01 Who We Are 02 Information We Collect 03 How We Use Your Data 04 Legal Basis for Processing 05 Sharing Your Information 06 International Transfers 07 Data Retention 08 Your Rights (GDPR) 09 Cookies & Tracking 10 Security Measures 11 Children's Privacy 12 Third-Party Links 13 Policy Changes 14 Contact & Complaints

Legal Document

Privacy Policy

Effective date: 05/05/2026

Last updated: 05/05/2026

Version: 1.0

Jurisdiction: Greece · EU (GDPR)

This Privacy Policy explains how SoftwareDevTeam ("we", "us", "our") collects, uses, stores, and shares personal data when you visit our website (softwaredevteam.gr), contact us about our services, or engage us on a project. It is written in compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and applicable Greek data protection law.

Plain-language commitment: We collect the minimum data necessary to provide our services and communicate with you. We do not sell personal data. We do not use it for advertising profiling. Where we use third-party tools, we hold them to the same standard.

Who We Are — Data Controller

The data controller responsible for your personal data is:

Data Controller Identity

SoftwareDevTeam
Nexlyr OÜ
Harju maakond, Tallinn,
Kesklinna linnaosa, Jõe tn 3-305,
Tallinn, Estonia, EU
VAT / Registration No.: 17424891
Email: privacy@softwaredevteam.gr
General enquiries: privacy@softwaredevteam.gr

As a data controller, we determine the purposes and means of processing your personal data. If we process data on your behalf as part of a software development engagement, we act as a data processor under a separate Data Processing Agreement (DPA) — this Policy covers our own website and business operations only, not those project-specific arrangements.

We have assessed that our processing activities do not require the mandatory appointment of a Data Protection Officer (DPO) under GDPR Article 37. However, all data protection enquiries should be directed to the contact details above and will be treated with the same care as if a DPO were appointed.

Information We Collect

2.1 Information you provide directly

When you use our contact forms, send us an email, or communicate with us through any channel, we may collect:

Identity data: Full name, job title, company or organisation name
Contact data: Email address, telephone number, postal address
Project data: Service requirements, budget range, project timeline, any technical information you choose to share in a project brief
Communication data: The content of emails, messages, and meeting notes exchanged during a business enquiry or engagement
Contractual data: Information contained in signed agreements, invoices, and purchase orders — including payment terms (we do not process or store payment card numbers directly)

2.2 Information collected automatically when you visit our website

When you browse our website, our servers and any analytics tools we use may automatically collect:

Technical data: IP address (truncated to the last octet where possible), browser type and version, operating system, device type, screen resolution
Usage data: Pages visited, time spent on pages, referring URL, links clicked, scroll depth
Session data: Date and time of visit, session duration

We collect this data using cookies and similar technologies. See Section 9 for full details of our cookie use.

2.3 Information we do not collect

We do not intentionally collect or process special category data (GDPR Article 9) — including health, racial or ethnic origin, political opinions, religious beliefs, biometric data, or data concerning sexual orientation. Please do not send us such information. We also do not collect financial account numbers, credit card data, government-issued identification numbers, or passwords.

How We Use Your Information

We use your personal data only for the following purposes:

Responding to enquiries: To reply to questions, provide quotes, and assess whether we can help with your project
Delivering services: To set up and manage an engagement, communicate during a project, deliver software, and provide post-launch support
Contractual administration: To issue invoices, process payments, and maintain records required for accounting and tax compliance under Greek and EU law
Website improvement: To understand how visitors interact with our website and identify areas for improvement using aggregated, anonymised analytics
Security: To monitor for suspicious activity, prevent fraud, and protect the security of our systems and communications
Legal compliance: To meet our obligations under applicable law, respond to lawful requests from authorities, and enforce our contractual rights
Follow-up communications: To send information about our services that may be relevant to you, where you have consented or where we have a legitimate interest (with an easy opt-out at any time)

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.

