1. Who we are
SIGNET OOD ("SIGNET", "we") — a limited liability company (дружество с ограничена отговорност) registered in Sofia, Bulgaria (EU). Our name is entered in the Bulgarian Commercial Register in Cyrillic as „СИГНЕТ" ООД; "SIGNET OOD" is the Latin transliteration of that same company. "OOD" is the Bulgarian equivalent of a UK "Ltd", a German "GmbH" or a Dutch "BV" — a company whose members are not personally liable for its debts.
| Company | SIGNET OOD — registered as „СИГНЕТ" ООД (Cyrillic, as entered in the Commercial Register) |
|---|---|
| ЕИК / company no. | Registration with the Bulgarian Commercial Register (Търговски регистър) is pending. This page will state the ЕИК as soon as it is issued. Until then, we can be identified and reached at the email below, and we answer to it. |
| Registered office | Sofia, Bulgaria. The full registered address is filed with the Commercial Register and will be published here on registration; we will provide it on request in the meantime. |
| Contact for all privacy matters | petar@signetreply.com |
We have not appointed a Data Protection Officer. Article 37 GDPR does not require one for our size and activity; privacy questions go to the address above and are answered by a managing partner.
2. Which hat we are wearing
This matters, because it decides your rights and who answers to you.
| Situation | Our role | What it means |
|---|---|---|
| You are a client. We answer reviews on your Business Profile. | Processor — you are the controller | We act only on your documented instructions. The reviews, the replies and your customers' data remain yours. We sign a Data Processing Agreement (Art. 28 GDPR) with every client before work starts. |
| You are a prospect. We emailed you about your public profile. | Controller | We decided to contact you, so the responsibility is ours. Your rights below apply to us directly. |
| You left a review on a client's profile. | Processor for that client | We may draft a public reply to your review on the business's behalf. See §6 — this one probably brought you here. |
3. What we collect, and why
3.1 Visitors to this website
Nothing. This site has no contact form, no analytics, no advertising, no tracking pixels and no cookies. The cost calculator runs entirely in your browser; the numbers you type are never transmitted to us and never leave your device.
fonts.googleapis.com, fonts.gstatic.com). That request
discloses your IP address to Google LLC before we know anything about you. We do not receive it and
cannot see it. We consider this a legitimate interest in presenting the site as designed (Art. 6(1)(f)),
but it is a real disclosure to a third country and you are entitled to know. We intend to self-host these
fonts and remove the request; until we have, this sentence stands.
3.2 Prospective clients (cold outreach)
If we contacted you, we hold: your business name, business address, business email, business phone, website, Google Business Profile URL, public rating and review count, publicly visible reviews on your profile, the name of a publicly listed owner or manager where shown, and our own notes on whether you look like a fit — plus a record of what we sent you and when.
Where we got it: the Google Places API, your public Google Business Profile, and your own website. All of it is published business information. We do not buy lists and we do not scrape private data.
Lawful basis: legitimate interest (Art. 6(1)(f)) — B2B outreach to a business about its own public profile, which Recital 47 recognises as capable of being a legitimate interest. We balanced this against your interests: we contact businesses rather than individuals, we write about something already public, we send few messages, and we stop permanently on request.
Retention: up to 24 months from last contact, then deleted. If you ask us to stop, we delete everything else and keep only your email address on a suppression list — indefinitely, and for the sole purpose of never contacting you again. That is legitimate interest too, and it works in your favour.
3.3 Clients
Contact details, billing details, the profile we manage, your brand-voice profile, reviews on your profile and the replies we draft, and our correspondence. Processed to perform our contract with you (Art. 6(1)(b)) and, for invoices and accounting records, to meet Bulgarian legal obligations (Art. 6(1)(c)).
Retention: for the life of the engagement, then 12 months, except accounting records which Bulgarian law requires us to keep for up to 10 years.
