INDASTRA operates the website indastraonline.com (the "Service"), a B2B marketplace for industrial equipment.
This Privacy Policy explains how we collect, use and protect personal data in compliance with Regulation (EU) 2016/679 (GDPR).
2. Data We Collect
2.1 Data you provide directly
Contact & quote requests: Full name, email address, phone number (optional), company name (optional), message content.
Server logs: IP address (stored as a one-way hash), browser type, operating system, referring URL, pages viewed, timestamp.
Cookies: Session identifiers, language preference, cookie consent state. See Section 7 for full details.
Analytics: Aggregate usage data via Google Analytics 4 (only when consent is granted). GA4 anonymises IP addresses by default.
2.3 Data we do NOT collect
We do not collect sensitive personal data (health, religion, political opinion, biometric data) or payment card details.
3. Legal Basis for Processing
| Processing activity | Legal basis (GDPR Art. 6) |
| --- | --- |
| Responding to quote/contact requests | Art. 6(1)(b) — performance of pre-contractual measures at your request |
| Analytics & cookies (non-essential) | Art. 6(1)(a) — consent |
| Security logging & fraud prevention | Art. 6(1)(f) — legitimate interests |
| Legal compliance | Art. 6(1)(c) — legal obligation |
4. How We Use Your Data
To respond to your quote requests and technical inquiries.
To send you a confirmation email after form submission.
To analyse website traffic and improve user experience (with consent).
To detect and prevent fraudulent or abusive behaviour.
To comply with legal obligations (e.g. record-keeping).
We do not sell, rent or trade your personal data to third parties for marketing purposes.
5. Data Sharing
We share data only where necessary:
Email service provider: Mail is sent via our hosting server (PHP mail() or SMTP). Your email and name are included in the email envelope.
Google Analytics: Aggregate, anonymised usage statistics. Data is processed by Google LLC (USA) under Standard Contractual Clauses. Only active when you consent.
Hosting provider (Beget): Server logs are accessible to the hosting provider for infrastructure management.
Law enforcement: We may disclose data if required by Bulgarian or EU law.
6. Retention Period
| Data type | Retention period |
| --- | --- |
| Quote request (lead) records | 3 years from submission date |
| Server access logs (hashed IP) | 90 days |
| Session data (CSRF, rate-limit) | 24 hours (session lifetime) |
| Cookie consent preference | 12 months (localStorage) |
| Google Analytics data | 14 months (GA4 default) |
7. Cookies
We use cookies and similar local storage technologies.
For full details, including how to manage cookies, see our Cookie Policy.
| Category | Purpose | Consent required |
| --- | --- | --- |
| Essential (session) | CSRF protection, login state, language preference | No |
| Functional (localStorage) | Cookie consent preference storage | No |
| Analytics (Google Analytics 4) | Aggregate traffic analysis | Yes |
8. Your Rights (GDPR)
Under GDPR you have the following rights regarding your personal data:
Right of access (Art. 15): You may request a copy of all personal data we hold about you.
Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
Right to erasure (Art. 17): You may request deletion of your data where there is no legal basis for continued processing.
Right to restriction (Art. 18): You may request that we restrict processing in certain circumstances.
Right to portability (Art. 20): You may receive your data in a machine-readable format and transfer it to another controller.
Right to object (Art. 21): You may object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time via the cookie banner or by contacting us.
To exercise any right, email info@indastraonline.com with the subject "GDPR Request". We will respond within 30 days.
You also have the right to lodge a complaint with the Commission for Personal Data Protection (CPDP) of Bulgaria: www.cpdp.bg.
9. International Transfers
Your data may be processed by Google LLC (USA) when you consent to analytics cookies.
Google is certified under the EU–US Data Privacy Framework and processes data under
Standard Contractual Clauses. No other international transfers occur.
10. Children's Privacy
INDASTRA is a B2B platform intended for business users aged 18 and over.
We do not knowingly collect data from individuals under 16.
If you believe a minor has submitted data, contact us immediately.
11. Changes to This Policy
We may update this policy to reflect changes in law or our practices.
Material changes will be announced on the website.
The "Last updated" date at the top of this page indicates when the latest revision was made.
Continued use of the Service after a change constitutes acceptance of the updated policy.