Privacy Policy

Version 1.0 · Effective: May 2026 · legas.ai/privacy-policy
"Zika Group" Ltd · UIC 200383579 · VAT BG200383579 · Plovdiv, Bulgaria

I. Information about the Personal Data Controller

"Zika Group" Ltd is the data controller for all personal data collected through the Legas.ai platform. The company is registered in Bulgaria and operates the platform in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and the Bulgarian Personal Data Protection Act.

Company: "Zika Group" Ltd
UIC: 200383579
VAT: BG200383579
Registered address: Plovdiv, Bulgaria
Platform: legas.ai
Contact email: contact@legas.ai

No Data Protection Officer has been formally appointed. All data protection enquiries, requests, and complaints should be directed to contact@legas.ai. This contact point is monitored and responses are issued within the timeframes prescribed by applicable law.

II. Information about the Competent Supervisory Authority

The competent supervisory authority for data protection matters in Bulgaria is the Commission for Personal Data Protection (CPDP). Any data subject who considers that their personal data has been processed unlawfully by "Zika Group" Ltd may lodge a complaint with the CPDP directly, without being required to contact the Controller first.

Name: Commission for Personal Data Protection (CPDP)
Headquarters: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Correspondence address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Telephone: +359 2 915 3519
Email: kzld@cpdp.bg
Website: www.cpdp.bg

Data subjects also have the right to lodge a complaint with the supervisory authority of any EU member state in which they habitually reside or work, or in which the alleged infringement occurred. Complaints may be filed online through the CPDP website or by post to the address above.

III. Purpose and Scope of This Policy

This Privacy Policy explains what personal data "Zika Group" Ltd collects through the Legas.ai platform, why it is collected, how long it is kept, who it is shared with, and what rights data subjects have over it.

This Policy applies to all persons who visit legas.ai, create an account, use the document generation service, or otherwise interact with the platform. It covers data collected directly from users and data collected automatically through the platform's technical infrastructure.

This Policy does not apply to the content of GDPR documents generated by users for their own businesses. When a user generates a Privacy Policy or Employee Privacy Notice for their company, they are the data controller for that document and its underlying data. "Zika Group" Ltd processes that data only as a processor, on the user's behalf, for the purpose of generating the requested document.

This Policy is updated when the platform's data processing activities change or when applicable law requires an update. The version number and effective date at the top of this document indicate the current version.

IV. Categories of Personal Data, Purposes, and Legal Grounds for Processing

IV.I Account Registration and Authentication
When a user creates an account on Legas.ai, the following data is collected:
  • Full name
  • Email address
  • Password, stored in hashed and encrypted form via Supabase authentication infrastructure. The plaintext password is never accessible to "Zika Group" Ltd.

This data is necessary to create and manage the user account, to authenticate the user on each login, and to send service-related communications. Without this data, an account cannot be created.

Legal basis: Article 6, paragraph 1, letter (b) of Regulation (EU) 2016/679. Processing is necessary for the performance of the contract between the user and "Zika Group" Ltd.

IV.II Business Profile and Intake Questionnaire
When a user fills in the intake questionnaire to generate a GDPR document, the platform collects business information entered by the user. This information is not personal data about the user in most cases, but may include data that relates to identified individuals where, for example, a DPO email address or company representative email is provided.

Data collected through the intake questionnaire includes:
  • Company name and company registration number
  • Registered business address
  • Website URL
  • Data protection contact email address
  • DPO email address, where applicable
  • Industry sector and number of employees
  • Country of registration
  • Description of the company's data processing activities, third-party tools, legal bases, and data categories

This data is used exclusively to generate the requested GDPR document. It is stored in the user's account so that future documents can be pre-filled with the same business profile, reducing the time required to complete the questionnaire.

Legal basis: Article 6, paragraph 1, letter (b) of Regulation (EU) 2016/679. Processing is necessary for the performance of the contract.

