CYPRUS24H

Privacy Policy

Last updated: 22 May 2026  ·  Effective: 22 May 2026
Draft — pending lawyer review. This policy is a working draft. It reflects our actual data practices but will be updated following Cyprus legal review.

1. Who we are

[YOUR LEGAL NAME], sole trader in Cyprus
Address: [BUSINESS ADDRESS], Cyprus
Email: support@cyprus24h.com

We are the data controller for the personal data we collect about you as our customer — billing details, support correspondence, audit logs, and similar.

For data your business uploads INTO the Service about your own customers, employees, suppliers, etc., you are the data controller and we are the data processor. That relationship is governed by our Data Processing Agreement (DPA), which forms part of our Terms of Service.

2. What personal data we collect

Account data (you provide):

  • Email address
  • Display name / business name
  • Password (stored as a bcrypt hash — we never see your plain password)
  • Optional: TOTP secret if you enable two-factor authentication

Usage data (collected automatically):

  • IP address of login and significant actions, in audit logs
  • Browser/device user-agent string
  • Timestamps of logins, signups, and key actions
  • Error logs (may include URL paths but not request bodies)

Communications:

  • Support emails you send us
  • Optional: usage telemetry, only if we add it later with notice

What we do NOT collect:

  • We do not use third-party advertising trackers
  • We do not sell personal data to anyone
  • We do not use Google Analytics or similar invasive trackers
  • We do not process payment card data directly (handled by the payment processor when billing is introduced — see Section 8)

3. Why we collect it (legal bases under GDPR)

What | Why | Legal basis
Email, password hash | To create and secure your account | Contract (Art. 6(1)(b) GDPR)
Audit logs (login IPs, actions) | Security, fraud prevention, abuse investigation | Legitimate interest (Art. 6(1)(f))
Email address (transactional emails) | To send welcome, password reset, suspension notices | Contract
Support correspondence | To resolve your support requests | Contract
Billing details (when applicable) | To bill you and meet accounting obligations | Contract, Legal obligation

We do not use your data for advertising or profile-building.

4. How long we keep it

  • Account data: while your account exists, plus 30 days after termination for export, then deleted (subject to legal retention requirements below).
  • Audit logs: retained while needed for security and statutory compliance, typically up to 6 years (Cyprus accounting retention).
  • Mail logs: 90 days (auto-pruned).
  • Backups: tenant data backups taken during operation are retained on our infrastructure as described in the DPA. After your final deletion, backups expire on our normal rotation, no longer than 90 days, after which they're irretrievable.
  • Support correspondence: 2 years after last contact.
  • Billing records: 6 years (Cyprus tax requirement).

5. Where data is stored

All Customer Data and account data is stored on infrastructure located in Cyprus, specifically on a network-attached storage device at our premises in Cyprus.

Encrypted off-site backups are kept at Amazon Web Services (AWS) S3, EU region, under AWS's standard EU-region terms (data processing within the European Economic Area, EU Standard Contractual Clauses where applicable).

We do not transfer personal data outside the EEA except where the recipient is bound by appropriate safeguards (e.g. EU Standard Contractual Clauses) or under one of the GDPR's other lawful transfer mechanisms.

6. Who has access

  • You and the users you invite to your tenant
  • Us — specifically, [YOUR LEGAL NAME] as the sole operator (plus any named sub-processors listed in the DPA Annex)
  • Service providers strictly for hosting, email delivery, error monitoring (listed in the DPA Annex)
  • Authorities when legally required, after exhausting reasonable challenges

We do not sell, rent, or share your data with marketers or data brokers.

7. Your rights under GDPR

You can:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data (right to be forgotten), subject to retention obligations above
  • Restrict processing in certain circumstances
  • Port your data — receive an export in a structured format (the in-product backup feature does this)
  • Object to processing based on legitimate interest
  • Complain to the Office of the Commissioner for Personal Data Protection of Cyprus — though we'd appreciate a chance to fix things first

To exercise any right, email support@cyprus24h.com. We respond within 30 days.

8. Cookies and tracking

We use only essential cookies — your session cookie (to keep you logged in) and a CSRF protection token. We do not use:

  • Advertising cookies
  • Third-party analytics cookies
  • Tracking pixels in emails

Because we only use strictly necessary cookies, we do not display a cookie banner under the ePrivacy Directive's strict-necessity exception. If we add analytics later (e.g. self-hosted Plausible, Fathom), we will update this policy and seek consent where required.

9. Children

The Service is for businesses and individuals aged 18 or older. We do not knowingly collect data from anyone under 18.

10. Security

We implement reasonable technical and organisational measures including:

  • Passwords stored only as bcrypt hashes
  • TLS for all connections (HTTPS)
  • Optional two-factor authentication for operator and tenant admin accounts
  • Per-tenant data isolation (separate SQLite databases per tenant)
  • Audit logging of all significant actions
  • Automated backups before destructive operations
  • Network access restricted to authorised endpoints

No system is perfectly secure. If we discover a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you and the Cyprus Data Protection Commissioner within 72 hours of becoming aware, as required by Article 33 GDPR.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified to you by email at least 30 days before they take effect.

12. Contact

Data Controller contact: [YOUR LEGAL NAME], support@cyprus24h.com

Cyprus has no mandatory Data Protection Officer requirement for small-scale processors of non-special-category data, so we have not appointed a DPO. If our processing changes in scope or sensitivity, we will reassess.

For complaints, contact:

Office of the Commissioner for Personal Data Protection
1 Iasonos Street, 1082 Nicosia, Cyprus
Tel: +357 22 818 456
Email: commissioner@dataprotection.gov.cy
Website: https://www.dataprotection.gov.cy

Cyprus-specific bookkeeping software, built and operated by a Cyprus developer. Direct support, no overseas call centres.
© 2026 Cyprus24h Cloud Accounting. All rights reserved.