WWW.BLENDEDLEADING.COM
Version: 1.0 / Effective date: 01.06.2026

1. Who we are and what this Policy is

This Privacy Policy (the “Policy”) explains how “Lean Digital Solutions” EOOD, with registered office and address of management: city of Sofia, postal code 1303, Vazrazhdane district, 12 Chiprovtsi Str., floor 2, UIC 202204879 (“Blended Leading”, “we”, “us”, “our”), collects, uses, shares and protects your personal data as a visitor of the website www.blendedleading.com and its subdomains (the “Site”).

This Privacy Policy describes how Blended Leading processes your personal data when you visit our website, fill in a contact form, request a demo/pilot, subscribe to our newsletter, or otherwise interact with the site. It does NOT govern processing within our application/platform – for that information please refer to the separate Application Privacy Policy.

For the purposes of personal data processed through the Site, Blended Leading acts as a controller within the meaning of Art. 4(7) of Regulation (EU) 2016/679 (“GDPR”).

This Policy has been drafted in accordance with the GDPR, the Bulgarian Personal Data Protection Act, the Bulgarian Electronic Commerce Act, the Bulgarian Electronic Communications Act (for cookies), the ePrivacy Directive 2002/58/EC (as transposed), the guidelines of the European Data Protection Board (EDPB) and the Bulgarian Commission for Personal Data Protection (CPDP), and applicable EU law.

2. Key definitions

  • “Personal Data” – any information relating to an identified or identifiable natural person within the meaning of Art. 4(1) GDPR.
  • “Processing” – any operation on personal data (collection, storage, use, disclosure, deletion etc.) under Art. 4(2) GDPR.
  • “Cookies” – small text files placed on your device when you visit the Site.
  • “Visitor” / “You” – any natural person who visits or interacts with the Site.

 3. What personal data we collect and for what purposes

The type of personal data we collect depends on how you interact with the Site. The table below summarises the main processing categories:

Activity
Data
Purpose
Legal basis

Site visit (technical data)

IP address, browser type, operating system, pages visited, timestamps, referrer

Ensuring the functioning and security of the Site

Art. 6(1)(f) GDPR – legitimate interest

Contact form

Name, surname, email, company, job title, phone (if provided), enquiry content

Responding to your enquiry, offering services

Art. 6(1)(b) GDPR (pre-contractual measures) and/or (f) – legitimate interest

Demo/pilot request (calendar booking)

Name, surname, work email, company, job title, selected time slot, time zone, any comments

Organising the demo/pilot, pre-contractual negotiations

Art. 6(1)(b) GDPR – pre-contractual measures

Newsletter subscription

Email (optionally name); metadata about opens/clicks in emails

Sending marketing messages, news, blog articles

Art. 6(1)(a) GDPR – consent

Cookies and similar technologies

Cookie identifiers, analytics data, marketing indicators

Functionality, analytics, marketing

Strictly necessary – Art. 6(1)(f); Others – consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy)

Email correspondence (direct enquiries)

Email address, name, correspondence content

Responding and maintaining correspondence

Art. 6(1)(b) and/or (f) GDPR

Compliance with legal obligations (accounting, tax, responding to authorities' orders)

Relevant data

Compliance with legal obligations

Art. 6(1)(c) GDPR

We do NOT process through the Site special categories of personal data within the meaning of Art. 9 GDPR (such as health data, racial or ethnic origin, political views etc.) and we do not ask you to provide such data.

4. Cookies and similar technologies

4.1 What cookies are

Cookies are small text files placed on your device (computer, tablet, phone) when you visit the Site. They allow the Site to recognise you on subsequent visits, remember your preferences, and provide you with better functionality. In addition to cookies, we may use similar technologies such as local storage, pixel tags, and web beacons. For the purposes of this Policy, all such technologies are referred to as “cookies”.

4.2 Categories of cookies we use

  • Strictly necessary cookies: Necessary for the basic functioning of the Site (e.g. session, security, load balancing). They are loaded without consent. Legal basis: Art. 6(1)(f) GDPR – legitimate interest; Art. 5(3) ePrivacy – exemption.
  • Functional cookies: Allow the Site to remember your preferences (language, region). Loaded after consent.
  • Analytics cookies: Help us understand how visitors use the Site (e.g. Google Analytics, [Hotjar/other]). Loaded only after consent.
  • Marketing / advertising cookies: Used to display relevant advertising on third-party platforms (e.g. LinkedIn Insight Tag, Meta Pixel, Google Ads). Loaded only after consent.

A detailed and up-to-date list of the specific cookies we use (provider, purpose, duration, type) is available in our separate Cookie Policy and in the consent banner on the Site. You can manage your preferences at any time via the “Cookie Settings” link in the footer of the Site.

4.3 Consent management

On your first visit to the Site, we display a cookie banner that allows you to:

  • accept all cookies;
  • reject all cookies that are not strictly necessary;
  • customise your choice by category.

Non-strictly-necessary cookies are loaded ONLY after we obtain your explicit consent. You may withdraw your consent at any time via “Cookie Settings”. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

In addition, you may manage cookies through your browser settings (Chrome, Firefox, Safari, Edge etc.). Please note that disabling certain cookies may affect the functioning of the Site.

5. Newsletter and marketing communications

If you have subscribed to our newsletter, we send you news, blog articles, and information about our services. We do so only after obtaining your freely given, specific, informed and unambiguous consent, expressed through ticking a separate (un-prefilled) checkbox upon subscription.

For confirmation we use a “double opt-in” mechanism, sending you a confirmation link to the provided email address. We only add you to our mailing list after confirmation.

You have the right to withdraw your consent and unsubscribe at any time through:

  • the “Unsubscribe” link at the bottom of every email;
  • a written request to dpo@leandigitalsolutions.com.

