GDPR Compliance
This GDPR Compliance Notice supplements the Tefteri Privacy Policy and applies to users located in the European Economic Area (EEA), the United Kingdom, and Switzerland. It describes how we comply with the General Data Protection Regulation (GDPR) and similar data protection laws.
1. Data Controller
Tefteri ("we", "us", or "our") is the controller of your personal data processed through the Tefteri mobile application. You can reach us at:
Data Protection Contact
Email: privacy@pavlossta.com
2. Categories of Personal Data
We process the following categories of data:
- Identification data: Your email address and Firebase user identifier collected during sign-in, plus basic Google profile information such as display name and profile photo if provided by Google.
- Health-related notes: Visits, reminders, doctor categories, timestamps, optional free-text descriptions, and contact/details text you add. These may include special categories of personal data under Article 9 GDPR if you choose to include health information.
- Usage/account data: Sync metadata such as created/updated timestamps, session tokens, and technical data required for security and troubleshooting.
We do not collect location data, contact lists, or biometric identifiers.
3. Purposes and Legal Bases
| Purpose | Legal basis |
|---|---|
| Provide and maintain the App, authenticate users, and sync entries across devices | Article 6(1)(b) GDPR — Performance of a contract |
| Store optional health-related notes you add | Article 9(2)(a) GDPR — Explicit consent |
| Improve security, prevent abuse, and handle support requests | Article 6(1)(f) GDPR — Legitimate interests |
| Comply with legal obligations, such as responding to lawful requests | Article 6(1)(c) GDPR — Legal obligation |
You may withdraw consent for processing of health-related notes at any time by deleting the relevant entries or requesting full account deletion.
4. Data Sharing and International Transfers
Personal data is stored in Google Firebase (Authentication and Firestore). Google acts as our data processor under a Data Processing Agreement incorporating the EU Standard Contractual Clauses. Data may be transferred outside the EEA/UK, including to the United States, with these safeguards in place.
We do not share your personal data with third parties for marketing purposes. Disclosure is limited to the scenarios listed in the Privacy Policy (e.g., legal compliance, business transfers).
5. Data Retention
- Account data is retained while your account remains active.
- Health notes, reminders, visits, and categories remain in your account until you delete them or ask us to remove them.
- Backup copies may persist temporarily under Firebase/Google backup retention processes before automatic purge.
After fulfilling a deletion request, we retain only the minimal records necessary to demonstrate compliance with GDPR.
6. Your GDPR Rights
You have the following rights, subject to legal limitations:
- Right of access — Obtain confirmation and a copy of your personal data.
- Right to rectification — Correct inaccurate or incomplete data.
- Right to erasure — Request deletion of your data ("right to be forgotten").
- Right to restriction — Temporarily limit processing.
- Right to data portability — Receive your data in a structured, machine-readable format and transmit it to another controller.
- Right to object — Object to processing based on legitimate interests.
- Right to withdraw consent — Withdraw consent at any time without affecting prior lawful processing.
- Right not to be subject to automated decision-making — We do not conduct automated decision-making or profiling that produces legal effects.
How to Exercise Your Rights
Send your request to privacy@pavlossta.com from the email address associated with your account. We may need to verify your identity before acting on the request. We aim to respond within one month and may extend by two further months for complex requests, in accordance with Article 12 GDPR.
You can also delete your account in the App or use the Account Deletion page if you cannot access the App.
If you believe we have not addressed your concerns, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu. UK users may contact the Information Commissioner's Office (ICO).
7. Data Protection Impact Assessment (DPIA)
Given the optional processing of health-related information, we have assessed the risks and implemented safeguards including:
- Limiting access to authenticated users' own records via Firebase security rules.
- Encrypting data in transit (TLS) and at rest (Firebase-managed encryption).
- Using the minimum required personal data fields.
- Allowing user-initiated deletion of entries and signed-in accounts.
We monitor these measures and will revisit the DPIA if new features introduce higher risks.
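As an added illustration of the first safeguard above (example rules written for this notice, not the App's own published rules), the Firestore security rules below put the common over-broad pattern, in which any signed-in account can read every record, beside the owner-only form; the collection names `users` and `visits` and the `ownerId` field are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (shown for contrast, do not use): "authenticated" is not "owner".
    // Any signed-in account could read and write every user's health notes.
    // match /users/{userId}/{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // Owner-only subtree: the signed-in Firebase UID must equal the userId
    // path segment, so each account can only touch its own records.
    match /users/{userId}/{document=**} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Alternative for a flat collection (assumed name "visits") where each
    // document carries an ownerId field. Rules are not query filters: the
    // client must also query with where("ownerId", "==", uid), otherwise
    // a broad read is rejected rather than silently narrowed.
    match /visits/{visitId} {
      allow read: if request.auth != null
                  && resource.data.ownerId == request.auth.uid;
      // On create the stored ownerId must be the caller's own UID.
      allow create: if request.auth != null
                    && request.resource.data.ownerId == request.auth.uid;
      // On update the caller must already own the record and may not
      // reassign it to another account.
      allow update: if request.auth != null
                    && resource.data.ownerId == request.auth.uid
                    && request.resource.data.ownerId == request.auth.uid;
      // request.resource is not available on delete; check the existing doc.
      allow delete: if request.auth != null
                    && resource.data.ownerId == request.auth.uid;
    }

    // Anything not matched above is denied by default; the explicit
    // catch-all records that intent for reviewers.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```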
8. Contacting the Data Protection Authority
If you wish to escalate a complaint, you may contact your national supervisory authority. If you are in Greece (where Tefteri is currently based), you may contact the Hellenic Data Protection Authority at dpa.gr.