01 About this policy
This Privacy Policy explains how COTRONIKA EOOD (“we”, “us”, “our”), the company that operates the UXO platform at uxo.bg and its related services (the “Service”), collects, uses, shares and protects personal data.
It covers the marketing website at uxo.bg, the customer-facing ordering apps that restaurants embed under the UXO brand, the staff dashboard used by restaurant teams, and the marketplace discovery surfaces — together, the Service.
This policy is written in plain English so you can understand what we do and what your rights are. Where we use technical terms from the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), we explain them.
02 Who we are
COTRONIKA EOOD is a Bulgarian limited-liability company that operates UXO.
- Legal name: COTRONIKA EOOD
- UIC / EIK: 202457989
- VAT: BG202457989
- Registered office: Sofia 1700, Bulgaria
- Contact email: [email protected]
We have not appointed a designated Data Protection Officer (DPO) because our processing operations do not meet the mandatory thresholds set out in Article 37 GDPR. You can still reach us for any privacy-related question at the email above.
03 What personal data we collect
The categories of personal data we collect depend on how you interact with the Service.
Restaurant owner / staff account data (we are controller)
- Identity and contact details — name, email, phone number, preferred language.
- Business details — restaurant or company name, address, country, company registration and VAT numbers where applicable.
- Authentication data — hashed password, one-time codes sent to your email for sign-in and verification, session tokens.
- Billing data — plan, billing cycle, billing address, the last four digits of a payment card (we never receive the full card number, see Section 6), invoice history.
- Communications you send us — support emails, contact-form messages, replies to our service emails.
Guest / customer data placed through the Service by a restaurant (we are processor)
- Order data — items chosen, variants, notes to the kitchen, order time, table number or pickup/delivery details.
- Customer contact data — name, phone number, email and delivery address when the guest places a pickup, delivery or reservation order or chooses to receive status updates.
- Account data — when a guest creates a remote-ordering account, the email or phone they verify with, language preference, saved delivery addresses.
We process this category strictly on the documented instructions of the restaurant that owns the venue, under the terms of our Data Processing Agreement (see /legal/dpa). We do not sell, rent or use this data for our own marketing purposes.
Technical data we collect from anyone who uses the Service
- IP address, device type, browser, operating system, referring URL.
- Pages viewed, time spent, interactions with the interface, approximate location derived from IP.
- Functional cookies — for example the uxo_locale cookie that remembers your language choice across pages.
- Analytics cookies set by Google Analytics on the uxo.bg marketing site (see Section 9 on cookies).
- Server logs — request URLs, status codes, timestamps, truncated User-Agent strings — retained for operational and security purposes.
04 How we use personal data and the legal bases
We process personal data only where we have a lawful basis under Article 6 GDPR. The table below sets out the main purposes and the basis we rely on for each.
| Purpose | Legal basis |
|---|---|
| Provide and operate the Service, give you access to your account, render the customer-facing ordering interfaces | Performance of the contract (Art. 6(1)(b)) |
| Take payment, issue invoices, manage subscriptions, collect overdue amounts | Performance of the contract (Art. 6(1)(b)) |
| Send service emails (sign-in codes, password resets, account changes, payment receipts, security notices) | Performance of the contract (Art. 6(1)(b)) |
| Comply with our tax, accounting, anti-money-laundering and consumer-protection obligations | Legal obligation (Art. 6(1)(c)) |
| Protect the Service against fraud, abuse and security threats; investigate incidents | Our legitimate interest in keeping the Service safe (Art. 6(1)(f)) |
| Improve the Service — aggregate usage analysis, product research, error monitoring | Our legitimate interest in operating and improving the Service (Art. 6(1)(f)) |
| Send marketing emails about new UXO features and announcements to existing customers | Our legitimate interest in promoting the Service to existing customers, with an opt-out in every email (Art. 6(1)(f)) |
| Set analytics cookies on the uxo.bg marketing website | Your consent (Art. 6(1)(a)) |
| Process guest / customer order data on behalf of a restaurant | We act as processor; the restaurant determines and relies on its own legal basis under its agreement with the guest |
06 International transfers
The Service runs on our own infrastructure in Bulgaria (EU). However, some of our sub-processors are based in the USA or operate global infrastructure. Where personal data is transferred outside the European Economic Area, we rely on the appropriate safeguards required by Chapter V GDPR:
- the European Commission’s Standard Contractual Clauses (Decision 2021/914) signed with the provider, and
- where the provider participates in the EU-US Data Privacy Framework, the adequacy decision of 10 July 2023 in combination with the provider’s self-certification.