3.4 Reviewers (people who leave reviews on a client's profile)
We process the display name, star rating, review text and date that you chose to publish on Google. We do this as our client's processor, so that the business can reply to you publicly. We do not collect your email, your account, your purchase history or any information about you beyond your published review. We do not attempt to identify you.
4. Who we share it with
We do not sell personal data. We share it only with the following processors, each under contract:
| Who | What they get | Where | Transfer safeguard |
|---|---|---|---|
| Zoho Corporation (email) | Our email correspondence with you | EU data centre | Within EEA |
| Netlify (hosting) | Our operational tool and its stored records | USA | Standard Contractual Clauses |
| Google (Places API / Business Profile) | Business profile lookups; replies we publish for clients | USA | Standard Contractual Clauses |
| Anthropic (AI drafting) | Review text and brand-voice profile, to draft a reply | USA | Standard Contractual Clauses |
| SerpApi (optional review retrieval) | Public profile URLs | USA | Standard Contractual Clauses |
| Our accountant | Invoices and accounting records | Bulgaria | Within EEA |
We may also disclose data where legally compelled (court order, regulator, tax authority), and to a professional adviser bound by confidentiality where we need advice.
5. International transfers
Some processors above are in the United States. Those transfers rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. You can ask us for details of the safeguards for any specific transfer, and we will give them.
6. If you left a review and you want us to stop
You did not choose to deal with SIGNET — you reviewed a business. So this section owes you a straight answer.
We cannot delete your review. It lives on Google, not on our systems, and only you or Google can remove it. We have no power there and we will not pretend otherwise.
What we can do: the business's public reply is written by us on their instruction. If you object to how it is worded, write to petar@signetreply.com, tell us which business and which review, and we will raise it with them and delete our own working copy of your review text where we are not required to keep it.
Because we act as the business's processor, formal GDPR requests about your review are usually for them to answer as controller. Send it to us anyway — we will tell you who the controller is and pass it on, rather than leave you to find them.
7. Your rights
Under the GDPR (and the UK GDPR if you are in the United Kingdom) you have the right to:
- Access — a copy of the personal data we hold about you.
- Rectification — correction of anything inaccurate.
- Erasure — deletion, where we have no overriding reason to keep it.
- Restriction — tell us to hold it but stop using it.
- Portability — receive it in a machine-readable format.
- Object — including an absolute right to object to direct marketing. If you tell us to stop emailing you, we stop. There is no balancing test and we do not ask why.
Write to petar@signetreply.com. We answer within 30 days, free of charge. We will ask you to confirm your identity only where we genuinely cannot otherwise tell it is you — never as an obstacle.
Complaints
If we get it wrong, tell us first — we would rather fix it. You are entitled to complain to a supervisory authority regardless:
- Bulgaria — Commission for Personal Data Protection (КЗЛД), Sofia — cpdp.bg
- UK — Information Commissioner's Office — ico.org.uk
- Ireland — Data Protection Commission — dataprotection.ie
- Netherlands — Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
- Or the authority in your own EU country of residence.
8. Security
Access to our systems is restricted to the two managing partners and protected by a passphrase and provider-level authentication. API keys are held server-side and are never exposed to a browser. Email runs on Zoho's EU infrastructure with SPF, DKIM and DMARC enforced. Data in transit is encrypted (TLS).
We are a two-person company and we will not overstate this: we do not hold special-category data, we do not take payment card details on our own systems, and the personal data we handle is overwhelmingly information businesses have already published themselves.
9. Children
Our service is sold to businesses and is not directed at children. We do not knowingly process children's data. A published review may occasionally have been written by a minor; we process only what is public and never seek to identify any reviewer.
10. What we will never do
- Sell, rent or trade personal data.
- Write, post, solicit or incentivise fake reviews — for any client, at any price.
- Publish a reply in a client's name that the client has not approved, where our agreement requires approval.
- Use a client's data for anything other than the service they engaged us for.
11. Changes
If we change this policy materially we will update the date above and, for clients, tell you by email before it takes effect. Prospects and clients are never retroactively opted into anything.