
Privacy Policy - A Clear Guide to Data Protection and Compliance
Review your privacy policy every 90 days to ensure it accurately reflects how we collect, use, and share data across our services.
Maintain a processing activities inventory that documents data categories, purposes, lawful bases, recipients, cross-border transfers, and retention periods. This transparency helps teams align with policy and keeps audits straightforward.
Data minimization and purpose limitation guide what we collect and why. We store only what is strictly necessary for the intended purposes and configure defaults to limit optional data collection.
Provide clear rights handling for users to request access, correction, deletion, portability, and objection. Respond within 30 days, and escalate on complex requests.
Security controls include encryption in transit (TLS 1.2+) and at rest (AES-256), multi-factor authentication for administrators, and role-based access control. Conduct quarterly audits and timely patch management to reduce exposure.
Consent and contracts: document every instance of data collection that relies on consent, allow withdrawal at any time, and maintain data processing agreements with every external processor handling our data.
Breach response plan: define detection workflows, notify authorities within 72 hours where required, and inform affected users when risk is high. Maintain incident logs and conduct post-incident reviews within 30 days.
Retention and disposal: establish retention schedules, automate deletion once retention periods end, and securely purge backups. Review storage holdings at least twice a year to avoid retaining unnecessary data.
Governance: appoint a privacy lead or data protection officer, provide annual training for staff, and require DPIAs for high-risk processing projects. Maintain an auditable trail to support accountability.
What Information Do We Collect and Why?
Review your account settings to understand what we collect and why, so you can control permissions and protect your privacy. This information is collected to protect you and to improve our services.
What information we collect
- Personal information: Name, email address, phone number, profile picture, and user ID. This data is intended to identify you and manage access, and we ensure our services are working smoothly for you.
- Usage data: Pages visited, features used, searches, and engagement timestamps. We collect this to improve reliability and performance, and to tailor your experience.
- Device and connection data: IP address, browser type, operating system, language, time zone, and device identifiers. This helps us deliver content accurately and detect issues.
- Location data: Approximate location from IP or explicit user-provided location. This enables localized features and faster support.
- Payment information: Tokens from payment processors, subscription details, and last four digits. We do not store full card numbers; tokens and references are used to process payments securely.
- Communications: Messages to support, feedback, and survey responses. We retain these to resolve issues and improve our services.
- Cookies and tracking technologies: Identifiers and analytics data to analyze site usage and services performance. You can manage preferences to control collection.
Why we collect
- To deliver and operate our services: Provide access, maintain features, and support your needs.
- To personalize your experience: Recommend content and adjust layouts based on usage.
- To protect you and our systems: Detect fraudulent activity, enforce policies, and maintain security.
- To analyze and improve: Run analytics to understand engagement, reliability, and growth.
- To comply with laws and contracts: Retain records as required and respond to lawful requests.
- To communicate: Inform you about updates, maintenance, and important notices related to your account and services.
You can exercise control by reviewing and updating your data in settings, exporting a copy, or requesting deletion. You may adjust cookie preferences and contact our privacy team with requests or questions.
How Long Is Information Stored and How Can It Be Deleted?
Set a 30-day window for deleting personal data after a deletion request and enable one-click deletion in your account settings to give users direct control.
Our policy is intended to balance privacy with usability. Data stored by our services is kept only as long as needed to operate the service, process requests, and comply with legal obligations. We review retention settings regularly to reduce risk and improve security, and our processes are designed to work reliably across all parts of our system.
Retention periods by data type
Personal data such as identifiers and contact details are deleted within 30 days after a deletion request or account closure, unless a longer period is required to complete a specific transaction or comply with a lawful obligation.
Billing and transactional records are retained for seven years to satisfy tax, auditing, and regulatory requirements; when possible, data is minimized and access is restricted during this period.
Usage data and analytics are kept in a form that supports service improvements; raw logs may remain for up to 90 days, while anonymized aggregates are retained longer only if needed for safety and performance tracking.
Backups contain data for up to 90 days in encrypted storage; after the retention window, backups are purged and new backups do not include the deleted content.
How deletion works
Users can initiate deletion through account settings or by contacting support. Once confirmed, the deletion process starts and completes within 30 days, removing data from active systems and purging it from related services.
During the process, data may be deactivated in working environments to prevent further use, and any data retained in backups is handled according to the retention rules. You will receive a confirmation when deletion is finished, along with a summary of what was removed.
What Are the Purposes and Legal Bases for Processing?
Define every processing purpose and attach a legal basis before collecting data.
As you document your practices, ensure the objectives are clear, limited to what is necessary, and aligned with user expectations. Our intended processing activities are mapped to lawful bases, and the working policy emphasizes transparency, minimization, and accountability. This mapping helps users understand why data is used and what controls apply.
To implement effectively, follow these steps: identify data categories, specify purposes, assign legal bases, set retention periods, and provide notice in plain language. Make consent genuinely voluntary, and document revocation options so users can withdraw at any time.
Mapping Purposes to Legal Bases
| Purpose | Legal Basis | Data Collected | Retention | Notes |
|---|---|---|---|---|
| Account creation and management | Contract performance | Email, username, password, profile data | Until account deletion; backups up to 90 days | Ensures secure access and customer support |
| Payment processing and order fulfillment | Contract performance | Payment method, billing address, order history | 7 years | Supports financial compliance and traceability |
| Fraud prevention and security | Legitimate interests | Usage data, IP, device IDs, transaction metadata | 6-24 months | Balanced against user rights and data minimization |
| Marketing communications (with consent) | Consent | Email, preferences, interactions | Until consent withdrawn | Easy opt-out and accurate preference management |
| Legal compliance and regulatory obligations | Legal obligation | Account records, communications, tax data | As required by law (6-7 years common) | Includes handling of data subject requests |
What Security Measures Protect Your Information and What If a Breach Occurs?
