Reset Password

  1. Home
  2. GDPR Privacy Policy
Your search results

Privacy Policy and Personal Data Protection (GDPR Privacy Policy)

Effective Date: May 8, 2026

Personal Data Controller: SER SCHEMA EOOD (UIC/EIK: 207233087), a registered person under the VAT Act.

Manager: Ilia Pavlovich Rybakov

Registered Office Address: Republic of Bulgaria, Nesebar (8240), Sunny Beach West, “Casa Bravo 2” Complex, Floor 2, Apartment D22.

This Policy defines the official stance of SER SCHEMA EOOD (hereinafter referred to as the “Company”, “Operator”, or “Controller”) regarding the collection, processing, storage, and comprehensive security management of personal data provided by users of the Rentalistic platform (rentalistic.com). This Policy is drafted in strict accordance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation — GDPR) and the national Personal Data Protection Act of the Republic of Bulgaria (Закон за защита на личните данни).

1. General Provisions

  • 1.1. This Policy establishes the legal grounds, purposes, retention periods, and strict conditions for processing personal data, alongside the technical and organizational measures implemented by the Company to protect the fundamental rights and freedoms of individuals during data processing.

  • 1.2. The use of any services on the rentalistic.com website—including, but not limited to, site navigation, real estate booking, long-term rental applications, and Personal Account registration—constitutes the full, informed, and unconditional consent of the user (hereinafter referred to as the “Data Subject”) to the terms of this Policy and the processing conditions specified herein.

2. Types and Categories of Processed Data

  • 2.1. The Controller collects and processes information that the Data Subject provides voluntarily, consciously, and on their own initiative while interacting with the platform. These data points include:

    • Identification Data: Surname, first name, and patronymic (if applicable);

    • Contact Data: Current phone number, email address;

    • Passport Data: Citizenship, ID/passport number, date of issue, date of birth (this information is critically necessary for legal check-in procedures and mandatory registration with state authorities);

    • Financial Data: Payment credentials and bank card details required for invoicing, processing transactions, and issuing refunds (handled via the secure gateways of our certified partner, the payment system viva.com).

  • 2.2. If the Data Subject voluntarily elects to log in via third-party authentication services (such as Google Authentication or Facebook Login), the Company receives and processes only the publicly available profile information for which the Data Subject gave explicit consent to share (including a unique digital user ID, name, and the email address tied to that third-party account).

  • 2.3. While interacting with the Rentalistic platform (which operates on the WordPress CMS), the Company automatically collects non-identifiable technical data transmitted by the user’s device in the background. This includes: IP address, cookie file data, browser type and version, operating system, access times, and referrer URLs (previously visited web pages). This technical information is used by the Controller exclusively for web analytics, security monitoring, and user experience (UX) optimization.

3. Purposes and Legal Bases for Processing

  • 3.1. Personal data processing is performed by the Controller strictly when lawful grounds exist as explicitly outlined in Article 6 of the GDPR. The primary legal purpose for processing is the execution of a short-term or long-term residential rental contract to which the Data Subject is a party. This includes: processing and confirming bookings, executing mutual financial settlements, and providing high-quality customer and technical support.

  • 3.2. By virtue of the direct and mandatory requirements of the Tourism Act of the Republic of Bulgaria and the Foreigners Act, the Company is under a strict legal obligation to collect the passport data of all guests and ensure its timely transmission to the Unified Tourist Information System (ESTI) of the Ministry of Tourism, as well as to relevant bodies of the Ministry of Interior. Refusal by the Data Subject to provide this information makes the provision of accommodation services legally impossible and results in booking cancellation.

  • 3.3. The Company processes data on the grounds of its Legitimate Interest to ensure informational and physical security, prevent fraudulent payment card transactions, protect the property of the Company and real estate owners, and conduct internal analytical research on the rental market.

  • 3.4. The use of personal data for sending informational and promotional materials (direct marketing) is conducted by the Company exclusively upon receiving the prior, explicit consent of the Data Subject (e.g., subscribing to an email newsletter or checking a corresponding consent box during booking). This consent may be withdrawn by the Data Subject at any time without any negative consequences.

