Policy for Personal Data Protection

“Netcube" Ltd., UIC-201933296, headquartered in Sofia, 10 “Cherni Lom” str. , floor 5, Mail: support@myhost.io, hereinafter referred to as "Netcube" or "The company", is an "administrator" handling on its own behalf "personal data" within the meaning of The General Directive of The Data Protection Regulation (EU) 2016/679 of 27.04.2016, in force from 25.05.2018 /the Regulation/ and Directive 2002/58 / EC / Directive of the European Parliament and of the Council; Personal Data Protection Act (PDDA), and the other applicable law of the European Union and the Republic of Bulgaria.

Netcube will apply this policy to the processing and protection of personal data of the subjects – physical entities - present and potential users of the web page https://myhost.io/ - visitors (guests) or persons who have registered a user profile in accordance with the applicable General Conditions published on the same web page.

With this policy Netcube establishes, under the terms of transparency and prior notification, the principles, objectives, rules and rights of the subjects, in the observance and safeguarding of which the company accordingly processes "personal data" of the listed individuals, in accordance with the aforementioned regulations.

1. What is the content of the basic concepts used in this policy:

The concepts used in this policy and those listed here will have the following meaning:

"Personal data" means any information related to an identified personal entity that can be identified by the same data; ("Data subject") having been a current or potential user of Netcube goods provided through the myhost.io web pages - visitors or registered users in the same;

"Processing" means any operation or set of operations performed with personal data or a set of personal data by automatic or other means such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, dissemination or other means by which data becomes available, arranged or combined, restricted, deleted or destroyed;

"Limitation of process" means the marking of stored personal data in order to limit its processing in the future;

"Administrator" means a physical or legal entity, a public body, an agency or other entity that alone or jointly with others determines the purposes and means of processing personal data;

"Personal data processor" means a physical or legal entity, a public authority, an agency or other entity that processes personal data on behalf of the administrator;

"Recipient" means a physical or legal entity, a public authority, an agency or other entity to which personal data is disclosed, whether or not a third party. At the same time, public authorities which may receive personal data in a specific investigation in accordance with Union law or the law of the Republic of Bulgaria shall not be considered as "recipients";

"Third party" means a physical or legal entity, a public authority, an agency or other authority other than the data subject, the administrator, the data processor and the persons directly entitled to process the personal data under the direct authority of the administrator or data processor;

"Data subject's consent" means any free expression, specific, informed and unambiguous indication of the will of the data subject, by means of a statement or clearly confirming action, which expresses his/her consent to processing of personal data related to him/her;

"Child" according to the Regulation any individual under the age of 16, although age may be reduced to 13 because of domestic law. Processing of personal data of a child is legal only if the parent or trustee of said child has given his/her consent. In such cases the Administrator shall make reasonable efforts to verify that the holder of parental responsibility for the child has given or has been authorized to give his/her consent;

"Profiling" means any form of automated processing of personal data consisting use of personal data for the assessment of certain personal aspects related to an individual and, in particular, for the analysis or forecasting of aspects related to his or her personal preferences, interests, behavior, location or movement;

"Privacy breach" means a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that is transmitted, stored or otherwise processed;

"Cookies" means a packet of information sent from the web server of myhost to the internet browser on a computer or other device of the user and then returned from the same browser upon request, when there is internet access to the server that has sent the cookies used by Netcube or a third party;

2. What are the basic principles for processing of personal data by Netcube:

Netcube performs personal data processing in compliance with the following principles:

• Personal data processing is done legally, in good faith and transparently with regard to the data subject;
• Processing is done only for the purposes specifically defined and explicitly set forth in this policy, preventing further data processing of the subject in a way incompatible with those purposes;
• Netcube minimizes processed personal data, that is to say, only this personal data that is appropriate, related and limited to what is necessary in connection with purposes for which they are being processed;
• Accuracy of processed personal data should be accurate and up-to-date, for which reason Netcube shall take reasonable steps and procedures to ensure the timely erasure and/or correction of inaccurate personal data, while taking into account the purposes for processing;
• Keeping personal data in a form that allows the data subject to be identified for a period no longer than is necessary for processing of personal data concerned;
• Processing personal data in a manner that ensures an appropriate level of personal data security, including protection against unlawful processing and/or accidental loss and/or damage and/or destruction, and in connection to this, Netcube implements appropriate technical and organizational measures;
• Assistance from Netcube to exercise the rights of the data subjects and ensure communication with them without undue delay in this respect;
• Netcube should be able at any time to identify to the competent supervisory authorities compliance with the above principles, current policy and applicable data protection legislation on its behalf.

