partnely

Privacy & GDPR

Personal Data Protection & GDPR Compliance

Last updated: July 7, 2026

Part A: Privacy Policy

1. Introduction and Controller Identity

1.1 About This Policy

This Privacy Policy describes how Partnely collects, uses, stores, processes, and protects your personal data when you use our website partnely.com and related services.

1.2 Data Controller

The data controller for your personal data is PARTNELY DIGITAL L.P.:

  • Legal Name: PARTNELY DIGITAL L.P.
  • Trade Name: PARTNELY
  • Tax ID (AFM): 803126280
  • GEMI No: 190176909000
  • Email: info@partnely.com

1.3 Legal Framework

This Policy complies with:

  • The General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
  • The Greek Law 4624/2019 on personal data protection
  • The ePrivacy Directive 2002/58/EC (as amended)
  • The Law 3471/2006 on data protection in electronic communications
  • Guidelines from the Hellenic Data Protection Authority (HDPA)

2. Categories of Personal Data We Collect

2.1 Data You Provide Directly

Registration and Account Data

  • Email address (required)
  • Password (stored encrypted with bcrypt)
  • User role (Client/Professional)
  • Email verification status

Profile Data (for Professionals)

  • Full name or business name
  • Business type (agency/freelancer)
  • Professional description
  • Services offered
  • Location and contact details
  • Photos and portfolio

Payment Data

  • We do not store full card details
  • Stripe Customer ID and Subscription ID
  • Subscription type and billing period

2.2 Automatically Collected Data

  • Technical Data: IP address, browser type, operating system
  • Usage Data: Pages visited, time spent, actions
  • Cookies: Session cookies, analytics cookies (with consent)

3. Purposes and Legal Basis for Processing

Contract Performance (Article 6(1)(b) GDPR)

  • Account creation and management
  • Platform services provision
  • Payment and subscription processing
  • User messaging exchange

Legitimate Interest (Article 6(1)(f) GDPR)

  • System security and fraud prevention

Consent (Article 6(1)(a) GDPR & Article 5(3) ePrivacy)

  • Marketing emails (revocable anytime)
  • Analytics cookies and usage statistics, including server-side processing (via cookie banner)

4. Recipients and Data Transfers

Other Platform Users

When you post a Quote Request, your contact details (name, phone number and email address) become visible only to the professionals who submit a quote on that specific request — never publicly and never to professionals who have not submitted a quote. Legal basis: performance of the matching service you requested (performance of a contract) and the legitimate interest in operating the services marketplace.

Third-Party Service Providers

  • Stripe, Inc.: Payment processing (USA - EU-US DPF)
  • Cloudinary Ltd.: Image hosting (EU/US - GDPR DPA, SCCs)
  • Resend Inc.: Email sending (USA - SCCs). Our notification/transactional emails do not include open-tracking pixels or click tracking.
  • Neon Tech, Inc.: Database hosting (EU Frankfurt)
  • Google LLC: Analytics - Google Analytics (USA - EU-US DPF) (consent only)
  • Microsoft Corporation: User behavior analytics - Microsoft Clarity (USA - EU-US DPF; Microsoft acts as an independent controller) (consent only)
  • Meta Platforms Ireland Ltd. / Meta Platforms, Inc.: Marketing & advertising - Meta Pixel & Conversions API (EEA/USA - EU-US DPF) (consent only)
  • Klaviyo, Inc.: Email/SMS marketing automation (USA - EU-US DPF, SCCs) (consent only)
  • Functional Software, Inc. (Sentry): Error & performance monitoring (USA - EU-US DPF)
  • Vercel Inc.: Frontend hosting / CDN (USA - EU-US DPF)

The list above is the complete list of data recipients. The list in the Cookie Policy §4 covers only providers related to cookies/tracking.

Transfers Outside the EU

For transfers to third countries (mainly USA), we ensure adequate protection level through Standard Contractual Clauses (SCCs) and supplementary measures (encryption, pseudonymization).

5. Data Retention Period

  • User account: Immediate permanent deletion from active systems upon request. Any residual copies in backups are retained for up to 7 days (database provider's backup policy).
  • Messages: 3 years from last message
  • Invoices & tax records: 5 years (Greek Law 4308/2014; up to 10 years in special cases provided by law)
  • Stripe Customer ID & subscription metadata: Duration of the subscription relationship + 30 days
  • Security logs: 12 months
  • Backups: 7 days

6. Your Rights (GDPR)

Under the GDPR you have the rights of access, rectification, erasure, restriction, portability and objection, as well as the right to withdraw your consent at any time. A detailed description of each right (Articles 15-22) and how to exercise them is provided in Part B, §4 below.

Right to Complain

You can submit a complaint to the Hellenic Data Protection Authority (HDPA):

  • Address: Kifisias 1-3, 115 23 Athens
  • Phone: +30 210 6475600
  • Email: contact@dpa.gr
  • Website: www.dpa.gr

7. Data Security

Technical Measures

  • TLS 1.3 encryption (HTTPS)
  • Password encryption with bcrypt
  • JWT Tokens with short lifespan
  • HttpOnly Cookies for refresh tokens
  • Rate Limiting and CORS Protection
  • Security Headers (Helmet.js)

Breach Management

In case of data breach, we notify HDPA within 72 hours (if there is risk) and subjects without undue delay (if there is high risk).

8. Cookies

For detailed information about cookies we use, see the Cookie Policy.

