Privacy Policy

1. Introduction and Controller

Welcome to OP GROUP (op-group.eu). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how "Overpower Machinery" Ltd ("Company," "Data Controller," "we," or "us") collects, uses, and shares information about you when you use our heavy machinery brokerage and logistics services.

This Policy is fully compliant with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Bulgarian Personal Data Protection Act (PDPA).

• Controller Name: Overpower Machinery Ltd
• Address: Sofia, Bulgaria
• Email: [email protected]

2. Categories of Data Processed

To operate as a robust intermediary, we collect and process the following categories of data:

• 2.1. Identity Data: Full Name, Passport/ID Copy (for AML/KYC purposes), Job Title, Company Representative Capacity.
• 2.2. Contact Data: Billing Address, Delivery Address, Email Address, Phone Numbers (Mobile/Landline).
• 2.3. Financial & Transaction Data: Bank Account details (IBAN/SWIFT), VAT Numbers, Proof of Funds (Bank Statements), Invoicing History.
• 2.4. Logistics Data: Customs declarations (EORI numbers), Transport manifests (CMR), Delivery Location GPS data.
• 2.5. Technical Data: IP addresses, Browser type, Time zone settings (via Cookies).

3. Purposes and Legal Basis for Processing

We rely on specific legal grounds for each processing activity:

3.1. Performance of a Contract (Art. 6(1)(b) GDPR)

To fulfill our Service Agreement with you, we must process your Identity, Contact, and Logistics Data. This includes:

• Sourcing machines and determining technical specifications;
• Negotiating prices and drafting Purchase Contracts;
• Organizing transport, hiring trucks, and arranging delivery details.

3.2. Compliance with Legal Obligations (Art. 6(1)(c) GDPR)

As a regulated business, we are required by law to process certain data:

• Customs & Export Control: We process Identity, Logistics, and EORI data to clear goods through borders (e.g., Turkey/Serbia to EU).
• Anti-Money Laundering (AML): We are legally obligated under the Measures Against Money Laundering Act (MAMLA) to verify your identity. This requires processing Passport/ID copies and Proof of Funds.
• Tax & Invoicing: We must process Transaction and Financial data for accounting and tax reporting to the National Revenue Agency (NAP).

3.3. Legitimate Interests (Art. 6(1)(f) GDPR)

We have a legitimate commercial interest in processing your Contact Data to respond to your inquiries, provide quotes, and manage the ongoing business relationship.

3.4. Consent (Art. 6(1)(a) GDPR)

For Marketing purposes (such as sending newsletters or offers), we will process your Contact Data only if you have explicitly provided your Consent (Opt-in). You have the right to withdraw this consent at any time.

4. Sharing of Your Data (Data Dealers)

We do not sell your data. However, as an intermediary, extensive data sharing is required to execute the transaction. We share data with:

4.1. Contractual Partners (Necessary for fulfillment):

• Sellers/Suppliers: To draft the Purchase Contract.
• Transport Companies: Haulage firms need your Delivery Address and Phone Number for the driver.
• Partners: Companies and institutions that engage in business with us.
• Inspection Agencies: SGS/Dekra or independent mechanics verifying the machine.

4.2. Legal & Regulatory Authorities:

• Customs Agency: For Import/Export declarations.
• National Revenue Agency (NAP): For VIES reporting and tax audits.
• Financial Intelligence Directorate (FID): If a suspicious transaction report (STR) is required.

4.3. Service Providers:

• Cloud Hosting (e.g., Google Cloud, AWS) – secure storage.
• Accounting Firms – external auditors.

5. International Data Transfers

Our business often involves sourcing machinery from outside the EEA (e.g., China, Turkey, USA).

When we transfer your personal data to a Seller or Transporter in a "Third Country":

• 5.1. Adequacy Decisions: We rely on EU Commission decisions where available (e.g., UK, Japan).
• 5.2. Standard Contractual Clauses (SCCs): In the absence of an adequacy decision (e.g., Turkey, China), we implement the EU's Standard Contractual Clauses with the recipient to ensure a similar level of protection.

By requesting a machine from a non-EEA country, you explicitly acknowledge that data transfer is necessary for the performance of the contract (Art. 49(1)(b) GDPR).

6. Data Retention Periods

• Tax/Accounting Records: 10 years (statutory limitation under Bulgarian Tax/Accounting Law).
• Contract/Liability Data: 5 years after the end of the contractual relationship (general statute of limitations).
• AML/KYC Files: 5 years after the transaction.
• Marketing Data: Until you withdraw consent (Unsubscribe).

7. Your Rights

You have the right to:

• 7.1. Access: Request a copy of all data we hold about you.
• 7.2. Rectification: Correct wrong addresses or names.
• 7.3. Erasure ("Right to be Forgotten"): Request deletion, unless we must keep it for tax/AML reasons.
• 7.4. Restriction: Pause processing during a dispute.
• 7.5. Portability: Get your data in a machine-readable format.
• 7.6. Object: Object to processing based on "Legitimate Interest".

To exercise these rights, email: [email protected]

8. Cookie Policy

• 8.1. Strictly Necessary Cookies: Essential for the website to function (e.g., session security). These cannot be switched off.
• 8.2. Analytics Cookies: (e.g., Google Analytics) Help us understand visitor traffic. These are optional and require your consent via the Cookie Banner.

9. Security

We use SSL encryption on our website and secure, password-protected cloud storage for your documents. Access to KYC data is restricted to authorized Compliance officers only.

10. Complaints

You have the right to lodge a complaint with the supervisory authority:

• Commission for Personal Data Protection (CPDP)
• Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
• Website: www.cpdp.bg