Enable two-factor authentication for all services now to add a critical layer of protection. The measures below describe how we protect your data.
We encrypt data at rest with AES-256 and in transit with TLS 1.2+, and we salt and hash passwords with bcrypt. Access controls rely on RBAC, MFA for sensitive actions, and strict session management to limit exposure. Our systems are monitored 24/7 by automated analytics that trigger alerts on anomalous behavior.
We segment networks, deploy a Web Application Firewall (WAF), and maintain IDS/IPS, continuous patching, and vulnerability management. Critical vulnerabilities are addressed within 24 hours; external penetration tests occur quarterly, and annual SOC 2 Type II audits verify controls.
Backups are encrypted and stored across multiple regions with an RTO of 4 hours and an RPO of 60 minutes. We retain logs for 12 months to support investigations, compliance needs, and service improvements. Our data handling minimizes personal data on a need-to-know basis and uses pseudonymization where feasible.
If a breach occurs, our incident response team works to contain the incident and notifies affected users within 72 hours, along with clear guidance to reset credentials and monitor accounts. We publish breach updates through our status page and provide personalized assistance via our privacy portal.
To help us protect your information, enable MFA, review account activity weekly, enable alerts, and keep your devices updated. Use strong, unique passwords and avoid reusing credentials across services. If you notice unusual activity, report it through our support channels immediately so we can respond quickly.
Who Do We Share Information With and How Do We Vet Third-Party Processors?
We share information only with trusted service providers that help deliver our services and ensure reliable operations. Before sharing, we map which data is needed and verify that partners operate under clear, enforceable instructions. We require that they access data only as needed to perform their tasks and that they process it only for the agreed purposes.
Vet third-party processors with a formal workflow: identify categories of recipients, assess risk, verify security controls, and confirm subprocessor access. We check that vendors maintain encryption in transit and at rest, limit access, and have breach notification processes.
Data Processing Agreements spell out roles, data handling, and security measures. They cover data minimization, retention periods, deletion on contract termination, subprocessor rules, cross-border transfers with safeguards, and liability for violations.
Monitoring and audits: We conduct annual reviews, require attestations, and monitor incident reports. We require notifications within a defined window and verify evidence of controls. We maintain a current list of subprocessors and update customers when a change occurs.
Practical steps for customers: ask for the DPA, verify subprocessors, check data retention, and understand data subject rights support. If a vendor cannot provide clear documentation, switch providers.
What Rights Do You Have and How to Exercise Them (Access, Deletion, Objection)?
Submit an access request directly from your account dashboard or email [email protected] to start. We respond within 30 days, and you will receive a copy in CSV or JSON with categories, sources, and recipients. This policy is designed to give you control and to keep our services clear and usable.
Your rights at a glance
- Access: You may view the data we store about you, including profile details, activity logs, and any information you provided in forms.
- Deletion: You may request removal of data from active systems, subject to legal obligations and legitimate business needs.
- Objection: You may object to processing, including direct marketing or processing based on our legitimate interests.
We will honor valid requests that do not conflict with these obligations.
How to exercise each right
Access requests: verify your identity with a minimal set of identifiers (name, email, account ID) and submit through your account or [email protected]. We deliver a data export in your preferred format within 30 days and provide a summary of purposes, categories, and recipients.
Deletion requests: confirm identity, specify the data or scope to delete, and we will remove it from active systems within 30 days, except where retention is required by law or to complete a transaction. You will receive confirmation once the deletion is completed; data in backups may be purged within a subsequent period according to our retention policy.
Objection requests: describe the processing you object to and whether you prefer immediate cessation or temporary pause. We will pause processing during review and respond within 30 days; if we determine a valid reason to continue, we will notify you and provide the rationale. You can also update preferences in your account to stop marketing communications.
How Do We Update the Policy and Verify Ongoing Privacy Compliance?

Implementation recommendation: establish a quarterly policy review cycle and automated change tracking, with clear versioning, cross-functional approvals, and timely user notifications.
We update the policy through a documented, auditable process that aligns with data handling in our products and services. Each update passes through defined stages, from triggers to publication, so we maintain accuracy and accountability.
Update workflow
- Triggers to update include regulatory changes, new data flows, feature launches, or vendor changes. We draft changes with a concise summary and map affected sections to processing activities.
- Version control and changelog: every update creates a new version with date, scope, and accessibility for users.
- Stakeholder approvals: privacy, legal, security, product, and engineering review and sign‑off.
- Impact assessment: reassess purposes, data categories, retention, and lawful bases; ensure alignment across our services and processing activities.
- Documentation: update DPIAs, data maps, vendor agreements, and retention schedules; attach supporting materials to the policy record.
- Publication and outreach: publish the revised policy on our site and notify users via release notes or in‑app notices.
- Accessibility and interoperability: ensure machine‑readable formats and clear links to related policies.
Ongoing verification
- Quarterly privacy checks compare actual processing against the policy; fix gaps promptly.
- Annual third‑party assessments where required by regulation or contracts; update controls accordingly.
- Regular staff training and verification of completed modules; track completion rates.
- Privacy KPIs: response times for data subject requests, consent management, incident containment, and breach notifications.
- Audit trails: maintain a centralized change log and version history for internal reviews and external audits.
- Continuous improvement: collect feedback from users and teams; implement refinements in the next cycle.