
Personal Data Protection Policy

Unified personal data protection policy of CNTS Ltd, covering kazva.bg, AI Readiness Audit, and EU AI Act Wizard, in compliance with GDPR.

I. Data Controller

CNTS Ltd (ЦНТС ООД) is a data controller within the meaning of Regulation (EU) 2016/679 (GDPR).

  • Company ID (EIK): 206255746
  • VAT number: BG206255746
  • Registered address: 44 Dunav Street, fl. 3, 1202 Sofia, Bulgaria
  • Managing Director: Hristina Todorova Panayotova
  • Data protection email: [email protected]

II. Scope of the Policy

This policy covers the processing of personal data when using the following products and services of CNTS Ltd:

  1. kazva.bg - a free feedback and analytics platform (surveys, NPS).
  2. AI Readiness Audit (cnts.bg/audit) - a paid digital product for assessing a business's AI readiness.
  3. EU AI Act Wizard (cnts.bg/ai-act) - a paid product for generating compliance documents under the EU Artificial Intelligence Act.

III. Applicable Legislation

This policy has been prepared in accordance with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation - GDPR);
  • The Personal Data Protection Act (PDPA) of the Republic of Bulgaria;
  • Regulation (EU) 2024/1689 (Artificial Intelligence Act - AI Act) - regarding transparency provisions;
  • The Act on the Provision of Digital Content and Digital Services and the Consumer Protection Act - regarding the right of withdrawal in distance sales.

IV. Roles in Data Processing

CNTS Ltd acts as the data controller for all three products.

For the kazva.bg platform, organizations and companies that collect feedback may act as joint controllers or data processors only when the user has explicitly consented to sharing their data with a specific organization.

Where joint controllership applies, the respective responsibilities are defined by a contract between CNTS Ltd and the organization. The essence of this arrangement is available to data subjects upon request.

For the AI Readiness Audit and EU AI Act Wizard products, CNTS Ltd is the sole data controller.

V. Types of Personal Data by Product

5.1. kazva.bg

  • Contact data: email address provided during registration.
  • Demographic data: year of birth, gender, and location - provided voluntarily.
  • Profile data: additional information the user voluntarily adds.
  • Usage data: questionnaire responses, ratings, preferences, and settings.

Users enter data only for themselves. The platform does not envisage or allow entry of personal data of third parties.

Free-text responses on kazva.bg may, at the user's own initiative, contain special categories of data within the meaning of Art. 9 GDPR (e.g., data concerning health, political opinions, religious beliefs). CNTS Ltd does not request or encourage the provision of such data. If the user voluntarily enters such information, processing is based on their explicit consent (Art. 9(2)(a) GDPR), expressed through the voluntary entry. We recommend that users do not include sensitive personal data in their responses unless they expressly wish to do so.

5.2. AI Readiness Audit (cnts.bg/audit)

  • Email address: for delivery of audit results.
  • Website URL: subject of the technical analysis.
  • Payment data: processed entirely by Stripe; CNTS Ltd does not store card numbers.
  • Generated content: audit results, llms.txt file, JSON-LD markup, and personalized recommendations.

5.3. EU AI Act Wizard (cnts.bg/ai-act)

  • Email address: for delivery of compliance documents.
  • Business information: description of activities, sector, AI systems used - necessary for risk assessment under the AI Act.
  • Payment data: processed entirely by Stripe; CNTS Ltd does not store card numbers.
  • Generated documents: AI Act compliance documents, risk assessments, and recommendations.

VI. Age Restriction

The kazva.bg platform is not intended for individuals under 14 years of age (Art. 25b of the PDPA). The AI Readiness Audit and EU AI Act Wizard services are not intended for individuals under 18 years of age, as they constitute paid business services. If we discover that data has been collected from a person below the applicable age threshold, that data will be immediately deleted.

VII. Purposes and Legal Bases for Processing

We process personal data on the following legal grounds under Art. 6(1) GDPR:

  • Performance of a contract (Art. 6(1)(b)): processing is necessary for the provision of services - registration and use of kazva.bg, delivery of paid audits and compliance documents.
  • Consent (Art. 6(1)(a)): when the user voluntarily provides additional data or consents to sharing information with a specific organization (kazva.bg).
  • Legal obligation (Art. 6(1)(c)): to comply with tax and accounting legislation, as well as AI Act requirements.
  • Legitimate interest (Art. 6(1)(f)): to maintain platform security, prevent abuse, and improve services.

CNTS Ltd has conducted a balancing test which concluded that the stated interests do not disproportionately affect the rights and freedoms of data subjects. A copy of the assessment is available upon request at [email protected].

