GDPR · Personal data protection

Privacy Policy

This page explains how helt processes personal data through the website, demo-booking flow, and platform access. Plain language, no invented “partners,” no decorative compliance theater.

Last updated: April 19, 2026

1. Data controller

The controller for your personal data is Helt DPK, a company registered in the Republic of Bulgaria.

For any questions about personal-data processing or to exercise your GDPR rights, write to us at office@heltgp.com.

2. What data we collect

The categories of data depend on how you interact with helt.

For demo bookings we process name, email, optional phone and practice name, the selected slot, and the consent record.

When a medical practice uses the platform, the practice remains the controller of patient data and helt acts as a processor under Article 28 GDPR.

When you simply browse the website, we keep only the minimum technical information needed for operation, security, and aggregated product analytics.

3. Purposes and legal bases

We use demo-form data to organize the meeting, send confirmation and calendar material, and continue the conversation you explicitly initiated.

The legal bases are consent, steps taken at your request before entering into a contract, legitimate interest for support and communication, and legal obligations where accounting or contractual relations require them.

We do not perform automated decision-making or profiling with legal effects for you.

4. The role of helt in relation to medical practices

For patient health data, the doctor or practice is the controller and helt provides the software infrastructure as a processor.

helt does not use patient data for advertising, data resale, or training models on special-category personal data for its own purposes.

5. Recipients and processors

Access is limited to a small number of employees and contracted processors needed for hosting, email delivery, video calls, and analytics.

We do not send data to ad networks, data brokers, or analytics platforms that reuse the information for their own purposes.

  • Hosting providers in the EU/EEA
  • SMTP provider for email delivery
  • Video meeting provider
  • Aggregated website analytics

6. Retention

Demo-booking data is retained for up to 12 months after the meeting unless the relationship moves into a contractual phase.

Customer data is retained for the term of the contract and any applicable legal retention periods. Patient data retention follows the controller’s instructions and Bulgarian healthcare law.

7. Transfers outside the EEA

As a default rule, we do not transfer personal data outside the European Economic Area.

If a technical service ever requires such a transfer, we rely on Standard Contractual Clauses and additional technical safeguards.

8. Your rights

You may have the right to access, correct, delete, or port your data, to restrict or object to processing, and to withdraw consent, where the law allows.

We answer requests without undue delay and generally within 30 days.

9. Security

We apply encryption in transit, encryption at rest, role-based access, audit trails, backups, and data-minimization principles.

Both the free core and the paid tier share the same security foundation.

10. Cookies and analytics

We use only the technical mechanisms needed for the website to function and for aggregated product analytics.

PostHog is configured without marketing-tracking cookies and with masking of form inputs.

11. Right to complain

If you believe we process personal data unlawfully, you can lodge a complaint with the Bulgarian Commission for Personal Data Protection:

  • Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
  • Phone: +359 2 915 3 518
  • Web: www.cpdp.bg

12. Changes to this policy

When we make material changes, we publish an updated version of this page and revise the date at the top.

If the change affects active customers, we also send an additional notice.