PRIVACY POLICY
YACHTPOINT BG OOD
Effective from: 4 June 2026 · Last updated: 4 June 2026
1. Who we are (Data Controller)
YACHTPOINT BG OOD is the controller of the personal data processed through the platform yachtpoint.bg.
- Name: YACHTPOINT BG OOD
- UIC (ЕИК): 208803797
- Registered address: Burgas, zh.k. Meden Rudnik, bl. 16, ent. 5, fl. 8, ap. 22, Bulgaria
- Data-protection contact email: info@yachtpoint.bg
- Website: yachtpoint.bg
We have not appointed a Data Protection Officer (DPO), as we are not required to under Art. 37 of Regulation (EU) 2016/679. For any question about your personal data, contact us at the email above.
2. Scope and definitions
This Policy explains how we process the personal data of two categories of data subjects:
- Customers — persons who use the platform to book a charter.
- Captains — persons (mostly private individuals) who offer charter services through the platform.
YachtPoint acts as an intermediary in the name of the Captain; the charter service is provided by the Captain. The personal data of both categories is processed as described below, with the Customer and Captain sections clearly separated.
This Policy should be read together with YachtPoint’s Cookie Policy and General Terms of Use.
3. What data we process — CUSTOMERS
| Purpose of processing | Data categories | Legal basis |
|---|---|---|
| Creating and managing a user account | Name, email, phone, username, password (encrypted) | Contract performance — Art. 6(1)(b) GDPR |
| Processing a booking and connecting with the Captain | Name, email, phone, booking details (vessel, date, time, package) | Contract performance — Art. 6(1)(b) |
| Processing payment and refunds | Payment data (processed by Stripe), amount, payment history | Contract performance — Art. 6(1)(b); legal obligation — Art. 6(1)(c) (accounting/tax) |
| Issuing a booking confirmation/document and accounting records | Name, booking and payment data | Legal obligation — Art. 6(1)(c) |
| Sending transactional messages (confirmations, booking notices) | Email, name, booking data | Contract performance — Art. 6(1)(b) |
| Publishing reviews and ratings of Captains | Customer name/username, review text, rating | Legitimate interests — Art. 6(1)(f) (maintaining a trustworthy platform with transparent reviews) |
| Fraud prevention and platform security | Technical data, device/IP data, activity | Legitimate interests — Art. 6(1)(f) |
| Defence and establishment of legal claims | Data relevant to the case | Legitimate interests — Art. 6(1)(f) |
4. What data we process — CAPTAINS
| Purpose of processing | Data categories | Legal basis |
|---|---|---|
| Captain registration and account management | First name, surname, email (verified), phone, address | Contract performance — Art. 6(1)(b) |
| Identity and eligibility verification (trader traceability) | ЕГН (or foreigner’s number), captain’s licence document, person type (individual/company), ЕИК/BULSTAT (for companies), photo | Legal obligation — Art. 6(1)(c) (Art. 30 of Regulation (EU) 2022/2065 — Digital Services Act); contract performance — Art. 6(1)(b) |
| Processing payouts to the Captain | Bank/payment details (via Stripe Connect) | Contract performance — Art. 6(1)(b); legal obligation — Art. 6(1)(c) |
| Publishing charter listings | Captain name/trading name, Captain’s profile photo, vessel data, vessel photos, prices, port/area | Contract performance — Art. 6(1)(b) |
| Accounting and tax records (incl. issuing a payment statement) | Identification and financial data | Legal obligation — Art. 6(1)(c) |
| Fraud prevention, security, legal claims | Relevant data | Legitimate interests — Art. 6(1)(f) |
4.1. Special protection of the ЕГН
The Captain’s national identification number (ЕГН) is a national identifier with heightened protection under Art. 87 GDPR and the Bulgarian Personal Data Protection Act (ЗЗЛД). We:
- collect and process the ЕГН solely for identity verification, trader traceability (Digital Services Act), and statutory invoicing and tax obligations;
- never disclose the ЕГН to Customers and do not display it publicly or on documents provided to Customers;
- store the ЕГН securely (access control, technical and organisational measures) and do not use it as a sole online identifier;
- restrict access to the ЕГН to what is strictly necessary.
5. Recipients of personal data
We share personal data only with the categories of recipients below, and only as necessary:
- Stripe — payment service provider (payment processing and payouts via Stripe Connect). See section 6 on international transfers.