IV.III Payment and Billing Data
All payments on Legas.ai are processed by Stripe, Inc., a payment processor incorporated in the United States. When a user makes a purchase, the following data is involved:
  • Payment card details — collected and processed by Stripe directly. "Zika Group" Ltd never sees, stores, or has access to card numbers, CVV codes, or expiry dates.
  • Billing name and address — collected by Stripe at checkout.
  • VAT identification number — collected where the user provides one for the purpose of applying the correct VAT treatment (reverse charge for EU B2B transactions).
  • Transaction amount, currency, and date.
  • Purchase history — stored in the Legas.ai database to determine which documents and plan the user has access to.

VAT identification numbers provided by EU business customers are verified against the EU VIES system at the time of purchase. The result of that verification is stored as part of the transaction record.

Invoices are generated automatically by Stripe and made available in the user's account dashboard. Invoice data is retained for 10 years in accordance with the Bulgarian Accountancy Act (ЗСч) and the Bulgarian Value Added Tax Act (ЗДДС).

Legal basis: Article 6, paragraph 1, letter (b) of Regulation (EU) 2016/679 for payment processing; Article 6, paragraph 1, letter (c) for tax and accounting record retention, pursuant to the Accountancy Act (ЗСч) and the Value Added Tax Act (ЗДДС).

IV.IV Service and Onboarding Emails
Users receive a series of service-related emails via Brevo (Sendinblue SAS, France) in the period following account creation. These are not marketing newsletters and do not require a separate opt-in. They are communications directly related to the service the user has registered for.

The email sequence is:
  • Day 1: A welcome email explaining how to generate the free GDPR & Cybersecurity Recommendations Report.
  • Day 3: A reminder to generate the free report if the user has not yet done so.
  • Day 7: Information about the compliance risks associated with missing GDPR documentation and the documents available on the platform.

In addition, users receive an annual document expiry reminder, sent 12 months after each document is generated. This reminder informs the user that their document may need to be reviewed and updated.

Users may unsubscribe from these emails at any time by clicking the unsubscribe link in any email. Unsubscribing does not affect access to the platform or the user's documents.

Legal basis: Article 6, paragraph 1, letter (b) of Regulation (EU) 2016/679 for the onboarding sequence; Article 6, paragraph 1, letter (f) for the annual expiry reminders. The legitimate interest is to ensure users are informed when their compliance documents may have become outdated.

IV.V Website Analytics
Legas.ai uses two analytics tools, which operate differently and have different implications for data privacy.

Plausible Analytics is a cookieless analytics tool. It collects only aggregated, anonymous traffic statistics: page views, approximate geographic region (country level), browser type, and referral source. No personal data is collected. No cookies are set. No consent is required under the ePrivacy Directive or GDPR. Data is processed by Plausible Analytics UAB, Lithuania, within the European Union.

PostHog is a product analytics tool that collects more detailed data about how users interact with the platform: which pages they visit, which features they use, how long they spend on each step, and session recordings. PostHog sets analytical cookies and processes data that can be linked to an individual user session. Consent is required before PostHog is activated, and it is requested through the cookie consent banner on first visit. PostHog Inc. is incorporated in the United States; data transfer is covered by Standard Contractual Clauses.

Legal basis for Plausible: no personal data processed; no legal basis required.
Legal basis for PostHog: Article 6, paragraph 1, letter (a) of Regulation (EU) 2016/679. Consent may be withdrawn at any time by adjusting cookie preferences.

IV.VI AI Document Generation via Anthropic API
When a user clicks "Generate document", the completed intake questionnaire answers are transmitted to the Anthropic PBC Claude API, hosted in the United States, for the purpose of generating the document. This is the only point at which user-provided business data leaves the Legas.ai infrastructure.

Anthropic PBC processes this data as a data processor under a Data Processing Agreement with "Zika Group" Ltd. Anthropic does not use data submitted via the API to train its AI models, and does not retain the data beyond the duration of the API request. A Data Processing Agreement and Standard Contractual Clauses are in place to govern this transfer under Article 46 of Regulation (EU) 2016/679.

