Privacy Policy 

Effective date: 1/15/2026

Introduction

Welcome to Bomdiu (“we,” “us,” or “our”). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect information when you visit our website or use the Bomdiu suite of B2B products for the food & beverage industry (the “Service”).

We operate in strict compliance with the EU General Data Protection Regulation (GDPR) and the Hellenic Data Protection Law (Law 4624/2019).

1. Roles and Responsibilities: Who Controls Your Data?

To understand how your data is handled, it is important to distinguish between our two roles:

1.1. When Bomdiu is the Data Controller

Scope: Website visitors, direct newsletter subscribers, and business contacts (Leads/Admin accounts) registering for the service. Responsibility: We decide why and how this data is processed (e.g., for billing, marketing to you, or technical website security).

In some cases, your organization may create or manage your user account (e.g., by inviting you as a team member). In those situations, your organization may act as the Data Controller for the personal data associated with your use of the Service as a user, and Bomdiu acts as the Data Processor for that data. Bomdiu remains the Data Controller for our own business relationship data (e.g., billing, account administration, and direct communications with our customer).

1.2. When Bomdiu is the Data Processor

Scope: The operational data you upload to the platform (e.g., your staff lists, your buyer’s contact details, order histories, chat logs). Responsibility: Your Company (the Supplier or Buyer) is the Data Controller. You own this data. We act strictly as the Data Processor, handling this data only to provide the Service according to your instructions and our Data Processing Agreement (DPA).

We process data based on specific legal grounds defined in the GDPR.

2.1. Website Usage & Technical Data (Log Files)

When you visit bomdiu.com and other subdomains, e.g., app.bomdiu.com, our servers automatically record standard technical data.

  • Data Collected: IP address, browser type/version, operating system, referrer URL, date/time of access.
  • Purpose: System security, error debugging, and ensuring site stability.
  • Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR).

2.2. Account Registration & Administration

To use Bomdiu, you must register a business account.

  • Data Collected: Name, Business Email, Phone Number, Job Title, Company Name, Country/Region, Password (hashed).
  • Purpose: To create your account, verify your identity, and provide access to the platform (e.g., ensuring correct currency and tax settings based on region).
  • Legal Basis: Performance of Contract (Art. 6(1)(b) GDPR).

2.3. Platform Operational Data

When you use the Service to manage orders, catalogs, and customers.

  • Data Collected: Order history, chat messages between Supplier and Buyer, catalog edits, delivery addresses.
  • Purpose: To fulfill the core function of the Bomdiu app (connecting suppliers and buyers).
  • Legal Basis: Performance of Contract (Art. 6(1)(b) GDPR).

2.4. Contact & Support Requests

When you use our contact forms or email support.

  • Data Collected: Name, Email, Phone Number, Company Name.
  • Purpose: To answer your queries, provide customer support, and follow up on business inquiries.
  • Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR) or Performance of Contract (if you are an existing client).

2.5. Marketing & Newsletters

  • Data Collected: Email address, Name.
  • Purpose: To send product updates, industry news, and offers.
  • Legal Basis: Consent (Art. 6(1)(a) GDPR). You may unsubscribe at any time via the link in the email.
  • Tracking: Our emails may use tracking pixels to see if the email was opened. This helps us optimize our content.

2.6. Anti-Abuse Verification (e.g., Turnstile)

To protect our forms and Service from spam, fraud, and automated abuse, we may use anti-bot verification tools (such as Cloudflare Turnstile).

  • Data Collected: Verification token/challenge response, IP address (typically processed transiently for verification), and technical signals about your browser/device used to determine whether traffic is abusive.
  • Purpose: Spam prevention, fraud prevention, and service security.
  • Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR).

3. Cookies and Tracking Technologies

We use cookies and similar technologies where necessary for the functioning and security of our website and Service. We do not use cookies for advertising. Our analytics are configured to be cookieless.

3.1. Analytics (Anonymous & Cookieless)

We use PostHog, Umami (self-hosted), and Cloudflare Web Analytics to understand how our Service is used. All three tools are configured to run in “cookieless mode” with no user identifiers.

  • No Cookies: We do not place any analytics cookies on your device.
  • No Direct Identifiers: We do not use analytics to track you using persistent identifiers such as your account User ID, advertising identifiers, or similar IDs.
  • Privacy-Friendly IP Handling: Technical data such as IP address may be processed transiently for delivering the Service, security, and deriving coarse location or aggregated metrics. We do not aim to store full IP addresses in our analytics datasets or use analytics to identify you.
  • Self-Hosted Data: Data collected via Umami is stored on our own infrastructure and is not shared with third parties.

Strictly Necessary Cookies

  • Purpose: Essential for platform functionality. This includes maintaining your login session, security tokens (CSRF protection), and displaying the interface language (based on your browser settings, and if you explicitly select a different language, we may store that preference locally).
  • Legal Basis: Legitimate Interest (Exempt from Consent).