4. Data Transfer to Third Parties and Data Processors

  • 4.1. The Company guarantees that personal data is not sold, rented, or shared with unauthorized third parties, except as explicitly established by law or when objectively necessary to execute the Rental Contract. Authorized state recipients of data include the regulatory authorities of the Republic of Bulgaria (Ministry of Tourism, National Revenue Agency — NAP, internal affairs bodies) within the scope of the Controller’s mandatory statutory compliance.

  • 4.2. To ensure the seamless technical operation of the rentalistic.com platform and payment processing, strictly limited access to data may be granted to certified partners of the Company (Data Processors). These include:

    • Server infrastructure and hosting providers (Hostinger servers);

    • Financial institutions and acquiring operators (viva.com payment system) for secure card payment processing;

    • CRM system developers and transactional email delivery services;

    • Analytical and advertising platforms (Google Analytics, Meta Platforms).

      Strict Data Processing Agreements (DPAs) are active with all the aforementioned partners, legally binding them to use the data solely under the direct instruction of the Controller and to ensure data protection according to GDPR standards.

  • 4.3. If the Data Subject orders additional accompanying services through the Rentalistic website (such as arranging an individual transfer or renting a car), the minimum necessary contact details may be shared with the direct provider of the service (subcontractor) solely for logistics and customer communication.

5. Cross-Border Data Transfers

  • 5.1. Given the integration of international cloud services, payment gateways, and analytical tools, a portion of anonymized or encrypted data may be transferred to and processed on servers located outside the European Economic Area (EEA). In such instances, the Company takes all necessary legal and technical precautions to ensure that cross-border transfers are executed in strict compliance with Chapter V of the GDPR, including the utilization of Standard Contractual Clauses (SCCs) approved by the European Commission.

6. Retention Periods and Protection Measures

  • 6.1. Personal data is stored in a form that permits identification of the Data Subject for no longer than is objectively necessary for the initial processing purposes. Personal and financial data required for accounting and tax reporting, as well as guest registration info in the ESTI system, are subject to mandatory archival storage for 5 (five) years in accordance with the effective legislation of the Republic of Bulgaria. Upon expiration of this period, the data is safely and irreversibly destroyed.

  • 6.2. The Company implements a modern framework of legal, organizational, and software-technical measures engineered to protect data against unauthorized or accidental access, destruction, modification, blocking, copying, distribution, and other cyber threats. These measures include: the mandatory use of data encryption protocols (SSL/TLS certificates), role-based logical access controls for employees handling CMS databases, and strict physical access monitoring at equipment locations.

7. Rights of the Data Subject

  • 7.1. In full alignment with GDPR regulations, the Data Subject possesses the following set of non-infringable rights:

    • Right of Access: Request official confirmation from the Controller as to whether their data is being processed and obtain a full extract thereof;

    • Right to Rectification: Demand the immediate correction of inaccurate, outdated, or incomplete personal data;

    • Right to Erasure (“Right to be Forgotten”): Demand the total removal of their personal data from Rentalistic databases, except in cases where data retention is directly required by law (e.g., for NAP tax audits);

    • Right to Restriction of Processing: Demand a temporary restriction on data processing during dispute resolution scenarios (e.g., while verifying its accuracy);

    • Right to Data Portability: Receive their data in a structured, machine-readable format to transmit it to another operator.

  • 7.2. To exercise any of the aforementioned rights, the Data Subject must submit an official written request to the Controller’s email address: contact@rentalistic.com. The request must include details allowing for the unambiguous identification of the applicant. The legally mandated timeframe for reviewing and providing a response to such a request is up to 30 (thirty) calendar days from the date of receipt.

8. Final Provisions

  • 8.1. SER SCHEMA EOOD reserves the sovereign right to make unilateral amendments and additions to this Policy in the event of changes to applicable European or Bulgarian legislation, or during the modernization of the platform’s internal technical workflows.

  • 8.2. The current and active version of the document is always accessible for public review on this page of the website. Continued use of the rentalistic.com platform by the Data Subject following the official publication of a new revision of the Policy is unconditionally recognized as their consent to all modified terms.