The generated document is returned from the API, saved to the Legas.ai Supabase database, and made available in the user's account. The intake questionnaire answers that produced the document are saved alongside it so that the user can regenerate or update the document using pre-filled fields.

Legal basis: Article 6, paragraph 1, letter (b) of Regulation (EU) 2016/679. Processing is necessary for the performance of the contract.

IV.VII Automated Decision-Making and Profiling
"Zika Group" Ltd does not apply automated decision-making with legal or similarly significant effects on data subjects within the meaning of Article 22 of Regulation (EU) 2016/679. The AI system generates document text based on user-provided input. It does not evaluate, score, classify, or make decisions about individual users. No profiling is carried out.

IV.VIII Special Category Data
"Zika Group" Ltd does not collect or process special category data as defined in Article 9 of Regulation (EU) 2016/679 through the platform registration process or intake questionnaire. Users who include references to health data, biometric data, or other special category data in their questionnaire answers do so for the purpose of generating their own GDPR documents. In that context, "Zika Group" Ltd processes that data as a processor on the user's behalf, not as an independent controller.

IV.IX Age Restriction
Legas.ai is not directed at persons under 18 years of age. "Zika Group" Ltd does not knowingly collect personal data from minors. Users must confirm at account creation that they are at least 18 years of age. If "Zika Group" Ltd becomes aware that a minor has created an account, that account will be closed and associated data deleted.

V. Categories of Recipients of Personal Data

V.I Recipients with a Legal Basis for Access
Personal data may be disclosed to the following authorities or bodies where required by law:
  • National Revenue Agency of Bulgaria (НАП) — for VAT reporting, tax compliance, and related statutory obligations.
  • Commission for Personal Data Protection (CPDP) — in the context of supervisory investigations or upon formal request.
  • Bulgarian courts — in the context of legal proceedings to which "Zika Group" Ltd is a party.
  • Other competent state or regulatory authorities — where disclosure is required by applicable Bulgarian or EU law.

"Zika Group" Ltd does not volunteer personal data to any of these bodies beyond what is legally required.

V.II Processors (Contractual Recipients)
Personal data is shared with the following processors under Data Processing Agreements:
  • Supabase Inc. (USA) — database hosting, user authentication, and document storage. Data is stored in the EU region. Standard Contractual Clauses apply for international transfer.
  • Vercel Inc. (USA) — platform hosting, deployment, and edge network delivery. Standard Contractual Clauses apply.
  • Anthropic PBC (USA) — AI document generation via the Claude API. Data is not retained beyond the API request. Standard Contractual Clauses apply.
  • Brevo / Sendinblue SAS (France) — transactional email delivery. Data processed within the European Union. No international transfer.
  • Stripe, Inc. (USA) — payment processing, subscription management, VAT calculation, and invoice generation. PCI-DSS compliant. Standard Contractual Clauses apply.
  • PostHog, Inc. (USA) — product analytics. Only activated after user consent. Standard Contractual Clauses apply.
  • Plausible Analytics UAB (Lithuania) — cookieless traffic analytics. No personal data processed. No DPA required.

Each processor is bound by a Data Processing Agreement that restricts the use of personal data to the specific purposes described above.

V.III Internal Access
Within "Zika Group" Ltd, access to personal data is restricted to those who need it to perform their specific duties. No personal data is shared with other employees or contractors beyond what is necessary. Access is revoked immediately when an employment or contractual relationship ends.

