Privacy Policy

Version No. 1/04.05.2026

OneCare is a service designed to make access to professional services at your location easier and more convenient.

General provisions and identification of the Administrator

Art. 1. (1) This Privacy Policy ("the Policy") describes how "DocNow Medical Services" EOOD, EIK 208622091, with registered office and management address: 1404 Sofia, Triaditsa district, 109 Bulgaria Blvd., fl. 2, office 2.5, email: office@onecare.bg, tel.: +359 889 999 955 (hereinafter referred to as the "Company", "we", "us" or "our"), collects, uses, stores, shares and protects the personal data of natural persons in connection with the OneCare internet platform ("the Platform"), available at www.onecare.bg.

(2) The Company is a controller of Personal Data within the meaning of Art. 4, point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR") for the Processing operations for which it independently determines the purposes and means of the Processing.

(3) For certain operations in which the Company processes Personal Data on behalf of and under the instructions of the respective Contractor (including, but not limited to, a medical establishment, a veterinary practice and others), the Company acts as a Processor of Personal Data within the meaning of Art. 28 GDPR. The allocation of roles is governed by a separate agreement between the Company and the Contractor.

(4) For all questions related to the Processing of Personal Data, you may contact us at email: office@onecare.bg.

(5) When Processing Personal Data, the Company complies with the following principles in accordance with Art. 5 of the GDPR:

1. lawfulness, fairness and transparency - data are processed lawfully, fairly and in a transparent manner in relation to the data subject;

2. purpose limitation - data are collected for specific, explicit and legitimate purposes and are not processed in a manner incompatible with those purposes;

3. data minimisation - only data that are adequate, relevant and limited to what is necessary for the purposes of Processing are processed;

4. accuracy - data are kept accurate and, where necessary, kept up to date;

5. storage limitation - data are kept in a form which permits identification of the data subject for no longer than is necessary for the purposes of Processing;

6. integrity and confidentiality - data are processed in a manner that ensures appropriate security;

7. accountability - the Company is responsible for and able to demonstrate compliance with these principles.

Art. 2. (1) This Policy applies to the following categories of persons:

1. Users - natural persons who register, browse or use the Platform;

2. Service recipients - persons for whom the User requests a service, including children, third parties, as well as animals in veterinary services;

3. Contractors - merchants, medical establishments, specialists and their employees or collaborators whose profiles are created on the Platform (if such profile functionality exists);

4. Visitors - persons who visit the Platform without registering;

5. Contact persons - persons who contact the Company via contact forms, email, telephone or another communication channel.

(2) This Policy applies together with the General Terms and Conditions for use of the OneCare Platform. In the event of a conflict on matters related to the protection of personal data, this Policy shall prevail.

(3) This Policy is available at www.onecare.bg and is provided to Users and Contractors upon registration on the Platform.

Definitions

Art. 3. For the purposes of this Policy:

1. „Personal Data“ means any information relating to an identified natural person or a natural person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. „Processing“ means any operation or set of operations performed on Personal Data or on sets of Personal Data, by automated or other means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. „Special categories of Personal Data“ means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

4. „Health Data“ means Personal Data related to the physical or mental health of a natural person, including the provision of health services, which reveal information about his or her health status.

5. „Controller“ means the Company when it independently determines the purposes and means of the Processing of Personal Data.

6. „Processor“ means the Company or another person that processes Personal Data on behalf of a controller.

7. All other definitions used but not expressly defined in this Policy have the meaning assigned to them in the OneCare Platform Terms of Use, in the GDPR, or in the Personal Data Protection Act („PDPA“).

Categories of personal data we collect

Art. 4. (1) Upon registration on the Platform, the Company collects the following Personal Data of the User:

1. full name;

2. email address;

3. phone number;

4. address;

5. date of birth;

6. personal identification number (EGN) or personal number of a foreigner (LNC), or date of birth for foreigners without EGN/LNC;

7. other data, at the Company's discretion.

