Privacy Policy

1. Introduction

This Privacy Policy explains how IT-Flow Cyprus (“we”, “us”, “our”, or “IT-Flow”) processes personal data of individuals who visit our website at https://itflowcy.com/, use our services, or interact with us in any capacity. This policy informs you about your privacy rights and how data protection law protects you.

This Privacy Policy applies to natural persons who are current or potential customers of IT-Flow, website visitors, newsletter subscribers, or anyone who provides personal data to us through any means.

We comply with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and any applicable local data protection laws.

Effective Date: 1 February 2023 
Last Updated: 12 September 2025 

2. Who We Are

IT-Flow Cyprus is a leading IT solutions provider specialising in comprehensive technology services for businesses. We provide IT support, cloud solutions, cybersecurity, and digital transformation services to help businesses optimise their technology infrastructure.

Contact Information:

For all privacy-related inquiries, including requests to exercise your legal rights, please contact our Data Protection Officer at [email protected]

3. The Types of Personal Data We Collect and Process

We may collect, use, store, and transfer the following categories of personal data:

3.1 Contact Information

  • First and last names
  • Business names and job titles
  • Email addresses
  • Phone numbers
  • Postal addresses
  • Company information

3.2 Technical and Usage Data

  • IP addresses
  • Browser type and version
  • Device information
  • Operating system
  • Pages visited on our website
  • Time and date of visits
  • Referring websites
  • Cookies and similar tracking technologies

3.3 Service-Related Information

  • Information provided during IT consultations
  • Technical specifications of your systems
  • Support ticket details
  • Service preferences
  • Communication history

3.4 Financial Information

  • Payment details
  • Billing addresses
  • Transaction records
  • Invoice information

3.5 Marketing and Communication Data

  • Marketing preferences
  • Newsletter subscriptions
  • Communication preferences
  • Event attendance records

3.6 Special Categories of Data

Under exceptional circumstances related to specific IT services, we may process special categories of personal data (such as health data on company devices or biometric data for security systems). Such processing occurs only with explicit consent or when legally required, and appropriate safeguards are implemented.

4. How, Why, and on What Legal Basis We Collect and Process Personal Data

4.1 How We Collect Data

Direct Collection:

  • When you contact us through our website, email, or phone
  • When you request quotes or consultations
  • When you subscribe to our newsletter
  • When you engage our services
  • When you attend our events or webinars

Automated Collection:

  • Through website analytics and cookies
  • During IT support sessions (with permission)
  • Through system monitoring (for clients)

Third-Party Sources:

  • Business partners and referrals
  • Public business directories
  • Professional networks

4.2 Why We Process Your Data

We process personal data for the following legitimate business purposes:

Service Delivery:

  • To provide IT support and consulting services
  • To manage client accounts and relationships
  • To process payments and billing
  • To deliver technical support and maintenance

Business Administration:

  • To respond to inquiries and communications
  • To manage contracts and agreements
  • To conduct business analysis and improvement
  • To maintain accurate business records

Marketing and Communication:

  • To send service updates and newsletters (with consent)
  • To inform you about relevant services and events
  • To conduct market research and surveys

Legal and Security:

  • To comply with legal obligations
  • To protect our business interests and rights
  • To prevent fraud and ensure security
  • To resolve disputes and enforce agreements

4.3 Legal Basis for Processing

We process your personal data under the following lawful bases:

Contract Performance: When processing is necessary for performing our contract with you or taking steps at your request before entering into a contract.

Legitimate Interests: For our legitimate business interests, including:

  • Providing and improving our services
  • Direct marketing to existing clients
  • Network and information security
  • Business development and administration

Legal Obligation: When we must process data to comply with legal requirements.

Consent: For special categories of data, direct marketing to non-clients, and certain cookies (where required).

5. Sharing and Disclosure of Personal Data

We may share your personal data with:

5.1 Service Providers

  • Cloud hosting providers
  • Payment processors
  • IT infrastructure suppliers
  • Professional advisors (lawyers, accountants)
  • Marketing and communication platforms

5.2 Business Partners

  • Technology vendors and suppliers
  • Subcontractors providing services on our behalf
  • Joint venture partners

5.3 Legal Requirements

  • Regulatory authorities and government bodies
  • Law enforcement agencies
  • Courts and legal proceedings

5.4 Business Transfers

In the event of a merger, acquisition, or sale of business assets, personal data may be transferred to the acquiring entity.

