures include:
- Controlled access to systems and documents
- Staff confidentiality obligations and GDPR training
- Secure IT infrastructure and authentication measures
- Segregation of access based on role and responsibility
Personal data is retained only for as long as necessary to fulfill contractual obligations and statutory retention requirements under Bulgarian and EU law. Once data is no longer required, it is securely deleted or destroyed.
9. Data Subject Rights Under GDPR
Individuals whose personal data we process have the following rights under GDPR:
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”), where applicable
- Right to restriction of processing
- Right to data portability, where applicable
- Right to object to processing based on legitimate interests, including for direct marketing purposes
- Right to withdraw consent, where processing is based on consent
Requests may be submitted in writing using the contact details below. In certain cases, exercising these rights may affect our ability to provide services or comply with legal obligations.
10. International Data Transfers
As a rule, personal data is processed within the European Union / European Economic Area (EU/EEA).
Where transfers outside the EU/EEA are required (for example, through the use of international cloud or software service providers), such transfers are carried out in compliance with GDPR using appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission.
11. Contact Details and Complaints
For any questions, requests, or concerns regarding personal data protection or compliance matters, please contact:
You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни – КЗЛД), which is the competent supervisory authority for data protection in Bulgaria.
12. Changes to This Policy
We may update this Privacy Policy & GDPR Statement to reflect legal, regulatory, or operational changes.
Change log
| Version | Date | Description |
|---|---|---|
| 1.0 | January 2026 | Full rewrite replacing 2018 GDPR policy |
This Privacy Policy & GDPR Statement forms part of Aidos’ Governance Framework.
Last reviewed: January 2026