3. On what grounds and for what purposes Netcube processes your personal data:

1. Netcube, on the basis of a pre-contractual relationship and a contract for remote hosting services, as well as on your registration as a user of myhost.io site, will collect personal data set out in this policy in order to: identify you as a party in pre-contractual relations and conclusion of contract for remote hosting services with the subject of goods offered through the web site myhost; execution of obligations under the set remote contract; communication during operation and termination of said remote contract; fulfillment of obligations arising from the law - for example, from the Consumer Protection Act, Personal Data Protection Act, etc .; assist in the exercise of your rights and legitimate interests arising from the said remote contract or from a statutory instrument;
2. On the basis of its legitimate interests in order to: exercise rights arising from remote contracts, judicial protection of such rights, including enforcement; fulfillment of obligations arising from law or other general or individual administrative acts;
3. Netcube, on the basis of laws and regulations of domestic law, carries out processing of personal data in order to fulfill the duties assigned to it by same legal acts, such as: keeping accurate and reasoned bookkeeping and commercial logs; issuing of invoices and other primary accounting documents, based on the contracts concluded remotely through the web page;
4. Based on the consent of the data subject, Netcube will process your personal data for the purposes of direct marketing;
5. Netcube, based on its legitimate interests or expressed consent by the data subject, processes information about the data subject - visitors to the web pages at myhost.io, respectively the e-shop using automated technologies, including usage of cookies of the company and of third parties - its partners, in order to: secure the use of the web page; optimal use and improvement of the latter's functionality; satisfying consumer expectations according to their interests; performance of statistical analysis concerning use of the webpage; providing advertising; other forms of direct marketing by electronic means;
6. Netcube may process legitimate personal data of data subjects for purposes other than those set forth in the preceding paragraphs only if not prohibited by law and after the other purposes have been transparently established; by duly informing the data subjects when there is a reason for lawful processing of personal data;

4. Types - categories of personal data processed by Netcube:

Depending on specific grounds and purposes of processing set out in Section 3, Netcube processes the following types and categories of personal data, in accordance with the principles set out in Section 2, either simultaneously or separately:

1. For the purposes set out in point (I) of Section 3:

   - name (in your capacity as a natural person-user and/or in the capacity of a legal entity-client of our hosting services); address; e-mail address; phone number; order number;

2. For the purposes set out in Section (II) of Section 3, Netcube processes the following personal data:

   - Names (in your capacity of a natural person-user and / or in the capacity of a legal entity-client of our hosting services); address; e-mail address; phone number; order number;

3. For the purposes set forth in Section (III) of Section 3, Netcube processes the following personal data:

   - name (in your capacity as a natural person-user and /or in the capacity of a legal entity-client of our hosting services); address; e-mail address; phone number; order number;

4. For the purposes set forth in Section (IV) of Section 3, Netcube processes the following personal data:

   - Names (in your capacity of a natural person-user and/or in the capacity of a legal entity-client of our hosting services); address; e-mail address; phone number; order number, IP address;

5. For the purposes set forth in (V) of Section 3, Netcube processes the following data automatically:
   • When visiting the web sites of myhost.io, Netcube, or third parties - its partners from which Netcube uses services such as: Google, Facebook, HotJar, Mailchimp. and other; performing automated data processing, including use of cookies, collecting the following information on behalf of Netcube: IP address; terminal data used; data about the browser used and operating system of terminal device; information about user behavior and activities; order information;
   • For the most part, the data in question is anonymous, that is, it is used in a form that does not allow identification of a particular individual, or the latter is virtually impossible, but it is technically necessary to ensure successful internet session of respective user on the web pages, seamlessly using the functionality of the latter; link security and protection from abuse.
   • However, if data collection in this automated manner combined with unique identifiers, including some of Netcube's or its cookies’ partner, enables profiling and /or identification of individuals, Netcube will treat the same data, as personal.
   • For more information about automated data collection and processing technologies, including cookies used Netcube and its partners, you can get acquainted with the Cookies Policy, duly posted on the company's official address: https://myhost.io/cookie_policy.php
   • In any case, and in spite of the above, the user is also entitled to exercise his/her right to withdraw his/her consent to use/accept cookies in the same way and just as easily as he/she has provided in connection with their acceptance. For this purpose, Netcube provides an opportunity to electronically withdraw consent. See more about this feature in the Cookies Policy, duly posted on the official website: myhost.

5.Terms of storing and processing personal data. Destruction of personal data:

Netcube stores the personal data on paper and/or in electronic format. Storage as a type of processing is performed by Netcube with implementation of appropriate technical and organizational measures ensuring secure and effective protection of personal data.