Legal Basis for Processing (GDPR Art. 6)

Every processing activity we carry out rests on one of the following lawful bases under Article 6 GDPR:

Processing Activity	Legal Basis	GDPR Article
Responding to contact form submissions and enquiries	Legitimate Interests — responding to business enquiries is a legitimate interest that does not override your privacy rights	Art. 6(1)(f)
Entering into and performing a service contract	Contract Performance — necessary to deliver agreed services	Art. 6(1)(b)
Invoicing, accounting, and financial records	Legal Obligation — required under Greek tax and accounting law (Law 4308/2014 and related legislation)	Art. 6(1)(c)
Analytics cookies and website usage tracking	Consent — collected only where you accept cookies via our consent banner	Art. 6(1)(a)
Essential cookies (site functionality)	Legitimate Interests — necessary for the website to function; consent exemption applies under ePrivacy Directive Art. 5(3)	Art. 6(1)(f)
Security monitoring, fraud prevention	Legitimate Interests — protecting our systems and clients is a compelling legitimate interest	Art. 6(1)(f)
Compliance with lawful authority requests	Legal Obligation	Art. 6(1)(c)
Direct marketing follow-up (existing contacts)	Legitimate Interests (soft opt-in, B2B context) or Consent where required — with opt-out in every communication	Art. 6(1)(f) / (a)

Where we rely on legitimate interests, we have carried out a balancing test and concluded that those interests are not overridden by your fundamental rights and freedoms. You may request a copy of any such balancing assessment.

Sharing Your Information

We do not sell, rent, or trade your personal data. We share it only in the following limited circumstances:

5.1 Service providers (data processors)

We engage certain trusted third-party service providers who process data on our behalf and under our written instructions. These include:

Provider / Category	Purpose	Location
Cloud hosting provider (e.g. AWS, Azure)	Website hosting and infrastructure	EU / EEA regions preferred; SCCs where applicable
Email service provider	Sending and receiving business email	EU / EEA or SCC-covered
Analytics provider (e.g. Google Analytics 4, Plausible)	Website usage analytics — only with your consent	EU / EEA or SCC-covered
Accounting software	Invoice management, financial records	EU / EEA
Legal & professional advisers	Legal advice, compliance, dispute resolution	Greece / EU

All processors are bound by data processing agreements compliant with GDPR Article 28 and may not use your data for any other purpose.

5.2 Legal requirements

We may disclose personal data when required to do so by law or in response to a valid request from a public authority (such as a court, regulator, or law enforcement body). We will, where lawfully permitted, notify you before complying with such a request.

5.3 Business transfers

If SoftwareDevTeam undergoes a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity as part of that transaction. We will notify affected individuals before any such transfer and ensure the receiving entity is bound by privacy obligations no less protective than this Policy.

International Data Transfers

We are based in Greece and operate within the European Economic Area (EEA). Where we use service providers located outside the EEA (for example, cloud infrastructure with US-based providers), we ensure that any transfer of personal data to a third country is lawfully protected by one or more of the following safeguards, in accordance with GDPR Chapter V:

Adequacy decisions: The European Commission has determined that certain countries offer an adequate level of protection (e.g. the EU–US Data Privacy Framework, where applicable)
Standard Contractual Clauses (SCCs): We incorporate the European Commission's approved SCCs (2021/914/EU) into contracts with third-country processors
Binding Corporate Rules (BCRs): Where a provider operates approved BCRs, we may rely on those instead
Supplementary technical measures: Where required by our transfer impact assessment (TIA), we implement additional safeguards such as end-to-end encryption and pseudonymisation

Your right to information

You may request a copy of the specific safeguards we rely on for any particular international transfer by contacting us at privacy@softwaredevteam.gr.

