Privacy Policies
of URBO Studio



1.1.”GDPR” or “Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

1.2. “Employee” means a person who is in an employment relationship with the Personal Data Administrator.

1.3. “Data” or “Personal Data” means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is an individual who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.4. “Recipient” means the natural or legal person, government body, agency or other body to which the personal data is disclosed, whether or not it is a third party.

1.5. “Data Subject” or “Personal Data Subject” is any person whose personal data is processed by the Personal Data Controller.

1.6. “Processing” means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution or other way in which the data is made available, arranged or combined, restricted, deleted or destroyed;

1.7. “Processor of personal data” means a natural or legal person, public body, agency or other structure that processes personal data on behalf of the Controller;

1.8. “Controller” or “UPASS” means “UPASS” AD, EIK 207327088, registered at the address: Sofia 1124, Dobromir Hriz St. N3.

1.9. “URBO STUDIO Studio” means cloud-based technology software developed by UPASS for managing, booking and paying for events, services, activities, attractions and other services.

1.10. “Customer” means an entity or individual who uses or has used the URBO Studio Software and Services.

“End User” means a person who, through the URBO Studio Software, books and/or pays for a service provided by the Customer.

1.11. “Policy” means this Privacy Policy.

1.12. “Services” means access to the Software and use of all functionalities, depending on the selected monthly price plan, that the Customer can use.


2.1. In this Data Protection Policy (“Policy”), we provide information on who is the administrator of your data, what personal data we collect about you, why we collect it and what we do with it in an easy and understandable way. Personal data is any data with which we can directly or indirectly identify you.

2.2. This policy applies to the use of this website, namely: /“Website”/.

2.3. The data protection policy contains information about how we process your data when you interact with us through this Website and when:

Including visiting any of our web pages and sub-pages;

using our services and enter into a contract with us;

sending an inquiry;

interacting with us in any other way.

2.4. Your data is processed by “UPASS” JSC, entered in the Commercial Register at the Registration Agency with UIC 207327088 (“UPASS”).

2.5. As a personal data administrator, UPASS is guided by the following principles:

2.5.1. personal data are processed only if there is a legal basis for the processing;

2.5.2. personal data are processed only in connection with specific and clearly defined purposes;

2.5.3. only the minimum amount of data necessary to achieve the objectives of the previous point is processed;

2.5.4. UPASS takes reasonable measures to keep the personal data accurate and up-to-date, as well as for their timely deletion after the basis for processing ceases, except to the extent that there are archiving obligations in relation to UPASS;

2.5.5. personal data are processed in a way that ensures an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures;

2.6. The administrator is responsible and must be able to demonstrate compliance with the principles set out above.

2.7. The Administrator collects Personal Data for the purposes of identifying and communicating with the Clients, concluding, administering and executing contracts for the provision of services offered by the Administrator, conducting its own activity (direct marketing), exercising the legal obligations of the Administrator and preventing, establishing and investigation of all types of violations and abuses committed through illegal use of the services we offer and which may damage the interests of UPASS, its partners, customers or other persons.

2.8. This policy contains the basic principles and procedures for collecting, processing and storing personal data of the Clients on the URBO STUDIO platform, developed, maintained and provided by the Administrator for the purpose of managing, booking and paying for the Client’s services from end users. Before starting to use the platform and the services provided through it, you should carefully read and familiarize yourself with this policy. When registering a business profile on the platform, you will have the opportunity to consent to the processing of your data by the Administrator. Giving such consent binds you to the terms of this Policy.

2.9. The data subject is not entitled to use URBO STUDIO if he has not familiarized himself with the Policy and/or does not accept it. Therefore, before using the platform, the Administrator requires the Clients to agree to the Policy. In cases where the Client does not agree with the Policy or the relevant part thereof, he has no right to use URBO STUDIO and/or the services provided through the platform.

2.10. In order to consent to the processing of their data and to accept this Policy, Customers must be 18 years of age or an adult under the law of the country of which they are citizens. The Administrator may request identification data of the Clients to determine whether they are of legal age at the time of consent.