We may process certain metadata from sent emails (opens, clicks) for the purpose of improving the quality of our communications. This processing is also based on your consent and may be discontinued through your subscription settings or by unsubscribing.

6. Recipients of your personal data

We do not sell your personal data and do not provide them to third parties for their own marketing. We may share your data with the following categories of recipients:

  • Hosting services provider: for storage and operation of the Site.
  • Email marketing platform provider: for sending the newsletter.
  • Calendar service provider: for scheduling demo/pilot meetings.
  • Analytics tools provider: for Site usage analytics (only after consent).
  • CRM and sales tools provider: for managing enquiries.
  • Accountants, auditors, legal advisors: to the extent necessary for the performance of our legal and contractual obligations.
  • Competent governmental authorities: where required by law (e.g. NRA, CPDP, court, prosecution).

With all providers acting as processors on our behalf, we have entered into agreements under Art. 28 GDPR imposing confidentiality and security obligations.

7. International data transfers

Your personal data is processed primarily within the European Union / European Economic Area (EU/EEA). To the extent that some of our providers (e.g. certain analytics or marketing tools) process data outside the EU/EEA, we ensure one or more of the following safeguards in accordance with Chapter V of the GDPR:

  • transfer to a country recognised by the European Commission as ensuring an adequate level of protection (Art. 45 GDPR);
  • Standard Contractual Clauses (SCCs) adopted under Commission Implementing Decision (EU) 2021/914 (Art. 46(2)(c) GDPR);
  • Transfer Impact Assessment (TIA) and supplementary technical and organisational measures (encryption, pseudonymisation etc.);
  • for transfers to the United States – verification whether the provider is certified under the EU-U.S. Data Privacy Framework (where applicable).

8. Retention periods

We retain your personal data only for as long as necessary to achieve the purposes for which it was collected, or as required to comply with legal obligations. Specific periods are:

Category
Retention period

Contact form data (without a subsequent contract)

Up to 12 months from the last contact, unless a contractual relationship is initiated

Demo/pilot request data

Up to 24 months from the last contact

Newsletter subscription email

Until consent is withdrawn / up to 24 months of inactivity

Server logs and technical data

Up to 6 months (except in case of a security incident)

Cookies

According to type (session – until browser is closed; persistent – until expiry or user deletion; see Cookie Policy)

Correspondence (emails with clients/visitors)

Up to 5 years from case closure (limitation periods)

Documents required by law (accounting, tax)

According to applicable law (typically 10 years)

Upon expiry of these periods, your personal data is deleted or irreversibly anonymised.

9. Data security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, loss or destruction in accordance with Art. 32 GDPR, including:

  • encryption in transit (HTTPS/TLS) across the entire Site;
  • encryption at rest for sensitive data;
  • access control based on the principle of least privilege;
  • regular backups and recovery testing;
  • incident and security breach response procedures;
  • staff training on data protection.

In case of a personal data breach posing a risk to your rights, we will notify the competent supervisory authority within 72 hours of becoming aware of it (Art. 33 GDPR), and where the risk is high – you personally as well (Art. 34 GDPR).

10. Your rights

As a data subject you have the following rights under the GDPR:

  • Right to information and access (Arts. 13–15 GDPR): to obtain confirmation of whether we process your data and a copy thereof.
  • Right to rectification (Art. 16 GDPR): to request the correction of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) (Art. 17 GDPR): to request the deletion of your data under certain conditions.
  • Right to restriction (Art. 18 GDPR): to request temporary suspension of processing.
  • Right to portability (Art. 20 GDPR): to receive your data in a structured, commonly used and machine-readable format.
  • Right to object (Art. 21 GDPR): to object to processing based on legitimate interests and to direct marketing (in any case).
  • Right to withdraw consent (Art. 7(3) GDPR): where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing before the withdrawal.
  • Right to lodge a complaint (Art. 77 GDPR): with the Bulgarian Commission for Personal Data Protection (CPDP – www.cpdp.bg) or with the supervisory authority in your country of habitual residence.

You may exercise your rights by contacting us using the details in Section 12. We will respond without undue delay and in any case within one month of receipt of your request (with a possible extension of two further months in complex cases, of which we will notify you).

The exercise of your rights is free of charge. For manifestly unfounded or excessive requests (in particular due to repetition), we may charge a reasonable fee or refuse to act on the request in accordance with Art. 12(5) GDPR.

For identification purposes, we may request additional information if we have reasonable doubts about your identity.

11. Automated decision-making

We do not take decisions based solely on automated processing which produce legal effects concerning you or similarly significantly affect you within the meaning of Art. 22 GDPR in connection with your use of the Site.

12. Contact details

For questions regarding this Policy, exercising your rights or other data protection matters, you may contact us:

Header Col 1
Table Header

Controller

"Lean Digital Solutions" EOOD

Address

city of Sofia, postal code 1303, Vazrazhdane district, 12 Chiprovtsi Str., floor 2

UIC

202204879

Privacy email

dpo@leandigitalsolutions.com

DPO

Kamen Kanev

Supervisory authority

Bulgarian Commission for Personal Data Protection (CPDP) 

www.cpdp.bg | kzld@cpdp.bg

13. Changes to the Policy

We reserve the right to amend this Policy in order to reflect changes in legislation, practices, or Site functionalities. The current version is at all times available on the Site. In case of material changes, we will notify you through a prominent notice on the Site and/or (for newsletter subscribers) by email prior to their entry into force.

14. Final provisions

This Policy applies in accordance with Regulation (EU) 2016/679, the Bulgarian Personal Data Protection Act, the Bulgarian Electronic Commerce Act, the Bulgarian Electronic Communications Act, the ePrivacy Directive 2002/58/EC, and the guidelines of the EDPB and CPDP.