Privacy Policy

This Privacy Policy explains how POTAMITIS IOANNIS ANDREAS, trading as WEB ARTWORKS ("we", "us"), collects, uses, and protects personal data in connection with the Ypodoxi platform. We are established at Katastari, 291 00 Zakynthos, Greece (VAT No. EL136368852) and act as the data controller for all personal data processed through this service.

This policy applies to all visitors to ypodoxi.gr and to subscribers (property owners) who use the Ypodoxi platform. It is written in accordance with Regulation (EU) 2016/679 (GDPR) and Greek Law 4624/2019.

1. Data We Collect

From subscribers (property owners):

• Full name, email address, phone number
• Property name, address, and description
• Billing information (card details are handled directly by Stripe — we never see or store full card numbers)
• Account activity: login timestamps, features used, pages visited

From website visitors:

• IP address and browser/device information (server access logs)
• Cookie data — see our Cookie Policy

On behalf of property owners (data processor role):

When a guest makes a booking through a property website built on Ypodoxi, the guest's personal data (name, email, phone, travel dates) is collected on behalf of the property owner. In this context Ypodoxi acts as a data processor and the property owner is the data controller. Property owners are responsible for having a lawful basis to collect their guests' data and for informing guests accordingly.

2. How We Use Your Data

• Providing, operating, and improving the Ypodoxi platform
• Billing, subscription management, and issuing invoices
• Sending service-related communications (receipts, renewal reminders, maintenance notices, feature updates)
• Responding to support requests
• Security monitoring, fraud prevention, and abuse detection
• Complying with legal and regulatory obligations

We do not sell, rent, or share your personal data with third parties for marketing purposes.

3. Legal Basis for Processing (GDPR Article 6)

• Contractual necessity (Art. 6(1)(b)): processing required to deliver the subscription service you signed up for, including account management and billing.
• Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, service improvement, and sending service-related communications.
• Legal obligation (Art. 6(1)(c)): retention of financial records as required by Greek and EU tax law.

4. How Long We Keep Your Data

• Account data: retained for the duration of your subscription plus 5 years after termination (general legal record-keeping)
• Financial and invoicing records: 10 years from the date of the transaction (Greek tax law requirements)
• Server access logs: 90 days on a rolling basis
• Support correspondence: 3 years from the last interaction

After the applicable retention period, data is deleted or irreversibly anonymised.

5. Third Parties We Share Data With

We engage the following sub-processors and only share the minimum data necessary for each to perform its function:

• Stripe, Inc. — payment processing. Stripe processes billing data under its own privacy policy: stripe.com/privacy.
• Hetzner Online GmbH — server hosting in EU data centres (Germany and Finland). Privacy policy: hetzner.com/legal/privacy-policy.

We do not use third-party advertising networks or analytics services that track users across websites.

6. Your Rights Under GDPR

As a data subject within the EU/EEA you have the following rights:

• Right of access (Art. 15): request a copy of the personal data we hold about you
• Right to rectification (Art. 16): correct inaccurate or incomplete data
• Right to erasure (Art. 17): request deletion of your data where no overriding legal basis applies
• Right to restriction (Art. 18): ask us to pause processing in certain circumstances
• Right to data portability (Art. 20): receive your data in a structured, machine-readable format
• Right to object (Art. 21): object to processing based on legitimate interests
• Right to lodge a complaint: with the Hellenic Data Protection Authority (HDPA / ΑΠΔΠΧ) at dpa.gr

To exercise any of these rights, contact us at mail@webartworks.com. We will respond within 30 days. Identity verification may be required before we act on your request.

7. International Data Transfers

Stripe, Inc. is headquartered in the United States. Data transfers to Stripe are governed by EU Standard Contractual Clauses (SCCs) in accordance with GDPR Chapter V.

All property website data and subscriber account data is stored on servers located within the European Union (Hetzner, Germany).

8. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+), access controls, and regular security reviews. No system is completely secure. In the event of a personal data breach that is likely to result in risk to individuals, we will notify the HDPA within 72 hours and affected individuals without undue delay, as required by GDPR Art. 33–34.

9. Cookies

We use a limited number of cookies. For full details, please read our Cookie Policy.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email at least 14 days before they take effect. The "last updated" date at the top of this page always reflects the current version.

11. Contact and Supervisory Authority

For any questions about this policy or to exercise your data rights:

• Email: mail@webartworks.com
• Operator: POTAMITIS IOANNIS ANDREAS | WEB ARTWORKS
• Address: Katastari, 291 00 Zakynthos, Greece
• Phone: +30 26950 83086
• Website: webartworks.com

Supervisory authority: Hellenic Data Protection Authority (HDPA / ΑΠΔΠΧ), 1–3 Kifissias Avenue, 115 23 Athens, Greece — dpa.gr