PRIVACY POLICY

Gem Team (Business)

Effective Date: June 11, 2026 | Version: 1.0

DIGITAL MARKETING AGENCY LTD, Republic of Bulgaria

This Privacy Policy (the “Policy”) describes how DIGITAL MARKETING AGENCY LTD, a limited liability company incorporated under the laws of the Republic of Bulgaria (Company No. (UIC): 204897396, VAT Registration No: BG204897396, registered office at bul. “Vasil Levski” No. 38, floor 2, Sredets District, Sofia, Republic of Bulgaria) (“DMA,” “we,” “us,” or “our”) collects, uses, and protects personal data in connection with the Gem Team business messaging and collaboration platform, including the Apps, the Admin Panel, and the Website (together, the “Service”). Capitalised terms not defined in this Policy have the meanings given to them in the Terms of Use (the “Terms”). This Policy is provided pursuant to Articles 13 and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”).

1. Our Role: Controller and Processor

1.1. DMA as Processor. The Service is offered to legal entities only. Where you use the Service as an End User of a Customer (for example, as an employee of the organisation that holds the account), the content of your communications and other Customer Data are controlled by that Customer. For such data, DMA acts as a processor on the Customer’s behalf and processes it in accordance with the Terms and the Data Processing Addendum available on the Website. If you wish to exercise data protection rights in respect of such data, please contact the relevant Customer (typically your employer) in the first instance; we will support the Customer in responding to your request.

1.2. DMA as Controller. This Policy applies to the processing for which DMA determines the purposes and means and acts as a controller, namely:

  • (a) account, registration, and billing-contact data;
  • (b) operational metadata, security, and diagnostic data processed in DMA’s own interest to operate, secure, and improve the Service;
  • (c) data of visitors to the Website;
  • (d) communications with us (including support requests); and
  • (e) data processed to comply with our own legal obligations and to establish, exercise, or defend legal claims.

2. Personal Data We Process

2.1. Account and Registration Data. Name, business email address, telephone number (where provided), job title, organisation details, Admin designation, account identifiers, language and configuration settings.

2.2. Subscription and Billing Data. Subscription plan, number of End Users, invoicing details, payment status, and transaction references. Payments are processed by the Payment Provider acting as merchant of record and as an independent controller; we do not receive or store full payment card numbers. The Payment Provider’s processing of your payment data is governed by its own privacy policy.

2.3. Communications Content. Text messages and real-time signalling between End Users are protected by end-to-end encryption based on the MLS protocol (RFC 9420). We do not hold, and are not technically able to access, the cleartext of such content. Files, media, and attachments are protected by encryption in transit and at rest, but not by end-to-end encryption, as described in Section 11.2 of the Terms.

2.4. Metadata. Operational metadata necessary for the functioning of the Service, including account and device identifiers, the existence and timing of communications between accounts, IP addresses, message routing data, file size and type, group and channel membership, and security and audit logs, as described in Section 11.3 of the Terms.

2.5. Diagnostic and Telemetry Data. Crash reports, error logs, and basic device and operating system information generated by the Apps, as described in Section 20 of the Terms. Where reasonably practicable, such data is collected in anonymised or pseudonymised form. Optional telemetry and analytics features, where offered, can be switched off in the Apps’ or Admin Panel’s settings.

2.6. Website Data. When you visit the Website, we process technical data such as IP address, browser type, device information, pages visited, and referral source. Cookies and similar technologies that are not strictly necessary are used only with your consent, which you can manage through the cookie settings on the Website.

2.7. Support and Correspondence. The content of your enquiries, abuse reports, and notices submitted to info@gemteam.eu or otherwise, together with related contact details and correspondence history.

3. Purposes and Legal Bases

3.1. We process personal data for the following purposes and on the following legal bases under Article 6(1) GDPR:

  • (a) providing and operating the Service – creating and administering accounts, transmitting and storing communications, providing support – on the basis of the performance of a contract (Article 6(1)(b)) or our legitimate interest in performing the contract with the Customer where the data subject is not a party to it (Article 6(1)(f));
  • (b) billing and account administration – Article 6(1)(b) and compliance with legal obligations (Article 6(1)(c));
  • (c) security, abuse prevention, and incident response – including processing of metadata and logs – on the basis of our legitimate interests in protecting the Service, our users, and third parties (Article 6(1)(f));
  • (d) maintenance, troubleshooting, and improvement – processing of diagnostic data – Article 6(1)(f), or your consent where required for optional telemetry (Article 6(1)(a));
  • (e) compliance with legal obligations – including accounting, tax, sanctions screening, and responding to binding orders of competent authorities – Article 6(1)(c);
  • (f) establishment, exercise, or defence of legal claims – Article 6(1)(f); and
  • (g) communications about the Service – service notices on the basis of Article 6(1)(b), and marketing communications only with your consent or as otherwise permitted by applicable law, with the right to opt out at any time (Article 6(1)(a) and (f)).

