Privacy Protection

Data Privacy Policy

This comprehensive privacy policy explains how TMP-Group.eu collects, processes, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws. We are committed to transparency and the protection of your privacy rights.

Effective Date: July 2025


Table of Contents

  1. Preamble
  2. Data Controller
  3. Overview of Processing Activities
  4. Legal Basis for Processing
  5. Categories of Personal Data
  6. Security Measures
  7. Data Sharing and Recipients
  8. International Data Transfers
  9. Data Retention and Deletion
  10. Your Rights as a Data Subject
  11. Cookie Policy
  12. Business Services and Processing
  13. Payment Processing
  14. Third-Party Services and Integrations
  15. Social Media Presence
  16. Children's Privacy
  17. Changes to This Policy
  18. Definitions
  19. Contact Information

1. Preamble

This Privacy Policy sets forth how we collect, process, and protect personal data in connection with our psychological counseling platform and related services. This policy applies to all personal data processing activities conducted through our website, mobile applications, external online presences, and integrated third-party services (collectively referred to as our "Services").

We process personal data in strict compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Bulgarian Personal Data Protection Act, and other applicable data protection legislation. The terminology used in this policy corresponds to the definitions provided in Article 4 GDPR.

2. Data Controller

TMP Group EOOD
M.Sc. Psychologist Patric Pförtner
Ivan Pamukchiev 7A
5600 Troyan
Bulgaria
Company Registration Number: 208242609

Contact Information:
Email: info@tmp-group.eu
Phone: +359 87 6401659
Website: https://TMP-Group.eu

3. Overview of Processing Activities

This section provides a comprehensive overview of our data processing activities, including the types of data we process, the affected individuals, and our processing purposes.

3.1 Types of Data Processed

  • Master Data: Names, titles, addresses, date of birth
  • Contact Information: Email addresses, telephone numbers, postal addresses
  • Account Data: User credentials, preferences, settings
  • Content Data: Communications, form submissions, uploaded documents
  • Contract Data: Service agreements, terms, client categories
  • Payment Data: Billing information, payment history, transaction details
  • Usage Data: Access logs, interaction patterns, feature usage
  • Technical Data: IP addresses, device information, browser data
  • Health-Related Data: Information disclosed during counseling sessions (special category data)
  • Communication Metadata: Timestamps, communication channels, session identifiers

3.2 Categories of Data Subjects

  • Clients and prospective clients
  • Website visitors and platform users
  • Employees and contractors
  • Business and contractual partners
  • Newsletter subscribers
  • Participants in surveys or assessments
  • Communication partners

3.3 Purposes of Processing

  • Provision of psychological counseling services
  • Contract fulfillment and client relationship management
  • Communication and consultation scheduling
  • Payment processing and financial administration
  • Platform security and fraud prevention
  • Service improvement and quality assurance
  • Legal compliance and record-keeping
  • Marketing communications (with consent)
  • Technical infrastructure maintenance
  • Statistical analysis and reporting

4. Legal Basis for Processing

We process personal data only where we have a lawful basis under the GDPR. The specific legal basis depends on the context and purpose of processing:

4.1 Consent (Art. 6(1)(a) GDPR)

Where you have given clear, informed consent for specific processing activities. You may withdraw consent at any time, which does not affect the lawfulness of processing based on consent before withdrawal.

4.2 Contract Performance (Art. 6(1)(b) GDPR)

Processing necessary for the performance of our counseling services contract with you, or to take steps at your request before entering into such a contract.

4.3 Legal Obligations (Art. 6(1)(c) GDPR)

Processing necessary to comply with legal obligations, including tax regulations, professional record-keeping requirements, and court orders.

4.4 Vital Interests (Art. 6(1)(d) GDPR)

In exceptional circumstances, we may process data to protect vital interests, such as in medical emergencies or crisis situations.