You can request a copy of the safeguards in place for a specific transfer by emailing [email protected].
07 How long we keep personal data
We keep personal data only for as long as we need it for the purposes set out in this policy or for as long as the law requires.
- Account data: kept while your subscription is active. Deleted (or irreversibly anonymised) within three months of the end of your subscription, except where we have to keep specific records for longer to meet a legal obligation (for example, accounting and tax records that the Accountancy Act and the VAT Act require us to keep for at least ten years).
- Order data and guest customer data: kept for as long as the restaurant’s subscription is active, and deleted within three months of subscription closure, subject to the same accounting / tax-retention exceptions above.
- Sign-in codes and password-reset tokens: expire automatically within the time-to-live set in the Service (typically minutes to hours) and are then deleted.
- Server logs and security telemetry: kept for up to ninety days unless tied to a specific incident under investigation.
- Marketing-email opt-out records: kept indefinitely so we can honour the opt-out even after you close your account.
08 Your rights
Under the GDPR you have the following rights in relation to personal data we hold about you:
- Access (Art. 15) — ask for a copy of the personal data we hold about you.
- Rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
- Erasure (Art. 17) — ask us to delete your data where one of the grounds in the GDPR applies.
- Restriction (Art. 18) — ask us to limit how we use your data while a dispute is resolved.
- Portability (Art. 20) — receive the data you have provided to us in a structured, commonly used, machine-readable format and ask us to transmit it to another controller where technically feasible.
- Objection (Art. 21) — object to processing based on our legitimate interests, including direct marketing, on grounds relating to your particular situation.
- Withdraw consent (Art. 7(3)) — where we rely on your consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Lodge a complaint with a supervisory authority. In Bulgaria, the relevant authority is the Commission for Personal Data Protection (Комисия за защита на личните данни), www.cpdp.bg.
To exercise any of these rights, write to [email protected]. We will respond within one month of receiving your request, as required by Article 12(3) GDPR. We may extend that period by up to two further months where the request is complex; if we do, we will tell you within the first month and explain why.
If your request concerns guest / customer data that a restaurant has placed through the Service, please address it to the restaurant in the first instance — they are the controller. We will support them in responding.
10 Security
We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures include:
- encryption in transit (TLS) for all traffic to and from the Service;
- encryption at rest for backups and sensitive data stores;
- role-based access controls and the principle of least privilege for staff accessing production systems;
- multi-tenancy isolation that ensures one restaurant cannot access another’s data;
- hashing of passwords with a salted, slow algorithm; sign-in tokens that expire and rotate;
- audit logs of administrative actions, server logs retained for operational and security review;
- routine backups, security patching and supplier reviews of the sub-processors listed in Section 5.
No system is perfectly secure. If a personal data breach affects you, we will notify you and the relevant supervisory authority where the GDPR requires us to do so (Art. 33-34).
11 Children
The Service is not directed to children under the age of sixteen, and we do not knowingly collect personal data from them. If you become aware that a child has provided us with personal data, please contact us at [email protected] so we can delete it.
12 Changes to this policy
We may update this policy from time to time to reflect changes in the Service, in our sub-processors, or in applicable law. When we do, we will change the “Last updated” date at the top of this page. If the changes are material, we will give you reasonable advance notice — typically by email if you have an account with us, or by a banner on the Service.
13 Contact
For any question about this policy or how we handle personal data, write to [email protected] or by post to COTRONIKA EOOD, Sofia 1700, Bulgaria.