PRIVACY POLICY of ExpandX | Prosperamo Group Ltd



We care about your personal data. With this policy we want to inform you what personal data we collect about you, what we use it for and how we handle it.

This website is operated by the Bulgarian legal entity of PROSPERAMO GROUP Ltd., under the its registered brand ExpandX, with company registration number under Bulgarian commercial law 204926435, with seat and management address in Sofia, 15-17 Viskyar Planina Str., Fl 2, Office 3 /hereinafter in this Policy briefly referred to as “ExpandX”/.

We are the data controller for your personal data and as such, we are responsible for processing and storing your data in a fair, transparent, and secure manner, taking into account your best interest.

This version of ExpandX’s Privacy Policy has been extended and modified in accordance with the requirements of the General Data Protection Regulation – GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council).



We have appointed a data protection officer (DPO), who oversees the data processing activities in our company.

Our Data Protection Officer /DPO/ is Ms Stanislava Petkova

Contact details:

You can direct any queries related to your personal data to our team at



The competent supervisory authority in Bulgaria is the Commission for Personal Data Protection (“CPDP”). CPDP supervises how we handle your personal data. As a data subject, you are entitled to bring a complaint before CPDP in regard to the processing of your personal data – contact information and more about the procedure may be found at



Through the contact form and the Newsletter subscription form, you may enter into our system the following categories of personal data:

  • First name
  • Last name;
  • E-mail
  • Company
  • Telephone Number

Various questionnaires, assessment and self-assessment forms and other similar tools for collection of information may from time to time be placed on the website. Such forms are aimed to assess certain marketing or web processes in companies or other legal entities (not individuals). The only categories of personal data we would request in such forms would be name, position in a company and contact details. We would never request any kind of special categories of data (a.k.a “sensitive” data) or any kind of other personal information not necessary for the purposes of the assessment.

For the purposes of provision of our marketing or web services, you may provide us with other categories personal data necessary for the respective service.

Automatic collection of information via cookies

We may also collect personal data via cookies. For more details, please consult our cookie policy



The main purpose we collect and use the aforementioned personal data is to communicate with you and to send you our newsletters, reports and other informational and promotional/marketing materials (if you have explicitly agreed to receive such).

If you use ExpandX’s marketing services, processing of personal data may be necessary for the provision of the respective service, as well as for invoicing and accounting purposes.

Your email, if presented to us in the context of the sale of a product or a service, may be used for the purposes of direct marketing of similar products or services.



We collect your data on grounds allowed by EU Regulation 2016/679, also known as the GDPR. The following grounds apply:



If you subscribed to our newsletters and other bulletins, the necessary personal data will be processed based on your consent, which you can revoke at any time by writing a short email to or by clicking on the “I don’t want to receive any more emails from” button, which can be found in every email you receive from us.

Performance of a contract

We collect, use and otherwise process personal data in order to perform our contractual obligations under the respective agreements for provision of marketing or web services.

For the purpose of performing our obligations to you, in some cases we may need to share your personal data with courier companies and financial / payment processing institutions (such as banks, money transfer service providers etc.).


Legitimate interest

After we have completed our contractual obligations to you as our client, we will keep storing personal data in order to make sure that this information is available for cases of official proceedings (e.g. if we are sued for damages), administrative and criminal investigations (e.g. if we are audited by the Revenue Agency), consumer claims and disputes etc.

Your email, presented to us in the context of the sale of a product or a service may be used for the purposes of direct marketing of similar products or services. In such cases the legal bases for the processing would also be legitimate interest in the sense of Art. 6, para 1, letter “f” of the GDPR.

* At the end of each marketing message you will be given the right to object against the processing of your personal data.


Performance of a legal obligation

In the context of our obligations under the tax laws to store certain payment documentation and to cooperate to the tax authorities in cases of inspection, personal data in invoices and agreements concerning the payment arrangements between us with be processed by ExpandX within the time limits, described in the next section.

The same legal ground applies in relation to our obligations under the Anti Money-Laundering law and in relation of any other case of cooperation/transfer of information to an official authority.



Your contact data, collected through our website and processed solely for the purposes of electronic communication and direct marketing is stored by us for indefinite period of time.

Each message you receive from us will provide you with the option to withdraw your consent to use your data OR to object against the receipt of similar messages in the future. In both cases, we will consider your actions as a clear signal that such correspondence is unwanted and your personal data will be deleted from our system immediately.

The data on the invoice shall be kept until the expiration of the legal term under Art. 38 TIPC, ie. up to 5 years after the expiry of the limitation period for repayment of the public obligation with which they are linked.

