Privacy Policy

Version 0.2
Last updated: 6 May 2026

  1. Data Controller

     The controller of your personal data is:

     • Company name: [Company Name Ltd]
     • Registration number: [HE xxxxxx]
     • Address: [Full registered address in Cyprus]
     • Contact email: [contact@example.com]
     • DPO email (if applicable): [dpo@example.com]

  2. Data We Collect

     2.1 Data you provide

     • Identification: first name, last name
     • Contact details: email, mobile phone number
     • Account details: username, password (stored hashed with bcrypt/argon2)
     • Company details (when registering as a legal entity): name, VAT number, address

     2.2 Data collected automatically

     • Device ID (IDFA on iOS / GAID on Android) — only with your consent
     • Device type, operating system and app version
     • IP address (for security and fraud prevention)
     • Usage logs: timestamps, pages/screens visited, actions (only with analytics consent)

  3. Purposes and Legal Basis for Processing

     | Purpose | Data | Legal basis |
     |---|---|---|
     | Account creation and management | Name, email, password | Article 6(1)(b) — Performance of contract |
     | Provision of app services | Account and usage data | Article 6(1)(b) — Performance of contract |
     | Sending marketing emails / SMS | Email, phone, name | Article 6(1)(a) — Consent |
     | Profiling and personalisation | Behaviour data, preferences | Article 6(1)(a) — Consent |
     | Security and fraud prevention | IP, device ID, logs | Article 6(1)(f) — Legitimate interest |
     | Compliance with legal obligations | All of the above where required | Article 6(1)(c) — Legal obligation |

  4. Retention Period

     • Account data: for as long as you maintain an active account + 12 months after deletion
     • Marketing data: until consent is withdrawn or 24 months of inactivity
     • Security logs: 12 months
     • Billing data: 6 years (Cyprus tax obligation)

  5. Recipients of the Data

     Your data may be shared with:

     • Processors (cloud hosting providers, e.g. AWS, Google Cloud)
     • Email/SMS providers (e.g. SendGrid, Twilio)
     • Analytics providers (only if you have given consent)
     • Public authorities, where there is a legal obligation

     All of the above are bound by Data Processing Agreements (DPA) under Article 28 GDPR.

  6. Transfers Outside the EU

     Where your data is transferred outside the European Economic Area (e.g. to US-based servers), this is done on the basis of Standard Contractual Clauses (SCCs) of the European Commission or to countries with an adequacy decision.

  7. Your Rights

     Under the GDPR, you have the following rights:

     • Right of access (Article 15)
     • Right of rectification (Article 16)
     • Right to erasure / "right to be forgotten" (Article 17)
     • Right to restriction of processing (Article 18)
     • Right to data portability (Article 20)
     • Right to object (Article 21)
     • Right to withdraw consent at any time (Article 7(3)) — withdrawal does not affect the lawfulness of processing prior to it
     • Right not to be subject to automated decision-making (Article 22)

     To exercise your rights: [privacy@example.com]

     Right to lodge a complaint with the supervisory authority: Office of the Commissioner for Personal Data Protection of Cyprus, www.dataprotection.gov.cy.

  8. Security

     We apply the following technical and organisational measures:

     • Data encryption at rest (AES-256) and in transit (TLS 1.3)
     • Password hashing with bcrypt/argon2
     • Role-based access control (RBAC)
     • Regular backups and disaster recovery procedures
     • Annual security audits and penetration testing

  9. Data Breach

     In the event of a data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and within 72 hours (Articles 33–34 GDPR).

  10. Amendments

      We reserve the right to amend this Privacy Policy. Material changes will be notified through the application or by email at least 30 days before they come into effect.

Document hash: a5730363907ec709d5e398350f6fcd166fce68c40212b9be88254b21bdb98a10