Effective date: 18.12.2025
This Privacy Policy describes in detail how Karina Bancheva (“Controller”) collects, uses, stores, and protects personal data of visitors and clients of the website karina-psychology.com (“the Website”), as well as related services, online sessions, tests, and consultations, in accordance with Bulgarian and EU legislation (GDPR).
Data Controller: Karina Bancheva
Contact: karina@karina-psychology.com, tel. +359 897 840 445
Identification data: name, surname, date of birth (if needed), gender.
Contact data: email, phone number, address (as applicable).
Service-related data: clinical/anamnestic information, test results, session notes, medical documents (if provided).
Payment data: bank/payment details (stored only to the necessary extent and/or via a payment provider).
Technical data: IP address, device information, logs, cookies, and analytical data.
The processing of personal data is based on one or more of the following grounds:
Performance of a contract — when processing is necessary to provide agreed services.
Consent (Article 6(1)(a) GDPR) — where applicable (e.g. marketing, cookies when no other legitimate interest exists). Consent may be withdrawn at any time; withdrawal does not affect the lawfulness of processing before withdrawal.
Legal obligation — when required by law to retain certain data.
Vital interest — in extreme cases related to health (rarely applicable).
Legitimate interest of the controller — for site protection, fraud prevention, or service improvement (after balancing interests).
Special categories of personal data (e.g. health data) are processed only when necessary for providing healthcare services and when an appropriate legal basis exists (e.g. explicit consent and/or legal basis). Processing is carried out in accordance with Article 9 GDPR and applicable national law.
Data necessary for service provision: stored for the duration of the service and thereafter for a period in line with professional and legal requirements (e.g. accounting records — 5 years or as required by law).
Medical/anamnestic data: stored in accordance with legal and professional requirements (recommended: minimum 10 years from the last session — to be specified according to Bulgarian professional rules).
Marketing data: until consent is withdrawn.
Analytics and cookies data: until the expiration of the respective cookie (session or persistent) or deletion upon withdrawal of consent.
Users have the rights guaranteed by GDPR:
Right of access (Article 15 GDPR) — to obtain a copy of their data.
Right to rectification (Article 16) — to correct inaccurate data.
Right to erasure (Article 17) — “right to be forgotten,” under certain conditions.
Right to restriction of processing (Article 18).
Right to data portability (Article 20).
Right to object (Article 21) — to processing based on legitimate interest or direct marketing.
Right not to be subject to automated decision-making (Article 22).
To exercise rights: send a written request to karina@karina-psychology.com or to the postal address. The Controller will respond within GDPR time limits (usually 1 month, with possible extensions).
Data may be shared with subprocessors supporting service delivery (platform providers, payment processors, IT providers, professional collaborators). These act as processors and are bound by data processing agreements.
If data is transferred outside the EU/EEA, this is done only with appropriate safeguards (e.g. Standard Contractual Clauses or other lawful mechanisms). Users will be informed when such transfers are planned.
The Controller applies technical and organizational measures — encryption of communications (HTTPS), password protection, access restrictions, backups, etc. — to protect data. However, no system is 100% secure; in case of incidents, procedures are followed (see Section 9).
In the event of a breach, the Controller will:
Assess the breach and take corrective measures.
If there is a risk to individuals’ rights and freedoms, notify the competent supervisory authority (Commission for Personal Data Protection — CPDP, Bulgaria) within 72 hours of becoming aware of the breach, as well as affected individuals if there is a high risk.
Provide the supervisory authority and/or affected individuals with information about the nature of the breach, consequences, and measures taken.
8.1. The website uses cookies and similar technologies. Purposes include: website functionality (necessary cookies), personalization, analytics, and marketing.
8.2. Upon first visit, the user sees a cookie banner/pop-up allowing consent choices (explicit consent for all except strictly necessary cookies).
8.3. Users may change cookie preferences at any time via browser settings or through the website’s cookie management tool.
8.4. A separate Cookie Policy must be published, describing specific cookies (name, provider, purpose, duration) and easily accessible.
9.1. The Controller applies adequate technical and organizational measures (encryption, firewalls, updates, access control, backups).
9.2. In case of an incident (data breach, unauthorized access), an internal procedure is activated: notifying responsible persons, limiting damage, forensic analysis, and notifying authorities and affected individuals where necessary.
9.3. Users are responsible for protecting their login credentials and must notify the Controller in case of misuse.
10.1. The content of the website is for informational purposes. The Controller strives for accuracy but does not guarantee completeness, timeliness, or suitability for a specific purpose.
10.1. The Controller is not liable for direct, indirect, incidental, special, or consequential damages, loss of profits, or revenue arising from the use of the website or services.
The maximum liability of the Controller is limited to the amount paid by the specific client in the last 12 months prior to the claim, unless otherwise required by law. This does not limit liability for intentional misconduct, gross negligence, or non-excludable consumer rights.
The user is responsible for providing accurate information and meeting technical requirements for online sessions.
12.1. All conversations and data collected during therapeutic sessions are treated as confidential and subject to professional secrecy under applicable ethical rules and law.
12.2. Exceptions include: risk to life or health, court order, legal reporting obligations (e.g. child abuse), or explicit written consent of the client.
12.3. Notes and medical records may be shared with other professionals only with written consent or legal requirement.
12.1. Services are primarily intended for adults (18+). Work with minors requires written parental/guardian consent and approval as required by professional rules.
12.2. The Controller may refuse services if unable to provide adequate support (e.g. cases requiring urgent psychiatric or medical intervention) and will refer to appropriate specialists.
12.3. In emergencies, the Controller does not provide emergency services via the website — in life-threatening situations, contact emergency services immediately.
14.1. The website may contain links to external resources. The Controller is not responsible for third-party content or practices.
14.2. When using third-party services (payment providers, video conferencing platforms), data processing may be subject to their policies.
15.1. The Controller may temporarily suspend services (maintenance, updates, force majeure) with prior notice where possible.
15.2. In case of violations, the Controller may suspend or terminate access, notifying the user accordingly.
16.1. The Controller reserves the right to change these Terms. Changes will be published with an effective date.
16.2. Continued use of the website constitutes acceptance of changes. Significant changes may be communicated via email if contact is available.
17.1. These Terms are governed by the laws of the Republic of Bulgaria and the European Union.
17.2. Disputes will first be resolved through negotiation; if unsuccessful, they fall under the competent Bulgarian courts.
17.3. Users may lodge complaints with the Commission for Personal Data Protection (CPDP), Bulgaria:
ul. “Prof. Al. Tsvetkov” No. 5, Sofia 1592, www.cpdp.bg
17.4. For online dispute resolution in the EU, users may use the European Commission ODR platform:
https://ec.europa.eu/consumers/odr/.
For any questions, data requests, complaints, or legal matters:
Email: karina@karina-psychology.com
Phone: +359 897 840 445
Requests for exercising rights must be submitted in writing with identification. The Controller may request additional information to verify identity.
