PRIVACY POLICY – PROTECTION OF PERSONAL DATA

A. Introduction

This document constitutes the privacy policy—personal data protection policy—and is intended to inform users about the processing of their personal data by the company named “BENEFIT BRIDGE SINGLE-MEMBER LIMITED LIABILITY COMPANY,” which is headquartered in Glyfada, 218 D. Gounari Street, with Tax Identification Number (AFM): 803023291, Tax Office: KEFODE ATTICA, as legally represented (hereinafter the “Company”), which also acts as the Data Controller for such data. The Company treats the protection of its users’ personal data with the utmost seriousness and care, in compliance with European and Greek legislation. The Company reserves the right to adapt the terms of this policy in accordance with the applicable legal framework at any given time. Consequently, these terms may be amended and updated at any time without prior notice, and users of the website and the mobile application (hereinafter collectively referred to as the “website”) should regularly review these terms for any changes.

B. What Is Personal Data?

Personal data is any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one whose identity can be ascertained, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person (hereinafter “Personal Data” or “Data”).

C. Collection and Processing of Personal Data – Purpose of Processing – Legal Basis for Processing

The Company collects and processes the personal data of its users, which is provided either by the user themselves by filling out the relevant contact form and/or by sending an email, and/or by registering (creating a user account) and logging in to the Company’s website, or through the use of the services provided by the Company (e.g., IP data). 

This data is absolutely essential and necessary and may include the following (depending on our Company’s relationship, collaboration, or transaction with the respective user):

  1. Full name
  2. User's email address
  3. Cell phone number
  4. If the person is the ultimate beneficial owner (UBO) of the account*
  5. PEP (Politically Exposed Person) Status. PEP Position or Role*
  6. Home address (country, street address, city, ZIP code)
  7. Tax information (tax jurisdiction(s), tax identification number(s))*
  8. Connection to Lithuania (for non-Lithuanian citizens)*
  9. Purpose of account*
  10. Source of income*
  11. Monthly gross revenue*
  12. Personal data collected to ensure strong authentication*
  13. Any other information that the user provides in the contact form (e.g., a resume for a potential job opening) or in the relevant email,
  14. Identification details (date of issue, expiration date, ID number, country of issue, type of document)*
  15. Date of Birth
  16. Personal identification number (if applicable)*
  17. ID photo (front, back, etc.)*
  18. Remote identification data (face photo, selfie, video, etc.)*
  19. IBAN and other payment details*
  20. Data related to complaints (name, contact information, content, and circumstances of the complaint),
  21. Technical data related to the user’s device and internet connection (such as IP address, etc.) or information related to the user’s browsing activity on the website (e.g., cookie preferences)

* only if you are a BB cardholder

Data processing is carried out on the basis of the user’s consent and/or to provide our contractual services, and/or to serve our legitimate interests (in a manner that is reasonably expected as part of our business operations and that does not substantially affect the user’s rights, freedoms, or interests), and/or to comply with applicable law. 

Processing covers a wide range of operations that can be performed on personal data by manual or automated means. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure, or destruction of personal data. The General Data Protection Regulation (GDPR) applies to the processing of personal data, in whole or in part, by automated means, as well as to non-automated processing, provided that the processing is part of a structured filing system.

D. Personal Data Security 

The Company is committed to safeguarding the personal data of its users and, to this end, has implemented appropriate technical and organizational security measures to protect the personal data of its users. The Company does not disclose, transfer, or otherwise make available for sale or for other commercial purposes, nor does it publish the personal data of users/visitors to third parties, except in cases where this is required by applicable law and only to the competent authorities and/or for the exercise and defense of the Company’s legitimate interests and rights.

In addition, all appropriate organizational and technical measures are taken to ensure data security and protect data from accidental or unauthorized destruction, accidental loss, alteration, unauthorized disclosure or access, and any other form of unauthorized processing. By way of example, the measures taken by the Company include preventive security procedures, technical and physical mechanisms to restrict access and control the granting of access rights, and our website uses an encryption protocol and technical security measures when collecting or transmitting information via the contact form.

In addition, the information used to identify the account user is the Username and the Personal Secret Security Code (Password), which constitute the user’s personal access credentials. Each time the user correctly enters the above information, they are granted secure access to their personal account.

The authentication process is carried out using appropriate technical and organizational security measures, including encryption in transit when data is transferred over the Internet to and from the Company’s servers, as well as their secure storage on the Company’s information systems.

Furthermore, users are given the option to change their Personal Security Password at any time they wish, using the relevant feature on the platform. Once entered, the new password undergoes a secure hashing process and is stored in a way that prevents it from being recovered in a readable format.

For security reasons, the Company does not have access to the user’s full password and cannot disclose or retrieve it. Therefore, the user is solely responsible for maintaining the confidentiality of their credentials and must take all necessary measures to prevent unauthorized access, such as, in particular, refraining from disclosing the password to third parties and changing it regularly.

If the user becomes aware of or suspects any unauthorized use of their account or a breach of their credentials, they are required to notify the Company immediately and change their password without delay.