(2) When requesting a service through the Platform, the Company may additionally collect:

1. address for performance of the service;

2. selected service category, specific service, date, time or time slot;

3. payment data and payment status, including transaction reference number, the last four digits and the type of card, where applicable. Full card details (card number, expiry date, security code) are entered directly into the secured environment of the payment processor and are not stored by the Company pursuant to para. 5 of this article;

4. notes, comments or additional information provided by the User;

5. information about health status, when the User voluntarily provides such information in connection with a medical service;

6. animal data for veterinary services, including species, sex, weight, age, breed, complaints and other relevant information.

(3) When the User requests a service for a third party - Recipient of the service, the data under paras. 1 and 2, insofar as necessary for the respective service, shall be provided by the User, who declares and warrants that they have obtained the consent of the third party for the Processing of their personal data in accordance with Art. 9 of the Terms and Conditions.

(4) The categories and scope of the Personal Data collected may be changed, expanded or reduced by the Company in view of the type of service, legal requirements, the technical capabilities of the Platform and the specific needs of the respective category of services, and the User will be informed of any material change.

(5) When providing online payment through the Platform, bank card data (card number, expiry date, security code) are entered by the User directly into the secured environment of the respective payment processor (payment service provider) and are not stored, recorded or processed by the Company. The Company receives from the payment processor only information about the result of the transaction (successful/unsuccessful), a reference number and, where applicable, the last four digits of the card and the type of card, insofar as this is necessary for payment identification, for the issuance of documents and for the Processing of any disputes, refunds or chargebacks. The processing of the full card data is carried out by the payment processor in compliance with the PCI DSS standard and its own terms and privacy policy.

(6) The Personal Data collected under this article may be processed in the Company's environment, in the environment of the technical providers under Art. 11, para. 1, item 2, or in combination, depending on the specific purpose of the Processing and the technical requirements of the Platform.

Art. 5. (1) Upon creation of a Contractor profile on the Platform, the Company collects:

1. name (company name), BULSTAT/Company ID, legal form;

2. registered office and management address;

3. details of the representative - names, personal number, position;

4. email, phone, correspondence address;

5. data on registrations, permits, licenses, competencies, qualifications and insurance;

6. banking and/or payment details for transfer of remuneration;

7. schedule, availability and scope of the offered services.

(2) For medical specialists, veterinarians and other employees or associates of the Contractor whose profiles are displayed on the Platform, the Company may process:

1. full names, professional title, specialty, position;

2. unique identification number (UIN) or other professional identifier;

3. professional photo, short biography, education and qualifications data;

4. schedule, locations and availability.

(3) The processing of data under para. 2 is carried out on the basis of the contractual relations between the Company and the Contractor, and where the Processing goes beyond the minimum necessary for identification - on the basis of a separate declaration-consent of the respective specialist or employee.

Art. 6. (1) Upon visiting and using the Platform, the following data are automatically collected:

1. IP address;

2. browser type and version, operating system;

3. date, time and duration of visits;

4. pages visited and actions performed on the Platform;

5. traffic source (referrer URL);

6. unique device identifiers (device IDs), where applicable;

7. cookie data and similar technologies in accordance with Section VIII of this Policy.

(2) In the future, as the Platform develops, it may additionally collect location data (with the User's explicit consent), notification delivery identifiers and other technical identifiers necessary for the functioning of mobile or other functionalities. If such collection is introduced, the User will be duly informed.

Art. 7. When you contact the Company by email, contact form, telephone or another communication channel, the Company processes the data you provide (names, contact details, content of the message and any other information you choose to provide) for the purposes of processing your inquiry and maintaining correspondence. Communication may also take place via instant messaging applications (including Viber, WhatsApp, Telegram, Signal and others), as well as via an embedded chat (chat widget) on the Platform. When the chat on the Platform is technically linked to an instant messaging application (e.g. WhatsApp), messages sent by the User via the chat are routed and processed through the infrastructure of the respective application provider, which the User is informed about through a visible notice in the chat interface.

