iden / Privacy policy
Legal

Privacy Policy

How Flexcon EOOD processes personal data, and your rights under the GDPR.

Effective date: 1 April 2026 · Last updated: 21 April 2026
Controller: Flexcon EOOD · UIC 205202354 · Sofia, 47A Cherni vrah Blvd., floor 4, Bulgaria

1. Who we are

Flexcon EOOD ("we", "us", "Flexcon") is a Bulgarian limited liability company registered with UIC 205202354 and VAT BG205202354, with its registered office at Sofia, 47A Cherni vrah Blvd., floor 4, Bulgaria. Flexcon operates the iden platform (iden.software).

This policy covers personal data processing in two distinct capacities:

  • As a data controller — for personal data we collect directly from visitors to our website, prospective customers, and business contacts.
  • As a data processor — for personal data processed on behalf of our venue-operator customers who use iden to manage their own customer relationships. That processing is governed by the Data Processing Agreement between Flexcon and each customer.

2. Personal data we process as controller

When you visit our website

We log standard technical information (IP address, browser type, pages visited) for security and service-operation purposes. We do not use tracking cookies for advertising.

When you contact us

If you email us or book a demo, we process the contact information you provide (name, email, phone, company) and any information contained in your message. We use it to respond to you and, where relevant, to track the commercial conversation.

When you become a customer

We process contact and billing information for the individuals at your organization who interact with us — typically commercial, technical and finance contacts. We process this data for the purposes of contract performance and legal obligations (invoicing, accounting).

3. Personal data we process as processor

When our customers use iden to run their venues, they collect and process personal data about their own customers (the "end users"). Flexcon processes that data on behalf of the customer, under the terms of a written Data Processing Agreement and in compliance with Article 28 of the GDPR.

Depending on the modules activated, this may include:

  • Name, phone number, email address, date of birth
  • Waiver signature images and consent records
  • Booking and attendance history
  • Loyalty status, points, and reward redemptions
  • Transactional records from iden.pos (where deployed)
  • Photographs or identifying images, only if the customer configures them

We do not use end-user personal data for our own purposes. We do not sell it. We do not use it to train AI models. We process it strictly in line with the customer's documented instructions.

4. Legal bases

We rely on the following lawful bases under Article 6 GDPR:

  • Contract — to deliver iden to our customers and respond to inquiries.
  • Legitimate interest — to operate and secure the platform, prevent fraud, and engage in limited direct commercial communication with business contacts.
  • Legal obligation — to comply with Bulgarian accounting, tax, and NRA fiscal obligations.
  • Consent — for marketing communications where consent is required by applicable law.

5. Data retention

We retain personal data only as long as needed for the purpose it was collected, plus any period required by law.

  • Commercial contact data — for the duration of our commercial relationship and for three (3) years thereafter.
  • Billing & accounting data — ten (10) years, as required by Bulgarian law.
  • Fiscal records — as required by NRA Ordinance H-18 and applicable Bulgarian tax legislation.
  • End-user data processed on behalf of customers — retention periods are defined in each customer's configuration and Data Processing Agreement, and deleted on customer request or contract termination.
  • Website logs — ninety (90) days unless required for longer for security or legal reasons.

6. Subprocessors & international transfers

We use a small set of carefully selected subprocessors to deliver iden. A full list is available on the Trust & Compliance page. All customer data is hosted within the European Union (Frankfurt, Germany). The only non-EU operations involve Apple Wallet and Google Wallet pass distribution — those services operate under their respective Standard Contractual Clauses for EU data transfers.

7. Security

We implement technical and organizational measures appropriate to the sensitivity of the data we process. These include TLS 1.3 encryption in transit, AES-256 encryption at rest, PostgreSQL row-level security for tenant isolation, HMAC-signed capability tokens, Cloudflare Turnstile bot protection, and Upstash Redis rate limiting. See the Security posture section for details.

8. Your rights under the GDPR

Where Flexcon acts as controller, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request erasure (the "right to be forgotten") where applicable
  • Request restriction of processing
  • Object to processing based on legitimate interest
  • Data portability, where technically feasible
  • Withdraw consent at any time, where processing is based on consent
  • Lodge a complaint with a supervisory authority — in Bulgaria, the Commission for Personal Data Protection (cpdp.bg)

Where Flexcon acts as processor (for end-user data), requests should be addressed to the customer who controls that data — typically the venue you visited. We will support our customers in responding to such requests.

9. Contact

For any privacy question, data subject request, or to reach our privacy officer:

  • Email: privacy@iden.software
  • Post: Flexcon EOOD — Privacy · 1 Pozitano sq., fl. 7, 1000 Sofia, Bulgaria

10. Changes

We may update this policy from time to time. The "Last updated" date at the top of this page shows when the policy was last revised. Material changes affecting our customers will be communicated directly via email.