Privacy & GDPR

Personal Data Protection & GDPR Compliance

Last updated: December 2024

Part A: Privacy Policy

1. Introduction and Controller Identity

1.1 About This Policy

This Privacy Policy describes how Partnely collects, uses, stores, processes, and protects your personal data when you use our website partnely.com and related services.

1.2 Data Controller

The data controller for your personal data is PARTNELY DIGITAL L.P.:

  • Legal Name: PARTNELY DIGITAL L.P.
  • Trade Name: PARTNELY
  • Tax ID (AFM): 803126280
  • GEMI No: 190176909000
  • Email: info@partnely.com

1.3 Legal Framework

This Policy complies with:

  • The General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
  • The Greek Law 4624/2019 on personal data protection
  • The ePrivacy Directive 2002/58/EC (as amended)
  • The Law 3471/2006 on data protection in electronic communications
  • Guidelines from the Hellenic Data Protection Authority (HDPA)

2. Categories of Personal Data We Collect

2.1 Data You Provide Directly

Registration and Account Data

  • Email address (required)
  • Password (stored as a bcrypt hash)
  • User role (Client/Professional)
  • Email verification status

Profile Data (for Professionals)

  • Full name or business name
  • Business type (agency/freelancer)
  • Professional description
  • Services offered
  • Location and contact details
  • Photos and portfolio

Payment Data

  • We do not store full card details
  • Stripe Customer ID and Subscription ID
  • Subscription type and billing period

2.2 Automatically Collected Data

  • Technical Data: IP address, browser type, operating system
  • Usage Data: Pages visited, time spent, actions
  • Cookies: Session cookies, analytics cookies (with consent)

3. Purposes and Legal Basis for Processing

Contract Performance (Article 6(1)(b) GDPR)

  • Account creation and management
  • Platform services provision
  • Payment and subscription processing
  • Exchange of messages between users

Legitimate Interest (Article 6(1)(f) GDPR)

  • Service and user experience improvement
  • System security and fraud prevention
  • Usage analytics and statistics

Consent (Article 6(1)(a) GDPR)

  • Marketing emails (revocable anytime)
  • Analytics cookies (via cookie banner)

4. Recipients and Data Transfers

Third-Party Service Providers

  • Stripe, Inc.: Payment processing (USA - SCCs)
  • Cloudinary Ltd.: Image hosting (EU/US - GDPR DPA)
  • Resend Inc.: Email sending (USA - SCCs)
  • Neon Tech, Inc.: Database hosting (EU Frankfurt)
  • Google LLC: Analytics (USA - SCCs)

Transfers Outside the EU

For transfers to third countries (mainly the USA), we ensure an adequate level of protection through Standard Contractual Clauses (SCCs) and supplementary measures (encryption, pseudonymization).

5. Data Retention Period

  • User account: Until deletion + 30 days
  • Messages: 3 years from last message
  • Payment data: 10 years (tax legislation)
  • Security logs: 12 months
  • Backups: 30 days

6. Your Rights (GDPR)

According to GDPR, you have the following rights:

  • Right of Access (Article 15): Copy of your data
  • Right to Rectification (Article 16): Correction of inaccurate data
  • Right to Erasure (Article 17): "Right to be Forgotten"
  • Right to Restriction (Article 18): Restriction of processing
  • Right to Portability (Article 20): Download data in JSON/CSV
  • Right to Object (Article 21): Object to processing
  • Consent Withdrawal (Article 7(3)): Anytime

How to Exercise Your Rights

Via Platform: Settings → Account
Via Email: info@partnely.com
Response time: 30 days

Right to Complain

You can submit a complaint to the Hellenic Data Protection Authority (HDPA):

  • Address: Kifisias 1-3, 115 23 Athens
  • Phone: +30 210 6475600
  • Email: contact@dpa.gr
  • Website: www.dpa.gr

7. Data Security

Technical Measures

  • TLS 1.3 encryption (HTTPS)
  • Password hashing with bcrypt
  • JWT Tokens with short lifespan
  • HttpOnly Cookies for refresh tokens
  • Rate Limiting and CORS Protection
  • Security Headers (Helmet.js)

Breach Management

In the event of a data breach, we notify the HDPA within 72 hours (if there is a risk) and the affected data subjects without undue delay (if there is a high risk).

8. Cookies

For detailed information about cookies we use, see the Cookie Policy.

9. Minors

Our Services are not directed to persons under 18 years old. We do not knowingly collect data from minors. If we become aware that we have collected a minor's data, we will delete it immediately.

10. Policy Changes

We may periodically update this Policy. In case of substantial changes, we will notify you via email and publish a notice on the website.

