Privacy & GDPR
Personal Data Protection & GDPR Compliance
Last updated: July 7, 2026
Part A: Privacy Policy
1. Introduction and Controller Identity
1.1 About This Policy
This Privacy Policy describes how Partnely collects, uses, stores, processes, and protects your personal data when you use our website partnely.com and related services.
1.2 Data Controller
The data controller for your personal data is PARTNELY DIGITAL L.P.:
- Legal Name: PARTNELY DIGITAL L.P.
- Trade Name: PARTNELY
- Tax ID (AFM): 803126280
- GEMI No: 190176909000
- Email: info@partnely.com
1.3 Legal Framework
This Policy complies with:
- The General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
- The Greek Law 4624/2019 on personal data protection
- The ePrivacy Directive 2002/58/EC (as amended)
- The Law 3471/2006 on data protection in electronic communications
- Guidelines from the Hellenic Data Protection Authority (HDPA)
2. Categories of Personal Data We Collect
2.1 Data You Provide Directly
Registration and Account Data
- Email address (required)
- Password (stored encrypted with bcrypt)
- User role (Client/Professional)
- Email verification status
Profile Data (for Professionals)
- Full name or business name
- Business type (agency/freelancer)
- Professional description
- Services offered
- Location and contact details
- Photos and portfolio
Payment Data
- We do not store full card details
- Stripe Customer ID and Subscription ID
- Subscription type and billing period
2.2 Automatically Collected Data
- Technical Data: IP address, browser type, operating system
- Usage Data: Pages visited, time spent, actions
- Cookies: Session cookies, analytics cookies (with consent)
3. Purposes and Legal Basis for Processing
Contract Performance (Article 6(1)(b) GDPR)
- Account creation and management
- Platform services provision
- Payment and subscription processing
- User messaging exchange
Legitimate Interest (Article 6(1)(f) GDPR)
- System security and fraud prevention
Consent (Article 6(1)(a) GDPR & Article 5(3) ePrivacy)
- Marketing emails (revocable anytime)
- Analytics cookies and usage statistics, including server-side processing (via cookie banner)
4. Recipients and Data Transfers
Other Platform Users
When you post a Quote Request, your contact details (name, phone number and email address) become visible only to the professionals who submit a quote on that specific request — never publicly and never to professionals who have not submitted a quote. Legal basis: performance of the matching service you requested (performance of a contract) and the legitimate interest in operating the services marketplace.
Third-Party Service Providers
- Stripe, Inc.: Payment processing (USA - EU-US DPF)
- Cloudinary Ltd.: Image hosting (EU/US - GDPR DPA, SCCs)
- Resend Inc.: Email sending (USA - SCCs). Our notification/transactional emails do not include open-tracking pixels or click tracking.
- Neon Tech, Inc.: Database hosting (EU Frankfurt)
- Google LLC: Analytics - Google Analytics (USA - EU-US DPF) (consent only)
- Microsoft Corporation: User behavior analytics - Microsoft Clarity (USA - EU-US DPF; Microsoft acts as an independent controller) (consent only)
- Meta Platforms Ireland Ltd. / Meta Platforms, Inc.: Marketing & advertising - Meta Pixel & Conversions API (EEA/USA - EU-US DPF) (consent only)
- Klaviyo, Inc.: Email/SMS marketing automation (USA - EU-US DPF, SCCs) (consent only)
- Functional Software, Inc. (Sentry): Error & performance monitoring (USA - EU-US DPF)
- Vercel Inc.: Frontend hosting / CDN (USA - EU-US DPF)
The list above is the complete list of data recipients. The list in the Cookie Policy §4 covers only providers related to cookies/tracking.
Transfers Outside the EU
For transfers to third countries (mainly USA), we ensure adequate protection level through Standard Contractual Clauses (SCCs) and supplementary measures (encryption, pseudonymization).
5. Data Retention Period
- User account: Immediate permanent deletion from active systems upon request. Any residual copies in backups are retained for up to 7 days (database provider's backup policy).
- Messages: 3 years from last message
- Invoices & tax records: 5 years (Greek Law 4308/2014; up to 10 years in special cases provided by law)
- Stripe Customer ID & subscription metadata: Duration of the subscription relationship + 30 days
- Security logs: 12 months
- Backups: 7 days
6. Your Rights (GDPR)
Under the GDPR you have the rights of access, rectification, erasure, restriction, portability and objection, as well as the right to withdraw your consent at any time. A detailed description of each right (Articles 15-22) and how to exercise them is provided in Part B, §4 below.
Right to Complain
You can submit a complaint to the Hellenic Data Protection Authority (HDPA):
- Address: Kifisias 1-3, 115 23 Athens
- Phone: +30 210 6475600
- Email: contact@dpa.gr
- Website: www.dpa.gr
7. Data Security
Technical Measures
- TLS 1.3 encryption (HTTPS)
- Password encryption with bcrypt
- JWT Tokens with short lifespan
- HttpOnly Cookies for refresh tokens
- Rate Limiting and CORS Protection
- Security Headers (Helmet.js)
Breach Management
In case of data breach, we notify HDPA within 72 hours (if there is risk) and subjects without undue delay (if there is high risk).
8. Cookies
For detailed information about cookies we use, see the Cookie Policy.
9. Minors
Our Services are not directed to persons under 18 years old. We do not knowingly collect data from minors. If we become aware we have collected minor's data, we will delete it immediately.