VI. Technical and Organisational Security Measures

The following measures are in place to protect personal data against unauthorised access, loss, alteration, or disclosure:
  • All data transmitted between users and the platform is encrypted using HTTPS with TLS 1.2 or higher.
  • User passwords are hashed using industry-standard algorithms by Supabase. Plaintext passwords are never stored or accessible.
  • Database access is controlled by Row Level Security (RLS) policies in Supabase, which prevent any user from accessing another user's data.
  • API keys and secrets are stored as encrypted environment variables on Vercel. They are not embedded in source code.
  • Sensitive environment variables are stored in Sensitive mode on Vercel, preventing them from being viewed even by account members.
  • Payment card data is not stored by "Zika Group" Ltd. Stripe is PCI-DSS Level 1 certified.
  • Access to production systems is limited to authorised personnel only.
  • User data in Supabase is stored in the EU region to minimise the scope of international data transfers.
  • All processors are selected on the basis of their security standards and are bound by Data Processing Agreements.
  • In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the CPDP will be notified within 72 hours of the Controller becoming aware of the breach, pursuant to Article 33 of Regulation (EU) 2016/679. Where the breach is likely to result in a high risk, affected data subjects will be notified without undue delay pursuant to Article 34.

VII. International Transfers of Personal Data

Several processors used by "Zika Group" Ltd are incorporated in the United States of America: Supabase Inc., Vercel Inc., Anthropic PBC, Stripe Inc., and PostHog Inc. Personal data may be transferred to these processors and is covered by Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, in accordance with Article 46 of Regulation (EU) 2016/679.

Brevo / Sendinblue SAS is incorporated in France and processes data within the European Union. No international transfer occurs for email delivery.

Plausible Analytics UAB is incorporated in Lithuania and processes data within the European Union. No international transfer occurs for analytics.

Where processors offer EU-region storage options, "Zika Group" Ltd selects EU-region configuration. Supabase database storage is configured for the EU region.

Data subjects may request information about the specific safeguards in place for international transfers by contacting contact@legas.ai.

VIII. Data Retention

VIII.I Statutory Retention Periods
The following data is retained for periods prescribed by Bulgarian law:
  • Accounting records and financial documents, including invoices: 10 years from the end of the financial year to which they relate, pursuant to Article 12(1) of the Bulgarian Accountancy Act (ЗСч).
  • VAT records and documentation: 10 years, pursuant to Article 102(3) of the Bulgarian Value Added Tax Act (ЗДДС).
  • Records of contracts and related correspondence that may be relevant to legal claims: up to 5 years from the expiry of the relevant limitation period under the Bulgarian Obligations and Contracts Act (ЗЗД).

VIII.II Controller-Determined Retention Periods
The following retention periods are set by "Zika Group" Ltd on the basis of operational necessity:
  • User account data (name, email): retained for the duration of the account. Where a user deletes their account, account data is deleted within 30 days, subject to any outstanding statutory retention obligations.
  • Generated documents and intake questionnaire answers: retained for the duration of the account. Users may delete individual documents from the dashboard at any time.
  • Email communication logs: 12 months.
  • PostHog analytics data: 12 months, configured within the PostHog account settings.
  • Payment records and purchase history (excluding card data, which is not stored): 10 years, in line with the statutory accounting retention period.
  • Withdrawal waiver consent records: 5 years from the date of the relevant purchase, in case of legal dispute.

Data will not be deleted where it is required for ongoing judicial, administrative, or regulatory proceedings, regardless of the retention period above.