E. Special Categories of Personal Data (if applicable)

The Company may process special categories of personal data, as defined in Article 9(1) of the GDPR, when such data are included in documents that ConnectPay (see paragraph I below) submits, uploads, or otherwise makes available to the Company.

When processing special categories of personal data, the Company undertakes to:

1. implement appropriate technical and organizational measures to ensure the security and confidentiality of such data, including encryption and access controls,

2. ensure that processing is limited to what is strictly necessary for the performance of the Services,

3. prevent unauthorized access to, disclosure of, or processing of special categories of data through appropriate security measures, commensurate with the nature of the data,

4. implement additional safeguards or compliance measures if it determines that this is necessary.

F. Recipients

Data processing is carried out in accordance with the principle of necessity by our Company’s specifically authorized personnel, who are contractually bound to maintain confidentiality and protect personal data, as well as by our third-party partners, as listed below (see paragraph I), who are also contractually bound to maintain confidentiality and protect personal data, in compliance with the applicable legal framework and by implementing all necessary technical and organizational security measures. 

G. Data Retention

The Company will store and retain users’ personal data for at least eight years or for as long as necessary to provide services to them, fulfill our legal obligations, and exercise our rights.

H. User Rights

Website users may contact the Company (email address: info@benefitbridge.gr) to request access to their data, request its correction, erasure, or portability, request a restriction on its processing, and to object to—or withdraw their consent for—the processing of their personal data. 

Any user—as a data subject—may exercise their rights at any time by contacting the Company using the contact information provided below (see Section IA). 

In addition, every Data Subject has the right to file a written complaint with the competent supervisory authority regarding the protection of their personal data, which is the Hellenic Data Protection Authority (1-3 Kifissias Ave., P.O. Box 115 23, Athens, +30 210 6475600, email: contact@dpa.gr).

X. Transfer of Data to Third Countries

Users' personal data is stored on servers within the European Union. However, in order to provide certain services, we may use third-party service providers (data processors) located in the United States of America.

To ensure that personal data receive a level of protection that is essentially equivalent to that guaranteed by European Union law, the following safeguards apply, as appropriate:

• EU–U.S. Data Privacy Framework (DPF): For providers based in the U.S. that have been certified under the above framework, the transfer is based on the European Commission’s adequacy decision of July 10, 2023.

• Standard Contractual Clauses (SCCs): For service providers not subject to the above framework, the Standard Contractual Clauses approved by the European Commission are used, which contractually bind the recipient to ensure a level of protection in accordance with Regulation (EU) 2016/679 (GDPR).

• Supplementary measures: Where necessary, a Transfer Impact Assessment (TIA) is conducted, and additional technical and organizational measures (such as, for example, encryption) are implemented to enhance data security and confidentiality.

In any case of transfer of personal data to third countries, including the United States, every reasonable effort is made to ensure that such data is adequately protected, in accordance with the provisions of EU and national law, as well as the provisions of this Privacy Policy.

I. List of Partners and Subcontractors

1. “ConnectPay,” registration number UAB 304696889, with its registered office in Vilnius, Lithuania, at Algirdo St., No. 38, an Electronic Money Institution (EMI) licensed by the Bank of Lithuania (BoL), which has notified its intention to provide services in Greece and with which our Company has signed a distribution agreement so that it may provide its services as its authorized distributor in Greece, as notified to the Bank of Greece.

“Wallester AS,” with registration number 11812882 and registered office at 4 F.R. Kreutzwaldi Street, 10120 Tallinn, Estonia, incorporated under Estonian law, is a company with which ConnectPay and our Company have entered into an agreement for the issuance of BB cards bearing the VISA logo.