All third parties are contractually obligated to protect your data and use it only for specified purposes in accordance with our instructions and applicable data protection laws.

6. International Transfers of Personal Data

Some of our service providers are located outside the European Economic Area (EEA). When we transfer personal data outside the EEA, we ensure adequate protection through:

  • Adequacy Decisions: Transfers to countries with adequate data protection as determined by the European Commission
  • Standard Contractual Clauses: Using EU-approved standard contractual clauses
  • Certification Schemes: Ensuring providers have appropriate certifications
  • Your Explicit Consent: When you have specifically agreed to the transfer

For more information about our international transfer safeguards, contact our Data Protection Officer.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including:

Service Data: For the duration of our business relationship, plus 7 years for financial records

Website Data: Up to 2 years for analytics purposes

Marketing Data: Until you unsubscribe or withdraw consent

Legal Requirements: As required by applicable laws and regulations

We regularly review our data retention practices and securely delete or anonymise data when no longer needed.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication systems
  • Regular security assessments and updates
  • Employee training on data protection
  • Incident response procedures

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. However, we will notify the Cyprus Commissioner for Personal Data Protection and affected individuals within the timelines required by GDPR:

Website: https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/home_en/home_en?opendocument

Address: Kypranoros 15, Nicosia 1061, Cyprus

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

9.1 Right of Access

Request a copy of the personal data we hold about you

9.2 Right to Rectification

Request correction of inaccurate or incomplete data

9.3 Right to Erasure (“Right to be Forgotten”)

Request deletion of your personal data in certain circumstances

9.4 Right to Restrict Processing

Request a limitation of processing in certain situations

9.5 Right to Data Portability

Request the transfer of your data to another organisation

9.6 Right to Object

Object to processing based on legitimate interests or for direct marketing

9.7 Rights Related to Automated Decision-Making

Rights regarding automated decision-making and profiling

To exercise any of these rights, contact our Data Protection Officer at [email protected]. We will respond within one month of receiving your request.

10. Consent and Withdrawal

Where we rely on your consent for processing, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

To withdraw consent for marketing communications, use the unsubscribe link in our emails or contact [email protected].

11. Cookies and Website Technologies

We use cookies and similar technologies to:

  • Ensure website functionality
  • Analyse website usage
  • Remember your preferences
  • Provide personalised content

You can control cookie settings through your browser preferences. For detailed information about our cookie usage, please see our Cookie Policy.

12. Children’s Privacy

Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data, we will delete it promptly.

13. Marketing Communications

We may send you marketing communications if:

  • You have consented to receive them
  • You are an existing client, and the communications relate to similar services
  • We have a legitimate interest in marketing to you

You can opt out of marketing communications at any time by:

  • Using unsubscribe links in emails
  • Contacting [email protected]
  • Updating your preferences in your account

14. Data Protection Officer

We have appointed a Data Protection Officer responsible for overseeing data protection compliance. Contact our DPO for:

  • Privacy-related questions
  • Exercising your rights
  • Data protection complaints
  • General data protection inquiries

DPO Contact: [email protected]

15. Complaints and Supervisory Authority

If you believe we have not handled your personal data properly, you can:

  • Contact our Data Protection Officer at [email protected]
  • Lodge a complaint with the Cyprus Commissioner for Personal Data Protection
  • Contact your local supervisory authority if you’re in another EU country

16. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect:

  • Changes in our business practices
  • Legal or regulatory requirements
  • Improvements in our data protection practices

We will notify you of significant changes through:

  • Email notifications
  • Website announcements
  • Updated effective dates

17. Contact Information

For any questions about this Privacy Policy or our data practices:

IT-Flow Cyprus
Email: [email protected]
Website: https://itflowcy.com/

Data Protection Officer
Email: [email protected]

This Privacy Policy was last updated on 12 September 2025 and is effective as of 1 February 2023.