The content of correspondence and documents produced in favor of the client will be kept by the controller until the expiry of the limitation period for initiating court trials under the Bulgarian Law, in general – up to 5 years from finalizing the respective consultancy service or up to five years from the termination of the subscription service contract. We believe we have the necessary legitimate interest in protecting ourselves in possible legal proceedings or initiating such. This legitimate interest is the legal ground on which we store the aforementioned data.



Any information received by ExpandX in the context of the performance of marketing and web services of any kind, including but not limited to digital marketing, content marketing, SEO, marketing strategy development, design, photo, video, web sites development, digital content development, online advertising and others.

The content of correspondence and documents produced in the customer’s favor such as opinions, written consultations, reports, contracts is not disclosed to any third parties, except at the client’s explicit request.

Transfer of personal data to other recipients is done in the following most common cases:

  1. Invoices, along with the personal data contained therein, is transmitted to an accounting company, acting as joint controller. According to our Personal Data Protection Agreement with the accounting company, ExpandX is responsible to answer to requests under Art. 15 ff GDPR both on its own behalf and on behalf of the joint controller.
  2. Invoice data, along with other categories of personal data may be disclosed to official authorities in cases of inquiries, inspections and revisions;
  3. At the client’s request the content of certain documents, along with the personal data contained therein, may be disclosed to third parties such as external consultants, courts or other official authorities.
  4. Upon delivery of hard copies name and contact details are provided to courier companies;

On behalf of the controller, personal data is reviewed and otherwise processed by ExpandX’s employees, senior management and shareholders. The quoted individuals have made the relevant confidentiality commitments in writing.

Any other transfers of your personal data, not mentioned above, will be communicated to you. Depending on the particular case, your consent on such a transfer may also be collected.



If the recipients of your data are located outside of the EU, we will provide appropriate safeguards that your data is processed with care and diligence that would be required of any EU-based recipient.

Such transfers will be subject to binding corporate rules, standard data protection clauses adopted by the EU Commission, and other data protection mechanism that take into account your rights.



According to GDPR уou have the right to:

  • Right to access;
  • Right to rectification;
  • Right to erasure (right to be forgotten);
  • Right to restrict processing;
  • Right to data portability;
  • Right to object against the processing;
  • Right to withdraw consent at any time.


Right to access

You have the right to obtain access to the personal data held about you by your request; you also have the right to request a copy of the personal data undergoing processing.


Right to rectification

You have the right to ask for incorrect, inaccurate or incomplete personal data to be corrected;

Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.


Right to erasure (right to be forgotten)

You have the right to request personal data to be erased when it’s no longer needed or if processing it is unlawful; Please note that Art. 17 of GDPR outlines in details the cases where we are obliged to erase your data. In some cases we would need to keep your data, even if erasure has been requested /for example for the purposes compliance with a legal obligation which requires processing by EU or local law/.


Right to restrict processing

Under certain circumstances you may have the right to request from us the restriction of processing your personal data. For example, you may exercise this right, when we no longer need your personal data for the purposes of the processing, but we still need to store it in our systems and use it for situations like exercise or defense of legal claims.


Right to data portability

Under certain circumstances you may have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format (i.e. in digital form) and you may have the right to request the transmission of those data to another entity without hindrance from us, if such transmission is technically feasible.


Right to object against the processing

Under certain circumstances you may have the right to object against the processing of your personal data and we can be required to no longer process your personal data. You can exercise this right for example when we use your email address for direct marketing purposes – in such cases once you object, we will no longer be able to send you any marketing materials.


Right to withdraw consent

When the processing of your personal data is based on your consent, you can withdraw your consent at any time without giving any reason to us. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.


How to exercise your rights:

To exercise your rights, you can contact us with a written request at or by regular mail to: Prosperamo Group Ltd | Sofia, 15-17 Viskyar Planina Street, Floor 2, office 3. You may also address your request to the DPO of the company. We will respond to your requests without undue delay and at the latest within 1 month.

Your written request under this Section can be filed on paper or electronically and should include:

  • Your name;
  • The email address by which you are registered in your personal account /optional, but highly recommendable/;
  • Description of your request;
  • Preferred communication channel /e.g. regular or electronic mail/;
  • Signature /in case filed on paper/;
  • Date of the request;
  • Correspondence address;
  • Power of Attorney – if filed on somebody else’s behalf.

You may be asked to provide information to confirm your identity (such as clicking a verification link or providing a verification code) in order to exercise your rights.



Information of any substantive or material changes in this Privacy Policy will be provided to you in advance of the change actually taking effect, so that you have the opportunity to reconsider your consent for data processing and to exercise you right to withdraw it.  Notifications of such changes are done by email and pop-up messages on our website.