Analytics (Anonymous)

  • Purpose: We use anonymous, cookieless analytics (PostHog, Umami, Cloudflare) to measure general platform usage trends. No personal data is processed or stored on your device.
  • Legal Basis: Legitimate Interest (No Consent Required).

4. How We Share Your Data

We do not sell your personal data. We only share data in the following strictly necessary scenarios:

4.1. Platform Interactivity

To fulfill an order, minimal contact data (Name, Phone number relating to the specific order) is visible between the specific Supplier and Buyer involved in that transaction.

4.2. Third-Party Service Providers (Sub-Processors)

We use trusted third-party providers to help us run our business. They are contractually bound to protect your data.

  • Cloudflare (US/EU) — CDN, Database, Hosting, Web Analytics, AI runtime (embedded AI features)
  • PlanetScale (US/EU) — Database
  • UpCloud (US/EU) — Infrastructure
  • Resend (US/EU) — Transactional emails
  • PostHog (US/EU) — Analytics
  • Google Vertex AI (US/EU) — AI processing (only for features that rely on this provider)

Note on self-hosted analytics: Umami is self-hosted and runs on our own infrastructure; it is not used as an external third-party service provider.

We may disclose data if required by law, a court order, or to protect the rights and safety of Bomdiu, our users, or the public.

4.4. International Transfers

If we transfer data outside the European Economic Area (EEA), we ensure it is protected by appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.

5. Data Security

We implement appropriate technical and organizational measures (TOMs) designed to protect your data against manipulation, loss, destruction, and unauthorized access. These measures include:

  • SSL/TLS encryption for all data in transit.
  • Encryption of sensitive data at rest.
  • Strict access controls and authentication mechanisms.
  • Regular security audits and backups.

6. Data Retention

We retain your personal data only as long as necessary.

  1. Active Accounts: Retained for the duration of your contract/service usage.
  2. Business Records & Historic Data: As a B2B platform, we must maintain the integrity of order histories and transaction logs for all parties involved. Therefore, business data (such as confirmed orders, invoices, and related transaction logs) is retained to ensure consistency of records for the counter-party (Supplier or Buyer) and for financial reporting purposes, even after a specific contract is terminated.
  3. Post-Termination (Personal Data): Upon contract termination, we generally retain access to your personal account data for 90 days to allow for data export. After this period, personal identifiers (such as login credentials, user profile details, or private user preferences) may be deleted or anonymized, while the business records remain stored as described above. Please note that transactional records (e.g., invoices, delivery addresses, order-related communications) may still contain limited personal data where required for record integrity, legal obligations, or legitimate business purposes.
  4. Legal Obligations: We retain billing and tax-related data for the period required by Hellenic Tax Law (typically 5-10 years).
  5. Marketing Data: Retained until you withdraw your consent (unsubscribe).
  6. Technical Logs: Server access logs are retained for a maximum of 90 days for security and debugging purposes.
  7. Backups: Backups are retained for limited periods according to our backup rotation schedules and are securely stored. Data may persist in backups until those backups are overwritten or expire.

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

  1. Right to Access: Request a copy of the data we hold about you.
  2. Right to Rectification: Correct inaccurate or incomplete data.
  3. Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data. Please note: This right is not absolute. We cannot delete data that is required for mandatory business records (e.g., invoices, tax records, or order history) as described in Section 6.
  4. Right to Restriction: Request to pause processing of your data.
  5. Right to Data Portability: Receive your data in a structured, machine-readable format.
  6. Right to Object: Object to processing based on legitimate interest or direct marketing.
  7. Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

To exercise these rights: Please contact us at: contact@bomdiu.com

Right to Lodge a Complaint: If you believe we have violated your privacy rights, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):

8. Data Controller Information

Bomdiu SINGLE MEMBER PC
GEMI: 190310106000
VAT: EL803131996
Geor. Gennimata 21
555 35 Thessaloniki
Greece
Phone: +30 231 176 8265
Email: contact@bomdiu.com
Website: https://bomdiu.com

Privacy Contact: For all privacy-related inquiries, please contact us at contact@bomdiu.com.

9. AI-Assisted Processing

We use artificial intelligence to assist with extracting and organizing business data from documents such as invoices and orders. We may also provide embedded AI features within the Service (e.g., in-product assistance). Where used, we may run AI inference on Cloudflare infrastructure (including open-source models) and/or use third-party AI providers (such as Google Vertex AI) depending on the feature. We process only the data necessary to provide the feature. This processing is intended to handle business data (and may include limited personal data contained in such documents or platform content) and does not involve automated decision-making that produces legal effects concerning you or similarly significantly affects you as an individual.

10. Children’s Data

Bomdiu is a business-to-business (B2B) platform. We do not knowingly collect personal data from individuals under 16 years of age. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our service or legal requirements. We will provide at least 30 days’ notice before material changes take effect. The latest version will always be available at this URL. Notification of changes will be sent via email or displayed as a platform notification.