2.11. The URBO STUDIO platform provides services, the use of which requires the provision of data to third parties (for example, registration via a Facebook profile). The Administrator notifies the Clients in advance of the cases in which it may disclose their data to third parties, specifying who these persons are. Customers can review the applicable terms and data protection policies of these individuals at any time.

2.12. Before requesting consent for data processing, the Administrator provides the Data Subjects with the following information:

2.12.1. the data that identifies the administrator and the contact details for them and, where applicable, those of the administrator’s representative;

2.12.2. the contact details of the data protection officer, where applicable;

2.12.3. the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;

2.12.4. the types and categories of personal data for the processing of which consent is requested;

2.12.5. the recipients or categories of recipients of the personal data, if any;

2.12.6. where applicable, the controller’s intention to transfer the data to a third country or an international organisation, and the presence or absence of a Commission decision on the adequate level of protection or in the case of data transfer pursuant to Article 46 or 47 or Article 49(1) , second paragraph with a reference to the appropriate or applicable guarantees and the means of obtaining a copy of them or information on where they are available.

2.13. Data is stored for the periods specified for each type of personal data provided for in this Policy. Storage is carried out in accordance with the procedures provided for in the Policy.

2.14. Regardless of the provisions of the Policy, the Administrator has the right to provide personal data to public authorities when the data is requested by these authorities in the exercise of their powers (e.g. the authorities of the Ministry of Internal Affairs, the investigation, the prosecution or the court for the purposes of administrative, civil, criminal proceedings as evidence or in other cases established by law).


3.1. In order to provide the use of the services, the Administrator processes the following Data of the Customers and the contact persons indicated by them:

Legal entity or the three names of a natural person


FLP(financially liable person) and address of registration

Mailing address

Phone number

E-mail address

Bank account IBAN

3.2. For the provision of the Services to End Users, the Administrator processes the following Data of End Users:

First Name;

Last Name;


Email address;

Phone number;

Bank or other payment card data;

Public profiles of the Client in social networks.

3.2. For the purposes of direct marketing, the Administrator may process the following Customer Data:

First Name;

Last Name;

Email address;

Phone number;

Contact address.

3.3. In order to receive offers for the services provided by the Administrator, the Client must consent to the processing of his data for direct marketing purposes. This consent may be given at the time of registration or at any time thereafter by the Customer logging into their personal profile and selecting a feature to receive marketing communications.

3.4. The data specified in item 3.2. and 3.3., are received directly from the Customer. In cases where the Client is a legal entity, he can provide the Administrator with data of his employees. In these cases, the Client is obliged to notify his employees about the data provided to UPASS and to provide UPASS with contact details of the natural persons – Subjects of the personal data, so that UPASS can provide them with information, according to the requirements of the Regulation.

3.5. The legal grounds for processing personal data are:
– Art. 6, paragraph 1, letter a) of the Regulation (the Client’s consent to the processing of personal data for one or more specific purposes);
– Art. 6, paragraph 1, letter b) of the Regulation (processing necessary for the performance of a contract);
– Art. 6, paragraph 1, letter f) of the Regulation (necessary for the purposes of the legitimate interests of the controller or a third party).

3.6. The administrator processes the personal data of customers for the following purposes:

3.6.1. identification of the Clients;

3.6.2. signing, administration and execution of contracts for the provision of the Services offered by UPASS;

3.6.3. communication and sending notifications to the Clients related to the use of the Services;

3.6.4. ensuring the normal functioning and use of URBO STUDIO by each Client;

3.6.5. maintaining and administering the Services, including detecting and resolving technical or functionality issues, developing and improving the Services;

3.6.6. receiving and processing received signals, complaints or requests of Customers or End Users;

3.6.7. direct marketing (notifying Customers of changes in services, launching new services, etc.)

3.6.8. resolving disputes between Customers, Customers and End Users or between a Customer and the Administrator;

3.6.9. prevention, detection and investigation of all types of violations and abuses committed through illegal use of the Services offered by us, the Services offered by our Customers and which may damage the interests of UPASS, its partners, customers or other persons;

3.6.10. Compliance with legal obligations of the administrator.

3.7. For those described in item 3.7. purposes it may be necessary to process some or all of the above categories of Data.


