Privacy Policy
1. Who We Are
This Privacy Policy explains how Amevo ("Amevo", "we", "us", or "our") processes personal data when you ("you" or the "User") use the Amevo iOS app, any related website we operate (including amevo.gr), and our customer support channels.
Amevo is a myDATA invoicing app for Greek freelancers, sole traders, and small businesses. It helps users prepare, store, and submit invoice-related data, including integrations with third-party services such as AADE myDATA, Article 39a services (under Article 39a of the Greek VAT Code, Law 2859/2000), the AFM (Greek Tax Identification Number) lookup service operated by GSIS, push notifications, and subscription billing.
For account, profile, customer, product, and invoice data we host on our backend, we act as the data controller under Regulation (EU) 2016/679 ("GDPR") and Greek Law 4624/2019. When you instruct the app to submit data to AADE, GSIS, or other Greek public authorities, you remain the controller of the underlying tax record; we act as your processor for the technical transmission and as a controller only for our own diagnostic and security logs related to that operation.
We have not appointed a Data Protection Officer because we are not required to do so under Article 37 GDPR. For all privacy matters, contact support@amevo.gr.
2. Scope
This Privacy Policy applies to:
- the Amevo iOS app
- our account, subscription, and cloud-sync features
- support requests and other communications you send to us
- the amevo.gr website and any other website or hosted document page that links to this Privacy Policy
It does not apply to third-party services that have their own privacy notices, including Apple, Google, RevenueCat, Supabase, OneSignal, AADE, and GSIS. Those providers process data under their own terms and privacy policies.
3. The Data We Process
3.1 Data stored only on your device
Some data is stored locally on your device and is not uploaded to our backend unless you separately create an Amevo account and choose features that sync data:
- AADE myDATA API credentials, namely the AADE-issued User ID (aade-user-id) and Subscription Key, together with the issuer AFM
- Article 39a credentials and related AFM data
- AFM lookup credentials (used to authenticate to the GSIS AFM lookup service)
- locally stored business profile fields used for PDF generation
- app settings and onboarding flags stored in app-owned UserDefaults
- generated PDF invoices saved in the app's Documents container and made visible through the Files app and standard iOS file-sharing features
Sensitive credentials are stored using the iOS Keychain.
3.2 Data synced to our backend when you use an Amevo account
If you create or sign in to an Amevo account, we may process and store:
- account data such as your email address, authentication provider details, and user ID
- business profile data such as AFM / VAT number, legal name, occupation, address, postal code, city, tax office (DOY), legal form, timezone, and subscription tier
- customer (counterparty) data such as names, AFM / VAT numbers, addresses, email addresses, and phone numbers
- product data such as product names, descriptions, prices, VAT settings, and classification fields
- issued invoice records, including line items, amounts, VAT and other tax calculations, payment terms, and any notes you record on the invoice
- invoice template data, recurring-invoice configurations, and invoice-series metadata
- subscription status data such as your plan, entitlement state, store of purchase, and renewal / expiration status
3.3 Data sent to third-party services when you use the relevant feature
When you use integrations in the app, data is transmitted to third parties to perform the function you requested, including:
- invoice, classification, and related tax data sent to AADE myDATA
- buyer / representative / OTP data sent to AADE Article 39a services
- AFM lookup requests and responses exchanged with the GSIS AFM lookup service, which include the queried AFM and the business registry data returned by GSIS
- push notification identifiers and delivery-related metadata used to send recurring-invoice reminders
We send this data on your behalf to fulfil our contract with you. Doing so does not release us from our controller obligations toward you for the data we hold; AADE and GSIS act as independent controllers under Greek law for the records they keep.
3.4 Subscription and purchase data
We never receive your payment card or bank-account details. Purchases are handled by Apple through the App Store. We may receive subscription status, purchase history, product identifiers, and entitlement information from Apple and from RevenueCat (our subscription-management provider) so we can unlock or remove premium access in the app.
3.5 Support and communications
If you contact us, we may process your name or email address, the content of your message, and any app version, device details, or other context you choose to share with us.
3.6 Logs, diagnostics, analytics, and crash reporting
When the app communicates with our backend, our infrastructure provider (Supabase) automatically generates technical logs that may include IP address, request timestamps, user agent, and similar request metadata. We use these logs for service operation, abuse prevention, debugging, and security.