4.5 Legitimate Interests (Art. 6(1)(f) GDPR)

Processing necessary for our legitimate interests or those of third parties, provided these interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include:

  • Ensuring platform security and preventing fraud
  • Improving our services and user experience
  • Efficient business administration
  • Enforcing legal claims and defending against liability

4.6 Special Categories of Data (Art. 9 GDPR)

For health data and other special categories processed during counseling:

  • Explicit Consent (Art. 9(2)(a) GDPR): With your explicit consent for counseling purposes
  • Healthcare Provision (Art. 9(2)(h) GDPR): For preventive or occupational medicine, medical diagnosis, provision of health care or treatment
  • Vital Interests (Art. 9(2)(c) GDPR): Where necessary to protect vital interests when you are physically or legally incapable of giving consent

5. Categories of Personal Data

5.1 Data Collected During Service Provision

Registration and Account Management:

  • Full name, title, gender
  • Date of birth (for age verification)
  • Contact details (email, phone, address)
  • Account credentials and security information
  • Communication preferences

Counseling Services:

  • Health information relevant to counseling
  • Personal history and background information
  • Session notes and treatment records
  • Assessment results and questionnaire responses
  • Emergency contact information
  • Insurance or payment information

5.2 Automatically Collected Data

Technical Information:

  • IP addresses and geolocation data
  • Browser type and version
  • Operating system and device information
  • Access times and session duration
  • Referring website information
  • Cookie identifiers

Usage Information:

  • Pages visited and features used
  • Click paths and navigation patterns
  • Search queries within our platform
  • Error logs and performance data

6. Security Measures

We implement comprehensive technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

6.1 Technical Measures

  • Encryption: TLS/SSL encryption for data transmission and encryption at rest for sensitive data
  • Access Control: Multi-factor authentication, role-based access controls, and regular access reviews
  • System Security: Firewalls, intrusion detection systems, and regular security updates
  • Data Backup: Regular encrypted backups with tested restoration procedures
  • Monitoring: Continuous security monitoring and anomaly detection

6.2 Organizational Measures

  • Confidentiality Agreements: All personnel sign strict confidentiality agreements
  • Training: Regular data protection and security awareness training
  • Access Management: Principle of least privilege and need-to-know basis
  • Incident Response: Documented procedures for data breach response
  • Vendor Management: Due diligence and contractual safeguards for third parties

6.3 Physical Security

  • Secure facilities with controlled access
  • Locked storage for physical records
  • Clean desk policy
  • Secure disposal of documents and media

7. Data Sharing and Recipients

We share personal data only when necessary and with appropriate safeguards in place. Recipients may include:

7.1 Service Providers

  • IT Service Providers: Hosting, maintenance, and technical support
  • Payment Processors: Secure payment handling and transaction processing
  • Communication Providers: Email, messaging, and video conferencing services
  • Professional Services: Legal advisors, accountants, and auditors (under confidentiality)

7.2 Legal and Regulatory Disclosures

We may disclose data when required by law, including:

  • Court orders and legal proceedings
  • Law enforcement requests (with proper authorization)
  • Regulatory compliance and audits
  • Child protection or safety emergencies

7.3 Professional Collaboration

With your explicit consent, we may share information with:

  • Other healthcare providers involved in your care
  • Clinical supervisors (anonymized where possible)
  • Insurance providers (for reimbursement)

8. International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards:

8.1 Transfer Mechanisms

  • Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate protection
  • Standard Contractual Clauses: EU-approved contract terms for data protection
  • Binding Corporate Rules: For transfers within corporate groups
  • Explicit Consent: Where you have specifically consented to the transfer

8.2 US Data Transfers

For transfers to the United States, we rely on:

  • EU-US Data Privacy Framework certification
  • Standard Contractual Clauses with additional safeguards
  • Your explicit consent where appropriate

9. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, and to comply with legal obligations.

9.1 Retention Periods

  • Counseling Records: Minimum 4 years after last contact, or longer if required by professional standards
  • Financial Records: 10 years as required by tax law
  • Business Correspondence: 6 years for general business records
  • Technical Logs: Maximum 6 weeks unless needed for security investigations
  • Marketing Consents: Until withdrawn or 3 years of inactivity
  • Cookie Data: As specified in our Cookie Policy

9.2 Deletion Procedures

Upon expiration of retention periods:

  • Electronic data is securely overwritten or cryptographically erased
  • Physical documents are securely shredded
  • Backups are purged according to rotation schedules
  • Deletion is verified and documented

9.3 Exceptions

We may retain data beyond standard periods when:

  • Required by law or legal proceedings
  • Necessary for establishing, exercising, or defending legal claims
  • You have provided consent for extended retention
  • Anonymization is possible instead of deletion

10. Your Rights as a Data Subject

Under the GDPR, you have comprehensive rights regarding your personal data:

10.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation about whether we process your personal data and to request:

  • A copy of your personal data
  • Information about processing purposes
  • Categories of data processed
  • Recipients or categories of recipients
  • Retention periods or criteria
  • Your rights regarding the data
  • Source of data (if not collected from you)
  • Information about automated decision-making

10.2 Right to Rectification (Art. 16 GDPR)

You have the right to request immediate correction of inaccurate personal data and completion of incomplete data.

