Privacy & GDPR

Effective from 01.03.2026.
Website/Platform: https://experience.pendara.bg (“The Platform”)

1) Who we are (Personal Data Controller)

Administrator (Data Controller): “Pendara Academy” Ltd.
UIC: 208213852
Address: Plovdiv, 21 Nikolay Haitov Street
Contact email regarding personal data: office@pendara.bg
Phone (optional): [fill in]

If we have appointed a Data Protection Officer (DPO), we will publish their contact details here. If no DPO has been appointed, you can exercise your rights via the email above.

2) What this policy applies to

This policy describes:

  • what personal data we collect and use;
  • for what purposes and on what legal basis (GDPR);
  • with whom we share data (including Hosts/Organizers and service providers);
  • how long we keep it;
  • what rights you have and how to exercise them;
  • how we use cookies and embedded services.

The Policy applies to visitors, users, customers, host candidates, and hosts/organizers who use the Platform.

3) Main roles: Platform, Hosts and Service Execution

The Platform connects Clients with Hosts/Organizers, who offer:

  • Experiences and Accommodation (usually: deposit through the Platform + balance with the Host);
  • Events and Tours (usually: 100% advance payment through the Platform);
  • Vouchers (100% payment through the Platform, validity 12 months).

Important about personal data:

  • To fulfill a reservation/purchase, we share with the Host/Organizer the data necessary for its fulfillment (e.g. name, contact phone/email, booking details).
  • The Host/Organizer processes this data independently for the purposes of service performance, accountability and legal obligations, and is responsible for its own privacy policy.

4) What personal data do we process?

4.1. Data when visiting the site

  • IP address (or part thereof), device/browser type, language, pages and actions (logs/technical data);
  • cookies and identifiers (see section 12).

4.2. Registration and profile data (if you use profiles)

  • name/nickname, email, phone (optional), password (stored as a hash), settings/preferences;
  • reservation/purchase history and vouchers.

4.3. Reservation/purchase details

  • name and surname, email, telephone;
  • reservation details: date/time/number of guests/accommodation details, notes (if you fill in);
  • billing details (if applicable/if you require them): company, UIC, address;
  • payment status/transaction ID (reference data only).

We do not store full card data. Payments are processed by a payment operator/bank: [fill in: Stripe/PayPal/bank operator/other].

4.4. Data when purchasing/using a voucher

  • voucher delivery email, name (optional), voucher code/identifier;
  • usage history and balance (if the system supports partial usage).

4.5. Data when applying via “Add offer” (hosts/organizers)

  • names and contact details;
  • town/location;
  • information about the activity, the offer, prices/availability, photos/media;
  • if necessary: company/UIC data and documents (if you require verification).

4.6. Communication and support

  • email/form correspondence (content, date/time, attachments);
  • We do not process call recordings unless explicitly stated.

4.7. Comments (comments are active)

When you leave a comment, we process:

  • the data in the comment form (e.g. name/email, content of the comment);
  • IP address and browser user agent – for protection against spam and abuse.

If you use Gravatar, an anonymized “hash” of your email may be sent to Gravatar for avatar verification. Gravatar Policy: https://automattic.com/privacy/. After the comment is approved, the avatar may be publicly visible alongside the comment.

4.8. Media (uploading images)

If you upload images (e.g. hosts/offers), we recommend that they do not contain EXIF GPS (location data) because visitors can extract it.

5) For what purposes do we use the data and on what legal basis?

We only process personal data when we have a basis under GDPR:

5.1. Performance of a contract / pre-contractual actions (Art. 6(1)(b) GDPR)

  • processing reservations/purchases;
  • confirmations, changes, cancellations;
  • issuance/delivery and management of vouchers;
  • servicing pre-purchase requests;
  • sharing the necessary data with the Host/Organizer for fulfillment.

5.2. Legal obligation (Art. 6(1)(c) GDPR)

  • accounting/tax reporting (if we issue documents);
  • fulfillment of obligations under consumer legislation;
  • responding to lawful requests from government authorities.

5.3. Legitimate interest (Art. 6(1)(f) GDPR)

  • site security, fraud/abuse prevention;
  • logs and problem diagnostics;
  • protection against legal claims;
  • moderate, reasonable analytics for service improvement (when it does not require cookie consent).

5.4. Consent (Art. 6(1)(a) GDPR)

  • marketing messages/newsletter (if we have one);
  • certain categories of cookies (analytical/marketing) where consent is required by law;
  • publishing certain content when necessary (for example, photos if they are not part of the contractual performance).