However, Netcube will not store personal data for a longer period than established in this policy than is necessary to achieve the established purposes for which data was collected.

In certain cases, Netcube may store data longer than set in this policy, only if personal data is processed for purposes of archiving in the public interest, scientific or historical research and for statistical purposes, and only to perform appropriate technical and organizational measures to safeguard the rights and freedoms of the data subject.

Once the deadlines have expired, personal data will be destroyed by ensuring data protection by applying appropriate technical or organizational measures.

Duration of data storage by Netcube is as follows:

1. For the purposes set out in point (I) and (II) of Section 3, Netcube stores personal data according to point (I) and (II) of section 4 for the duration of individual contract, but not more than expiration of limitation periods for emerging financial obligation implementation between the parties, regardless of termination/cancellation of the contract, except for this personal data referred to in this point, that needs to be stored for a longer term under current legislation and in accordance with other reasons for processing set by Netcube;
2. For the purposes set out in point (III) of Section 3, Netcube stores personal data in point (III) of section 4 for a period of 10 (ten) years set from January 1 of the year following the relevant reporting period during which this data was collected/generated;
3. For the purposes set forth in (IV) of Section 3, Netcube stores personal data under point (IV) of section 4 until the data subject's consent for processing of personal data is withdrawn, unless there is another legal basis for processing, and in particular storing the same data;
4. For the purposes set forth in Section (V) of Section 3, Netcube shall store personal data per point (V) of Section 4 for a maximum period of 24 months, or until the data subject exercises his/her right to be forgotten. More information on cookie duration, Netcube provides in the Cookies Policy, published on the official website of the company myhost.

6. Compulsory/voluntary providing of personal data and consequences of failure to provide:

Provision of personal data for the purpose of concluding a remote contract is mandatory. The same is stipulated in the General Terms and Conditions posted on the webpage of the remote contract.

Failure to provide personal data by the entities for the stated purposes will result in the impossibility to provide hosting services and remote contracts with the seller Netcube, respectively the execution of these contracts.

Failure to consent to the use of some of the cookies may result in the webpage being misused or, in particular, not capable to be used in its full functionality.

In other cases, submission of personal data by the data subject is not mandatory and is a voluntary act/a specific decision on the part of the data subject.

7. What are the third parties to whom personal data processed by Netcube can be provided:

Netcube may legitimately provide personally processed data to the entities addressed by this policy to another person outside its organization, a "processor of personal data" to process such personal data on behalf of the administrator.

Netcube will use only third parties - "personal data processors" that provide sufficient guarantees for the application of appropriate technical and organizational measures in such a way that the processing is accordance with the Regulation requirements and the applicable law of the Republic of Bulgaria. Netcube guarantees that personal processing will be done only on the basis of a documented order by the administrator - that is, of Netcube. Relationship between Netcube and "processor of personal data" is governed by a contract or agreement to an existing contract governing: data subjects affected by processing; type and purpose of processing; processing period; types and categories of personal data that are subject to processing; rights, obligations and responsibilities of the administrator and processor as well as other obligations and responsibilities of the parties.

1. Persons processing personal data on behalf of Netcube, on the basis of a contract/agreement concluded in accordance with the current Regulations and the Personal Data Protection Act (PDPA), may be:
   • persons performing: accounting and/or legal protection and assistance services and/or other consultancy services, to be outsourced by Netcube;
   • persons performing courier services assigned by Netcube;
   • persons performing IT services related to the development and maintenance of Netcube's awarding websites;
   • persons providing payment services, in accordance with the Payment Services and Payment Systems Act, assigned by Netcube;
   • persons providing direct marketing services, provided that the data subject has consented to the processing of that data for the purposes of direct marketing;
   • Providers of notification/information services for sending notifications/messages, including e-mail/SMS to Netcube users;
   • Providers of hosting services;
   • a person – “personal data processor” included as such by any of the foregoing “personal data processors”, but subject to the provisions of applicable law;

   Netcube may provide lawful access to personal data, in its capacity as administrator, to another person outside its organization, the "personal data administrator", that processes the same personal data on its own behalf and on its own account.

   Access to personal data in these cases is performed in order to fulfill the administrative obligations of Netcube, fulfillment of its procedural obligation, protection of rights and exercise of procedural rights in connection with it, fulfillment of obligations arising from a legal act of the current law and/or on the basis of a contract.

