Scrumling ("we", "us", the "Service") is operated by Sima Tech Ltd (Сима Тек ООД), a company registered in Bulgaria (UIC 206762842, VAT BG206762842), with registered office in Pernik, Bulgaria. Sima Tech Ltd is the data controller for personal data processed through scrumling.com in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Bulgarian data protection law.
1. What data we collect
We only collect what we need to run the course and improve it.
Account data
- Email address and display name (from sign-up or Google sign-in).
- Authentication identifiers issued by our auth provider.
Learning data
- Lessons you have completed and quiz attempts (score, pass/fail, timestamp).
- Language preference.
Technical data
- IP address and basic device/browser information for security and abuse prevention.
- Sign-in timestamps.
We do not knowingly collect data from children under 16. We do not process special categories of personal data (health, biometric, political opinions, etc.).
2. Why we process it (legal bases)
- Contract (Art. 6(1)(b) GDPR) — to create your account, deliver lessons, track progress, and issue certificates.
- Legitimate interests (Art. 6(1)(f) GDPR) — to keep the service secure, prevent abuse, and improve content.
- Consent (Art. 6(1)(a) GDPR) — for any non-essential cookies or marketing communications, where required.
- Legal obligation (Art. 6(1)(c) GDPR) — to comply with Bulgarian and EU law (accounting, tax, lawful requests).
3. Who we share it with (subprocessors)
We use a small number of trusted service providers under Data Processing Agreements. The current list of subprocessors is:
- Lovable (Lovable.dev, Inc.) — application build, deployment and hosting platform, and platform-level error reporting for the Scrumling web app.
- Supabase (Supabase, Inc.) — authentication, Postgres database and file storage, provisioned in the EU (Frankfurt) region via Lovable Cloud.
- Cloudflare, Inc. — global edge network, TLS termination, DDoS and bot protection for scrumling.com.
- Google Ireland Ltd. — optional "Sign in with Google" identity provider (only if you choose that sign-in method).
We do not currently use any third-party analytics, advertising, marketing-automation, session-replay or A/B-testing tools. We do not sell personal data and do not share it with advertisers. If we add a new subprocessor, we will update this list before it starts processing your data.
4. International transfers
We prefer EU/EEA hosting. Where a subprocessor processes data outside the EEA, transfers rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, adequacy decisions.
5. How long we keep it
- Account, progress and quiz records — for as long as your account exists. When you delete your account (or request erasure), we delete the records from the live database immediately and they are purged from encrypted database backups within 30 days.
- Authentication and sign-in logs (IP, timestamp, user-agent) — up to 90 days, then deleted.
- Edge / hosting security logs (Cloudflare bot and abuse protection) — up to 30 days.
- Platform error reports (uncaught errors captured by Lovable) — up to 90 days, used only for diagnosing bugs.
- Invoicing / accounting records — the Service is currently free, so we do not create any. If we introduce paid plans, invoice data will be kept for 10 years as required by Bulgarian accounting law and this policy will be updated first.
6. Your rights under the GDPR
Regardless of where you live in the EU/EEA, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data / be forgotten (Art. 17).
- Restrict or object to processing (Art. 18, 21).
- Data portability — receive your data in a machine-readable format (Art. 20).
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with a supervisory authority — in Bulgaria, the Commission for Personal Data Protection (CPDP), or the authority in your country of residence.
Send requests to privacy@simatech.bg. We respond within 30 days.
7. Security
We use encryption in transit (HTTPS/TLS), row-level access control on our database, managed authentication, and least-privilege service credentials. No online service is 100% secure; we notify affected users and the relevant supervisory authority of a personal data breach in line with Art. 33–34 GDPR.
8. Automated decision-making
Scrumling does not carry out automated decision-making or profiling that produces legal or similarly significant effects on you (Art. 22 GDPR).
9. Changes to this policy
We may update this policy to reflect changes in the service or the law. Material changes will be communicated on this page and, where appropriate, by email.