11. Contact

For any questions about the Privacy Policy:

  • General Questions: info@partnely.com
  • Data Protection Officer (DPO): info@partnely.com
  • Rights Requests: info@partnely.com

Part B: GDPR Compliance

1. Compliance Statement

Partnely is committed to full compliance with the General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679, as well as Greek personal data protection legislation (Law 4624/2019).

Our commitment:

  • Lawfulness, objectivity, and transparency in processing
  • Purpose limitation - processing only for specified purposes
  • Data minimization - collection of only necessary data
  • Data accuracy and updating
  • Storage limitation
  • Integrity and confidentiality

2. Partnely's Role

2.1 Data Controller

Partnely acts as Data Controller for:

  • User account data (email, password, profile)
  • Transaction data (subscriptions, payments)
  • Communication data (messages between users)
  • Analytics and cookies data

2.2 Data Processor

For certain functions, Partnely works with third-party providers acting as Data Processors. All are bound by Data Processing Agreements (DPA).

3. Legal Bases for Processing

We process data only when there is a valid legal basis:

Legal Basis | GDPR Article | Use Examples
Consent | 6(1)(a) | Marketing emails, analytics cookies
Contract Performance | 6(1)(b) | Account creation, payments, messages
Legal Obligation | 6(1)(c) | Tax documents, compliance with authorities
Legitimate Interest | 6(1)(f) | Security, fraud prevention, service improvement

4. Your Rights - Detailed (Articles 15-22 GDPR)

📋 Right of Access

Copy of all data we hold about you

✏️ Right to Rectification

Correction of inaccurate or incomplete data

🗑️ Right to Erasure

"Right to be forgotten" - data deletion

⏸️ Right to Restriction

Restriction of processing under certain conditions

📦 Right to Portability

Download data in readable format (JSON/CSV)

✋ Right to Object

Object to marketing or profiling

🔄 Consent Withdrawal

Anytime, without affecting past processing

🤖 Automated Decisions

Right to human intervention

Exercising Rights

  • Email: info@partnely.com
  • Via platform: Settings → Privacy → My Rights
  • Response time: Within 30 days (extendable to 60 days)
  • Cost: Free (except excessive/unfounded requests)

5. Data Transfers to Third Countries

When we transfer data outside the European Economic Area (EEA), we ensure an adequate level of protection:

Provider | Location | Protection Mechanism
Stripe | USA | EU-US Data Privacy Framework, SCCs
Google Analytics | USA | EU-US DPF + IP Anonymization
Cloudinary | USA/EU | SCCs, EU region option
Resend | USA | Standard Contractual Clauses

SCCs: Standard Contractual Clauses approved by the European Commission
EU-US DPF: EU-US Data Privacy Framework (Adequacy Decision July 2023)

6. Technical and Organizational Measures (Article 32)

6.1 Technical Measures

  • 🔐 Encryption: TLS 1.3 for data in transit
  • 🔑 Password hashing: bcrypt with salt
  • 🎫 JWT Tokens: 15-minute access tokens, 7-day refresh tokens
  • 🍪 HttpOnly Cookies: For refresh tokens
  • 🛡️ Security Headers: Helmet.js, CSP, HSTS
  • 🚫 Rate Limiting: Brute force protection
  • 📊 Monitoring: Anomaly tracking

6.2 Organizational Measures

  • 📋 Security policies and procedures
  • 👥 Staff training
  • 🔒 Access restriction (need-to-know basis)
  • 📝 Action logging (audit log)
  • 🔍 Periodic security audits

7. Data Breaches (Articles 33-34)

Response Procedure

  1. Detection: Immediate incident recognition
  2. Assessment: Risk and impact evaluation
  3. HDPA Notification: Within 72 hours (if risk exists)
  4. User Notification: Without delay (if high risk exists)
  5. Corrective measures: Damage limitation, restoration
  6. Documentation: Incident and action recording

Security Incident Contact

Email: info@partnely.com
Availability: 24/7 monitoring

8. Data Protection Officer (DPO)

We have appointed a Data Protection Officer according to Article 37 of GDPR:

  • Email: info@partnely.com
  • Responsibilities: Compliance oversight, training, liaison with HDPA

9. Right to Complain

If you believe the processing of your data violates the GDPR, you have the right to submit a complaint:

Hellenic Data Protection Authority (HDPA)

  • 📍 Kifisias Avenue 1-3, 115 23 Athens
  • 📞 +30 210 6475600
  • 📧 contact@dpa.gr
  • 🌐 Submit Complaint

10. Contact for GDPR

For data protection and GDPR matters:

  • General Questions: info@partnely.com
  • Data Protection Officer: info@partnely.com
  • Rights Requests: info@partnely.com
  • Security Incidents: info@partnely.com

If you have questions, please contact us.