Data Retention

We keep personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law. Our standard retention periods are:

Data Category	Retention Period	Basis
Website enquiries (no contract signed)	2 years from last contact	Legitimate interests; general limitation period
Client contact data (active relationship)	Duration of engagement + 5 years	Contract performance; statutory limitation period (Art. 937 Greek Civil Code)
Contracts, invoices, financial records	10 years from the end of the relevant tax year	Legal obligation under Greek tax law (Law 4308/2014)
Project files and deliverables	As agreed in contract; default 3 years unless IP transferred	Contract performance; legitimate interests
Email correspondence	3 years from last meaningful interaction	Legitimate interests
Analytics data (with consent)	26 months (GA4 default) or as configured	Consent
Essential cookie data	Session or up to 12 months as set by the cookie	Legitimate interests / ePrivacy exemption
Security / server logs	90 days	Legitimate interests (security monitoring)

When retention periods expire, data is securely deleted or irreversibly anonymised. Where data is required for ongoing legal claims, we may retain it for the duration of those proceedings.

Your Rights Under the GDPR

As a data subject under GDPR, you have the following rights. You can exercise any of them by contacting us at privacy@softwaredevteam.gr. We will respond within one calendar month (extendable by two further months for complex requests, with notice to you).

GDPR ART. 15

👁 Right of Access

Receive a copy of all personal data we hold about you, along with information about how and why we process it.

GDPR ART. 16

✏️ Right to Rectification

Have inaccurate or incomplete personal data corrected without undue delay.

GDPR ART. 17

🗑 Right to Erasure

Request deletion of your personal data where there is no compelling reason for continued processing. Note: legal retention obligations may prevent full erasure.

GDPR ART. 18

⏸ Right to Restriction

Ask us to restrict processing of your data — for example, while accuracy is contested or an objection is being assessed.

GDPR ART. 20

📦 Right to Portability

Receive your personal data in a structured, commonly used, machine-readable format (where processing is based on consent or contract and is carried out by automated means).

GDPR ART. 21

🛑 Right to Object

Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

GDPR ART. 7(3)

↩ Right to Withdraw Consent

Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing. Cookie consent can be withdrawn via our cookie settings.

GDPR ART. 22

🤖 Right Against Automated Decisions

Not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. We do not conduct such processing.

Verification

To protect your privacy, we may ask you to verify your identity before responding to a subject access or erasure request. This is to ensure we do not disclose or delete your data based on a request made by someone else. We will not charge a fee for exercising your rights unless requests are manifestly unfounded, repetitive, or excessive.

Cookies & Similar Technologies

Our website uses cookies — small text files stored on your device — to ensure the site functions correctly and, with your consent, to understand how it is used. We comply with the EU ePrivacy Directive (2002/58/EC as amended) and the Greek implementing legislation.

9.1 Cookie categories

Category	Purpose	Consent Required?	Typical Lifespan
Essential / Strictly Necessary	Required for the website to function (session management, security tokens, load balancing). Cannot be disabled without breaking site functionality.	No — exempt under ePrivacy Directive Art. 5(3)	Session or up to 1 year
Analytics / Performance	Aggregate data on page views, traffic sources, and user journeys to improve our website. Data is anonymised where possible.	Yes — only set after you accept via our consent banner	Up to 26 months
Preference	Remember choices you have made (e.g. cookie consent preference, language) so you are not asked repeatedly.	No for consent preference storage (technical necessity); Yes for others	12 months
Marketing / Targeting	We do not currently set marketing or advertising cookies on this website.	N/A	N/A

9.2 Managing your cookie preferences

When you first visit our website, a consent banner will ask for your permission to set non-essential cookies. You can change your preference at any time by:

Clicking "Cookie Settings" in the footer of any page on this site
Clearing cookies in your browser settings (note: this will reset your preference and you will be asked again)
Using your browser's built-in cookie controls or a browser extension to block specific cookies

Withdrawing consent for analytics cookies does not affect your ability to use the website. Essential cookies cannot be opted out of without impairing functionality.

