Privacy Policy 

Introduction

Welcome to Bomdiu (“we,” “us,” or “our”). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect information when you visit our website or use the Bomdiu B2B platform for the food & beverage industry (the “Service”).

We operate in strict compliance with the EU General Data Protection Regulation (GDPR), the ePrivacy Directive (2002/58/EC) as transposed into Greek law, and the Hellenic Data Protection Law (Law 4624/2019).

1. Roles and Responsibilities: Who Controls Your Data?

To understand how your data is handled, it is important to distinguish between our two roles:

1.1. When Bomdiu is the Data Controller

Scope: Website visitors, direct newsletter subscribers, and business contacts (Leads/Admin accounts) registering for the service. Responsibility: We decide why and how this data is processed (e.g., for billing, marketing to you, or technical website security).

In some cases, your organization may create or manage your user account (e.g., by inviting you as a team member). In those situations, your organization may act as the Data Controller for the personal data associated with your use of the Service as a user, and Bomdiu acts as the Data Processor for that data. Bomdiu remains the Data Controller for our own business relationship data (e.g., billing, account administration, and direct communications with our customer).

1.2. When Bomdiu is the Data Processor

Scope: The operational data you upload to the platform (e.g., your staff lists, your buyer’s contact details, order histories, chat logs). Responsibility: Your Company (the Supplier or Buyer) is the Data Controller. You own this data. We act strictly as the Data Processor, handling this data only to provide the Service according to your instructions and our Data Processing Agreement (DPA).

2. Data We Collect and Legal Basis

We process data based on specific legal grounds defined in the GDPR.

2.1. Website Usage & Technical Data (Log Files)

When you visit bomdiu.com and other subdomains, e.g., app.bomdiu.com, our servers automatically record standard technical data.

• Data Collected: IP address, browser type/version, operating system, referrer URL, date/time of access.
• Purpose: System security, error debugging, and ensuring site stability.
• Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR).

2.2. Account Registration & Administration

To use Bomdiu, you must register a business account.

• Data Collected: Name, Business Email, Phone Number, Job Title, Company Name, Country/Region, Password (hashed).
• Purpose: To create your account, verify your identity, and provide access to the platform (e.g., ensuring correct currency and tax settings based on region).
• Legal Basis: Performance of Contract (Art. 6(1)(b) GDPR).

2.3. Platform Operational Data

When you use the Service to manage orders, catalogs, and customers.

• Data Collected: Order history, chat messages between Supplier and Buyer, catalog edits, delivery addresses.
• Purpose: To fulfill the core function of the Bomdiu app (connecting suppliers and buyers).
• Legal Basis: Performance of Contract (Art. 6(1)(b) GDPR).

2.4. Contact & Support Requests

When you use our contact forms or email support.

• Data Collected: Name, Email, Phone Number, Company Name.
• Purpose: To answer your queries, provide customer support, and follow up on business inquiries.
• Legal Basis: Performance of Contract (Art. 6(1)(b) GDPR) for existing clients; Legitimate Interest (Art. 6(1)(f) GDPR) for prospective contacts. Our legitimate interest is responding to business inquiries directed to us.

2.5. Marketing & Newsletters

• Data Collected: Email address, Name.
• Purpose: To send product updates, industry news, and offers.
• Legal Basis: Consent (Art. 6(1)(a) GDPR). You may unsubscribe at any time via the link in the email.
• Tracking: Our emails may use tracking pixels to measure open rates and click-through rates (via our email and CRM platforms). This tracking is part of the marketing consent you provide when subscribing. You can opt out of all marketing emails (including tracking) at any time via the unsubscribe link.

2.6. Business Communications & CRM

We use Pipedrive (Pipedrive OÜ, Estonia) to manage our sales pipeline and business email communications.

• Data Collected: Business email address, name, company name, job title, and email interaction data (opens, clicks, timestamps).
• Purpose: Sales pipeline management, business outreach, and engagement measurement.
• Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR). In a B2B context, processing business contact data for sales communications represents a minimal impact on data subjects’ rights.
• Scope: This applies to direct business emails only (e.g., sales outreach, follow-ups). Marketing newsletters are covered separately under Section 2.5.
• Opt-out: You can request that email interaction tracking be disabled for your communications by contacting privacy@bomdiu.com.

3. Cookies and Tracking Technologies

We use cookies and similar technologies where necessary for the functioning and security of our website and Service. We do not use cookies for advertising. Our analytics are configured to be cookieless.

3.1. Analytics (Cookieless)

We use PostHog (cookieless), Umami (self-hosted, cookieless), and Cloudflare Web Analytics (cookieless; collects only minimal technical data for aggregate analytics — Cloudflare may process IP addresses for analytics and network security, but we do not use these data to identify individuals) to understand how our Service is used.