The app also includes the following EU-hosted, GDPR-compliant diagnostic tools:
- TelemetryDeck (product analytics): collects anonymous, aggregated usage signals such as which app screens are opened and which features are used. TelemetryDeck applies a double-hash anonymisation model on the device before any data is transmitted, so the events that leave your device are not personal data. We use this information to understand which features are useful and to prioritise improvements. TelemetryDeck is hosted in the EU. No business or commercial content is ever sent through analytics. In particular, we do not collect through analytics: your business type or occupation, your customer or counterparty data, your product catalogue, or any content of your invoices, including invoice amounts, income figures, invoice types, line items, dates, or any other invoice fields.
- Sentry (crash and error reporting): collects technical information about app crashes and unhandled errors, such as stack traces, OS version, device model, app version, and a randomly generated install identifier. Sentry data is hosted in the EU. Crash reports may incidentally contain technical metadata that, in combination, could be considered personal data; we use them solely to diagnose and fix bugs and we do not use them for profiling or advertising.
The app does not contain advertising SDKs, cross-app tracking SDKs, or any other third-party tracking technologies.
3.7 Data we receive from third parties
When you use the AFM lookup feature, we receive business registry data from the GSIS AFM lookup service in response to a query you initiated. The categories of data received are those returned by GSIS (for example, legal name, occupation, registered address, tax office, and activity status). The source of this data is the official GSIS register.
4. How We Use Data
We use personal data to:
- provide the app's core functionality
- authenticate you and keep your account secure
- sync your account data across sessions and devices
- generate, store, and manage invoices, templates, recurring reminders, and related business records
- submit data to AADE, Article 39a, and AFM lookup services when you instruct the app to do so
- manage subscriptions, restores, upgrades, downgrades, and entitlement checks
- send service-related push notifications, including recurring-invoice reminders (these are service messages, not marketing)
- respond to support requests and troubleshoot problems
- protect the service, detect abuse, and enforce our Terms
- comply with legal, accounting, tax, and regulatory obligations
We process personal data only for the purposes described in this Policy or otherwise notified to you, in line with the principle of purpose limitation, and we collect only the data we need (data minimisation). We do not carry out automated decision-making, including profiling, that produces legal or similarly significant effects on you.
5. Legal Bases
If you are in the EEA, the United Kingdom (UK), or another jurisdiction with similar rules, we rely on one or more of the following legal bases under Article 6 GDPR:
- Performance of a contract with you (Art. 6(1)(b)): processing necessary to provide the app, your account, sync, invoice generation, AADE / Article 39a / AFM-lookup transmission, subscription management, and support.
- Legal obligation (Art. 6(1)(c)): retention of invoice and accounting records under the Greek Code of Tax Procedure (Law 4987/2022) and the Greek Accounting Standards Law (Law 4308/2014); responses to lawful requests from authorities.
- Legitimate interests (Art. 6(1)(f)): securing the service against abuse and fraud, maintaining service reliability, preventing and investigating misuse of credentials or quotas, debugging, and defending or pursuing legal claims. You may object to processing based on legitimate interests at any time (see Section 11).
- Consent (Art. 6(1)(a)): where we ask for it for a specific activity, such as optional marketing communications. Consent can be withdrawn at any time without affecting prior processing.
6. Whether You Must Provide Data
Providing personal data is generally a contractual requirement to use Amevo. If you do not provide the data described in Sections 3.1 and 3.2, we cannot create your account, generate compliant invoices, or transmit records to AADE / GSIS on your behalf. You are not legally obliged to provide this data, but the relevant features will not function without it.
7. How We Share Data and Roles of Third Parties
We do not sell your personal data. We do not use your data for third-party advertising or cross-app tracking.
We share data with the following recipients, in the roles indicated:
- Supabase: hosting and database provider; acts as our processor under a data processing agreement.
- RevenueCat: subscription management; acts as our processor.
- OneSignal: push notification delivery; acts as our processor.
- TelemetryDeck: anonymous product analytics, hosted in the EU; acts as our processor, processing only the double-hashed, non-personal event data described in Section 3.6.
- Sentry: crash and error reporting, hosted in the EU; acts as our processor.
- Apple Inc.: App Store distribution, sign-in with Apple, in-app purchases and subscriptions, and device services; acts as an independent controller for data it collects under its own privacy policy.
- Google LLC: sign-in with Google, where used; acts as an independent controller.
- AADE (Greek Independent Authority for Public Revenue) and GSIS (General Secretariat for Information Systems): Greek public authorities; act as independent controllers for the records they keep under Greek law when you submit data through Amevo.
- Other service providers that help us operate support, security, compliance, hosting of email, or similar business functions, in each case under appropriate contractual safeguards.
- Courts, regulators, law enforcement, or other third parties when required by law or to protect rights, safety, and the service.