Art. 8. (1) Where you have given separate, voluntary and explicit consent by signing a declaration-consent, the Company and/or the Contractor may take and use your photos, video and audio-visual materials for marketing, representative and informational purposes, described in detail in the respective declaration.

(2) The photographing and public use of photos and videos is not a condition for provision of the service and does not affect your right to receive the service without such photographing.

(3) Consent to photographing may be withdrawn at any time with effect for the future, in accordance with the procedure described in the relevant declaration and in Section X of this Policy.

Purposes and legal bases for Processing

Art. 9. (1) The Company processes Personal Data for the following purposes and on the following legal bases under the GDPR:

1. Registration and maintenance of a user profile - legal basis: Art. 6(1)(b) GDPR (performance of a contract);

2. Requesting, arranging, administering and performing a specific service - legal basis: Art. 6(1)(b) GDPR (performance of a contract);

3. Processing Personal Data in connection with medical and healthcare services, including data concerning health status - legal basis: Art. 9(2)(h) GDPR (provision of health care) in conjunction with Art. 6(1)(b) GDPR;

4. Processing payments, issuing fiscal, payment and accounting documents - legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR (legal obligation);

5. Providing mandatory pre-contractual information under the Consumer Protection Act - legal basis: Art. 6(1)(c) GDPR (legal obligation);

6. Performance of accounting, tax, insurance and other regulatory obligations - legal basis: Art. 6(1)(c) GDPR (legal obligation);

7. Sending marketing messages (newsletters, promotional emails, SMS, notifications and others) - legal basis: Art. 6(1)(a) GDPR (consent);

8. Analytics, statistics and improvement of the Platform and the user experience - legal basis: Art. 6(1)(f) GDPR (the Company’s legitimate interest in improving its services);

9. Security of the Platform, prevention of abuse, unauthorized access and fraud - legal basis: Art. 6(1)(f) GDPR (legitimate interest);

10. Establishment, exercise or defense of legal claims - legal basis: Art. 6(1)(f) GDPR (legitimate interest) and/or Art. 9(2)(e) GDPR for special categories;

11. Recording and public use of photos and videos for marketing, representative and informational purposes - legal basis: Art. 6(1)(a) GDPR (consent), and where the footage reveals health information - Art. 9(2)(a) GDPR (explicit consent);

12. Creation, maintenance and display of a profile of the Contractor and its specialists on the Platform - legal basis: Art. 6(1)(b) GDPR (performance of the contract between the Company and the Contractor), and for public display of photos and extended information - Art. 6(1)(a) GDPR (consent of the specialist);

13. Processing of complaints, reports, inquiries and communication - legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest);

14. Sending transactional and informational messages (including reminders for a booked appointment, notifications of changes in the service, request status and others), including by SMS, email, Viber, WhatsApp, Telegram, Signal or another instant messaging application - legal basis: Art. 6(1)(b) GDPR (performance of a contract).

(2) Where the Processing is based on your consent, you have the right at any time to withdraw your consent without affecting the lawfulness of the Processing carried out before the withdrawal. Withdrawal of consent is as easy as giving it.

(3) Where the Processing is based on the Company’s legitimate interest, you have the right to object to the Processing pursuant to Art. 21 GDPR, in accordance with Section X of this Policy.

Processing of Special Categories of Personal Data

Art. 10. (1) For certain types of services offered through the Platform (medical, veterinary, child care-related, and others), the Processing of Special Categories of Personal Data is possible, in particular data concerning health status.

(2) The Processing of Special Categories of Personal Data is carried out on one or more of the following legal bases:

1. Art. 9(2)(h) GDPR - when Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social systems and services;

2. Art. 9(2)(a) GDPR - explicit consent of the data subject, when the other legal bases are not applicable;

3. Art. 9(2)(f) GDPR - for the establishment, exercise or defense of legal claims.

(3) For non-medical services (cleaning, gardening, household services and similar), Special Categories of Personal Data are generally not processed. If, for a particular service, the Processing of such data becomes necessary, the User will be explicitly informed and consent will be requested when necessary.