• PostHog is configured in cookieless mode.
• Session Replay: We may use PostHog’s session replay feature to record how authenticated users interact with the Bomdiu platform. Session replays capture page navigation, clicks, scrolls, and on-screen content to help us identify usability issues, troubleshoot bugs, and improve the platform experience. Session replays are associated with internal organization and customer identifiers (pseudonymous internal identifiers). We do not record keystrokes, passwords, or sensitive form inputs. Session replay data is stored on PostHog’s EU Cloud infrastructure.
• Organization & Customer Identification: For authenticated users of the Bomdiu platform, we associate analytics events with the organization and customer account using internal platform identifiers only. These identifiers are opaque IDs generated by our system — they do not directly identify individuals (e.g., they are not names, email addresses, or advertising identifiers). Where these identifiers can be linked to a natural person through additional information under our control, we treat them as personal data and apply appropriate GDPR safeguards. We use this association to provide and improve our Service, including customer support, troubleshooting, and understanding how organizations use the platform. This identification applies only within the Bomdiu platform context and is not used for cross-site tracking, profiling of natural persons, or advertising.
• Legal Basis: Performance of Contract (Art. 6(1)(b) GDPR) for customer support and service delivery; Legitimate Interest (Art. 6(1)(f) GDPR) for product analytics and improvement. We have conducted a Legitimate Interest Assessment confirming that this identification — limited to opaque internal IDs in a B2B context — does not override users’ rights and freedoms.
• No Cookies or Advertising Identifiers: We do not place any analytics cookies on your device. We do not use advertising identifiers or similar tracking technologies.
• IP Address Processing: IP addresses may be processed for analytics purposes, including understanding platform usage, deriving coarse geographic location, improving the Service, and ensuring security. We do not sell IP address data or share it for advertising purposes.
• Self-Hosted Data: Data collected via Umami is stored on our own infrastructure and is not shared with third parties.

3.2. Cookie Categories and Legal Basis

Strictly Necessary Cookies

• Purpose: Essential for platform functionality. This includes maintaining your login session, security tokens (CSRF protection), and displaying the interface language (based on your browser settings, and if you explicitly select a different language, we may store that preference locally).
• Legal Basis: Legitimate Interest (Exempt from Consent).

Platform Analytics & Session Replay (No Cookies)

• Purpose: We use cookieless analytics tools (PostHog, Umami, Cloudflare) and session replay (PostHog) to measure platform usage, understand how organizations use our Service, troubleshoot issues, and improve the user experience. For details on the data collected, organization and customer identification, and session replay, see Section 3.1. No analytics cookies are placed on your device.
• Legal Basis: Performance of Contract (Art. 6(1)(b) GDPR) for service delivery and customer support; Legitimate Interest (Art. 6(1)(f) GDPR) for product analytics and improvement. We have conducted a Legitimate Interest Assessment (available on request) confirming that this processing — including the use of internal platform identifiers, IP addresses, and session replay in a B2B context — does not override users’ rights and freedoms.

4. How We Share Your Data

We do not sell your personal data. We only share data in the following strictly necessary scenarios:

4.1. Platform Interactivity

To fulfill an order, minimal contact data (Name, Phone number relating to the specific order) is visible between the specific Supplier and Buyer involved in that transaction.

4.2. Third-Party Service Providers (Sub-Processors)

We use trusted third-party providers to help us run our business. They are contractually bound to protect your data.

Provider	Service	Data Location	Transfer Mechanism
Cloudflare	CDN, Database, Hosting, Analytics, AI, Transactional Email	EU (primary), US	EU-US DPF; SCCs
PlanetScale	Database	EU	SCCs
UpCloud	Infrastructure	EU	N/A (EEA only)
PostHog	Analytics, Session Replay	EU (EU Cloud)	N/A (EEA only)
Gemini Enterprise Agent Platform	AI processing	EU region	SCCs; Google DPA
Pipedrive	CRM & business email communications	EU (Estonia)	N/A (EEA only)
Better Auth	Authentication, abuse protection	US	SCCs

Note: Umami is self-hosted on our own infrastructure and is not a sub-processor.

4.3. Legal Requirements

We may disclose data if required by law, a court order, or to protect the rights and safety of Bomdiu, our users, or the public.

4.4. International Transfers

If we transfer data outside the European Economic Area (EEA), we ensure it is protected by appropriate safeguards as required by Chapter V of the GDPR. The specific mechanisms we rely on include:

• EU Standard Contractual Clauses (SCCs) — used with all sub-processors that may process data outside the EEA.
• EU-US Data Privacy Framework (DPF) — relied upon only for providers that are certified under the DPF. We verify certification status periodically.
• Supplementary measures — where required by Transfer Impact Assessments (TIAs), we implement additional technical or organizational safeguards such as encryption in transit and at rest.