8. International Transfers
Some of our service providers may process data outside the European Economic Area, for example in the United States. Where required by law, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses, adequacy decisions, or another lawful transfer mechanism offered by the relevant provider. You can request a copy of the safeguards used by contacting support@amevo.gr.
9. Data Retention
We retain data only for as long as necessary for the purposes described in this Policy and for as long as required by law.
In particular:
- Device-only credentials and local files remain on your device until you delete them, remove the app, or clear them through app actions.
- Account and synced workspace data are retained while your account is active. If you delete your account, we delete or anonymise this data within 30 days, except where we must keep it for legal reasons (see below).
- Invoice and tax-related records must be retained under Greek tax law: at least five (5) years from the end of the relevant fiscal year under the Code of Tax Procedure (Law 4987/2022, Article 13), and as required by the Greek Accounting Standards Law (Law 4308/2014). In specific cases (for example, ongoing audits, proceedings, or non-filing) Greek law extends these periods to up to twenty (20) years.
- Subscription and transaction records may be retained for up to ten (10) years for accounting, fraud-prevention, audit, and dispute-resolution purposes, in line with Greek bookkeeping rules.
- Support communications are typically retained for up to two (2) years after the matter is closed.
- Backend logs and diagnostics are typically retained for up to ninety (90) days, except where a longer period is needed for security investigations.
10. Security
We use reasonable technical and organisational measures designed to protect personal data, including:
- TLS encryption for data in transit between the app, our backend, and third-party services
- authenticated and access-controlled backend storage on Supabase
- secure storage of sensitive credentials using the iOS Keychain
- least-privilege access controls within our team
We comply with the personal-data breach notification obligations under Articles 33 and 34 GDPR. No method of transmission or storage is completely secure, however, and you are responsible for keeping your device, login credentials, and government-service credentials secure.
11. Your Rights and Choices
Depending on where you live, you may have the right to:
- access personal data we hold about you (Art. 15 GDPR)
- request correction of inaccurate or incomplete data (Art. 16)
- request deletion of your account or personal data (Art. 17)
- restrict our processing (Art. 18)
- object to processing based on legitimate interests (Art. 21)
- receive a copy of your data in a portable format (Art. 20)
- withdraw consent where processing is based on consent (Art. 7(3))
- not be subject to automated decisions that produce legal or similarly significant effects (Art. 22); we do not engage in such processing
You can also:
- manage push notification permissions in iOS settings
- manage or cancel App Store subscriptions through Apple at https://apps.apple.com/account/subscriptions
- contact us at support@amevo.gr to exercise privacy rights
We will respond to verified requests within the time limits set by Article 12 GDPR (generally one month, extendable by up to two further months for complex requests).
If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority, in particular the Hellenic Data Protection Authority (HDPA / Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα):
- Address: Kifissias 1-3, 11523 Athens, Greece
- Tel.: +30 210 6475600
- Email: contact@dpa.gr
- Website: www.dpa.gr
12. Account Deletion
You can request deletion of your account at any time through the in-app account-deletion control or by emailing support@amevo.gr. We will delete or anonymise your account and synced workspace data within 30 days of a verified request, except where we must keep specific data for legal reasons described in Section 9 (in particular, invoice and accounting records subject to Greek tax-law retention periods). We will explain in our response which data, if any, must be retained and on what legal basis.
13. Cookies and the Website
The amevo.gr website is a static informational site and does not set cookies or use trackers beyond what is strictly necessary to deliver the page. If we add analytics or other non-essential cookies in the future, we will update this Policy and, where required by Greek Law 3471/2006 and the ePrivacy rules, ask for your consent first.
14. Children's Privacy
Amevo is not directed to children and is intended for adult professionals and business users. We do not knowingly collect personal data from children for the service. Under Article 21 of Greek Law 4624/2019, the digital age of consent in Greece is 15. If you believe a child under that age has provided personal data to us, contact us at support@amevo.gr and we will take appropriate steps to delete it.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the app, on our website, or by another appropriate method before those changes take effect. The "Effective date" above shows the latest revision date.
16. Contact Us
For privacy questions, requests, or complaints, contact:
Amevo
support@amevo.gr
You may also lodge a complaint with the Hellenic Data Protection Authority (see Section 11) or another competent supervisory authority.
17. Revision History
- 2026-04-27: Restructured to align with Articles 13–14 GDPR; added DPO statement, automated decision-making clause, specific retention periods, third-party roles, HDPA complaint details, account-deletion timeframe, cookies note, Greek age-of-consent reference, and disclosure of TelemetryDeck (analytics) and Sentry (crash reporting) as EU-hosted processors.
- 2026-04-23: Initial draft.