Privacy Policy

Last updated: June 2026

1. Who we are

Brain Space Ltd. (Брейн Спейс ЕООД), company registration number (EIK): 205997378, is the data controller within the meaning of Art. 4(7) GDPR. The company is incorporated and operates in Bulgaria, with registered address: 2 Koloman St., 1618 Sofia, Bulgaria. We operate the website brainspace.dev and provide custom software development services. For privacy-related enquiries, contact us at [email protected].

2. Data we collect

Contact form submissions

When you use the contact form, we collect your name, email address, and the contents of your message. This data is used solely to respond to your enquiry.

Analytics data

We use Google Analytics 4 to collect anonymous usage data — which pages are visited and how long visitors stay. IP addresses are anonymised before storage. Analytics cookies are activated only after you have given explicit consent via our cookie banner.

Chat data

Our live chat widget (provided by Brevo) collects messages sent through the chat interface. Brevo acts as a data processor under GDPR. Chat cookies are activated only after you have given explicit consent.

3. Legal basis for processing

We process personal data only where a lawful basis under Art. 6 GDPR exists. The applicable basis for each activity is set out below:

Contact form and chat enquiriesBasis: Art. 6(1)(b) — steps taken at your request prior to entering a contract, and/or Art. 6(1)(f) — legitimate interests of the controller (responding to business enquiries).
Google Analytics 4 (analytics cookies)Basis: Art. 6(1)(a) — consent. You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Brevo (chat widget and cookies)Basis: Art. 6(1)(a) — consent. You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

4. How we use your data

  • To respond to enquiries submitted via the contact form or chat widget
  • To understand how visitors use the site so we can improve it
  • We do not sell or share personal data with third parties for marketing purposes

5. Data sharing and sub-processors

Your data may be processed by the following sub-processors, with whom we have executed Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR:

Google LLC — provision of Google Analytics 4. Google is certified under the EU–US Data Privacy Framework and applies Standard Contractual Clauses (SCCs) for data transfers to third countries.

Brevo SAS — provision of the live chat widget. Brevo is a French company incorporated in the EU and processes data primarily on servers within the EEA. Where sub-processors outside the EEA are used, Standard Contractual Clauses apply.

6. International data transfers

Google LLC is a US company. Data processed through Google Analytics 4 may be transferred to and processed in the United States — a third country that does not benefit from an automatic adequacy presumption under GDPR.

These transfers are safeguarded by the following mechanisms:

  • Adequacy decision — EU–US Data Privacy Framework, adopted by the European Commission in July 2023.
  • Standard Contractual Clauses (SCCs) pursuant to Commission Decision 2021/914/EU — applied as a supplementary safeguard.

To obtain a copy of the applicable safeguards, please contact us at [email protected].

7. Data retention

Contact form enquiries are retained for 12 months and then deleted. Analytics data is aggregated and cannot be used to identify individual visitors. Chat data is retained in accordance with Brevo's retention policy (up to 1 year), unless you request earlier deletion.

8. Your rights

Under GDPR you have the following rights in relation to your personal data:

  • Right of access (Art. 15) — to obtain confirmation of whether we process your data and a copy thereof
  • Right to rectification (Art. 16) — to request correction of inaccurate data
  • Right to erasure (Art. 17) — to request deletion of your data where grounds exist
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21) — including to processing based on legitimate interests
  • Right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of prior processing

To exercise these rights, contact us at [email protected]. We will respond within one month of receipt of your request (this period may be extended by a further two months for complex requests, of which you will be notified).

You may also lodge a complaint with the supervisory authority — Commission for Personal Data Protection (CPDP), 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria, website: cpdp.bg.

9. Automated decision-making

We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR.

10. Cookies

For detailed information on cookies used on this site, see our Cookie Policy.

11. Changes to this policy

If we make material changes to this policy, we will update the date at the top of the page. We recommend reviewing it periodically. Where changes affect processing based on consent, we will seek fresh consent where required.

This policy is prepared in accordance with Regulation (EU) 2016/679 (GDPR) and applies to the website brainspace.dev. In the event of any conflict between language versions, the Bulgarian version shall prevail for data subjects in Bulgaria and the EU.