You can withdraw your consent at any time without affecting the lawfulness of the processing prior to the withdrawal.

6) Who we share data with (recipients)

We share data only when necessary and to the minimum extent required:

  1. Hosts/Organizers – contact and reservation details needed for fulfillment (name, phone/email, date, number of guests, notes).
  2. Payment operators/banks – for payment processing (they are independent administrators of payment data). [fill in who]
  3. Hosting provider and technical support – for the operation and security of the site. [fill in: ETN Hosting/other]
  4. Email provider/SMTP service – for sending transactional emails (confirmations, password resets, etc.). [fill in: WP Mail SMTP via hosting/other]
  5. Anti-spam/security (if we use plugins/services) – to filter comments/attacks.
  6. Analytical and advertising tools (if active, e.g. GA4, Meta Pixel) – only with applicable consent/settings.
  7. Government authorities/regulators/court – when required by law.

7) Data transfer outside the EU/EEA

Some of the providers (e.g. analytics, email, payment services) may process data outside the EU/EEA. In these cases, we provide appropriate safeguards, e.g.:

  • an adequacy decision of the European Commission, or
  • Standard Contractual Clauses (SCC) and additional measures, where applicable.

8) How long do we store the data (retention periods)

We retain data only for as long as necessary for its purposes:

  • Reservations/orders and related correspondence: usually up to 5 years (for evidentiary purposes/disputes), unless otherwise required by law.
  • Accounting and tax documents: up to 10 years (or according to applicable law).
  • User profile: while the account is active; upon deletion – certain data may be retained if we have a legal obligation or legitimate interest (e.g. defense of claims).
  • Comments and metadata: by default, they are stored indefinitely to recognize and approve subsequent comments and for discussion context (we may delete them upon request if there is no reason to keep them).
  • Security logs/technical logs: usually 6–12 months (or according to service settings).
  • Marketing consents: until withdrawal/unsubscription or up to 2 years of inactivity (optional).

9) What rights do you have?

Under GDPR you have the right:

  • to access your personal data;
  • to correct inaccurate data;
  • to deletion (“the right to be forgotten”) – where applicable;
  • to restriction of processing;
  • to portability (for data processed on the basis of contract/consent and by automated means);
  • to object to processing based on legitimate interest;
  • to withdraw consent (when we process on this basis);
  • to submit a complaint to a supervisory authority.

How to exercise your rights

Write to us at: office@pendara.bg
To protect your data, we may request additional identification (reasonable and proportionate).

Supervisory authority

Commission for Personal Data Protection (CPDP) – Bulgaria.

10) Automated decisions and profiling

We do not make decisions that have legal consequences for you in a fully automated manner, unless necessary to prevent fraud/abuse (e.g. automatic anti-spam/anti-fraud filters). If we use such a mechanism, you can request human intervention and clarification.

11) Data security

We implement appropriate technical and organizational measures (access control, restricted rights, encrypted connections/SSL, backup policies, protection against abuse). However, no system can guarantee 100% security.

12) Cookies – what we use and how to manage them

12.1. What are cookies?

Cookies are small files that a site saves in your browser to work correctly, remember settings, or measure traffic.

12.2. Types of cookies we may use

  1. Strictly necessary – profile login, cart/reservation, security. (Do not require consent.)
  2. Functional – remember preferences (language, view).
  3. Analytical – statistics and improvements (e.g. Google Analytics), usually with consent when necessary.
  4. Marketing – remarketing/advertising (e.g. Meta Pixel), only with consent.

12.3. Comments and cookies

If you leave a comment, you may choose to store your name, email, and website in cookies for your convenience. These cookies are stored for 1 year.

12.4. Account login

  • temporary cookie when visiting login (to check if the browser accepts cookies) – deleted when the browser is closed;
  • login cookies – 2 days;
  • settings cookies – 1 year;
  • “Remember me” – 2 weeks;
  • When you log out, login cookies are removed.

12.5. Cookie management

You can manage cookies by:

  • the site's cookie banner/settings (if active);
  • browser settings (delete/block).
    Please note that blocking strictly necessary cookies may disrupt the operation of the Platform.

13) Embedded content from other sites

Pages/posts may include embedded content (videos, maps, posts, etc.). These services may collect data and use cookies as if you were visiting their site directly.

14) Password reset

If you request a password reset, your IP address may be included in the reset email - for security purposes.

15) Policy changes

We may update this policy as changes occur in the service or in the law. The current version is always posted on this page with its effective date.