Torexis ← Back to Torexis.com
Legal & Data Protection

Privacy Policy

This Privacy Policy explains how Torexis collects, uses, and protects personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation — GDPR) and applicable Bulgarian and EU data-protection law. Last updated: 12 June 2026.

1. Data Controller

The data controller for all personal data processed through this website and its contact form is:

Torexis Ltd
Registered in Bulgaria (EU)
Registered address: Sofia, Bulgaria
Email: hello@torexis.com
Website: www.torexis.com

Where the terms “we”, “us” or “our” appear in this policy, they refer to Torexis Ltd as the data controller.

2. Data Protection Contact

Torexis processes only limited categories of personal data (business contact information submitted voluntarily via a single contact form) and does not, as a core activity, carry out large-scale systematic monitoring of individuals or process special-category data. Accordingly, the appointment of a formal Data Protection Officer is not mandatory under GDPR Article 37 for our current processing activities.

All data-protection enquiries, subject-access requests, and complaints should be directed to:

Data Protection Contact — Torexis Ltd
Email: privacy@torexis.com
(Alternative: hello@torexis.com)

We will respond to all data-protection requests within 30 days of receipt, in line with Article 12 GDPR.

3. Personal Data We Collect

We collect personal data only when you voluntarily submit our contact form. No tracking pixels, third-party analytics, or passive data-collection mechanisms are currently active.

FieldData TypePurposeMandatory
Full namePersonal identifierAddressing you in our responseYes
Work email addressContact dataSending our replyYes
Company / organisationProfessional dataAssessing engagement eligibilityYes
Role / titleProfessional dataRouting to correct team memberNo
Topic of interestBusiness dataRouting enquiry to relevant expertiseYes
Message / challenge descriptionFree-text contentUnderstanding your specific requirementYes

We do not collect special-category data (Art. 9 GDPR), criminal conviction data (Art. 10 GDPR), or data relating to minors. We do not use automated profiling or automated decision-making with legal or similarly significant effects (Art. 22 GDPR).

4. Legal Basis for Processing

All processing of personal data submitted via the contact form is based on one or more of the following lawful bases under Article 6 GDPR:

  • Art. 6(1)(b) — Performance of a contract / pre-contractual steps. Where you contact us to discuss a potential engagement or proof-of-concept, processing your contact data is necessary to take steps at your request before entering into a contract.
  • Art. 6(1)(f) — Legitimate interests. We have a legitimate interest in responding to business enquiries from qualified prospects and in maintaining records of those communications. This interest is not overridden by your data-protection rights, given the B2B nature of the processing and the limited sensitivity of the data involved. You have the right to object at any time (see Section 8).
  • Art. 6(1)(a) — Consent. Where we send follow-up commercial communications beyond the direct response to your enquiry, we will obtain your explicit consent and maintain a record of that consent.

5. How We Use Your Data

  • Responding to your specific enquiry within one business day
  • Assessing whether a 16-Week POC engagement is technically and commercially feasible for your organisation
  • Scheduling follow-up calls or demonstrations if requested
  • Maintaining records of business communications as required by applicable law
  • Sending follow-up information about Torexis products or services, where you have provided consent or where legitimate interest applies

We do not sell, rent, or exchange personal data with third parties for marketing purposes. We do not build automated profiles or serve targeted advertising.

6. Data Retention

Processing ContextRetention PeriodBasis
Enquiry with no resulting engagement24 months from last contactLegitimate interest
Enquiry resulting in a POC or contract7 years from contract endLegal obligation (Bulgarian commercial law, Art. 6(1)(c) GDPR)
Consent-based marketing communicationsUntil consent is withdrawnConsent (Art. 6(1)(a) GDPR)
Email correspondence3 years from last communicationLegitimate interest

Data is securely deleted or anonymised at the end of the applicable retention period. You may request earlier deletion at any time (see Section 8).

7. Cookies and Tracking Technologies

This website currently uses no third-party analytics, advertising, or tracking cookies. Any session-level technical cookies are strictly necessary for the operation of the page and do not transmit personal data to external services.

If we introduce analytics or tracking tools in the future, we will update this policy and, where required by ePrivacy law, seek your consent before placing any non-essential cookies.

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. To exercise any of them, email privacy@torexis.com. We will respond within 30 days and will not charge a fee for reasonable requests.

  • Right of Access (Art. 15). You may request a copy of all personal data we hold about you and information about how it is processed.
  • Right to Rectification (Art. 16). You may ask us to correct inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17). You may ask us to delete your personal data where there is no legitimate continuing purpose for retention. This right does not apply where we are required to retain data to comply with a legal obligation.
  • Right to Restriction of Processing (Art. 18). You may ask us to restrict how we use your data while a dispute is being resolved.
  • Right to Data Portability (Art. 20). Where processing is based on consent or on contract, you may request your personal data in a structured, machine-readable format, or direct transfer to another controller where technically feasible.
  • Right to Object (Art. 21). You may object at any time to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds, or processing is necessary for legal claims.
  • Right to Withdraw Consent (Art. 7(3)). Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
  • Right Not to Be Subject to Automated Decisions (Art. 22). We do not use automated decision-making or profiling with legal or similarly significant effects.

9. International Data Transfers

Torexis is headquartered in the EU (Bulgaria) and operates on a sovereign, on-premises or EU-cloud-first architecture. Personal data submitted via the contact form is processed and stored within the EEA by default.

Where we use third-party processors located outside the EEA (e.g., email delivery infrastructure), we ensure transfers are made subject to appropriate safeguards under Article 46 GDPR, including:

  • Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914 — in place with all relevant sub-processors
  • Adequacy Decisions (Art. 45 GDPR) — where the recipient country has been granted an adequacy decision by the European Commission (e.g., EU–US Data Privacy Framework where applicable)

A list of current sub-processors and their locations is available on request via privacy@torexis.com.

10. Third-Party Service Providers

We may share personal data with the following categories of trusted processors acting strictly on our instructions under data-processing agreements compliant with Article 28 GDPR:

  • Email infrastructure provider — to deliver and receive email correspondence
  • Web hosting provider — to serve this website
  • CRM / contact management software — to manage business enquiries

We do not disclose personal data to government authorities except where required by binding legal obligation or court order. We will notify you of any such disclosure where legally permitted to do so.

11. Security Measures

We implement technical and organisational measures appropriate to the risk, consistent with our position as a platform providing sovereignty and compliance architecture to regulated industries:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Access controls limiting data access to personnel with a need to process it
  • Pseudonymisation of contact data where feasible in internal workflows
  • Regular review of processor sub-agreements and security posture

In the event of a personal data breach presenting a risk to your rights and freedoms, we will notify the Bulgarian Commission for Personal Data Protection (CPDP) within 72 hours of becoming aware, and affected individuals without undue delay, in accordance with Articles 33–34 GDPR.

12. Right to Lodge a Complaint

If you believe we have processed your personal data in violation of the GDPR, you have the right to lodge a complaint with the competent supervisory authority. As Torexis is established in Bulgaria, our lead supervisory authority is:

Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd, Sofia 1592, Bulgaria
Phone: +359 2 915 3519
Email: kzld@cpdp.bg
Website: www.cpdp.bg

We would appreciate the opportunity to address your concern directly before a supervisory authority complaint is filed. Please contact us first at privacy@torexis.com.

13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities or regulatory guidance. The date at the top of this policy indicates when it was last revised. Material changes affecting existing data subjects will be communicated by email or via a prominent notice on this page.

Continued use of this website after a policy update constitutes acknowledgement of the revised policy.