- The Captain — upon booking, the Customer data needed to perform the charter is provided to the relevant Captain (see the General Terms on the timing and extent of disclosure).
- Hosting provider — SuperHosting.BG (Bulgaria), within the EEA.
- Analytics and advertising providers — see section 7 and the Cookie Policy (Meta Pixel, Google Ads, Google Analytics, Google Fonts) — only after consent.
- National Revenue Agency (NRA / НАП) — solely where required by tax legislation (e.g., audits, lawful requests).
- Accountant / external advisers — as necessary and under confidentiality.
- Competent authorities — upon lawful request.
We have concluded (or will conclude before processing) an Art. 28 GDPR data-processing agreement with each processor.
6. International data transfers
Some recipients process data outside the European Economic Area (EEA):
- Stripe transfers data to Stripe, LLC in the United States. The transfer is protected by EU Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.
- Google (Google Ads, Google Analytics, Google Fonts), Meta (Meta Pixel) and Cloudflare (Turnstile) may transfer data to the United States, protected by Standard Contractual Clauses and/or the EU-U.S. Data Privacy Framework. These services load only after your consent (see the Cookie Policy).
You may request a copy of the applicable safeguards at info@yachtpoint.bg.
7. Cookies, analytics and advertising
The site uses cookies and similar technologies. Strictly necessary cookies (e.g., language — Polylang; WooCommerce session and cart; Stripe cookies at checkout) are needed for the site to function and do not require consent.
Optional cookies and technologies — for analytics (Google Analytics), advertising (Meta Pixel, Google Ads), form protection (Cloudflare Turnstile) and fonts (Google Fonts) — load only after your explicit consent via the consent banner. You can accept or reject these cookies and change your choice at any time via the “Cookie settings” link in the site footer.
A detailed list of all cookies (name, provider, purpose, duration, category) is set out in the Cookie Policy.
8. Retention periods
| Data category | Period | Basis |
|---|---|---|
| Accounting and tax documents (bookings, payments, invoices) | 10 years, from 1 January of the year following the reporting period | Accountancy Act, Art. 12; ДОПК, Art. 38 |
| Captain verification data (Digital Services Act) | Minimum 6 months after the relationship ends; longer where the same data is kept as accounting/tax records | Art. 30(5) of Regulation (EU) 2022/2065 |
| Account data | Duration of the account + the limitation period for claims | Art. 6(1)(b)/(f) |
| Cookie-consent records | Typically up to 12 months, after which consent is renewed | Proof of consent |
Where different periods apply to the same data, the longest applicable statutory period applies.
9. Your rights
As a data subject, you have the right to:
- access your personal data (Art. 15);
- request rectification of inaccurate data (Art. 16);
- request erasure (“right to be forgotten”) (Art. 17), to the extent we are not legally required to retain it;
- request restriction of processing (Art. 18);
- receive your data in a portable format — portability (Art. 20);
- object to processing based on legitimate interests (Art. 21);
- withdraw consent at any time, without affecting the lawfulness of processing before withdrawal (Art. 7(3));
- not be subject to a decision based solely on automated processing producing legal effects (Art. 22). We do not carry out such automated decision-making.
How to exercise your rights: send a request to info@yachtpoint.bg. We will respond without undue delay and within one month (extendable by a further two months for complex or numerous requests, of which we will notify you). Exercising your rights is free of charge, except for manifestly unfounded or excessive requests.
10. Right to complain to the supervisory authority
If you believe we process your data unlawfully, you have the right to lodge a complaint with:
Commission for Personal Data Protection (KZLD / Комисия за защита на личните данни)
Address: 2 Prof. Tsvetan Lazarov Blvd, Sofia 1592, Bulgaria
Email: kzld@cpdp.bg | Website: www.cpdp.bg | Tel.: +359 2 915 3 518
You also have the right to a judicial remedy.
11. Data security
We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss or disclosure, including encryption of sensitive data (such as the ЕГН), access control and secure storage. Payments are processed through the certified provider Stripe; we do not store full payment-card data.
12. Children
The platform and services are intended for adults (aged 18 and over). We do not knowingly collect personal data of minors. If we discover we have collected such data without the necessary consent or basis, we will delete it.
13. Changes to this Policy
We may update this Policy. The current version is published on the website with a last-updated date. We will notify you of material changes by appropriate means.
14. Language
This Policy is drawn up in Bulgarian, which is the legally binding version. This English translation is provided for convenience only; in case of discrepancy, the Bulgarian version prevails.