10. Policy Changes
We may periodically update this Policy. In case of substantial changes, we will notify you via email and publish a notice on the website.
11. Contact
For any questions about the Privacy Policy:
- General Questions: info@partnely.com
- Data Protection Contact: gdpr@partnely.com
- Rights Requests: gdpr@partnely.com
Part B: GDPR Compliance
1. Compliance Statement
Partnely is committed to full compliance with the General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679, as well as Greek personal data protection legislation (Law 4624/2019).
Our commitment:
- Lawfulness, objectivity, and transparency in processing
- Purpose limitation - processing only for specified purposes
- Data minimization - collection of only necessary data
- Data accuracy and updating
- Storage limitation
- Integrity and confidentiality
2. Partnely's Role
2.1 Data Controller
Partnely acts as Data Controller for:
- User account data (email, password, profile)
- Transaction data (subscriptions, payments)
- Communication data (messages between users)
- Analytics and cookies data
2.2 Data Processor
For certain functions, Partnely works with third-party providers. Providers acting as Data Processors are bound by Data Processing Agreements (DPA) under Article 28 GDPR, which apply through each provider's standard terms (e.g. Stripe, Google, Klaviyo, Meta). Some providers (e.g. Microsoft Clarity) act as independent controllers under their own terms. The complete list of providers, with their role and transfer mechanism, is set out in the "Data Recipients and Transfers" section (§4).
3. Legal Bases for Processing
We process data only when there is a valid legal basis:
| Legal Basis | GDPR Article | Use Examples |
|---|---|---|
| Consent | 6(1)(a) & Article 5(3) ePrivacy | Marketing emails, analytics cookies and usage statistics |
| Contract Performance | 6(1)(b) | Account creation, payments, messages |
| Legal Obligation | 6(1)(c) | Tax documents, compliance with authorities |
| Legitimate Interest | 6(1)(f) | System security, fraud prevention |
4. Your Rights - Detailed (Articles 15-22 GDPR)
Right of Access
Copy of all data we hold about you
Right to Rectification
Correction of inaccurate or incomplete data
Right to Erasure
"Right to be forgotten" - data deletion
Right to Restriction
Restriction of processing under conditions
Right to Portability
Download data in readable format (JSON/CSV)
Right to Object
Object to marketing or profiling
Consent Withdrawal
Anytime, without affecting past processing
Automated Decisions
Right to human intervention
Exercising Rights
- Email: gdpr@partnely.com
- Via platform: Settings → Privacy → My Rights
- Response time: Within 30 days (extendable to 60 days)
- Cost: Free (except excessive/unfounded requests)
5. Data Transfers to Third Countries
When we transfer data outside the European Economic Area (EEA), we ensure adequate protection level:
| Provider | Location | Protection Mechanism |
|---|---|---|
| Stripe | USA | EU-US Data Privacy Framework, SCCs |
| Google Analytics | USA | EU-US DPF (no Google Signals) |
| Microsoft (Clarity) | USA | EU-US DPF (Microsoft as independent controller) |
| Meta (Pixel/CAPI) | EEA/USA | EU-US DPF, SCCs |
| Klaviyo | USA | EU-US DPF, SCCs |
| Cloudinary | USA/EU | SCCs, EU region option |
| Resend | USA | Standard Contractual Clauses |
SCCs: Standard Contractual Clauses approved by the European Commission
EU-US DPF: EU-US Data Privacy Framework (Adequacy Decision July 2023)
We verified the active EU-US DPF certifications of the providers above on the official dataprivacyframework.gov registry (last checked: July 2026).
6. Technical and Organizational Measures (Article 32)
6.1 Technical Measures
- Encryption: TLS 1.3 for data in transit
- Password encryption: bcrypt with salt
- JWT Tokens: 15-minute access tokens, 7-day refresh tokens
- HttpOnly Cookies: For refresh tokens
- Security Headers: Helmet.js, CSP, HSTS
- Rate Limiting: Brute force protection
- Monitoring: Anomaly tracking
6.2 Organizational Measures
- Security policies and procedures
- Staff training
- Access restriction (need-to-know basis)
- Action logging (audit log)
- Periodic security audits
7. Data Breaches (Articles 33-34)
Response Procedure
- Detection: Immediate incident recognition
- Assessment: Risk and impact evaluation
- HDPA Notification: Within 72 hours (if risk exists)
- User Notification: Without delay (if high risk exists)
- Corrective measures: Damage limitation, restoration
- Documentation: Incident and action recording
Security Incident Contact
Email: info@partnely.com
Availability: Best-effort monitoring during business hours. Outside business hours, notifications are received and answered within 48 hours.
8. Data Protection Contact
We have designated a contact point for questions and requests regarding your personal data:
- Email: gdpr@partnely.com
- Responsibilities: Handling data protection questions and requests, liaison with the HDPA
- Response time: Within 30 days (Article 12(3) GDPR)
9. Right to Complain
If you believe your data processing violates GDPR, you have the right to submit a complaint:
Hellenic Data Protection Authority (HDPA)
- Kifisias Avenue 1-3, 115 23 Athens
- +30 210 6475600
- contact@dpa.gr
- Submit Complaint
10. Contact for GDPR
For data protection and GDPR matters:
- General Questions: info@partnely.com
- Data Protection Contact: gdpr@partnely.com
- Rights Requests: gdpr@partnely.com
- Security Incidents: info@partnely.com
Related Documents
If you have questions, please contact us.
