Privacy Policy and Personal Data Processing

🔒 GDPR 🌎 EU

This Privacy Policy is drafted in accordance with EU Regulation 2016/679 (GDPR) and the legislation of the Republic of Bulgaria on personal data protection. We process your data responsibly, transparently, and lawfully.


1. General Provisions

1.1. This Privacy Policy (hereinafter - "Policy") defines the procedure for collecting, storing, using, and protecting the personal data of users (hereinafter - "User", "You") of the website nexthomeglobal.com (hereinafter - "Site"), operated by Next Home Global EOOD (hereinafter - "Operator", "We", "Company").

1.2. The Operator acts in accordance with Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation, GDPR), the Law of the Republic of Bulgaria on the Protection of Personal Data, and other applicable regulatory acts of the European Union and the Republic of Bulgaria.

1.3. Use of the Site constitutes unconditional acceptance by the User of this Policy and the terms of personal data processing. In case of disagreement, the User must cease using the Site.

1.4. This Policy applies exclusively to the Site. The Operator does not control and is not responsible for third-party websites that the User may access via links on the Site.


2. Data Controller Information

 Company Name
Next Home Global EOOD
 Address
Republic of Bulgaria, Bansko
 Phone
+359 889 577 225
 Website
https://nexthomeglobal.com
 Jurisdiction
Republic of Bulgaria (EU Member)

For all matters related to the processing of personal data, you may contact us using the details above.


3. What Personal Data We Collect

We collect and process the following categories of personal data:

 Identification Data
First name, last name, contact phone number, email address
 Preferences
Preferred city, property type, budget
 Communications
Content of messages, requests, correspondence via forms and messengers
 Technical Data
IP address, browser type, cookies, device data (see Section 8)
 Transactional
Payment information (via secure payment gateways)

We do not collect: special categories of data (race, ethnic origin, political opinions, religion, health status, biometric data), except where expressly required by law.

 4. Legal Basis for Processing (Art. 6 GDPR)

In accordance with the GDPR, we process personal data on the following legal bases:

 Consent (Art. 6(1)(a) GDPR)
Submitting feedback forms, newsletter subscription, use of cookies (except necessary)
 Contract Performance (Art. 6(1)(b) GDPR)
Consultations, property reservations, document preparation
 Legal Obligation (Art. 6(1)(c) GDPR)
Tax reporting, accounting, court decisions
 Legitimate Interests (Art. 6(1)(f) GDPR)
Security, fraud prevention, site usage analysis

5.1. Data is collected on a purely voluntary basis - the User provides it by filling out feedback forms, sending messages via messengers (WhatsApp, Telegram, Viber), or by phone call.


6. Purposes of Personal Data Processing

Consultations- providing information about properties
Viewing arrangements- booking property viewings
Transaction processing- preparing contracts and legal documents
Communication- responding to requests, status notifications
Newsletter- news, catalogue updates (only with consent)
Security- fraud prevention and safety assurance
Analytics- improving site performance and user experience
Obligations- compliance with EU and Bulgarian law

 7. Data Retention Periods and Deletion

7.1. Personal data is stored for the period necessary to achieve the purposes of processing, or until the User withdraws consent:

 Form Submissions
Up to 2 years from the last contact, or until consent is withdrawn
 Contractual Data
Up to 10 years (in accordance with Bulgarian tax law)
 Newsletter
Until the User unsubscribes
 Cookies
From session to 13 months (in accordance with ePrivacy)

7.2. Upon expiry of the retention periods, data is automatically deleted or fully anonymised. The User has the right to request early deletion of their data at any time (right to be forgotten, Art. 17 GDPR).


8. Use of Cookies and Similar Technologies

8.1. The Site uses cookies - small text files placed on the User's device to improve site performance.

8.2. Types of cookies we use:

 Necessary (Strictly Required)
Ensure correct site operation. Do not require consent (Art. 5(3) ePrivacy). Duration: session.
 Analytics
Google Analytics - anonymous visit statistics. Require consent. Duration: up to 13 months.
 Marketing
Facebook Pixel, Google Ads - personalised advertising. Require consent. Duration: up to 13 months.
 Functional
Language, currency, filter settings. Require consent. Duration: up to 12 months.