10.3 Right to Erasure/"Right to be Forgotten" (Art. 17 GDPR)

You may request deletion of your personal data when:

  • The data is no longer necessary for the original purpose
  • You withdraw consent (where consent is the legal basis)
  • You object to processing based on legitimate interests
  • The data has been unlawfully processed
  • Deletion is required by law

Note: This right is subject to exceptions, particularly for compliance with legal obligations or for establishing, exercising, or defending legal claims.

10.4 Right to Restriction of Processing (Art. 18 GDPR)

You may request restriction of processing when:

  • You contest the accuracy of data (during verification period)
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing (during balance of interests assessment)

10.5 Right to Data Portability (Art. 20 GDPR)

Where processing is based on consent or contract and is automated, you have the right to:

  • Receive your data in a structured, commonly used, machine-readable format
  • Transmit this data to another controller
  • Have data transmitted directly between controllers (where feasible)

10.6 Right to Object (Art. 21 GDPR)

You have the right to object at any time to processing based on legitimate interests (Art. 6(1)(f) GDPR), including profiling. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.

You may object to direct marketing at any time, and we will immediately cease such processing.

To exercise your right to object, email: info@tmp-group.eu

10.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

10.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, particularly:

  • In your country of residence
  • At your place of work
  • Where the alleged infringement occurred

Bulgarian Data Protection Authority:
Commission for Personal Data Protection
2 Prof. Tsvetan Lazarov Blvd.
Sofia 1592, Bulgaria
Website: www.cpdp.bg

10.9 Rights Regarding Automated Decision-Making (Art. 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing that significantly affect you. We do not currently engage in such automated decision-making.

11. Cookie Policy

We use cookies and similar tracking technologies to enhance your experience on our platform.

11.1 What Are Cookies?

Cookies are small text files stored on your device that help us:

  • Remember your preferences and settings
  • Understand how you use our services
  • Improve platform performance
  • Provide relevant content
  • Ensure security

11.2 Types of Cookies We Use

Essential Cookies: Necessary for platform functionality

  • Session management
  • Security tokens
  • Load balancing
  • User preferences

Performance Cookies: Help us understand platform usage

  • Analytics data
  • Error reporting
  • Performance metrics

Functionality Cookies: Enable enhanced features

  • Language preferences
  • Accessibility settings
  • Personalization

Marketing Cookies: Used with consent for:

  • Relevant advertising
  • Campaign effectiveness
  • Remarketing (with consent)

11.3 Cookie Duration

  • Session Cookies: Deleted when you close your browser
  • Persistent Cookies: Remain for specified periods (up to 2 years)

11.4 Managing Cookies

You can control cookies through:

12. Business Services and Processing

We process data in connection with our psychological counseling services and related business operations.

12.1 Service Provision

For counseling services, we process:

  • Client identification and verification data
  • Service agreements and consent forms
  • Session scheduling and attendance records
  • Clinical notes and treatment documentation
  • Progress assessments and outcomes
  • Billing and insurance information

12.2 Professional Obligations

We maintain records to comply with:

  • Professional standards and ethics codes
  • Licensing and regulatory requirements
  • Quality assurance and supervision needs
  • Continuing education documentation

12.3 Special Considerations for Counseling Data

Health data from counseling sessions receives enhanced protection:

  • Access limited to treating professionals
  • Enhanced encryption and security measures
  • Strict confidentiality protocols
  • Release only with explicit consent or legal requirement

13. Payment Processing

We offer secure payment options through trusted payment service providers.