IX. Data Subject Rights

The following rights are available to data subjects under Regulation (EU) 2016/679. Each right is subject to conditions and exceptions set out in the Regulation and in applicable national law.
  • Right to information and access (Article 15): to obtain confirmation of whether personal data is being processed and, where it is, to receive a copy of that data together with information about the purposes, legal bases, recipients, retention periods, and other processing details.
  • Right to rectification (Article 16): to have inaccurate personal data corrected and incomplete data completed, without undue delay. Where data has been shared with third parties, "Zika Group" Ltd will notify those recipients of the correction unless doing so is impossible or involves disproportionate effort.
  • Right to erasure (Article 17): to request deletion of personal data where the data is no longer necessary for the purpose for which it was collected, where consent has been withdrawn and no other legal basis applies, or where processing is unlawful. This right does not apply where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for exercising the right of freedom of expression.
  • Right to restriction of processing (Article 18): to request that processing be suspended where the accuracy of data is contested, where processing is unlawful but erasure is opposed, where data is no longer needed by the Controller but is required by the data subject for legal claims, or where an objection has been submitted and its outcome is pending.
  • Right to data portability (Article 20): to receive personal data in a structured, commonly used, machine-readable format, and to have that data transmitted directly to another controller where technically feasible. This right applies only where processing is based on consent or contract and is carried out by automated means.
  • Right to object (Article 21): to object to processing based on legitimate interests. Where the objection is justified and the Controller cannot demonstrate compelling legitimate grounds that override the interests of the data subject, processing must cease.
  • Right to withdraw consent (Article 7(3)): where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
  • Right to lodge a complaint: with the CPDP at the address set out in Section II, or with the supervisory authority of any EU member state in which the data subject habitually resides or works.
  • Right to obtain compensation (Article 82(1)): for material or non-material damage resulting from an infringement of Regulation (EU) 2016/679 by "Zika Group" Ltd or any processor acting on its behalf.

X. Exercising Your Rights

Requests to exercise any of the rights listed in Section IX may be submitted by email to contact@legas.ai. Requests should include sufficient information to identify the data subject and describe the right being exercised. Where identity cannot be verified from the information provided, the Controller may request additional verification before processing the request.

"Zika Group" Ltd will respond within one month of receiving a valid request. Where a request is complex or where a large number of requests have been received, the response period may be extended by a further 30 days. In that case, the data subject will be notified of the extension and the reasons for it within the first month.

The first response is free of charge. Where requests are manifestly unfounded or excessive, defined as more than 2 requests of the same substance within any 12-month period, "Zika Group" Ltd may charge a reasonable fee based on administrative costs or refuse to act on the request. The data subject will be notified of any such decision and of their right to complain to the CPDP.

A register of all rights requests received and actions taken in response is maintained by "Zika Group" Ltd, pursuant to the accountability principle in Article 5(2) of Regulation (EU) 2016/679.

XI. Principles of Personal Data Processing

"Zika Group" Ltd processes personal data in accordance with the following principles, set out in Article 5 of Regulation (EU) 2016/679:
  • Lawfulness, fairness, and transparency: personal data is processed on a valid legal basis and users are informed of the processing through this Policy.
  • Purpose limitation: data is collected for the specific purposes described in Section IV and is not used for any other purpose without a separate legal basis.
  • Data minimisation: only the data necessary for the stated purpose is collected. The intake questionnaire requests only what is needed to generate the relevant document.
  • Accuracy: reasonable steps are taken to ensure that personal data is accurate. Users can update their profile data directly through the platform dashboard.
  • Storage limitation: data is not retained beyond the periods set out in Section VIII, subject to statutory obligations.
  • Integrity and confidentiality: the technical and organisational measures described in Section VI are applied to protect personal data against unauthorised access, loss, and destruction.

XII. Definitions

The following terms have the meanings given to them in Article 4 of Regulation (EU) 2016/679:
  • Personal data: any information relating to an identified or identifiable natural person.
  • Data subject: the natural person to whom personal data relates.
  • Processing: any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • Controller: the entity that determines the purposes and means of the processing of personal data. In relation to this Policy, the Controller is "Zika Group" Ltd.
  • Processor: an entity that processes personal data on behalf of the Controller under a contractual obligation.
  • Consent: a freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of their personal data. Consent may be withdrawn at any time.
  • Personal data breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  • Pseudonymisation: the processing of personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information kept separately.
  • Third country: a country that is not a member of the European Economic Area.
  • Supervisory authority: an independent public authority responsible for monitoring the application of data protection law. In Bulgaria, this is the CPDP.
  • Standard Contractual Clauses (SCCs): contractual clauses adopted by the European Commission providing appropriate safeguards for international data transfers under Article 46 of Regulation (EU) 2016/679.