(4) The Company processes data concerning health status under conditions of professional secrecy and in compliance with the technical and organizational protection measures provided for in this Policy and in the applicable legislation.

Recipients and sharing of Personal Data

Art. 11. (1) The Company may share your Personal Data with the following categories of recipients, to the extent necessary to achieve the purposes described in this Policy:

1. Service providers - healthcare facilities, medical professionals, veterinary practices, cleaning companies, childcare specialists, gardeners and other persons providing services through the Platform, insofar as sharing is necessary for requesting, arranging and performing the specific service;

2. Technical providers (data processors) - persons who provide the Company with technical, infrastructure, hosting, communication, application, payment, support and other services necessary for the operation of the Platform, including but not limited to:

a) platform infrastructure and application services provider (white-label) - this provider is granted access to Personal Data to the extent necessary for the technical operation of the Platform, including for routing requests, sending transactional and informational messages, maintaining communication between the User and the Service Provider, as well as for other technical and application functionalities. Depending on the specific functionality and the technical architecture of the Platform, certain categories of Personal Data (including, but not limited to, telephone numbers, email addresses and physical addresses) may be processed both in the Company's environment and in the white-label provider's environment, in whole or in part, with the Company determining the scope of sharing in accordance with the data minimization principle under Art. 5(1)(c) GDPR. The Company stores in its own environment, without providing them to the white-label provider, those categories of data which it has determined are not necessary for the technical operation of the Platform;

b) Amazon Web Services (AWS) - hosting and cloud infrastructure;

c) SendGrid - email delivery services;

d) other technical providers that may be added, replaced or removed by the Company;

e) Viber Media S.à r.l. (Rakuten Group) - messaging services via Viber;

f) WhatsApp Ireland Limited (Meta Platforms Group) - messaging services via WhatsApp and/or technical routing of messages from the embedded chat in the Platform;

g) Telegram Messenger Inc. - messaging services via Telegram; 

h) Signal Messenger LLC - messaging services via Signal.

3. Analytics and advertising providers - Google (Google Analytics), Meta Platforms (Facebook Pixel) and other similar providers used for analytics, measuring the effectiveness of advertising campaigns and improving the Platform, under the terms of Section VIII of this Policy;

4. Professional consultants - lawyers, accountants, auditors, tax consultants and other persons providing the Company with legal, accounting, tax or audit services;

5. Marketing partners - marketing agencies, designers, content specialists and other persons assisting the Company in carrying out advertising and marketing activities, insofar as this is necessary and where there is a corresponding legal basis;

6. Payment intermediaries and banks - banks, payment service providers, payment processors (including PayNovus, Stripe, PayPal or another provider specified on the Platform), POS terminal operators, card schemes (Visa, Mastercard, etc.) and other persons involved in payment processing, to whom transaction data and, where applicable, bank card data are transmitted directly by the User through the secure environment of the payment processor;

7. Government authorities and institutions - the Commission for Personal Data Protection (CPDP), the Commission for Consumer Protection (CCP), the National Revenue Agency (NRA), courts, the prosecutor's office, police and other competent authorities, when disclosure is required by law or by an act of a competent authority.

(2) The Company does not sell, rent or provide your Personal Data for a fee to third parties for their own marketing purposes.

Transfer of data outside the European Economic Area

Art. 12. (1) As a rule, personal data processed through the Platform are stored on servers located in the European Union („EU“) / European Economic Area („EEA“).

(2) Despite para. 1, in certain circumstances limited transfer of Personal Data outside the EEA may occur, including but not limited to:

1. when technical support is provided by infrastructure or application service providers whose personnel are outside the EEA, where access is necessary to resolve technical issues, for maintenance, or to ensure service continuity;

2. during backup, copy, and disaster recovery operations;

3. when using analytics and advertising providers (e.g., Google, Meta), whose servers may be outside the EEA;

4. when publishing content on social networks (Facebook, Instagram, TikTok, YouTube, LinkedIn, etc.), where applicable;

5. when sending messages via instant messaging applications (Viber, WhatsApp, Telegram, Signal, and others), whose infrastructure may include servers outside the EEA.

