← SIGNET

Privacy Policy

Last updated: 16 July 2026 · Version 1.0
SIGNET OOD is in registration. Company identifiers appear here the day they are issued.
In one paragraph. SIGNET is a review-management service run by SIGNET OOD, a Bulgarian limited liability company, in Sofia, Bulgaria. If you are a client, we handle your Google Business Profile reviews on your instructions — you stay the controller, we are your processor. If you are a prospect we contacted, we hold your business contact details and public profile data, and you can tell us to stop at any time and we will, permanently. We do not sell data. We do not post fake reviews. This site sets no advertising or analytics cookies.

1. Who we are

SIGNET OOD ("SIGNET", "we") — a limited liability company (дружество с ограничена отговорност) registered in Sofia, Bulgaria (EU). Our name is entered in the Bulgarian Commercial Register in Cyrillic as „СИГНЕТ" ООД; "SIGNET OOD" is the Latin transliteration of that same company. "OOD" is the Bulgarian equivalent of a UK "Ltd", a German "GmbH" or a Dutch "BV" — a company whose members are not personally liable for its debts.

CompanySIGNET OOD — registered as „СИГНЕТ" ООД (Cyrillic, as entered in the Commercial Register)
ЕИК / company no.Registration with the Bulgarian Commercial Register (Търговски регистър) is pending. This page will state the ЕИК as soon as it is issued. Until then, we can be identified and reached at the email below, and we answer to it.
Registered officeSofia, Bulgaria. The full registered address is filed with the Commercial Register and will be published here on registration; we will provide it on request in the meantime.
Contact for all privacy matterspetar@signetreply.com

We have not appointed a Data Protection Officer. Article 37 GDPR does not require one for our size and activity; privacy questions go to the address above and are answered by a managing partner.

2. Which hat we are wearing

This matters, because it decides your rights and who answers to you.

SituationOur roleWhat it means
You are a client. We answer reviews on your Business Profile. Processor — you are the controller We act only on your documented instructions. The reviews, the replies and your customers' data remain yours. We sign a Data Processing Agreement (Art. 28 GDPR) with every client before work starts.
You are a prospect. We emailed you about your public profile. Controller We decided to contact you, so the responsibility is ours. Your rights below apply to us directly.
You left a review on a client's profile. Processor for that client We may draft a public reply to your review on the business's behalf. See §6 — this one probably brought you here.

3. What we collect, and why

3.1 Visitors to this website

Nothing. This site has no contact form, no analytics, no advertising, no tracking pixels and no cookies. The cost calculator runs entirely in your browser; the numbers you type are never transmitted to us and never leave your device.

One exception, and we would rather tell you than have you find it. This page loads typefaces from Google Fonts (fonts.googleapis.com, fonts.gstatic.com). That request discloses your IP address to Google LLC before we know anything about you. We do not receive it and cannot see it. We consider this a legitimate interest in presenting the site as designed (Art. 6(1)(f)), but it is a real disclosure to a third country and you are entitled to know. We intend to self-host these fonts and remove the request; until we have, this sentence stands.

3.2 Prospective clients (cold outreach)

If we contacted you, we hold: your business name, business address, business email, business phone, website, Google Business Profile URL, public rating and review count, publicly visible reviews on your profile, the name of a publicly listed owner or manager where shown, and our own notes on whether you look like a fit — plus a record of what we sent you and when.

Where we got it: the Google Places API, your public Google Business Profile, and your own website. All of it is published business information. We do not buy lists and we do not scrape private data.

Lawful basis: legitimate interest (Art. 6(1)(f)) — B2B outreach to a business about its own public profile, which Recital 47 recognises as capable of being a legitimate interest. We balanced this against your interests: we contact businesses rather than individuals, we write about something already public, we send few messages, and we stop permanently on request.

Retention: up to 24 months from last contact, then deleted. If you ask us to stop, we delete everything else and keep only your email address on a suppression list — indefinitely, and for the sole purpose of never contacting you again. That is legitimate interest too, and it works in your favour.