4.1. In order to ensure the payment functionality of the Services, the Administrator collects data on the payment cards used by the End Users. These data are entered directly into the system of the payment operator selected by the Client for payment processing. UPASS offers the possibility to pay for services through the following payment operators:

“First Investment Bank” JSC, registered in the Commercial Register of the Republic of Bulgaria with UIC 831094393 (FIB). Information on the General Terms and Conditions and the Privacy and Data Protection Rules of FIB can be found on FIB’s website (

“EPAY” JSC, registered in the Trade Register of the Republic of Bulgaria with UIC 131409398 (Epay). Information on the General Terms and Conditions and the Privacy and Data Protection Rules of Epay can be found on the company’s website (

“Borica” JSC, registered in the Commercial Register of the Republic of Bulgaria with UIC 201230426 (Borica). Information on the General Terms and Conditions and the Privacy and Data Protection Rules of Borica can be found on the company’s website (

“DSK Bank” JSC, registered in the Commercial Register of the Republic of Bulgaria with UIC 121830616 (DSK). Information on the General Terms and Conditions and the Privacy and Data Protection Rules of DSK can be found on the company’s website (

“TBI Bank” JSC, registered in the Commercial Register of the Republic of Bulgaria with UIC 131134023 (TBI). Information on TBI’s General Terms and Conditions and Privacy and Data Protection Rules can be found on the company’s website (

Stripe, Inc. registered in the territory of San Francisco, USA under company number US22939338 (Stripe). Information on Stripe’s Terms and Conditions and Privacy and Data Protection Policy can be found on the company’s website (

VIVA PAYMENT SERVICES SINGLE MEMBER S.A., registered on the territory of the Republic of Greece with TIN 997671771 (Vivawallet). Information on Vivawallet’s Terms and Conditions and Privacy and Data Protection Policy can be found on the company’s website (

4.2. The administrator uses servers owned by Amazon Web Services Inc (“Amazon”), located in the European Union, on the territory of the Federal Republic of Germany, to store the personal data. The data is stored in encrypted form, so Amazon cannot read it. More information about Amazon’s security and data protection policy can be found at

4.3. Data disclosure ceases at the moment of withdrawal of the Customer’s consent. Within 3 days after that moment, UPASS notifies the Recipients of the withdrawal of consent and the need to delete the data disclosed by UPASS, unless the Recipient processes the same data on another legal basis.

4.4. The Administrator concludes agreements with all Recipients, in which they guarantee the provision of the required level of data protection according to the Regulation.


5.1. UPASS can process data on behalf of third parties – Service Providers. In these cases, UPASS acts as a personal data processor within the meaning of Art. 4, item 8 of the Regulation.

5.2. In the cases under this point, the third parties – Service Providers/Clients, are responsible for complying with their obligations as administrators of personal data and for applying the required level of data protection.

5.4. The data under this point may also include such data that UPASS does not process in its capacity as Administrator, for example data on the health status of users or other special categories of personal data. Such data are processed only after the express consent of the Data Subjects.


6.1. The administrator stores the personal data of the Clients until they have a registered profile in the URBO STUDIO system.

6.2. The data is corrected or deleted at the moment of performing the corresponding action by the Customer in the settings of his profile in URBO STUDIO. Correcting or deleting the data and their backup copies from the servers used by UPASS may take technological time according to the server owner’s policy, but no more than 30 days after the request by the Customer by performing the action on the Customer’s side.

6.3. In the event that, on the date of account deletion, the Client has an unresolved dispute with UPASS regarding the payment of due amounts or compensation for damages, the data is stored for a period of 3 months after the final resolution of the dispute with a written agreement or an effective court decision.

6.4. In the event that an investigation is conducted against the Client to establish abuse or a violation by competent authorities and UPASS is notified of the investigation by the relevant authorities, the data is stored for a period of 3 months after the final completion of the investigation.

6.5. After the expiration of the described terms, the personal data is destroyed by the Administrator in a way that does not allow their restoration and/or reproduction.

6.6. The data processed by UPASS on behalf of third parties are processed by these persons under the conditions and within the terms determined by them.