(3) Where transfer of data outside the EEA is necessary, the Company provides appropriate safeguards in accordance with the GDPR.

(4) The Company makes efforts to minimize the transfer of data outside the EEA and, where possible, to restrict access to Personal Data by personnel outside the EEA.

(5) You can obtain more information about the specific safeguards applied in the transfer of data outside the EEA by contacting us at office@onecare.bg.

Cookies and similar technologies

Art. 13. (1) The Platform uses cookies and similar tracking technologies. Detailed information about the types of cookies, the purposes of their use, the ways to manage your preferences, and your rights in connection with them is contained in a separate Cookie Policy, available at www.onecare.bg.

(2) The Cookie Policy is an integral part of this Privacy Policy.

Retention periods for personal data

Art. 14. (1) The Company retains personal data for a period no longer than necessary to achieve the purposes for which the data are processed, taking into account the applicable statutory retention periods.

(2) The main retention periods are as follows:

1. Data related to a user profile - for the duration of the profile’s existence and for up to 6 months after deletion of the profile, unless a longer period is necessary to comply with a legal obligation or to protect legal claims;

2. Data related to a specific request and provision of a service - for a period of 5 years from the date of performance or termination of the service agreement, in accordance with the general limitation period under the Obligations and Contracts Act;

3. Accounting and tax documents, including invoices and payment documents - for a period of 10 years, counted from 1 January of the year following the year to which they relate, in accordance with the Accountancy Act and the Tax and Social Security Procedure Code;

4. Medical documentation uploaded through the Platform by the Contractor - the Company retains such documentation in its capacity as a Data Processor on the instructions of the Contractor. The retention periods are determined by the Contractor in accordance with the applicable healthcare legislation;

5. Data for marketing communications - until consent is withdrawn or until unsubscribing from the relevant communication;

6. Cookie data - in accordance with the periods set in the settings of the respective cookie, but no more than 2 years;

7. Data from communications (forms, complaints, correspondence) - for a period of 5 years from the last communication, unless a longer period is necessary to protect legal claims;

8. Data of Contractors and their specialists - for the duration of the contractual relationship between the Company and the Contractor and for a period of 5 years after its termination;

9. Photos and video materials - until consent is withdrawn, except for materials that have already been lawfully published, indexed, archived, or stored outside the factual control of the Company.

(3) After the applicable retention period expires, the Company deletes or anonymizes the personal data unless their retention is necessary to comply with a legal obligation, to protect legal claims, or on another applicable legal basis.

(4) The specific retention periods may vary depending on the type of service, the applicable legislation, and the specific circumstances. Upon request, the Company provides information about the applicable retention period with respect to specific categories of data.

(5) The Company periodically reviews the need to retain the Personal Data and the adequacy of the established periods, taking into account regulatory changes, the purposes of the Processing, and the principle of data minimization.

Data subjects' rights

Art. 15. (1) Pursuant to the GDPR and applicable legislation, you have the following rights in relation to your Personal Data:

1. Right of access (Art. 15 GDPR) - to obtain confirmation whether the Company processes your Personal Data and, if so, to obtain access to them and to information about the Processing;

2. Right to rectification (Art. 16 GDPR) - to request rectification of inaccurate Personal Data or completion of incomplete data;

3. Right to erasure („right to be forgotten“) (Art. 17 GDPR) - to request erasure of your Personal Data where there are grounds provided for in the GDPR, except where Processing is necessary for compliance with a legal obligation, for the establishment, exercise or defense of legal claims, or on another basis provided for by law;

4. Right to restriction of Processing (Art. 18 GDPR) - to request restriction of the Processing in the cases provided for by the GDPR;