3.3 Clients

Contact details, billing details, the profile we manage, your brand-voice profile, reviews on your profile and the replies we draft, and our correspondence. Processed to perform our contract with you (Art. 6(1)(b)) and, for invoices and accounting records, to meet Bulgarian legal obligations (Art. 6(1)(c)).

Retention: for the life of the engagement, then 12 months, except accounting records which Bulgarian law requires us to keep for up to 10 years.

3.4 Reviewers (people who leave reviews on a client's profile)

We process the display name, star rating, review text and date that you chose to publish on Google. We do this as our client's processor, so that the business can reply to you publicly. We do not collect your email, your account, your purchase history or any information about you beyond your published review. We do not attempt to identify you.

4. Who we share it with

We do not sell personal data. We share it only with the following processors, each under contract:

WhoWhat they getWhereTransfer safeguard
Zoho Corporation (email)Our email correspondence with youEU data centreWithin EEA
Netlify (hosting)Our operational tool and its stored recordsUSAStandard Contractual Clauses
Google (Places API / Business Profile)Business profile lookups; replies we publish for clientsUSAStandard Contractual Clauses
Anthropic (AI drafting)Review text and brand-voice profile, to draft a replyUSAStandard Contractual Clauses
SerpApi (optional review retrieval)Public profile URLsUSAStandard Contractual Clauses
Our accountantInvoices and accounting recordsBulgariaWithin EEA
On AI drafting, plainly. Review text is sent to Anthropic's API to draft a reply. It is public text you already published. Under Anthropic's commercial API terms, inputs are not used to train their models. A human — a practising attorney — reads every draft before anything is published in a client's name. Nothing publishes automatically.

We may also disclose data where legally compelled (court order, regulator, tax authority), and to a professional adviser bound by confidentiality where we need advice.

5. International transfers

Some processors above are in the United States. Those transfers rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. You can ask us for details of the safeguards for any specific transfer, and we will give them.

6. If you left a review and you want us to stop

You did not choose to deal with SIGNET — you reviewed a business. So this section owes you a straight answer.

We cannot delete your review. It lives on Google, not on our systems, and only you or Google can remove it. We have no power there and we will not pretend otherwise.

What we can do: the business's public reply is written by us on their instruction. If you object to how it is worded, write to petar@signetreply.com, tell us which business and which review, and we will raise it with them and delete our own working copy of your review text where we are not required to keep it.

Because we act as the business's processor, formal GDPR requests about your review are usually for them to answer as controller. Send it to us anyway — we will tell you who the controller is and pass it on, rather than leave you to find them.

7. Your rights

Under the GDPR (and the UK GDPR if you are in the United Kingdom) you have the right to:

Write to petar@signetreply.com. We answer within 30 days, free of charge. We will ask you to confirm your identity only where we genuinely cannot otherwise tell it is you — never as an obstacle.

Complaints

If we get it wrong, tell us first — we would rather fix it. You are entitled to complain to a supervisory authority regardless:

8. Security

Access to our systems is restricted to the two managing partners and protected by a passphrase and provider-level authentication. API keys are held server-side and are never exposed to a browser. Email runs on Zoho's EU infrastructure with SPF, DKIM and DMARC enforced. Data in transit is encrypted (TLS).

We are a two-person company and we will not overstate this: we do not hold special-category data, we do not take payment card details on our own systems, and the personal data we handle is overwhelmingly information businesses have already published themselves.

9. Children

Our service is sold to businesses and is not directed at children. We do not knowingly process children's data. A published review may occasionally have been written by a minor; we process only what is public and never seek to identify any reviewer.

10. What we will never do

11. Changes

If we change this policy materially we will update the date above and, for clients, tell you by email before it takes effect. Prospects and clients are never retroactively opted into anything.

SIGNET is not a law firm. SIGNET OOD does not provide legal services or legal advice, and nothing in this policy is legal advice. Petar Menkov is a practising attorney admitted to the Sofia Bar Association and reviews published replies in his personal professional capacity as a quality and risk check; that does not create a lawyer–client relationship with SIGNET OOD or with him, and no communication with SIGNET is privileged.