Privacy Policy

The data controller responsible for your personal data is Cloudless, operated by Themistoklis Baltzakis, based in Greece, EU. For data protection inquiries, contact us at:

Email: tbaltzakis@cloudless.gr

Information you provide directly:

Name, email address, company name, and message content when you submit our contact form. Email address when you subscribe to our newsletter. Account credentials when you register. Payment information when you purchase products or services (processed by Stripe — we never store card details).

Information collected automatically:

IP address (anonymised for analytics), browser type and version, device type, operating system, pages visited, time spent on pages, referring URL. This data is only collected if you consent to analytics cookies.

We process your personal data on the following legal bases: (a) Consent — for newsletter subscriptions, analytics cookies, and marketing cookies. You may withdraw consent at any time. (b) Contract performance — to fulfil orders and deliver services you have purchased. (c) Legitimate interest — for fraud prevention, security, and improving our services. (d) Legal obligation — for tax and accounting records required by Greek and EU law.

We use cookies in three categories: (1) Necessary cookies — required for the site to function (session management, consent preferences, security). These cannot be disabled. (2) Analytics cookies — help us understand how visitors use the site. Only set with your consent. (3) Marketing cookies — used for targeted advertising. Only set with your consent. You can manage your preferences at any time via the cookie settings link in our footer, or in your browser settings.

Read our full Cookie Policy

We use your data to: respond to your contact form enquiries, process and fulfil orders, send newsletter updates (only with consent), improve our website and services, comply with legal obligations, prevent fraud and ensure security, and — with consent — personalise content and advertising.

We share data only with processors that are necessary to deliver our services: Stripe (payment processing, US — EU-US Data Privacy Framework certified), Amazon Web Services (hosting and email via SES, EU region), and AWS Cognito (authentication). We do not sell your personal data. Each third-party processor is bound by a Data Processing Agreement (DPA) and processes data only on our instructions.

Some of our processors (e.g. Stripe) are based in the United States. These transfers are protected by the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or your explicit consent, in accordance with GDPR Chapter V.

Contact form submissions: 2 years, then deleted. Newsletter subscriptions: until you unsubscribe. Purchase records: 7 years (Greek tax law requirement). Account data: until you request deletion. Analytics data: 14 months (anonymised). Cookie consent records: 1 year.

Under the GDPR, you have the right to:

Access — request a copy of your personal data. Rectification — correct inaccurate data. Erasure — request deletion of your data ("right to be forgotten"). Restriction — limit how we process your data. Portability — receive your data in a machine-readable format. Objection — object to processing based on legitimate interest. Withdraw consent — at any time, without affecting prior processing.

Under the CCPA/CPRA (California residents):

Right to know what personal data we collect and why. Right to delete your personal data. Right to opt out of the sale of personal data (we do not sell your data). Right to non-discrimination for exercising your privacy rights.

To exercise any of these rights, email us at tbaltzakis@cloudless.gr. We will respond within 30 days (GDPR) or 45 days (CCPA).

Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.

We implement appropriate technical and organisational measures to protect your data, including: HTTPS/TLS encryption in transit, encryption at rest for stored data, access controls and authentication, regular security reviews, and incident response procedures.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) at www.dpa.gr, or your local supervisory authority if you reside in another EU/EEA country.

We may update this Privacy Policy from time to time. Material changes will be communicated via a notice on our website. The "Last updated" date at the top reflects the most recent revision.