Introduction
Welcome to Bomdiu (“we,” “us,” or “our”). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect information when you visit our website or use the Bomdiu platform (the “Service”).
We operate in strict compliance with the EU General Data Protection Regulation (GDPR) and the Hellenic Data Protection Law (Law 4624/2019).
1. Roles and Responsibilities: Who Controls Your Data?
To understand how your data is handled, it is important to distinguish between our two roles:
1.1. When Bomdiu is the Data Controller
- Scope: Website visitors, direct newsletter subscribers, and business contacts (Leads/Admin accounts) registering for the service.
- Responsibility: We decide why and how this data is processed (e.g., for billing, marketing to you, or technical website security).
1.2. When Bomdiu is the Data Processor
- Scope: The operational data you upload to the platform (e.g., your staff lists, your buyer’s contact details, order histories, chat logs).
- Responsibility: Your Company (the Supplier or Buyer) is the Data Controller. You own this data. We act strictly as the Data Processor, handling this data only to provide the Service according to your instructions and our Data Processing Agreement (DPA).
2. Data We Collect and Legal Basis
We process data based on specific legal grounds defined in the GDPR.
2.1. Website Usage & Technical Data (Log Files)
When you visit bomdiu.com and other subdomains, e.g., app.bomdiu.com, our servers automatically record standard technical data.
- Data Collected: IP address, browser type/version, operating system, referrer URL, date/time of access.
- Purpose: System security, error debugging, and ensuring site stability.
- Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR).
2.2. Account Registration & Administration
To use Bomdiu, you must register a business account.
- Data Collected: Name, Business Email, Phone Number, Job Title, Company Name, Country/Region, Password (hashed).
- Purpose: To create your account, verify your identity, and provide access to the platform (e.g., ensuring correct currency and tax settings based on region).
- Legal Basis: Performance of Contract (Art. 6(1)(b) GDPR).
As you use the service to manage orders, catalogs, and customers.
- Data Collected: Order history, chat messages between Supplier and Buyer, catalog edits, delivery addresses.
- Purpose: To fulfill the core function of the Bomdiu app (connecting suppliers and buyers).
- Legal Basis: Performance of Contract (Art. 6(1)(b) GDPR).
When you use our contact forms or email support.
- Data Collected: Name, Email, Message content.
- Purpose: To answer your queries and provide customer support.
- Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR) or Performance of Contract (if you are an existing client).
2.5. Marketing & Newsletters
- Data Collected: Email address, Name.
- Purpose: To send product updates, industry news, and offers.
- Legal Basis: Consent (Art. 6(1)(a) GDPR). You may unsubscribe at any time via the link in the email.
- Tracking: Our emails may use tracking pixels to see if the email was opened. This helps us optimize our content.
3. Cookies and Tracking Technologies
We use cookies strictly for the necessary functioning of our website. We do not use cookies for analytics or advertising.
3.1. Analytics (Anonymous & Cookieless)
We use PostHog, Umami (self-hosted), and Cloudflare Web Analytics to understand how our Service is used. All three tools are configured to run in “cookieless mode” with no user identifiers.
- No Cookies: We do not place any analytics cookies on your device.
- Anonymous: We do not track your unique User ID or IP address for analytics purposes. All data collected is aggregated and anonymous.
- Self-Hosted Data: Data collected via Umami is stored on our own infrastructure and is not shared with third parties.
3.2. Cookie Categories and Legal Basis
Strictly Necessary Cookies
- Purpose: Essential for platform functionality. This includes maintaining your login session, security tokens (CSRF protection), and displaying the interface in your preferred language (based on your browser settings).
- Legal Basis: Legitimate Interest (Exempt from Consent).
Analytics (Anonymous)
- Purpose: We use anonymous, cookieless analytics (PostHog, Umami, Cloudflare) to measure general platform usage trends. No personal data is processed or stored on your device.
- Legal Basis: Legitimate Interest (No Consent Required).
4. How We Share Your Data
We do not sell your personal data. We only share data in the following strictly necessary scenarios:
To fulfill an order, minimal contact data (Name, Phone number relating to the specific order) is visible between the specific Supplier and Buyer involved in that transaction.
4.2. Third-Party Service Providers (Sub-Processors)
We use trusted third-party providers to help us run our business. They are contractually bound to protect your data.
- Hosting: Cloudflare, PlanetScale, UpCloud (Infrastructure)
- Email Services: Resend (Transactional emails)
- Analytics & Performance: PostHog, Cloudflare (Anonymous Usage Data)
4.3. Legal Requirements
We may disclose data if required by law, a court order, or to protect the rights and safety of Bomdiu, our users, or the public.
4.4. International Transfers
If we transfer data outside the European Economic Area (EEA), we ensure it is protected by appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.
5. Data Security
We implement state-of-the-art technical and organizational measures (TOMs) to protect your data against manipulation, loss, destruction, and unauthorized access. These measures include:
- SSL/TLS encryption for all data in transit.
- Encryption of sensitive data at rest.
- Strict access controls and authentication mechanisms.
- Regular security audits and backups.
6. Data Retention
We retain your personal data only as long as necessary.
- Active Accounts: Retained for the duration of your contract/service usage.
- Business Records & Historic Data: As a B2B platform, we must maintain the integrity of order histories and transaction logs for all parties involved. Therefore, business data (such as confirmed orders, invoices, and related transaction logs) is retained to ensure consistency of records for the counter-party (Supplier or Buyer) and for financial reporting purposes, even after a specific contract is terminated.
- Post-Termination (Personal Data): Upon contract termination, we generally retain access to your personal account data for 90 days to allow for data export. After this period, personal identifiers (such as login credentials or private user preferences) may be anonymized, while the business records remain stored as described above.
- Legal Obligations: We retain billing and tax-related data for the period required by Hellenic Tax Law (typically 5-10 years).
- Marketing Data: Retained until you withdraw your consent (unsubscribe).
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right to Access: Request a copy of the data we hold about you.
- Right to Rectification: Correct inaccurate or incomplete data.
- Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data. Please note: This right is not absolute. We cannot delete data that is required for mandatory business records (e.g., invoices, tax records, or order history) as described in Section 6.
- Right to Restriction: Request to pause processing of your data.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interest or direct marketing.
To exercise these rights, please contact us at contact@bomdiu.com.
Right to Lodge a Complaint: If you believe we have violated your privacy rights, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):
Bomdiu IKE
Thessaloniki, Greece
contact@bomdiu.com
https://bomdiu.com
9. Changes to This Policy
We may update this Privacy Policy to reflect changes in our service or legal requirements. The latest version will always be available at this URL. Significant changes will be communicated via email or a platform notification.