8.3. Upon first visit to the Site, the User is shown a cookie consent banner with the ability to select categories. Necessary cookies are activated automatically, others — only after consent.

8.4. The User can change cookie settings at any time via the control panel on the Site or in the browser settings.


9. Your Rights Under the GDPR (Arts. 15-22)

As a data subject, you have the following rights:

Right of access (Art. 15)- request a copy of your data we process
Right to rectification (Art. 16)- request correction of inaccurate or incomplete data
Right to erasure - "right to be forgotten" (Art. 17)- request deletion of data
Right to restriction of processing (Art. 18)- temporarily suspend processing
Right to data portability (Art. 20)- receive data in a structured format
Right to object (Art. 21)- object to processing based on legitimate interests
Right to withdraw consent (Art. 7(3))- at any time without consequences
Right to lodge a complaint (Art. 77)- contact the supervisory authority (CPDP Bulgaria)

9.1. To exercise any of the above rights, please contact us at [email protected] or by phone at +359 889 577 225. We will respond within 30 calendar days of receiving the request.

9.2. If you believe that the processing of your data violates the GDPR, you have the right to lodge a complaint with the Commission for Personal Data Protection of the Republic of Bulgaria (CPDP): www.cpdp.bg, Sofia, 2 Prof. Tsvetan Lazarov Blvd.


10. Disclosure of Personal Data to Third Parties

10.1. We do not sell and do not transfer your personal data to third parties for marketing purposes without your explicit consent.

10.2. Data may be disclosed to the following categories of recipients only to the extent necessary to fulfil the processing purposes:

 Notaries and Lawyers
For real estate transaction processing
 Banks and Payment Gateways
For payment processing
 IT Providers
Hosting, CRM, analytics (Google, Meta) — under Data Processing Agreements (DPA)
 Government Bodies
Upon lawful request from courts or regulators

10.3. All data recipients are bound by confidentiality and must ensure a level of protection corresponding to GDPR requirements. When transferring data outside the EEA, we use EU Standard Contractual Clauses (SCC) or transfer data to countries with an adequate level of protection.


11. Personal Data Security Measures

We apply a comprehensive set of organisational and technical measures to protect your data:

SSL/TLS encryption- all data transmitted via secure HTTPS protocol
Database encryption- data stored in encrypted form
Access restriction- data accessible only to authorised personnel
Regular audits- system security checks
Staff training- employees undergo data protection training
DPAs with providers- data processing agreements with all contractors
Breach notification- in case of incident, we notify you and the regulator within 72 hours


12. International Data Transfers

12.1. The majority of data is processed within the European Economic Area (EEA) - servers are located in Bulgaria (EU Member).

12.2. Some services (Google Analytics, Facebook, Telegram, WhatsApp) may process data on servers in the USA. In such cases, we ensure data protection through:

 EU Standard Contractual Clauses (SCC)
Contracts concluded with Google, Meta, and other providers
 EC Adequacy Decision
Transfer to countries recognised by the EU Commission as having an adequate level of protection
 User Consent
Explicit consent to transfer data to specific providers


13. Automated Decision-Making and Profiling

13.1. We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR).

13.2. We may use automated tools to analyse site behaviour (Google Analytics), but this data is anonymised and not used for individual service provision decisions.


14. Data Concerning Minors

The Site and services are intended for persons aged 18 and over. We do not knowingly collect or process personal data of minors. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us — we will promptly delete such data.


15. Changes to the Privacy Policy

15.1. We reserve the right to update this Policy in connection with changes in legislation or data processing practices. The updated version takes effect from the moment it is posted on the Site.

15.2. We notify Users of significant changes by posting a prominent notice on the Site or sending an email (to newsletter subscribers).

15.3. Last updated: 18 June 2026.


16. Contact Information and Exercise of Rights

To exercise your rights, ask questions, or file complaints:

 Phone
+359 889 577 225
 WhatsApp
+359 889 577 225
 Commission for Personal Data Protection (CPDP)
Sofia, 2 Prof. Tsvetan Lazarov Blvd., www.cpdp.bg

Request processing time - up to 30 calendar days. In complex cases, the period may be extended by a further 2 months with notification to the User.