9. Minors

Our Services are not directed to persons under 18 years old. We do not knowingly collect data from minors. If we become aware we have collected minor's data, we will delete it immediately.

10. Policy Changes

We may periodically update this Policy. In case of substantial changes, we will notify you via email and publish a notice on the website.

11. Contact

For any questions about the Privacy Policy:

  • General Questions: info@partnely.com
  • Data Protection Contact: gdpr@partnely.com
  • Rights Requests: gdpr@partnely.com

Part B: GDPR Compliance

1. Compliance Statement

Partnely is committed to full compliance with the General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679, as well as Greek personal data protection legislation (Law 4624/2019).

Our commitment:

  • Lawfulness, objectivity, and transparency in processing
  • Purpose limitation - processing only for specified purposes
  • Data minimization - collection of only necessary data
  • Data accuracy and updating
  • Storage limitation
  • Integrity and confidentiality

2. Partnely's Role

2.1 Data Controller

Partnely acts as Data Controller for:

  • User account data (email, password, profile)
  • Transaction data (subscriptions, payments)
  • Communication data (messages between users)
  • Analytics and cookies data

2.2 Data Processor

For certain functions, Partnely works with third-party providers. Providers acting as Data Processors are bound by Data Processing Agreements (DPA) under Article 28 GDPR, which apply through each provider's standard terms (e.g. Stripe, Google, Klaviyo, Meta). Some providers (e.g. Microsoft Clarity) act as independent controllers under their own terms. The complete list of providers, with their role and transfer mechanism, is set out in the "Data Recipients and Transfers" section (§4).

3. Legal Bases for Processing

We process data only when there is a valid legal basis:

Legal BasisGDPR ArticleUse Examples
Consent6(1)(a) & Article 5(3) ePrivacyMarketing emails, analytics cookies and usage statistics
Contract Performance6(1)(b)Account creation, payments, messages
Legal Obligation6(1)(c)Tax documents, compliance with authorities
Legitimate Interest6(1)(f)System security, fraud prevention

4. Your Rights - Detailed (Articles 15-22 GDPR)

Right of Access

Copy of all data we hold about you

Right to Rectification

Correction of inaccurate or incomplete data

Right to Erasure

"Right to be forgotten" - data deletion

Right to Restriction

Restriction of processing under conditions

Right to Portability

Download data in readable format (JSON/CSV)

Right to Object

Object to marketing or profiling

Consent Withdrawal

Anytime, without affecting past processing

Automated Decisions

Right to human intervention

Exercising Rights

  • Email: gdpr@partnely.com
  • Via platform: Settings → Privacy → My Rights
  • Response time: Within 30 days (extendable to 60 days)
  • Cost: Free (except excessive/unfounded requests)

5. Data Transfers to Third Countries

When we transfer data outside the European Economic Area (EEA), we ensure adequate protection level:

ProviderLocationProtection Mechanism
StripeUSAEU-US Data Privacy Framework, SCCs
Google AnalyticsUSAEU-US DPF (no Google Signals)
Microsoft (Clarity)USAEU-US DPF (Microsoft as independent controller)
Meta (Pixel/CAPI)EEA/USAEU-US DPF, SCCs
KlaviyoUSAEU-US DPF, SCCs
CloudinaryUSA/EUSCCs, EU region option
ResendUSAStandard Contractual Clauses

SCCs: Standard Contractual Clauses approved by the European Commission
EU-US DPF: EU-US Data Privacy Framework (Adequacy Decision July 2023)

We verified the active EU-US DPF certifications of the providers above on the official dataprivacyframework.gov registry (last checked: July 2026).

6. Technical and Organizational Measures (Article 32)

6.1 Technical Measures

  • Encryption: TLS 1.3 for data in transit
  • Password encryption: bcrypt with salt
  • JWT Tokens: 15-minute access tokens, 7-day refresh tokens
  • HttpOnly Cookies: For refresh tokens
  • Security Headers: Helmet.js, CSP, HSTS
  • Rate Limiting: Brute force protection
  • Monitoring: Anomaly tracking

6.2 Organizational Measures

  • Security policies and procedures
  • Staff training
  • Access restriction (need-to-know basis)
  • Action logging (audit log)
  • Periodic security audits

7. Data Breaches (Articles 33-34)

Response Procedure

  1. Detection: Immediate incident recognition
  2. Assessment: Risk and impact evaluation
  3. HDPA Notification: Within 72 hours (if risk exists)
  4. User Notification: Without delay (if high risk exists)
  5. Corrective measures: Damage limitation, restoration
  6. Documentation: Incident and action recording

Security Incident Contact

Email: info@partnely.com
Availability: Best-effort monitoring during business hours. Outside business hours, notifications are received and answered within 48 hours.

8. Data Protection Contact

We have designated a contact point for questions and requests regarding your personal data:

  • Email: gdpr@partnely.com
  • Responsibilities: Handling data protection questions and requests, liaison with the HDPA
  • Response time: Within 30 days (Article 12(3) GDPR)

9. Right to Complain

If you believe your data processing violates GDPR, you have the right to submit a complaint:

Hellenic Data Protection Authority (HDPA)

10. Contact for GDPR

For data protection and GDPR matters:

  • General Questions: info@partnely.com
  • Data Protection Contact: gdpr@partnely.com
  • Rights Requests: gdpr@partnely.com
  • Security Incidents: info@partnely.com

If you have questions, please contact us.