1. Who We Are
Atlantic Club of Bulgaria (Non-profit Association) (“we”, “us”, “our”) is the data controller for the Hello Space festival website at https://www.hello-space.eu. We are registered in Bulgaria (UIC: 000681189) with registered address: 111 Bulgaria Blvd., Entrance A, Floor 5, Ap. 14, Manastirski Livadi Quarter, Triaditza District, Sofia 1404, Bulgaria.
This Privacy Policy explains what personal data we collect through the website, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) 2016/679 and the Bulgarian Personal Data Protection Act (PDPA).
2. Data We Collect
2.1 Free Ticket Registration (WP Plugin)
When you register for a free festival ticket via our website plugin, we collect:
- Full name
- Email address
- Phone number
This data is processed by the WordPress ticketing plugin installed on our server. No payment information is collected — attendance is free.
2.2 Newsletter / Mailing List Sign-up
Our newsletter sign-up form is operated by a third-party email marketing provider. When you subscribe we collect:
- Email address (and optionally your name, if provided)
This data is transmitted to and stored by our third-party newsletter provider. You may unsubscribe at any time using the link in any newsletter email.
2.3 Competition Submissions
For drawing and STEM competitions, artwork files and the following data are submitted by email (hello_space@abv.bg):
- Participant first name, surname, school name, grade/age group
- Parent or guardian email address (for participants under 16)
- Artwork image file (JPG/PNG/GIF, max 5 MB)
2.4 Technical & Analytics Data
When you browse the site, data is automatically collected via tracking scripts (see Cookie Policy for full details):
- Google Analytics 4 (GA4): anonymised page views, session duration, device type, browser
- Google Tag Manager: manages loading of tracking scripts
- Meta (Facebook) Pixel: page view events, for audience measurement and ad performance
- Google Ads / Remarketing tag: records ad interactions to measure conversion
- YouTube embeds: when you play embedded video, Google may set cookies
- IP address (partially anonymised via GA4 IP masking)
3. Legal Basis for Processing
|
Consent — Art. 6(1)(a) |
Newsletter sign-up; analytics & advertising cookies (GA4, Meta Pixel, Google Ads); photo/video publication of minors. |
|
Contract — Art. 6(1)(b) |
Ticket registration: processing your booking and sending confirmation. |
|
Legitimate Interests — 6(1)(f) |
Website security, fraud prevention, aggregated analytics to improve the festival. |
|
Legal Obligation — 6(1)(c) |
Compliance with Bulgarian accounting, tax, and reporting obligations where applicable. |
For participants under 16: processing is based on parental/guardian consent under GDPR Article 8(1) and the Bulgarian PDPA.
4. How We Use Your Data
- Processing and confirming free ticket reservations
- Sending festival news, programme updates, and announcements via newsletter (subscribers only)
- Judging competitions and notifying winners
- Publishing winner names on the website and social media (with consent)
- Measuring website performance and advertising effectiveness
- Complying with legal obligations
We do NOT sell your data, use it for automated profiling, or share it with advertisers for direct targeting beyond the Meta Pixel and Google Ads measurement functions described above.
5. Data Sharing & Third-Party Processors
|
Ticket Plugin |
WordPress plugin installed on our hosting server — stores ticket registration data (name, email, phone). Hosted in Bulgaria. |
|
Newsletter Provider |
Mailjet — stores subscriber email addresses outside the EU. Standard Contractual Clauses (SCCs) are in place. |
|
Google (GA4 / GTM / Ads / YouTube) |
Analytics, tag management, ad measurement, and video embeds. Google LLC, USA. SCCs in place. See: policies.google.com/privacy |
|
Meta Platforms |
Facebook / Instagram Pixel — audience and ad performance measurement. Meta Platforms Ireland Ltd. See: facebook.com/privacy/policy |
|
Co-organiser |
STEAM and Space Cluster Bulgaria — may access aggregated participant statistics for event planning. No personal data shared without a data sharing agreement. |
6. International Data Transfers
Google and Meta services involve transfers of data to the USA and other countries outside the EEA. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Chapter V. Newsletter data may also be transferred outside the EEA; applicable SCCs are in place with the provider.
7. Retention Periods
|
Ticket registration data |
12 months after the festival date, then deleted. |
|
Newsletter subscriber data |
Until you unsubscribe, then deleted within 30 days. |
|
Competition submissions |
24 months; up to 5 years with explicit consent for archiving/promotion. |
|
Email correspondence |
24 months from last contact. |
|
GA4 analytics data |
14 months (default retention), then auto-deleted by Google. |
|
Meta Pixel / Google Ads data |
Per Meta and Google’s own retention policies (typically 180 days for standard events). |
8. Your Rights
- Right of Access (Art. 15): Request a copy of your personal data.
- Right to Rectification (Art. 16): Correct inaccurate data.
- Right to Erasure (Art. 17): Request deletion of your data.
- Right to Restriction (Art. 18): Limit how we process your data.
- Right to Data Portability (Art. 20): Receive your data in machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent: At any time, without affecting prior lawful processing.
Submit requests to: info@hello-space.eu. We respond within 30 days.
You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP): www.cpdp.bg | kzld@cpdp.bg | +359 2 915 3523.
9. Security
- SSL/TLS encryption on all data in transit
- Access controls limiting data access to authorised staff
- Regular security reviews of plugins and hosting environment
- Data processors required to maintain equivalent security standards
In the event of a personal data breach likely to result in risk to your rights, we will notify the CPDP within 72 hours and affected individuals without undue delay.
10. Changes to This Policy
We may update this policy periodically. The current version is always available at https://www.hello-space.eu. Material changes will be announced on the homepage at least 14 days before they take effect.