2. Subcontractors

| # | Vendor | Legal entity | EU entity / representative | Registration No. | Registered / Headquarters Address | Data center / EU region | Contact | Service to BenefitBridge |
|---|---|---|---|---|---|---|---|---|
| 1 | Supabase | Supabase, Inc. (Delaware) | Supabase Pte. Ltd. (Singapore — ToS counterparty) | DE file no. 7816270 [moderate confidence] | 548 Market St, San Francisco, CA 94104, USA [mailbox] | EU: Frankfurt (AWS eu-central-1) | privacy@supabase.com | Database |
| 2 | Grandhosting Ltd | Grandhosting Ltd (Cyprus) | — (the EU entity itself) | HE 488909; VAT CY60338088T | 36 Lordou Vyronos, 1096 Nicosia, Cyprus | EU — servers in Germany (ISO 27001-certified EU data centers) | support@grandhosting.gr | Hosting |
| 3 | Vercel | Vercel Inc. (Delaware) | | DE file no. NOT PUBLIC (5857312 unverified) | 440 N Barranca Ave #4133, Covina, CA 91723, USA | EU functional region: Frankfurt (fra1) | privacy@vercel.com | Web hosting |
| 4 | Cloudflare R2 | Cloudflare, Inc. (Delaware; NYSE: NET) | | DE file no. 4710875 (GLEIF); SEC CIK 0001477333 | 101 Townsend St, San Francisco, CA 94107, USA | EU jurisdiction via the Data Localization Suite [verify] | privacyquestions@cloudflare.com / dpo@cloudflare.com | Storage |
| 5 | Better Stack | Better Stack, Inc. (Delaware) | Operational base: Prague, Czech Republic | Czech IČO 7053550 (U.S. entity, registered abroad); DE file no. NOT PUBLIC | Registered agent: 651 N Broad St, Ste 206, Middletown, DE 19709, USA [Prague office unconfirmed] | Primarily the EU (subprocessors: Google in Ireland, Hetzner in Germany) + the U.S. | hello@betterstack.com | Log aggregation, uptime monitoring, on-call alerting |
| 6 | iDenfy | UAB “iDenfy” (Lithuania) | — (the EU entity itself) | Reg. code 304617621; VAT LT100011161819 | 7-212 Gričiupio St., LT-51372 Kaunas, Lithuania | EU — AWS Europe (Dublin) | dpo@idenfy.com | Identity Verification (KYC/IDV) for ConnectPay Onboarding |
| 7 | GatewayAPI | ONLINECITY.IO ApS (Denmark) | — (the EU entity itself) | CVR 27364276 | Buchwaldsgade 50, 5000 Odense C, Denmark | EU region in use (GatewayAPI.eu / EU setup; core database: Google Belgium) | (via dashboard / privacy@gatewayapi.com) [verify] | SMS |
| 8 | Resend | Plus Five Five, Inc. (doing business as Resend) | | Delaware (file no. NOT PUBLIC); CA foreign #5428684, WA #605084474 | 2261 Market St #5039, San Francisco, CA 94114, USA | Email region: Ireland (eu-west-1) — mail.benefit-bridge.gr verified | support@resend.com | Transactional emails |
| 9 | Sentry | Functional Software, Inc. (doing business as Sentry) | Sentry Software Netherlands B.V. (Amsterdam) | DE file no. 5214647 + CA C3808470 (both confirmed via GLEIF) | 45 Fremont St, 8th Floor, San Francisco, CA 94105, USA | EU region: Frankfurt, Germany (all plans) | compliance@sentry.io | Error/Crash Monitoring |
| 10 | Novus | Novus Conceptus O.E. (Greek O.E.) | — (the EU entity itself) | GEMI 154255449000; Tax ID NOT PUBLIC (behind the authenticated GEMI portal) | 43 Spyrou Leivada, Parga 48060, Greece | Greece (EU) | info@timologisi.online / info@novusconceptus.com | Greek e-invoicing |
| 11 | Discord | Discord Inc. (Delaware) | Discord Netherlands B.V. (Chamber of Commerce No. 82229864) | DE file no. 5128862 | 444 De Haro St, Suite 200, San Francisco, CA 94107, USA / EU: Schiphol Blvd 195, Schiphol, NL | US | privacy@discord.com / dpo@discord.com | Internal Operations |
| 12 | Termly | Termly Inc. (Delaware) | | Delaware (file no. NOT PUBLIC); registered agent: Dover, DE | 906 W 2nd Ave, Ste 100, Spokane, WA 99201, USA (registered agent: Dover, DE) | US default; EU DC option upon request | privacy@termly.io | Cookie Consent Management |
| 13 | Expo (EAS) | 650 Industries, Inc. (California) | | CA file no. C3618919 | 624 University Ave, FL1, Palo Alto, CA 94301, USA | US only | Privacy via the form at expo.dev/contact (no email) | Mobile app |
| 14 | Apple | Apple Inc. (California) | Apple Distribution International Ltd. (Cork, Ireland; CRO 470672) | CRO 470672; LEI 54930027SQL2KPSDBM58 | One Apple Park Way, Cupertino, CA 95014, USA / EU: Hollyhill Industrial Estate, Cork T23 YK84, Ireland | EU App Store via Apple Distribution International; APNs Global | (Developer Program account) | App Store distribution |
| 15 | Google (Play / FCM) — FUTURE | Google LLC (California; Alphabet) | Google Ireland Limited (Dublin; CRO 368047) | CRO 368047; LEI YYPPRNO5HB304LHFVG31 | 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA / EU: Gordon House, Barrow St, Dublin 4, D04 E5W5, Ireland | Play/Contracting with the EU via Google Ireland; FCM Global | (Play Console / Firebase account) | Google Play distribution |
| 16 | Qboxmail | Qboxmail Srl | — (the EU entity itself) | REA PO 525585; Tax ID/VAT No. 02338120971 | Via Pollative 111/O, 59100 Prato (PO), Italy | EU (Italy) [verify email storage region] | privacy@qboxmail.it / dpo@qboxmail.it | Hosted email provider |

IA. Communication

If you have any questions regarding this policy, the manner in which your personal data is collected and processed, our subcontractors, etc., please contact the Company using the contact information below:

"BENEFIT BRIDGE SINGLE-MEMBER LIMITED LIABILITY COMPANY," 

Glyfada, 218 D. Gounari Street, ZIP Code 16674

Latest version of this policy: May 2026