2. Persons receiving access to personal data through Netcube and processing such data on their own behalf as administrators may be:
   • administrative bodies, agencies, committees and other public bodies and structures in connection with the implementation of administrative - legal and regulatory obligations of Netcube;
   • pre-trial authorities and/or courts for the performance of procedural obligations and/or exercising procedural rights of Netcube, provided by the current legislation of the Union and the Republic of Bulgaria;
   • state or private court officials exercising the procedural rights of Netcube provided by the current legislation of the Union and the Republic of Bulgaria;
   • third parties - private successors of Netcube, such as debtors of receivables of debtors of Netcube;
   • commercial companies - universal successors of Netcube based on the relevant transformation of Netcube;

8. What are the sources of personal data processed by Netcube:

Netcube, for the fulfillment of the relevant objectives set forth in Section 3 of this policy, collects and stores data primarily from the subjects of the latter, such as: names, address, e-mail address, telephone, IP address, tax identifiers and others; as well as personal data generated by the company itself, such as the number of a particular hosting service request.

However, Netcube may collect personal data, for its legitimate interests and from publicly available sources, for the purpose of exercising judicial protection of its rights or collection of its claims, namely:

• Commercial register and register of non-profit legal entities at the Registry Agency - www.registryagency.bg and www.brra.bg;;
• Property register of the Registry Agency - www.registryagency.bg and www.icadastre.bg;
• Central Registry for Special Pledges at the Ministry of Justice - www.justice.government.bg;
• Register Bulstat at the Registry Agency - www.registryagency.bg, www.bulstat.bg;
• Central Registry of Debtors to the Chamber of Private Enforcement Agents - https://newregistry.bcpea.org;
• Public and National
• Public, Court and State Executive Registries;
• Other publicly available sources;

9.Transfer of data to third countries:

In certain cases of personal data processing it is possible to transfer it to recipients processing this data on behalf of Netcube in third countries outside the European Union. Netcube ensures that in such cases, recipients of personal data should be based in economic sectors of countries included in a specific list approved by the European Commission published in the Official Journal of the European Union and/or Netcube whom as an administrator should have concluded an agreement for data processing containing standard data protection clauses approved by the European Commission, ensuring an adequate level of protection.

To date, information generated by the use of Google cookies when providing and using the services of the latter company by Netcube administrator, namely: IP address of user; end device identifier; type of browser and operating system used; information about user behavior and activities; is handled directly by Google, which acts as a processor on behalf of Netcube and is directed to US-based servers. Netcube warrants that it has properly arranged its relationship with Google for this type of data processing and transfer, based on an agreement containing standard data protection clauses approved by the European Commission that ensuring an adequate level of protection; Netcube also ensures that Google is an organization that has joined the EU-US framework and the Privacy Shield Framework program, administered by the US Department of Commerce International Trade Administration, approved by the European Commission as of 12.07.2016, as appropriate to provide a mechanism for companies on both sides of the Atlantic to comply with the requirements of confidentiality and protection data when transferred to the United States.

10. What are the rights of data subjects:

Netcube will process personal data of the respective entities, assisting in exercising their rights and communicating without undue delay, within the time limits provided by the Regulation or the PDPA.

All listed rights of the data subjects will be exercised by a written application submitted by the entity or its authorized representative to Netcube at the following address: 10 "Cherni Lom" street floor 5, including by electronic mail to the following email: support@myhost.io, with the minimum content required under the Personal Data Protection Act (PDPA).

Personal data subjects have the following rights guaranteed by the Regulation and domestic law:

• Right to access personal data

The data subject has the right of access to the personal data related to him/her and to receive feedback from Netcube within date of receipt of request and under the terms of the Regulation and PDPA;

• Right to correct personal data

The data subject has the right to ask the administrator to correct inaccurate personal data related to him/her and to receive feedback from Netcube for the actions he/she has taken in time of received request and under the terms of the Regulation and PDPA;

• Right to erasure (right of subject to be forgotten)

The data subject has the right to request from Netcube to delete related personal data and the administrator has the obligation to delete them when any of the following legal base is applicable:

- personal data is not necessary for purposes established by the Netcube for which it is assembled or otherwise processed;

- the data subject consent for data processing has been duly withdrawn and at the time of withdrawal there is no other legal basis for data processing by Netcube;

- the data subject opposes processing pursuant to Article 21 (1), (exercising right of objection) as of Regulation (EU) 2016/679 of 27.04.2016, in force of 25.05.2018 (“The Regulation”) and has no legal ground for data processing, or the data subject objects to the processing under Article 21 (2) of that Regulation;

- data subject personal data has been tampered with unlawfully;

- personal data must be erased in order to comply with a legal obligation under Union law or the law of the Republic of Bulgaria, which law applies to the administrator;

personal data have been collected in relation to the information society provision services under Art. 8 (1) of the Regulation;

Netcube shall inform the data subject about the actions taken by it regarding exercise of this right within a period of one month from receipt of request/application and under the terms of the Regulation and of the PDPA.

