Privacy Policy
This Privacy Policy describes how Sci-High Foundation (“the Foundation”, “we”) collects, uses, stores, and protects personal data of users of the public website sci-high.org and the festival management platform accessible at the same domain (“the Platform”). Both surfaces are covered by a single document because users move between them and are subject to a unified data-protection regime.
We process personal data in accordance with Regulation (EU) 2016/679 (“GDPR”), the Bulgarian Personal Data Protection Act (“PDPA”), and applicable Bulgarian legislation.
The Bulgarian-language version of this Policy is the authoritative legal text. This English version is provided for reference. In case of discrepancy, the Bulgarian text prevails.
1. Data controller
Sci-High Foundation
70-72 Cherni Vrah Blvd., Sofia, Bulgaria
Bulstat / EIK: {{TODO — fill in the Foundation’s registration number}}
Email: [email protected]
Data Protection Officer (DPO): {{TODO — fill in DPO details, or confirm that no statutory obligation to appoint one applies}}
Registration with the Commission for Personal Data Protection (CPDP): {{TODO — registration number, or confirm that the Foundation is not subject to registration}}
2. Personal data we process
Depending on your role and the channel through which you interact with us, we process the following categories:
Account and Platform profile
- Name, email address, preferred language
- Profile picture (avatar) and short bio (optional)
- Role at the Festival (organizer, jury, volunteer, visitor, mentor, team moderator, or team representative)
Festival participation data
- Team registration, including a roster of students (name, gender, and optionally a short bio)
- School, category, and mentor information
- Uploaded content (video, descriptions, links to external resources)
Voting
- Linkage between visitor and the team voted for
- Time of vote
Correspondence and support
- Content of messages sent via contact forms (school, mentor, partner, parent, general inquiries)
- Email, phone (if provided), and context of the inquiry
Donations
- Minimum information required to route the donation (name, email, amount)
- Payment data is handled directly by the relevant payment provider — we do not see or store card numbers
Audit log
- Which user performed which operation in the Platform, and when — for security, troubleshooting, and compliance
Technical data
- IP address, browser type, language settings, access time — collected by the hosting provider for abuse protection and service stability
3. Purposes and legal bases
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Account registration and maintenance | Performance of a contract (Art. 6(1)(b)) |
| Festival participation (teams, voting, jury) | Performance of a contract (Art. 6(1)(b)) |
| Processing contact-form inquiries | Legitimate interest (Art. 6(1)(f)) and consent |
| Sending transactional emails (invitations, notifications) | Performance of a contract |
| Audit log and security | Legitimate interest (protecting the Platform and its users) |
| Donation processing and accounting | Legal obligation (Art. 6(1)(c)) — Bulgarian Accountancy Act |
| Service improvement | Legitimate interest |
Special regime for minors (Art. 8 GDPR)
The Platform allows registration of teams that include minor students. Their participation does NOT go through direct registration — student data (name, gender, optional short bio) are entered by the team moderator (teacher or appointed coordinator) or by the school, who, by accepting the Terms of Use, represent and warrant that:
- They have obtained valid consent from the parents or legal guardians of each student in accordance with Art. 8 GDPR and the PDPA,
- They have informed parents and students about the scope of data to be processed by the Foundation,
- They bear responsibility for the basis and scope of processing of these data until they reach the Foundation.
The Foundation processes minors’ data on the basis of this warranty, without individually verifying parental consent for each student. Upon withdrawal of consent or a request for erasure from a parent, the team moderator is obliged to notify the Foundation immediately at [email protected].
4. Recipients and processors
Personal data may be disclosed to the following categories of recipients:
Technical service providers (data processors)
| Provider | Service | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage, edge functions | US / EU |
| Cloudflare Inc. | Hosting, CDN, bot protection (Turnstile) | US / EU (edge) |
| Resend Inc. | Transactional email delivery | US |
| Google LLC | Maps and geolocation (Maps JavaScript API, Maps Static API) | US / EU |
| Stripe, Inc. | Online donation processing (when active) | US / EU |
| GlobalGiving Foundation | Donation routing through corporate matching programs | US |
| Benevity, Inc. | Donation routing through corporate matching programs | Canada |
For every provider that processes personal data on our behalf we have a Data Processing Agreement (DPA) in place under Art. 28 GDPR.
Other categories of recipients
- State authorities — upon a legal basis and a written request
- Foundation accountants and auditors — to the extent necessary to discharge accounting obligations
- Partners of a specific Festival — only where your participation implies it (e.g., conferral of a special award), and within a scope disclosed to you in advance
5. Transfers outside the EEA
Some processors operate outside the European Economic Area (EEA). Transfers of personal data to these providers are based on Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, or on an adequacy decision (where applicable).
6. Retention periods
| Data category | Retention |
|---|---|
| Account and profile | Until the user deletes the account, or after 24 months of inactivity |
| Festival participation (teams, students, mentors) | For the duration of the Festival + 12 months for reference and archiving |
| Visitor votes | For the duration of the Festival + 6 months |
| Contact-form correspondence | Up to 12 months from the last contact |
| Transactional emails (outbound) | Up to 30 days in the dispatch queue |
| Audit log | Up to 24 months |
| Donation records and accounting documentation | Up to 10 years (Accountancy Act) |
| Hosting provider technical logs | Up to 30 days |
After these periods, data is deleted or anonymized, unless another law requires a longer retention period.
7. Your rights
As a data subject you have the following rights under GDPR and the PDPA:
- Right of access — to obtain confirmation and a copy of the personal data we process about you
- Right to rectification — to request correction of inaccurate or incomplete data
- Right to erasure (“right to be forgotten”) — under Art. 17 GDPR
- Right to restriction — of processing under Art. 18 GDPR
- Right to data portability — to receive your data in a structured, machine-readable format
- Right to object — to processing based on legitimate interest
- Right to withdraw consent — where processing is based on consent, without affecting the lawfulness of past processing
- Right not to be subject to automated decision-making — the Platform does not perform automated decision-making with legal effect on you
To exercise these rights, please send a request to [email protected] from the email address associated with your account. We respond within 30 days of receiving the request.
Complaint to a supervisory authority
You have the right to lodge a complaint with the Commission for Personal Data Protection (CPDP):
- Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia, Bulgaria
- Email: [email protected]
- Website: https://www.cpdp.bg
8. Cookies and similar technologies
The Platform uses a strictly limited set of cookies:
- Authentication session cookie — required to maintain a logged-in session on the Platform
- Cloudflare Turnstile — required to protect contact forms from automated abuse (bots)
We do not use marketing analytics, profiling, or retargeting tools. We do not pass data to advertising networks or social platforms.
9. Security
We apply technical and organisational measures to protect personal data, including:
- Traffic encryption (HTTPS / TLS)
- Database-level access control (Row Level Security)
- User action logging
- Periodic review of authorisations
- Secure database backups
Despite these efforts, no method of transmission or storage on the internet is absolutely secure. In the event of a security breach that may pose a high risk to your rights, we will notify you in accordance with Art. 34 GDPR.
10. Changes to this Policy
We reserve the right to update this Privacy Policy. The current version and the effective date are published at the top of this page. The change history is maintained in the project’s public repository (Git). For material changes affecting your rights, we will notify you by email or via a Platform notification.
11. Contact
For questions about this Policy or the processing of your personal data:
Sci-High Foundation
70-72 Cherni Vrah Blvd., Sofia
[email protected]