3.2. No Automated Decision-Making. We do not make decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you.

4. Recipients of Personal Data

4.1. We disclose personal data only to:

  • (a) our sub-processors and service providers, in particular cloud infrastructure providers hosting the Service in data centre regions located in Europe (the current list of sub-processors is available on the Website);
  • (b) the Payment Provider, acting as an independent controller and merchant of record;
  • (c) our professional advisers (legal, accounting, audit) bound by confidentiality obligations;
  • (d) competent courts, regulators, and public authorities where required by applicable law or a binding order; and
  • (e) an acquirer or successor in connection with a merger, reorganisation, or sale of all or substantially all of our assets, subject to appropriate safeguards.

We do not sell personal data.

5. International Transfers

5.1. The Service is hosted in data centre regions located in Europe. Where personal data is transferred outside the European Economic Area (for example, certain operational and security data described in Section 11.5 of the Terms), we rely on an adequacy decision of the European Commission, the Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914) together with supplementary measures where required, or another valid transfer mechanism under Chapter V of the GDPR. You may request further information about the safeguards applied by contacting us as set out in Section 9.

6. Retention

6.1. We retain personal data for no longer than necessary for the purposes for which it is processed:

  • (a) account and Customer Data – for the term of the Terms, followed by the thirty (30) day Export Window and deletion or anonymisation in accordance with Sections 5.7–5.8 of the Terms, subject to overwriting of standard backups in accordance with our backup cycle;
  • (b) login activity and Admin action logs – thirty (30) days, subject to longer retention required by applicable law or for the investigation of incidents;
  • (c) billing and accounting records – for the periods required by Bulgarian accounting and tax legislation (generally up to ten (10) years);
  • (d) support correspondence and records relating to potential claims – for the duration of the applicable limitation (prescription) periods (generally up to five (5) years under Bulgarian law); and
  • (e) data processed on the basis of consent – until withdrawal of consent, unless another legal basis applies.

7. Security

7.1. We implement appropriate technical and organisational measures to protect personal data, including end-to-end encryption of text messages (MLS, RFC 9420), encryption in transit (TLS 1.2 or higher), encryption at rest at the level of the underlying object storage, access controls, logging, and personnel confidentiality undertakings, as further described in Section 11 of the Terms and Annex II of the Data Processing Addendum. No system is completely secure, and we cannot guarantee the absolute security of personal data.

8. Your Rights

8.1. Subject to the conditions and limitations of the GDPR, you have the right to:

  • (a) access your personal data and receive a copy of it;
  • (b) rectification of inaccurate or incomplete personal data;
  • (c) erasure of personal data;
  • (d) restriction of processing;
  • (e) data portability;
  • (f) object to processing based on legitimate interests, on grounds relating to your particular situation, and to object at any time to processing for direct marketing purposes; and
  • (g) withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

8.2. Exercising Your Rights. You may exercise these rights by contacting us at info@gemteam.eu. We may need to verify your identity before responding. We will respond without undue delay and in any event within one month, which may be extended by two further months where necessary, taking into account the complexity and number of requests. Where your request concerns Customer Data controlled by a Customer, we will forward it to the relevant Customer in accordance with Section 1.1.

8.3. Complaints. You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. The supervisory authority for DMA is the Bulgarian Commission for Personal Data Protection (Komisia za zashtita na lichnite danni), 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Republic of Bulgaria, www.cpdp.bg. We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority.

9. Contact

9.1. Questions, requests, and notices concerning this Policy and the processing of personal data may be directed to: DIGITAL MARKETING AGENCY LTD, bul. “Vasil Levski” No. 38, floor 2, Sredets District, Sofia, Republic of Bulgaria, attn: Georgi Tabakov, Director (CEO), or by email to info@gemteam.eu.

10. Minors

10.1. The Service is offered to legal entities only and is not directed at, or intended for use by, minors. We do not knowingly collect personal data of minors. If you believe that a minor has provided personal data to us, please contact us and we will take appropriate steps to delete such data.

11. Changes to this Policy

11.1. We may update this Policy from time to time. The current version is at all times available on the Website. Where a change materially affects your rights, we will give reasonable advance notice by email, in-Service notification, or a prominent notice on the Website before the change takes effect. The date of the latest revision is indicated at the top of this Policy.

12. Language

12.1. This Policy may be made available in other language versions for convenience. In the event of any inconsistency or discrepancy between the English version and any translation, the English version prevails.