9.3 Third-party cookies

If we use a third-party analytics service (such as Google Analytics 4), that provider may set its own cookies subject to its own privacy policy. We have configured such tools with IP anonymisation enabled and have signed Data Processing Agreements with each provider. You may also opt out directly via browser tools such as the Google Analytics Opt-out Browser Add-on.

Security Measures

We implement appropriate technical and organisational measures (TOMs) to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (GDPR Article 32). These include:

Encryption in transit: All connections to our website are encrypted using TLS 1.2 or higher (HTTPS). Sensitive data in transit between systems is encrypted end-to-end where feasible.
Encryption at rest: Personal data stored on our servers and cloud infrastructure is encrypted at rest using AES-256 or equivalent.
Access controls: Personal data is accessible only to team members who require it to perform their role. Access is controlled by role-based permissions, strong authentication (MFA where applicable), and regular access reviews.
Pseudonymisation: Where appropriate, we pseudonymise personal data to reduce the risk to data subjects in the event of a security incident.
Vendor security: Third-party service providers are assessed for security posture before engagement and are required to maintain equivalent standards under contract.
Incident response: We maintain a documented data breach response procedure. In the event of a breach likely to result in risk to your rights and freedoms, we will notify the Hellenic Data Protection Authority (HDPA) within 72 hours and affected individuals without undue delay, as required by GDPR Articles 33–34.
Regular review: Our security measures are reviewed periodically and updated to account for evolving threats and best practices.

Security Disclosure

No method of electronic transmission or storage is 100% secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security. If you have reason to believe your interaction with us is no longer secure, please notify us immediately at privacy@softwaredevteam.gr.

Children's Privacy

Our website and services are directed exclusively at business professionals and organisations. We do not knowingly collect personal data from anyone under the age of 16 years (or such higher age as may apply in a given EU Member State under GDPR Article 8).

If we become aware that personal data has been submitted to us by or on behalf of a person under the applicable age threshold, we will delete that data promptly. If you believe a minor has provided us with personal information, please contact us at privacy@softwaredevteam.gr.

Links to Third-Party Websites

Our website may contain hyperlinks to external websites, including our social media profiles (LinkedIn, GitHub), client websites, and partner resources. These sites are operated by third parties and are governed by their own privacy policies, for which we take no responsibility.

Clicking a link to a third-party site takes you outside our environment. We encourage you to read the privacy notice of every website you visit. The presence of a link on our site does not constitute endorsement of the third party's privacy practices.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time — for example, to reflect changes in our processing activities, applicable law, or regulatory guidance. When we do, we will:

Update the "Last updated" date at the top of this page
Increment the version number and maintain a brief changelog
For material changes that significantly affect how we process your data, provide prominent notice on our website and, where we hold your email address, notify you directly

Your continued use of our website or services after a material change constitutes acceptance of the revised Policy, unless we are legally required to obtain your explicit consent again. We recommend checking this page periodically.

Previous versions of this Policy are available on request.

Contact Us & How to Lodge a Complaint

For any questions about this Privacy Policy, to exercise your rights, or to raise a concern about our data processing, please contact us:

Data Privacy Contact

SoftwareDevTeam

Attn: Data Privacy

Kesklinna linnaosa, Jõe tn 3-305

Tallinn, Estonia, EU

Email: privacy@softwaredevteam.gr

We aim to respond to all privacy requests within 5 working days and to complete them within one calendar month.

Supervisory Authority

If you are not satisfied with our response, you have the right to lodge a complaint with the competent supervisory authority:

Hellenic Data Protection Authority (HDPA)

Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα

Kifisias 1–3, 115 23 Athens, Greece

Tel: +30 210 647 5600

Web: www.dpa.gr

Email: contact@dpa.gr

If you are located in another EU Member State, you may also complain to the supervisory authority in your country of habitual residence.

Commitment

We take all privacy complaints seriously and will work constructively to resolve any concern you raise. We would always encourage you to contact us directly in the first instance before escalating to a supervisory authority — in most cases we can resolve issues quickly and without the need for formal regulatory intervention.