Privacy Policy
Effective 12 May 2026
This Privacy Policy explains how MTK Trade LTD (trading as “Zendo”, “we”, “us”, or “our”) collects, uses, stores, and discloses personal data when you access or use the Zendo platform, available at zendomedics.com and any successor domain (the “Platform”).
1. Who we are
Zendo is an online marketplace that connects medical professionals (“Medics”) with event organizers (“Organizers”) who wish to engage them for events. We act as the data controller for personal data processed through the Platform under Regulation (EU) 2016/679 (GDPR) and the Bulgarian Personal Data Protection Act.
2. Personal data we collect
2.1 Data you provide directly
- Account data: full name, email address, mobile telephone number, the city you are based in (town name and its approximate latitude/longitude), password (stored as a salted hash by our authentication provider), and selected role (Medic or Organizer).
- Communication preferences: your choices about whether we may contact you by email and/or SMS/phone notifications about activity on the Platform.
- Profile data: biography, avatar image, professional credentials, specialties, and availability windows you choose to publish.
- Event data: event titles, descriptions, locations, dates, required skills, applications you submit, and messages exchanged through the Platform.
- Ratings and reviews: ratings and free-text reviews you submit about other users after completed events.
- Verification documents (Medics only): images and PDF files (e.g., diplomas, professional licences, certifications, ID documents) that Medics upload during account signup and any subsequent re-submission so that our administrators can perform a basic admission review of the account. These files are stored privately and are not displayed on a Medic's public profile or shared with Organizers. Once the admission review concludes — either with an approval or a rejection — the verification documents are deleted from our storage. Documents are only retained while the review is in progress or while we have requested additional documents from the Medic.
- Communications: emails or messages you send us (e.g., support requests), and any notes our administrators record in the course of an admission review (e.g., when requesting additional documents).
2.2 Data collected automatically
- Device and log data: IP address, browser type, device identifiers, pages viewed, referring URLs, timestamps, and basic diagnostic information generated by our hosting and analytics providers.
- Cookies and similar technologies: session cookies used to keep you signed in and to remember language preferences. We do not use advertising or cross-site tracking cookies.
2.3 Data collected by payment processors
Payments are processed by Stripe Payments Europe, Ltd. We never receive or store your full payment card number, CVC, or banking credentials. Stripe provides us only with a transaction identifier, the last four digits of the card, the card brand, the billing country, and the success/failure status of the charge.
3. How we use personal data
- To create and operate your account on the Platform.
- To perform a basic administrative admission review of Medic credential documents before granting access to marketplace functionality, and to communicate the outcome of that review (approval or a request for additional documents).
- To enable Medics and Organizers to find, contact, and engage one another.
- To process payments and issue receipts for Platform fees.
- To send you service notifications: transactional emails (account verification, password reset, application status, receipts) and, where you have opted in, SMS or other phone notifications about relevant Platform activity (you can turn these off at any time in your profile settings). Your telephone number is used to contact you and is not shown on your public profile or shared with other Users.
- To enforce our Terms & Conditions, prevent fraud or abuse, and investigate violations.
- To comply with legal obligations, including accounting, tax, and response to lawful requests by public authorities.
- To improve the Platform's reliability, security, and user experience.
4. Legal bases for processing (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)) — to provide the Platform's core functionality once you register.
- Legitimate interests (Art. 6(1)(f)) — to secure the Platform, prevent abuse, and provide aggregated analytics.
- Legal obligation (Art. 6(1)(c)) — to retain accounting records and respond to lawful authority requests.
- Consent (Art. 6(1)(a)) — for optional communications you opt into, such as marketing emails and SMS/phone notifications. You may withdraw consent at any time in your profile settings.
5. Sharing and disclosure
We do not sell personal data. We share data only with the following categories of recipients, and only as needed:
- Other Platform users. Your public profile (name, role, city, credentials you publish, ratings) is visible to other authenticated users. Organizers see Medics' applications and contact information needed to coordinate an event; Medics see Organizers' event details. Verification documents uploaded by Medics for the admission review are never shown to Organizers or to any other User — only Zendo administrators reviewing the account may view them.
- Service providers (data processors) acting on our instructions under written data-processing agreements:
  - Supabase (database, authentication, file storage) — hosted in the EU.
  - Vercel (application hosting and edge delivery).
  - Stripe (payment processing).
  - Google Maps Platform (geocoding and map tiles, when you use location features).
- Legal and regulatory authorities when required by law, court order, or to enforce our Terms.
- Acquirers in the event of a merger, acquisition, or asset sale, subject to equivalent privacy protections.
6. International transfers
Some of our processors may transfer data outside the European Economic Area (e.g., Stripe and Google operate global infrastructure). Where this happens, transfers are protected by the European Commission's Standard Contractual Clauses or an adequacy decision.
7. Data retention
- Account and profile data: kept while your account is active. Deleted (or anonymised) within 30 days of account closure, except where longer retention is required by law.
- Verification documents (the actual files): retained only while the admission review is in progress (status “pending”) or while we have requested additional documents from the Medic (“changes requested”). Files are deleted immediately once the review concludes — whether the outcome is approval or rejection. Files are also deleted within 30 days of account closure.
- The audit log of the admission review (admin notes, the rejection/approval decision, timestamps, the reviewing admin): retained for the lifetime of the account and for up to 3 years after account closure, so that we can demonstrate why an admission decision was made if challenged. The actual document files are not kept as part of this audit log.
- Payment and accounting records: kept for the period required by Bulgarian accounting and tax law (currently 10 years from the end of the relevant fiscal year).
- Event and rating data tied to other users may be retained in pseudonymised form to preserve the integrity of public reputation scores after your account is closed.
- Backup copies are kept for up to 30 days and then overwritten.
8. Your rights (GDPR Chapter III)
Subject to the conditions set out in the GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Request correction of inaccurate or incomplete data (Art. 16).
- Request erasure of your data (“right to be forgotten”, Art. 17), subject to legal retention exceptions.
- Restrict or object to certain processing (Art. 18 and 21).
- Receive a portable copy of data you provided (Art. 20).
- Withdraw consent at any time, where consent is the legal basis.
- Lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP, cpdp.bg) or your local supervisory authority.
To exercise any of these rights, email mtk-trade@abv.bg from the address associated with your account. We respond within 30 days as required by law.
9. Security
We use industry-standard technical and organisational measures: HTTPS encryption in transit, encryption at rest for our database, hashed passwords, role-based access controls, and row-level security on sensitive tables. No system can be guaranteed completely secure; if a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify you and the supervisory authority in line with Art. 33–34 GDPR.
10. Children
The Platform is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us so we can delete it.
11. Cookies
We use only strictly necessary cookies (authentication session, language preference, CSRF protection). These cookies do not require consent under the ePrivacy Directive. If we introduce analytics or marketing cookies in the future, we will request your consent via a banner before setting them.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to your registered address and through a notice on the Platform at least 14 days before they take effect.
13. Contact
Questions, requests, or complaints? Contact us at mtk-trade@abv.bg.
Postal address: MTK Trade LTD, bul. Maria Luiza 105, Sredets District, Sofia 1202, Bulgaria.