7.1. The Data Subject has the right to exercise the following rights under the Regulation:

7.1.1. Right to be informed – to receive information about what data related to him is being processed by the Administrator, for what purpose, for what period it is stored and to whom it is provided;

7.1.2. Right of access – to receive a copy of the related personal data processed by the Administrator;

7.1.3. Right to erasure, if any of the requirements of Art. 17, paragraph 1 of the Regulation;

7.1.4. Right to rectification – to request the controller to correct inaccurate personal data relating to him without undue delay;

7.1.5. Right to restriction of data processing, in the cases described in Art. 18, paragraph 1 of the Regulation;

7.1.6. Right to data portability – to receive the personal data concerning him and which he has provided to an administrator in a structured, widely used and machine-readable format and to transfer this data to another administrator;

7.1.7. Right to object to the processing of personal data relating to him which is based on Article 6, paragraph 1(e) or (f), including profiling based on said provisions;

7.1.8. Right not to be subject to a decision based solely on automated processing.

7.2. When exercising the rights specified in item 6.1., the Administrator fulfills his obligations according to the regulation in the following terms, counting from the receipt of a request submitted by a data subject: Request from the data subject Period Right to information 14 days Right to access 14 days Right to correction In the user profile – immediately On the servers used by UPASS – the technological time required for the correction, but no more than 30 days Right to deletion In the user profile – immediately On the servers used by UPASS – the technological time required for the deletion, but not more than 30 days. Right to restriction of processing 3 days, Right to data portability 14 days, Right to object 14 days.

7.3. The exercise of the Data Subjects’ rights described above is free of charge.

7.4. When the requests of a Data Subject are manifestly unfounded or excessive, in particular due to their repetition, the Administrator has the right to reasonably refuse to take action on the Subject’s request or to impose a reasonable fee taking into account the administrative costs of providing the information or communication or undertaking of the requested actions.

7.5. Requests to exercise the rights of the Data Subjects according to the Regulation shall be submitted to the data protection officer, and when no one has been designated – to the person specified in item 11.1.

7.6. In order to verify the validity of the request and to protect the personal data of third parties, the Administrator may request names, social security number and identity document number of a Data Subject when submitting a request to exercise his rights under the Regulation for the purposes of identification of the Data Subject. These data are stored by the Administrator for a period of 1 year from the submission of the relevant request to exercise a right and can be used solely for the purposes of identifying the Data Subject in the event of a report of a violation or abuse committed by him in connection with the submitted request.

7.7. The Administrator shall notify any Recipient to whom the personal data has been disclosed of any rectification, deletion or restriction of processing, unless this is impossible or requires a disproportionately large effort. The Administrator informs the data subject about these Recipients if the data subject so requests.


8.1. In the event that it appoints a Data Protection Officer, the Administrator shall notify the Data Subjects of this fact, indicating the contact details of the officer.

8.2. The Data Protection Officer has the rights and obligations described in the Regulation and Policy, as well as in the job description, if the person is an employee of the Administrator, or in the service contract, if the person performs the position under a contract for the provision of services.


9.1. If the employees of the Administrator having the right to access the data notice violations of data security (inaction or actions by persons that may lead to or have led to a risk to data security), they immediately notify the Administrator and those designated by him contact persons as well as the Data Protection Officer, if any.

9.2. The Administrator makes decisions on the necessary measures to remedy the data security breach and its consequences, as well as to notify the affected persons, when applicable, taking into account the risk factors for a data security breach, the degree of impact of the breach, the possible damages and consequences thereof.

9.3. When applicable, the Administrator shall notify the Commission for the Protection of Personal Data immediately, but no later than 72 hours after the violation has been detected, indicating:

9.3.1. a description of the nature of the personal data breach, including, if possible, the categories and approximate number of affected data subjects and the categories and approximate amount of affected personal data records;

9.3.2. a contact person from whom more information can be obtained;

9.3.3. description of the possible consequences of the personal data security breach;

9.3.4. a description of the measures taken or proposed by the administrator to deal with the breach of personal data security, including measures to reduce possible adverse consequences.

9.4. In the cases under the preceding point, the Administrator shall notify the affected Data Subjects of the security breach without undue delay, but no later than one week after the breach has been discovered.