5. Right to data portability (Art. 20 GDPR) - to receive your Personal Data in a structured, commonly used and machine-readable format and to transfer them to another controller, where the Processing is based on consent or on a contract and is carried out by automated means;

6. Right to object (Art. 21 GDPR) - to object to the Processing of your Personal Data where the Processing is based on the Company's legitimate interest, including Processing for direct marketing purposes;

7. Right not to be subject to a decision based solely on automated Processing, including profiling (Art. 22 GDPR) - where applicable;

8. Right to withdraw consent - where the Processing is based on your consent, you have the right to withdraw it at any time, without affecting the lawfulness of the Processing carried out before the withdrawal.

(2) To exercise your rights under para. 1, you may send a request by email to: office@onecare.bg. The Company may request additional information to establish your identity before taking action on the request.

(3) The Company responds to requests under para. 1 within 1 month of receipt. This period may be extended by up to two additional months where necessary, taking into account the complexity and number of requests, of which the Company informs the data subject.

(4) The exercise of the rights under para. 1 is free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive nature, the Company may charge a reasonable fee or refuse to act on the request.

(5) Where personal data are processed by the Company in its capacity as processor acting on the instructions of the Contractor, the Company may forward the request to the relevant Contractor, who is the controller for those data.

Marketing communications

Art. 16. (1) The Company may send marketing messages to Users and Contractors who have given their explicit consent to this. Consent may be withdrawn at any time, without affecting the lawfulness of the Processing carried out before the withdrawal.

(2) Detailed information about the types of marketing communications, the channels, frequency, unsubscribe methods and your rights is contained in a separate Marketing Policy, available at www.onecare.bg.

(3) The Marketing Policy constitutes an integral part of this Privacy Policy.

(4) Messages related to a request, payment, change, cancellation, rescheduling, service status, appointment reminder, security, policy updates and other material elements of the legal relationship do not constitute marketing messages and do not require separate marketing consent. These messages may be sent by email, SMS, Viber, WhatsApp or through another communication channel specified by the User or used within the Platform.

Personal data security

Art. 17. (1) The Company applies appropriate technical and organizational measures to protect personal data against unauthorized or unlawful access, accidental loss, destruction, damage, alteration, or disclosure, including but not limited to:

1. encryption of data during transmission (SSL/TLS) and at rest (AES-256 or equivalent standard);

2. data backup;

3. monitoring, logging, and incident notification for security incidents;

4. periodic review and updating of security measures.

(2) The Company cannot guarantee the absolute security of the data, as no system for transmitting or storing data via the Internet is completely secure. Upon establishing a personal data security breach, the Company shall notify the competent supervisory authority and the affected data subjects in accordance with Art. 33 and Art. 34 of the GDPR, where applicable.

(3) Users and Contractors are obliged to keep their access data (username and password) confidential and to notify the Company immediately if they suspect unauthorized access to their profile.

(4) Where any Processing, in particular when using new technologies or when carrying out large-scale Processing of special categories of data, is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall carry out a prior data protection impact assessment (DPIA) pursuant to Art. 35 of the GDPR before commencing the Processing.

(5) The Company applies the principles of data protection by design and by default within the meaning of Art. 25 of the GDPR, integrating appropriate technical and organizational measures for the protection of Personal Data in the design and development of the Platform and ensuring, by default, the processing only of data necessary for each specific purpose.

(6) The Company maintains a record of processing activities under Art. 30 of the GDPR, which contains information on the purposes of the Processing, categories of data subjects and data, recipients, storage periods, and a description of the technical and organizational security measures.

(7) The Company ensures internal control over compliance with this Policy and the applicable personal data protection legislation, including through periodic internal audits, training of personnel with access to Personal Data, and maintaining documentation of the accountability activities carried out.

(8) The Company determines the scope of the Personal Data processed in its own environment and in the environment of the technical providers under Art. 11, para. 1, item 2. This allocation may be changed by the Company over time depending on the development of the Platform, the introduction of new functionalities, security requirements, and applicable legislation, without this constituting an amendment to this Policy.

