Data Processing Agreement (DPA)
Last Updated: June 20, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the merchant, customer, or organization using Blubbl ("Controller") and Vachev Engineering Ltd. operating as Blubbl ("Processor").
This DPA applies where Processor processes Personal Data on behalf of Controller in connection with the provision of the Blubbl platform and related services.
1. Parties
Controller
The Controller is the merchant, organization, or individual using the Blubbl platform to collect, store, manage, or otherwise process personal information relating to customers, website visitors, subscribers, employees, or other individuals.
Processor
The Processor is:
Vachev Engineering Ltd.
Andrei Saharov 13
Varna, Bulgaria
Email: [email protected]
2. Definitions
For purposes of this DPA:
GDPR
Means Regulation (EU) 2016/679 (General Data Protection Regulation).
Personal Data
Means any information relating to an identified or identifiable natural person.
Processing
Means any operation performed on Personal Data including collection, storage, use, disclosure, transmission, deletion, or destruction.
Data Subject
Means the individual to whom Personal Data relates.
Controller
Means the entity determining the purposes and means of processing Personal Data.
Processor
Means the entity processing Personal Data on behalf of the Controller.
Subprocessor
Means any third party engaged by Processor to assist in processing Personal Data.
3. Scope and Purpose
Processor provides ecommerce, website management, content management, AI-powered tools, marketing functionality, integrations, and related services.
Processor processes Personal Data solely for the purpose of providing the Services described in the applicable agreement.
Processor shall not process Personal Data for purposes unrelated to providing the Services except where required by law.
4. Categories of Data Subjects
Depending on how Controller uses the Services, Personal Data may relate to:
- Customers
- Prospective customers
- Newsletter subscribers
- Website visitors
- Employees
- Contractors
- Business contacts
- End users of stores powered by Blubbl
5. Categories of Personal Data
Personal Data processed may include:
Identification Data
- Names
- Usernames
- Account identifiers
Contact Data
- Email addresses
- Telephone numbers
- Shipping addresses
- Billing addresses
Transaction Data
- Orders
- Purchases
- Refunds
- Payment-related metadata
Technical Data
- IP addresses
- Device information
- Browser information
- Usage logs
Marketing Data
- Subscription preferences
- Campaign interactions
- Communication history
Content Data
- Uploaded files
- Product information
- Customer notes
- Support communications
AI Feature Data
- Prompts submitted to AI services
- Generated outputs
- AI-assisted content
6. Duration of Processing
Processor shall process Personal Data for the duration of the Services and thereafter as required for:
- Data retention obligations
- Security purposes
- Backup retention
- Legal compliance
Unless otherwise required by law:
- Deleted account data may remain recoverable for up to 30 days.
- Backup copies may remain for up to 90 days.
7. Controller Obligations
Controller shall:
- Comply with applicable privacy laws.
- Obtain necessary consents.
- Provide legally required notices.
- Respond to Data Subject requests.
- Ensure lawful collection of Personal Data.
Controller remains solely responsible for determining the lawful basis for processing Personal Data.
8. Processor Obligations
Processor shall:
- Process Personal Data only on documented instructions from Controller.
- Implement reasonable security measures.
- Maintain confidentiality obligations.
- Assist Controller in meeting GDPR obligations where reasonably required.
- Notify Controller of Personal Data breaches where legally required.
Processor shall not sell Personal Data.
Processor shall not use Personal Data to train proprietary machine learning models.
9. Confidentiality
Processor shall ensure that personnel with access to Personal Data:
- Are bound by confidentiality obligations.
- Receive appropriate access controls.
- Access Personal Data only when necessary.
10. Security Measures
Processor maintains technical and organizational measures including, where appropriate:
Access Controls
- Role-based permissions
- Authentication controls
- Administrative access restrictions
Infrastructure Security
- Firewalls
- Monitoring systems
- Logging systems
- Vulnerability management
Data Security
- Encryption in transit
- Secure backups
- Controlled access to infrastructure
Operational Security
- Incident response procedures
- Change management procedures
- Security monitoring
Processor may modify security measures provided overall security is not materially reduced.
11. Subprocessors
Controller authorizes Processor to engage subprocessors as necessary to provide the Services.
Current subprocessors may include:
Infrastructure Providers
- Hetzner
Email Providers
- Resend
AI Providers
- OpenAI
Analytics Providers
- Google Analytics
- Google Tag Manager
- Microsoft Clarity
- Meta
Authentication Providers
- Apple
- Microsoft
Processor may add or replace subprocessors from time to time.
An updated list of subprocessors may be maintained by Processor.
12. International Transfers
Processor may transfer Personal Data internationally where necessary to provide the Services.
Where required by law, Processor shall implement appropriate safeguards, including:
- Standard Contractual Clauses
- Contractual protections
- Other lawful transfer mechanisms
13. Assistance with Data Subject Requests
Processor shall provide reasonable assistance to Controller regarding requests relating to:
- Access
- Correction
- Deletion
- Restriction
- Portability
- Objection
Controller remains responsible for responding to such requests.
14. Personal Data Breaches
Processor shall notify Controller without undue delay after becoming aware of a Personal Data breach affecting Controller's Personal Data where notification is required by applicable law.
Notifications may include:
- Nature of the incident
- Categories of affected data
- Likely consequences
- Remediation measures
15. Audits
Where required by applicable law and subject to reasonable notice, confidentiality obligations, security requirements, and protection of other customers, Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.
Processor may satisfy audit requests through:
- Security documentation
- Compliance reports
- Written responses
- Independent assessments
16. Return and Deletion of Data
Upon termination of Services and subject to applicable law:
- Controller may export available data during the account lifecycle.
- Processor may delete Personal Data following applicable retention periods.
- Backup retention may continue for up to 90 days.
Processor may retain information where required by law.
17. Liability
Liability arising under this DPA shall be governed by the liability provisions contained in the applicable Terms and Conditions unless otherwise required by law.
18. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Republic of Bulgaria.
19. Contact Information
Questions regarding this DPA may be directed to:
Vachev Engineering Ltd.
Andrei Saharov 13
Varna, Bulgaria
Email: [email protected]