5. Data Security

We implement appropriate technical and organizational measures (TOMs) designed to protect your data against manipulation, loss, destruction, and unauthorized access. These measures include:

• SSL/TLS encryption for all data in transit.
• Encryption of sensitive data at rest.
• Strict access controls and authentication mechanisms.
• Regular security audits and backups.

6. Data Retention

We retain your personal data only as long as necessary.

1. Active Accounts: Retained for the duration of your contract/service usage.
2. Business Records & Historic Data: As a B2B platform, we must maintain the integrity of order histories and transaction logs for all parties involved. Therefore, business data (such as confirmed orders, invoices, and related transaction logs) is retained to ensure consistency of records for the counter-party (Supplier or Buyer) and for financial reporting purposes, even after a specific contract is terminated.
3. Post-Termination (Personal Data): Upon contract termination, we generally retain access to your personal account data for 90 days to allow for data export. After this period, personal identifiers (such as login credentials, user profile details, or private user preferences) may be deleted or anonymized, while the business records remain stored as described above. Please note that transactional records (e.g., invoices, delivery addresses, order-related communications) may still contain limited personal data where required for record integrity, legal obligations, or legitimate business purposes.
4. Legal Obligations: We retain billing, invoice, and tax-related data for 5 years from the end of the relevant tax year, as required by the Greek Code of Tax Procedures (Law 4987/2022, Art. 36). This period may extend to 10 years where tax audits are pending or in cases of tax evasion investigations.
5. Marketing Data: Retained until you withdraw your consent (unsubscribe).
6. Technical Logs: Server access logs are retained for a maximum of 90 days for security and debugging purposes.
7. Backups: Backups are retained for a maximum of 30 days according to our backup rotation schedule and are encrypted at rest. Data deleted from production may persist in backups until those backups are overwritten or expire, but backup data is not actively processed and is only restored in disaster recovery scenarios.

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

1. Right to Access: Request a copy of the data we hold about you.
2. Right to Rectification: Correct inaccurate or incomplete data.
3. Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data. Please note: This right is not absolute. We cannot delete data that is required for mandatory business records (e.g., invoices, tax records, or order history) as described in Section 6.
4. Right to Restriction: Request to pause processing of your data.
5. Right to Data Portability: Receive your data in a structured, machine-readable format.
6. Right to Object: Object to processing based on legitimate interest or direct marketing.
7. Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

Response Time: We will respond to all data subject requests within 30 days of receipt, as required by Art. 12(3) GDPR. If the request is complex, we may extend this period by an additional 60 days, and we will inform you of the extension within the initial 30-day period.

Automated Decision-Making: We do not engage in automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR). If this changes in the future, we will update this policy and obtain your explicit consent where required.

To exercise these rights: Please contact us at: privacy@bomdiu.com

Right to Lodge a Complaint: If you believe we have violated your privacy rights, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):

• Website: www.dpa.gr
• Email: contact@dpa.gr

8. Data Controller Information

Bomdiu SINGLE MEMBER PC
GEMI: 190310106000
VAT: EL803131996
Geor. Gennimata 21
555 35 Thessaloniki
Greece
Phone: +30 6975771534
Email: contact@bomdiu.com
Website: https://bomdiu.com

Data Protection Officer: Given the nature and scale of our data processing activities, we have determined that the appointment of a Data Protection Officer (DPO) is not required under Art. 37 GDPR. For all privacy-related inquiries, please contact us at privacy@bomdiu.com.

9. AI-Assisted Processing

We use artificial intelligence to assist with extracting and organizing business data from documents such as invoices and orders. We may also provide embedded AI features within the Service (e.g., in-product assistance).

• Providers: We may run AI inference on Cloudflare infrastructure (including open-source models) and/or use third-party AI providers (such as Gemini Enterprise Agent Platform) depending on the feature.
• Data minimization: We process only the data necessary to provide the feature.
• Legal basis: Performance of Contract (Art. 6(1)(b) GDPR) — AI features are part of the Service functionality you have contracted for.
• No model training: Your data is not used to train AI models. Third-party AI providers process your data solely for inference and do not retain it for training purposes.
• No automated decisions: This processing does not involve automated decision-making that produces legal effects concerning you or similarly significantly affects you as an individual.
• Human oversight: AI-generated outputs (e.g., extracted invoice data) are presented for user review and confirmation before any action is taken.

10. Data Protection Impact Assessments

Where our processing activities are likely to result in a high risk to individuals’ rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs) in accordance with Art. 35 GDPR. This includes assessments of our AI-assisted processing features and large-scale data processing activities. DPIAs are reviewed periodically and updated when processing activities change materially.

11. Children’s Data

Bomdiu is a business-to-business (B2B) platform. We do not knowingly collect personal data from individuals under 16 years of age. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our service or legal requirements. We will provide at least 30 days’ notice before material changes take effect. The latest version will always be available at this URL. Notification of changes will be sent via email or displayed as a platform notification.