9.5. When the range of affected subjects cannot be established, the Administrator shall notify those Data Subjects most likely to be affected by the breach.

9.6. In the cases under the previous point, as well as when the notification of the affected subjects would lead to a disproportionate effort, the Administrator makes a public announcement or takes another similar measure so that the Data Subjects are equally effectively informed.


10.1. The organizational and technical data security measures implemented by the Administrator ensure a level of security that corresponds to the nature of the data processed by the Administrator and the risk of data processing, including, but not limited to, the measures specified in this section.

10.2. Personal data security measures include at least:

10.2.1. Administrative measures (establishing a procedure for the security of documents and computer data and their archives and organization of work in various spheres of activity, training of the personnel currently employed and upon leaving work / dismissal, etc.);

10.2.2. Technical and software protection (administration of servers, information systems and databases, support of workplaces, protection of operating systems, monitoring (control) of user access, protection from computer viruses, encryption of the memory of the devices on which personal information is stored data, etc.);

10.2.3. Contractual measures (conclusion of contracts or agreements with all Data Recipients and persons who may gain access to personal data in connection with the provision of services to the Administrator to ensure that these persons apply a level of personal data protection consistent with the requirements of the Regulation);

10.3. The Administrator introduces a procedure for restoring Personal Data in case of accidental data loss. The Administrator makes backup copies of the data available in the system. Data is retrieved according to the internal procedure using Amazon Web Services software from the backup libraries. In case of justified deletion of Personal Data, the stored backup copies are also deleted within 30 days of doing so.

10.4. The measures guaranteeing the security of personal data, which the Administrator applies, include:

10.4.1. Use of VPN technology for remote connection to the Administrator’s internal network;

10.4.2. Use of a digital certificate to identify users accessing the Administrator’s database;

10.4.3. Registration of access to Personal Data processed by the Administrator, including login identifier, date, time, duration, login result (successful, unsuccessful). These records are kept by the Administrator for at least 1 (one) year from the date of the relevant access;

10.4.4. Use of security protocols and/or passwords when providing personal data via external data transfer networks;

10.4.5. Control over the security of personal data on external data carriers and e-mail and their deletion after use, by transferring them to the Administrator’s databases;

10.4.6. Recording of actions to restore personal data (when, who and by what means performed the actions);

10.5. Personal data collected in electronic form are not printed and stored on paper, except when this is expressly requested by the Data Subject or by a public authority within its competence or is necessary to comply with an obligation of the Administrator under the Regulation or national legislation.


11.1. For more information about the personal data processed by the Administrator, the Regulation and the Policy, as well as for exercising the rights of the Subjects of personal data according to the Regulation, the Administrator designates the following contact person: Andrey Rumenov Lilov

Email:, Tel. 0700 70 270


12.1. The policy can be amended by the Administrator in case of changes in the scope of the processed data, the purposes and methods of their processing, changes in the legal acts regulating the processing of personal data, or for other reasons.

12.2. The policy and amendments to it come into force from the date of their acceptance and publication on the Internet in a way that makes them available to URBO STUDIO users.

12.3. The Administrator shall notify the Data Subjects of any amendment to the Policy. Insofar as it is a unilateral act of the Administrator, express consent to it may not be required. When the amendment of the Policy is related to a change in the scope of the processed data, the purposes or methods of their processing, the Administrator requires the prior consent of the Data Subjects. In cases where the processing is necessary to provide the Services of the Administrator through the URBO STUDIO platform, the consent of the Data Subjects may be a mandatory condition for granting access to the Platform.

12.4. In cases where they believe that there is a violation of the regulations in the field of personal data protection, Data Subjects can file a complaint with the Commission for Personal Data Protection. More information can be found at

12.5. The Administrator is not responsible for the accuracy of the data provided by the Clients, does not carry out checks in this sense and does not guarantee the actual identity of the individuals who provided the data. In all cases of doubts on the part of the Data Subjects, of detected fraud and/or abuse, they have the right to notify the Administrator, without this affecting their rights to report to the competent public authorities.

12.6. Customers are responsible for their violations of the rights of others in connection with the protection of their personal data or other rights of theirs.


Be the first to learn about the latest trends in your industry

Sign up for our email newsletter