VIII. How We Collect Data

  • Registration: when creating a profile on kazva.bg.
  • Order: when purchasing an AI Readiness Audit or EU AI Act Wizard.
  • Platform usage: data generated through interaction with the products.
  • Automated scanning: technical scanning of the specified website (AI Readiness Audit) - only publicly available information is collected.
  • Indirect collection from scanned websites: When the AI Readiness Audit scans a website at a client's request, publicly available information related to the website operator may be processed (e.g., employee names, contact details, photographs published on the site). This information is collected from the public website (source within the meaning of Art. 14(2)(f) GDPR) and is processed on the basis of the client's legitimate interest in a technical assessment of AI visibility (Art. 6(1)(f)). The data is processed solely for the purpose of generating the audit and is not retained beyond the generated report. Operators of scanned websites may exercise their rights under Section XVI by contacting us at [email protected].
  • Communication: when you contact us by email or through a contact form.

Providing an email address is a contractual requirement necessary for creating a profile on kazva.bg or for delivery of purchased products. Without this data, it is not possible to provide the respective service. Providing demographic data is entirely voluntary, and refusal does not restrict access to the services.

IX. Disclosure of Data to Third Parties

Feedback from kazva.bg is transmitted to client organizations in aggregated and pseudonymized form by default, where individual responses cannot be linked to a specific user without additional information held solely by CNTS Ltd. Personal data is disclosed to a specific organization only with the user's explicit consent.

To deliver our services, we use the following sub-processors (data processors):

  • Hetzner Online GmbH (Germany, EU) - hosting for kazva.bg.
  • Supabase Inc. (USA; data stored in EU/Frankfurt, SCCs) - database for AI Readiness Audit and EU AI Act Wizard.
  • Vercel Inc. (USA; data processed in EU/Frankfurt, SCCs) - hosting for the AI Readiness Audit platform.
  • Stripe Inc. (USA, Standard Contractual Clauses - SCCs) - payment processing.
  • Anthropic PBC (USA, SCCs) - AI content generation for AI Readiness Audit and EU AI Act Wizard.
  • Firecrawl (USA, SCCs) - technical website scanning for AI Readiness Audit.
  • Google LLC (USA, SCCs) - Google Places API for enriching business information.
  • Resend Inc. (USA, SCCs) - delivery of transactional emails.
  • Plausible Analytics (EU) - cookie-free web analytics for cnts.bg.
  • Cloudflare Inc. (USA; content delivery network with EU processing, SCCs) - hosting, CDN, and server-side function execution for cnts.bg.

CNTS Ltd has entered into Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR with all listed sub-processors. These agreements ensure that sub-processors process personal data only on our documented instructions and apply appropriate technical and organizational measures. A copy of the applicable DPAs may be obtained upon request at [email protected].

We do not sell, rent, or share personal data with third parties for marketing purposes.

We may disclose personal data when required by law, court order, or a binding request from a competent authority. We will notify the data subject where legally permissible.

X. International Data Transfers

The primary processing of data takes place within the European Union. For sub-processors established in the USA (Supabase, Vercel, Stripe, Anthropic, Firecrawl, Google, Resend), data transfers are carried out on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Art. 46(2)(c) GDPR.

XI. Retention Periods

11.1. kazva.bg

Personal data is retained for the duration of the active user profile. After profile deletion, data is retained for an additional period of 180 days, after which it is permanently deleted.

11.2. AI Readiness Audit

Audit results are accessible to the client for a period of 6 months from the date of purchase. After this period, access is terminated and data is deleted within 30 days, unless the client requests earlier deletion.

11.3. EU AI Act Wizard

Generated compliance documents are accessible for a period of 6 months from the date of purchase. Business information provided for risk assessment is deleted together with the documents.

11.4. Financial and Accounting Data

Data required for tax and accounting purposes (invoices, payment confirmations) is retained for a period of 10 years in accordance with the Accountancy Act.

11.5. Anonymized Data

Anonymized and aggregated data has no retention limit, as it does not constitute personal data.

XII. Use of Artificial Intelligence (AI) - Transparency

In accordance with the transparency requirements of Regulation (EU) 2024/1689 (AI Act), we disclose the following:

12.1. Which Products Use AI

  • AI Readiness Audit (paid plans) - uses artificial intelligence to generate an llms.txt file, JSON-LD markup, personalized recommendations, and improvement guides.
  • EU AI Act Wizard - uses artificial intelligence to generate compliance documents, risk assessments, and alignment recommendations.

12.2. What AI Does

  • Analyzes publicly available information from the client's website.
  • Generates textual content: technical files (llms.txt), structured data (JSON-LD), recommendations, and compliance documents.
  • Provides personalized improvement guides based on the analysis.

12.3. What AI Does NOT Do

  • Scoring is entirely deterministic - it is based on objective technical checks, with no AI model involvement.
  • The free tier of AI Readiness Audit does not use AI - results are calculated algorithmically.
  • The kazva.bg platform does not use AI for processing feedback or personal data.

12.4. Model Used

Content generation uses Anthropic Claude (Opus model), provided by Anthropic PBC.

12.5. Training Data

Client data is not used for training AI models. Our contract with Anthropic PBC explicitly prohibits the use of input and output data for training purposes.