Netcube informs the data subjects that the right to be forgotten is not an absolute subjective right and the administrator may not allow a deletion request in one of the cases expressly provided for in Article 17 (3) of the Regulation as well as in cases where the administrator may have to prove that he/she is not in a position to identify the data subject who exercised that right;

• Right to restrict processing of personal data

Data subject has the right to request from Netcube to restrict the processing of personal data when there is one of the following reasons:

- accuracy of personal data is disputed by the data subject for a period that allows Netcube to verify its accuracy;

- processing is illegal, but the data subject does not want the personal data to be deleted, but instead requiring a limitation of its use by Netcube;

- Netcube does not need more personal data for the purposes of processing, but the data subject requires it to identify, exercise or protect legal claims;

- the data subject has objected to Netcube against processing of data under Article 21 (1) of the Regulation pending verification that administrator’s legal grounds have an advantage over the interests of the data subject;

Where processing is limited to exercising the right to restrict processing, such data shall only be processed, with the exception of its storage, only with the consent of the data subject or for the establishment, exercising or protecting legal claims, or for protection of rights of the data subject. another physical entity, or on important grounds of public interest to the Union or a Member State.

When a data subject has requested a limitation of processing, Netcube will inform him/her before revocation of processing restriction is lifted.

In any case, Netcube shall inform the data subject about exercising right of limitation, the actions taken after receipt of request/application, and under the terms of the Regulation and the PDPA.

• Right of withdrawal of consent of the data subject

Data subject shall have the right to withdraw his/her consent if processing is based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation. Right of withdrawal may be exercised at any time, without prejudice to the lawfulness of processing by consent, before it is withdrawn;

• Right to personal data portability

Data subject is entitled to the portability of data, which means that he/she may ask the administrator to obtain the personal data processed by the latter in a structured and machine readable format to be transferred to another administrator or for Netcube to perform direct transfer of data to the other administrator, if technically feasible.

• Right of objection

Netcube informs the data subjects that, separately and independently of other listed rights, they are entitled under Article 21 of the Regulation at any time and on grounds relating to their particular situation to object to processing of personal data as based on Article 6 (1) of the Regulation (e), that is to say, "processing is necessary for the performance of a task in the public interest or in exercise of official authority conferred to the administrator"; or point (5/f), i.e., "processing necessary for the purposes of legitimate interests of the administrator or a third party, except where the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child, including profiling, based on said regulations". When exercising this right in such cases, Netcube will discontinue processing of personal data unless it can prove that there are convincing laws and grounds for processing, that take precedence over the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.

When processing personal data for the purposes of direct marketing, the data subject is entitled at any time to object to the processing of personal data related to him/her for this type of marketing, including profiling insofar as it relates to direct marketing. When the data subject opposes processing for direct marketing purposes, processing of personal data for these purposes is terminated.

In context of information use by the information society, and notwithstanding Directive 2002/58 / EC, the data subject may exercise his/her right of objection by automated means using technical specifications.

Where personal data is processed for the purpose of scientific or historical research or for statistical purposes pursuant to Article 89 (1), the data subject may, on the basis of his or her particular situation, object to processing of personal data relating to him/her other than if processing is necessary for performance of task carried out for reasons of public interest.

• The entity has a right not to be the subject of a decision based solely on automated processing involving profiling

The data subject has the right not to be the subject of a decision based solely on automated processing involving profiling which produces legal consequences for him/her or similarly affects him/her significantly.

• Right to information and assistance

Netcube shall provide the data subject with information on actions taken in connection with jis/her request to exercise the rights of entities referred to in Articles 15-22 of the Regulation without undue delay and in any case within 30 days of receipt of request unless the PDPA provides longer term.

When the data subject submits a request by electronic means, the information is to be provided, if possible.

• Right to appeal to supervisors:

Without prejudice to any other administrative or judicial remedy, any data subject shall have the right to appeal to the supervisory authority in the Member State of habitual residence, place of work or place of suspected infringement if the data subject considers that processing of personal data related to it violates the provisions of the General Regulation about protection of personal data.

Competent supervisory authority to which a complaint may be lodged: Personal Data Protection Commission, address: Sofia 1592, "Prof. Tsvetan Lazarov” No. 2, e-mail: kzld@cpdp.bg, website: www.cpdp.bg.

UPDATING PERSONAL DATA PROTECTION POLICY:

Netcube has the right to periodically update this Privacy Policy. Upon change in this policy, a message will be published on our website, as well as the updated Policy for Personal Data Protection