Data Processing Agreement (DPA)

Last Updated: June 20, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the merchant, customer, or organization using Blubbl ("Controller") and Vachev Engineering Ltd. operating as Blubbl ("Processor").

This DPA applies where Processor processes Personal Data on behalf of Controller in connection with the provision of the Blubbl platform and related services.

1. Parties

Controller

The Controller is the merchant, organization, or individual using the Blubbl platform to collect, store, manage, or otherwise process personal information relating to customers, website visitors, subscribers, employees, or other individuals.

Processor

The Processor is:

Vachev Engineering Ltd.
Andrei Saharov 13
Varna, Bulgaria

Email: [email protected]

2. Definitions

For purposes of this DPA:

GDPR

Means Regulation (EU) 2016/679 (General Data Protection Regulation).

Personal Data

Means any information relating to an identified or identifiable natural person.

Processing

Means any operation performed on Personal Data including collection, storage, use, disclosure, transmission, deletion, or destruction.

Data Subject

Means the individual to whom Personal Data relates.

Controller

Means the entity determining the purposes and means of processing Personal Data.

Processor

Means the entity processing Personal Data on behalf of the Controller.

Subprocessor

Means any third party engaged by Processor to assist in processing Personal Data.

3. Scope and Purpose

Processor provides ecommerce, website management, content management, AI-powered tools, marketing functionality, integrations, and related services.

Processor processes Personal Data solely for the purpose of providing the Services described in the applicable agreement.

Processor shall not process Personal Data for purposes unrelated to providing the Services except where required by law.

4. Categories of Data Subjects

Depending on how Controller uses the Services, Personal Data may relate to:

  • Customers
  • Prospective customers
  • Newsletter subscribers
  • Website visitors
  • Employees
  • Contractors
  • Business contacts
  • End users of stores powered by Blubbl

5. Categories of Personal Data

Personal Data processed may include:

Identification Data

  • Names
  • Usernames
  • Account identifiers

Contact Data

  • Email addresses
  • Telephone numbers
  • Shipping addresses
  • Billing addresses

Transaction Data

  • Orders
  • Purchases
  • Refunds
  • Payment-related metadata

Technical Data

  • IP addresses
  • Device information
  • Browser information
  • Usage logs

Marketing Data

  • Subscription preferences
  • Campaign interactions
  • Communication history

Content Data

  • Uploaded files
  • Product information
  • Customer notes
  • Support communications

AI Feature Data

  • Prompts submitted to AI services
  • Generated outputs
  • AI-assisted content

6. Duration of Processing

Processor shall process Personal Data for the duration of the Services and thereafter as required for:

  • Data retention obligations
  • Security purposes
  • Backup retention
  • Legal compliance

Unless otherwise required by law:

  • Deleted account data may remain recoverable for up to 30 days.
  • Backup copies may remain for up to 90 days.

7. Controller Obligations

Controller shall:

  • Comply with applicable privacy laws.
  • Obtain necessary consents.
  • Provide legally required notices.
  • Respond to Data Subject requests.
  • Ensure lawful collection of Personal Data.

Controller remains solely responsible for determining the lawful basis for processing Personal Data.

8. Processor Obligations

Processor shall:

  • Process Personal Data only on documented instructions from Controller.
  • Implement reasonable security measures.
  • Maintain confidentiality obligations.
  • Assist Controller in meeting GDPR obligations where reasonably required.
  • Notify Controller of Personal Data breaches where legally required.

Processor shall not sell Personal Data.

Processor shall not use Personal Data to train proprietary machine learning models.

9. Confidentiality

Processor shall ensure that personnel with access to Personal Data:

  • Are bound by confidentiality obligations.
  • Receive appropriate access controls.
  • Access Personal Data only when necessary.

10. Security Measures

Processor maintains technical and organizational measures including, where appropriate:

Access Controls

  • Role-based permissions
  • Authentication controls
  • Administrative access restrictions

Infrastructure Security

  • Firewalls
  • Monitoring systems
  • Logging systems
  • Vulnerability management

Data Security

  • Encryption in transit
  • Secure backups
  • Controlled access to infrastructure

Operational Security

  • Incident response procedures
  • Change management procedures
  • Security monitoring

Processor may modify security measures provided overall security is not materially reduced.

11. Subprocessors

Controller authorizes Processor to engage subprocessors as necessary to provide the Services.

Current subprocessors may include:

Infrastructure Providers

  • Hetzner

Email Providers

  • Resend

AI Providers

  • OpenAI

Analytics Providers

  • Google Analytics
  • Google Tag Manager
  • Microsoft Clarity
  • Meta

Authentication Providers

  • Google
  • Apple
  • Facebook
  • Microsoft

Processor may add or replace subprocessors from time to time.

An updated list of subprocessors may be maintained by Processor.

12. International Transfers

Processor may transfer Personal Data internationally where necessary to provide the Services.

Where required by law, Processor shall implement appropriate safeguards, including:

  • Standard Contractual Clauses
  • Contractual protections
  • Other lawful transfer mechanisms

13. Assistance with Data Subject Requests

Processor shall provide reasonable assistance to Controller regarding requests relating to:

  • Access
  • Correction
  • Deletion
  • Restriction
  • Portability
  • Objection

Controller remains responsible for responding to such requests.

14. Personal Data Breaches

Processor shall notify Controller without undue delay after becoming aware of a Personal Data breach affecting Controller's Personal Data where notification is required by applicable law.

Notifications may include:

  • Nature of the incident
  • Categories of affected data
  • Likely consequences
  • Remediation measures

15. Audits

Where required by applicable law and subject to reasonable notice, confidentiality obligations, security requirements, and protection of other customers, Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.

Processor may satisfy audit requests through:

  • Security documentation
  • Compliance reports
  • Written responses
  • Independent assessments

16. Return and Deletion of Data

Upon termination of Services and subject to applicable law:

  • Controller may export available data during the account lifecycle.
  • Processor may delete Personal Data following applicable retention periods.
  • Backup retention may continue for up to 90 days.

Processor may retain information where required by law.

17. Liability

Liability arising under this DPA shall be governed by the liability provisions contained in the applicable Terms and Conditions unless otherwise required by law.

18. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Republic of Bulgaria.

19. Contact Information

Questions regarding this DPA may be directed to:

Vachev Engineering Ltd.
Andrei Saharov 13
Varna, Bulgaria

Email: [email protected]