13.1 Payment Data Processing

We process payment information including:

  • Cardholder name and billing address
  • Payment method details
  • Transaction amounts and dates
  • Invoice and receipt information

13.2 Payment Security

  • PCI DSS compliance
  • Tokenization of payment data
  • Secure payment gateways
  • No storage of full payment card numbers

13.3 Supported Payment Methods

We accept payments via:

  • Credit/Debit Cards (Visa, Mastercard, American Express)
  • PayPal
  • Bank transfers (SEPA, wire transfer)
  • Digital wallets (Apple Pay, Google Pay)
  • Local payment methods (iDEAL, Bancontact, EPS, etc.)

14. Third-Party Services and Integrations

We use carefully selected third-party services to enhance our platform functionality.

14.1 Communication Services

  • Video Conferencing: Opentalk, Zoom, Microsoft Teams, Google Meet (for online sessions)
  • Messaging: WhatsApp, Telegram (with end-to-end encryption where available)
  • Email Services: Professional email providers with security features

14.2 Cloud Services

  • Storage: Secure cloud storage for documents and backups
  • Productivity: iCloud, Google Workspace, Microsoft 365 (for administration)
  • Infrastructure: Professional hosting services

14.3 Analytics and Optimization

  • Web Analytics: Matomo, privacy-focused analytics tools
  • Performance Monitoring: Service uptime and quality metrics
  • User Experience: Heatmaps and session recordings (anonymized)

14.4 Marketing Tools

With consent, we may use:

  • Email marketing platforms
  • Social media integrations
  • Customer relationship management (CRM) systems
  • Marketing automation tools

14.5 Third-Party Safeguards

For all third-party services, we ensure:

  • Data processing agreements are in place
  • Adequate security measures are implemented
  • GDPR compliance is verified
  • Data minimization principles are followed
  • Regular reviews and audits are conducted

15. Social Media Presence

We maintain profiles on social media platforms to communicate with our community and share information about mental health and our services.

15.1 Platforms We Use

  • Facebook and Instagram (Meta Platforms)
  • LinkedIn
  • YouTube
  • Twitter/X
  • Pinterest
  • TikTok

15.2 Data Processing on Social Media

When you interact with our social media profiles:

  • The platform provider processes your data according to their privacy policy
  • We may see analytics about our page performance
  • We process any direct messages according to this policy
  • Public interactions are visible to other users

15.3 Joint Controllership

For certain platforms (e.g., Facebook Pages), we are joint controllers with the platform provider for initial data collection. We have entered into appropriate agreements defining respective responsibilities.

16. Children's Privacy

Our services are generally intended for individuals aged 16 and above. For counseling services involving minors:

  • We obtain parental/guardian consent where required
  • We follow applicable laws regarding minors' healthcare rights
  • We implement age-appropriate privacy protections
  • We respect evolving capacity for privacy decisions

17. Changes to This Policy

We may update this privacy policy to reflect:

  • Changes in our services or processing activities
  • New legal requirements or guidance
  • Improved privacy practices
  • Feedback from users and stakeholders

We will notify you of significant changes through:

  • Email notifications to registered users
  • Prominent notices on our platform
  • Requests for renewed consent where required

18. Definitions

Key terms used in this policy:

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion
  • Controller: The entity that determines the purposes and means of processing
  • Processor: An entity that processes personal data on behalf of the controller
  • Data Subject: The individual whose personal data is processed
  • Consent: Freely given, specific, informed, and unambiguous agreement to processing
  • Special Categories of Data: Data revealing racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation

19. Contact Information

For all privacy-related questions, concerns, or to exercise your rights, please contact:

Data Protection Officer
TMP Group EOOD
M.Sc. Psychologist Patric Pförtner
Ivan Pamukchiev 7A
5600 Troyan, Bulgaria
Email: info@tmp-group.eu
Phone: +359 87 6401659

When contacting us about your data:

  • Please provide sufficient information to identify yourself
  • Specify which right you wish to exercise
  • We will respond within one month (extendable for complex requests)
  • We may request identity verification for security
  • There is no fee unless requests are manifestly unfounded or excessive

Alternative Communication Channels:

  • Postal mail to our registered address
  • Secure messaging through our platform
  • Encrypted email (PGP key available on request)

This privacy policy represents our commitment to protecting your personal data and privacy rights. We encourage you to read it carefully and contact us if you have any questions or concerns.

This document was last reviewed and updated in July 2025.