12.6. Human Oversight

AI-generated content is provided as source material. Clients are responsible for reviewing, adapting, and ultimately using the generated documents and recommendations. CNTS Ltd recommends that all generated materials be reviewed by a qualified person before use.

12.7. Risk Classification

Pursuant to Annex III of Regulation (EU) 2024/1689, the AI components of AI Readiness Audit and EU AI Act Wizard do not fall within the category of high-risk systems. They are classified as limited-risk systems (Title IV), subject to the transparency obligations under Art. 50.

XIII. Security and Breach Notification

We implement appropriate technical and organizational measures to protect personal data:

  • Data is stored on servers within the European Union (Germany and Frankfurt).
  • Communication is protected through SSL/TLS encryption.
  • Data at rest is encrypted.
  • Payment data is processed entirely by Stripe in accordance with PCI DSS.
  • Access to data is restricted on a need-to-know basis.

CNTS Ltd has conducted a Data Protection Impact Assessment (DPIA) pursuant to Art. 35 GDPR for its AI-based products. The assessment concluded that the applied technical and organizational measures adequately mitigate the identified risks.

In the event of a personal data breach, CNTS Ltd will notify the Commission for Personal Data Protection (CPDP) within 72 hours of becoming aware of the breach, as well as affected individuals where applicable.

XIV. Cookies and Analytics

14.1. kazva.bg

The platform uses a single cookie - kazvabg_cookie. This cookie is encrypted and is used for:

  • Recognizing the user on return visits;
  • Preserving preferences and functionality;
  • Storing interaction history;
  • Preventing abuse.

14.2. cnts.bg (including /audit and /ai-act)

The cnts.bg website uses Plausible Analytics - a web analytics system that does not use cookies, does not collect personal data, and is fully GDPR compliant. No marketing cookies, advertising pixels, or tracking tools are used.

For more information, see our Cookie Policy.

XV. Right of Withdrawal for Distance Sales

For the paid products AI Readiness Audit and EU AI Act Wizard, you have the right to withdraw from the purchase within 14 days of the date of purchase, without giving any reason, in accordance with the Consumer Protection Act (transposing Directive 2011/83/EU on consumer rights).

To exercise your right of withdrawal, send a request to [email protected]. Refunds are issued via the original payment method within 14 days of receiving the request.

Note: If the digital content has been fully delivered and you have expressly agreed to its immediate provision, confirming that you lose your right of withdrawal, a refund may not be possible.

XVI. Rights of Data Subjects

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): to obtain information about whether and what personal data we process about you.
  • Right to rectification (Art. 16): to request correction of inaccurate data.
  • Right to erasure (Art. 17): to request deletion of your data ("right to be forgotten").
  • Right to restriction of processing (Art. 18): to request restriction of processing.
  • Right to object (Art. 21): to object to processing based on legitimate interest.
  • Right to data portability (Art. 20): to receive your data in a structured, machine-readable format.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing prior to withdrawal.
  • Right not to be subject to automated decision-making (Art. 22): including profiling with legal effects. Our AI products do not make automated decisions with legal effects - they generate content for human review.

XVII. How to Exercise Your Rights

You can exercise your rights in the following ways:

  • Self-service: through the profile deletion function on kazva.bg.
  • By email: by sending a request to [email protected].
  • By post: CNTS Ltd, 44 Dunav Street, fl. 3, 1202 Sofia, Bulgaria.

We will respond to your request within 1 month of receipt. If necessary, this period may be extended by an additional 2 months for complex or multiple requests, and you will be informed accordingly.

XVIII. Marketing Communications

CNTS Ltd does not send unsolicited marketing communications. Communication with users is limited to:

  • Technical and system notifications;
  • Delivery of ordered products (audits, compliance documents);
  • Platform maintenance messages;
  • Responses to user inquiries.

XIX. Version and Changes

CNTS Ltd reserves the right to update this policy. When material changes occur, the updated version will be published on cnts.bg and kazva.bg. Where changes materially affect users' rights, affected individuals will be notified by email.

Last updated: 16.03.2026

XX. Right to Complain

If you believe the processing of your personal data violates your rights, you have the right to file a complaint with:

Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia
www.cpdp.bg

Before filing a complaint, we encourage you to contact us at [email protected] so we can attempt to resolve the matter.

XXI. Data Protection Officer

Following an assessment of our processing activities pursuant to Art. 37 GDPR, we have determined that the appointment of a Data Protection Officer is not mandatory. Nonetheless, inquiries regarding data protection may be directed to [email protected].

XXII. Contact

For questions about this personal data protection policy:

  • Company: CNTS Ltd (ЦНТС ООД)
  • Company ID (EIK): 206255746
  • Address: 44 Dunav Street, fl. 3, 1202 Sofia, Bulgaria
  • Email: [email protected]

© 2026 CNTS Ltd. All rights reserved.

Have questions about your personal data?

Contact us at [email protected] - we respond within 1 business day.