Distribution of roles between the Company and the Contractor

Art. 18. (1) The Platform acts as an online marketplace and intermediary between the User and the Contractor. The allocation of roles regarding the Processing of Personal Data is as follows:

1. The Company is an independent controller for the registration and maintenance of user profiles, its own terms and policies, its own accounting, tax and legal services, the security and operation of the Platform, marketing communications, analytics, and any other operation where it independently determines the purposes and means of Processing;

2. The Contractor is an independent controller for the provision of the service itself, the medical or other professional assessment, the creation and storage of medical and other professional documentation, the performance of obligations to regulatory authorities, and any other operation where it independently determines the purposes and means;

3. The Company is a Processor of Personal Data on behalf of the Contractor for the technical receipt and routing of requests, hosting and storing documents, issuing invoices on behalf of the Contractor, processing payments on behalf of the Contractor, and other operations where the Company acts on the Contractor's instructions;

4. For certain operations where the Company and the Contractor jointly determine the purposes and essential means of the Processing (e.g., management of the request process, patient access to documents, integrated invoicing and payment process), they may act as joint controllers within the meaning of Art. 26 GDPR, with the internal allocation of responsibilities governed by a separate agreement.

(2) The specific allocation of roles between the Company and each individual Contractor shall be governed by a personal data protection agreement, which is an integral part of the contractual relationship between them.

(3) Regardless of the internal allocation of roles, the data subject may exercise their rights against either party, to the extent permitted by applicable law.

Protection of children's personal data

Art. 19. (1) The Platform is intended for legally capable natural persons. Minors cannot independently create user profiles and cannot independently request services through the Platform.

(2) When the User requests a service for their minor child, they provide data about the child in their capacity as parent or legal representative, act on the child's behalf, and are responsible for the lawfulness of the provision of the data.

(3) When providing a service to a minor requires Processing of Special Categories of Personal Data (e.g. health data), the Processing is carried out on the basis of Art. 9, para. 2, let. "h" GDPR and/or on the basis of consent of the parent/legal representative, where applicable.

(4) If the Company establishes that it has collected Personal Data of a minor without the consent of a parent or legal representative, it shall take measures to delete it as soon as possible.

Right to appeal

Art. 20. (1) If you believe that the Processing of your Personal Data infringes the GDPR or the applicable personal data protection legislation, you have the right to lodge a complaint with:

1. Commission for Personal Data Protection (CPDP) - address: Sofia 1592, 2 “Prof. Tsvetan Lazarov” Blvd.; website: www.cpdp.bg; email: kzld@cpdp.bg;

2. the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement, where applicable.

(2) The right to lodge a complaint is not conditional on the prior exercise of the rights under Section X of this Policy, but the Company encourages you to first contact us at office@onecare.bg so that we can resolve the matter.

Changes to the Privacy Policy

Art. 21. (1) The Company has the right at any time to amend, supplement or replace this Policy, including in the event of changes in the applicable legislation, the technical and organizational conditions, the categories of processed data, the providers, or the functionalities of the Platform.

(2) The current version of the Policy is published on the Platform at www.onecare.bg, stating the date of the last update.

(3) In the event of substantial changes affecting the rights of data subjects, the Company notifies Users and Contractors by email, a message in the profile, a notice on the Platform, or in another appropriate manner.

(4) Continued use of the Platform after the amendment enters into force shall be deemed acknowledgment of the current version of the Policy, insofar as this is permissible under applicable law.

Final provisions

Art. 22. (1) This Policy has been adopted by the manager of the Company and enters into force as of 04.05.2026.

(2) For matters not regulated in this Policy, the provisions of the GDPR, the Personal Data Protection Act, the General Terms of Use of the OneCare Platform, and the applicable Bulgarian and European legislation shall apply.

(3) The invalidity of a separate provision of this Policy does not render the remaining provisions invalid.

© 2026 OneCare. All rights reserved.