Privacy Policy
This Privacy Policy explains how CARPEBO Single Member P.C. (trading as "Devebo") collects, uses, and protects personal data when you visit devebo.com or contact us. We process personal data in accordance with Regulation (EU) 2016/679 (the "GDPR"), Greek Law 4624/2019, and applicable ePrivacy rules.
1. Data controller
CARPEBO Single Member P.C. (trading as Devebo)
Registered office: 2nd km Xanthis – Lagous, 67100 Xanthi, Greece
Email: hello@devebo.com
We have not appointed a Data Protection Officer as we are not required to do so under Article 37 GDPR. For any privacy enquiry, write to the address or email above.
2. What personal data we collect
We collect only what we need for the purposes described in section 3.
2.1 Data you provide
- Contact data — when you email us at hello@devebo.com or otherwise reach out: your name, email address, and the content of your message.
- Project data — if you engage us for services, information you choose to share about your project, organisation, or systems.
2.2 Data collected automatically
- Technical & usage data — IP address, user-agent, device, approximate location (derived from IP), referrer, pages visited, and timestamps. This is collected via our hosting provider (Vercel) for security and reliability.
- Cookies & similar technologies — see our Cookies Policy for details. We do not set non-essential cookies without your prior consent.
- Analytics — only if you have given consent (see section 3).
3. Purposes & legal bases
| Purpose | Data | Legal basis (GDPR) |
|---|---|---|
| Responding to your enquiries | Contact data, project data | Art. 6(1)(b) — pre-contract steps at your request; or Art. 6(1)(f) — legitimate interest in handling enquiries |
| Performing services under a signed agreement | Contact data, project data | Art. 6(1)(b) — performance of a contract |
| Operating & securing the Site | Technical & usage data, strictly necessary cookies | Art. 6(1)(f) — legitimate interest in keeping the Site working and protected |
| Measuring use of the Site (analytics) | Aggregated usage data via cookies | Art. 6(1)(a) — your consent |
| Marketing & campaign measurement | Cookie identifiers | Art. 6(1)(a) — your consent |
| Complying with legal obligations (tax, accounting) | Invoice & client data | Art. 6(1)(c) — legal obligation |
4. Who we share data with
We do not sell personal data. We share it only with the following categories of processors, each bound by a written agreement under Article 28 GDPR:
- Hosting & CDN — Vercel Inc. (EU-region delivery; data may be processed in the United States subject to the EU–US Data Privacy Framework and Standard Contractual Clauses).
- Domain & infrastructure — Cloudflare, Hostinger (where used), bound by appropriate safeguards.
- Email — our email provider, used to receive and reply to your messages.
- Accountants & legal advisers — strictly where required for compliance.
- Public authorities — where we are legally required to disclose information.
5. International transfers
Some of our processors are located outside the European Economic Area (EEA). Where this is the case, we rely on adequacy decisions of the European Commission, the EU–US Data Privacy Framework, or Standard Contractual Clauses, supplemented as needed by technical and organisational measures.
6. How long we keep data
| Data category | Retention period |
|---|---|
| Email enquiries that do not lead to engagement | Up to 24 months from last contact |
| Client & project files | Duration of engagement + 5 years |
| Accounting & invoicing records | 10 years (Greek tax law) |
| Server logs | Up to 30 days |
| Cookie consent record | 12 months, then re-asked |
7. Your rights
Under the GDPR you have the right, in respect of your personal data, to:
- access it and obtain a copy (Art. 15);
- have it rectified if inaccurate or incomplete (Art. 16);
- have it erased in certain circumstances (Art. 17);
- restrict its processing (Art. 18);
- data portability (Art. 20);
- object to processing based on legitimate interests (Art. 21);
- withdraw your consent at any time, where processing is based on consent (Art. 7(3));
- lodge a complaint with the Hellenic Data Protection Authority — Kifissias 1-3, 11523 Athens, Greece — www.dpa.gr.
To exercise any of these rights, write to hello@devebo.com. We will respond within one month, as required by Article 12(3) GDPR.
8. Security
We apply appropriate technical and organisational measures to protect personal data, including TLS in transit, access controls, the principle of least privilege, and regular reviews of our processors. No system is perfectly secure; we will notify affected users and the Hellenic DPA of any breach within 72 hours where required by Article 33 GDPR.
9. Children
The Site is not directed at children under 16, and we do not knowingly collect data from them. If you believe a child has provided us with personal data, please contact us so we can delete it.
10. Automated decision-making
We do not carry out automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be flagged on the Site. Continued use of the Site after a change indicates your acceptance of the updated policy.
CARPEBO Single Member P.C. (trading as Devebo)
2nd km Xanthis – Lagous, 67100 Xanthi, Greece
Email: hello@devebo.com