1. Data Controller
The data controller responsible for your personal data is:
She.cy Ltd.
Nicosia, Republic of Cyprus
General enquiries: legal@she.cy
Data Protection Officer: dpo@she.cy
For any data protection concerns, rights requests, or complaints, please contact our Data Protection Officer (DPO) directly at dpo@she.cy.
2. Data We Collect
We collect the following categories of personal data:
2.1 Account Data (provided by you)
- Full name (first name, last name)
- Email address
- Password (stored as a secure bcrypt hash — we never store your plain-text password)
- Phone number (optional)
- Account type (individual / business)
- Profile photo / avatar URL (optional)
- Bio and location information (optional)
2.2 Activity Data (generated automatically)
- Listings you create (products, services, jobs)
- Messages exchanged with other users through the Platform
- Wishlist items and favourite shops
- Reviews and ratings submitted
- Loyalty points and transaction history
2.3 Technical Data (automatically collected)
- Session identifiers (via HTTP-only session cookie)
- IP address (used for security and fraud prevention — not stored long-term)
- Browser type and device type (for compatibility)
- Pages visited and features used (aggregate, non-identifying logs)
- Language preference (stored in your browser's local storage)
We do not collect: financial payment card data, government ID numbers, biometric data, or any special categories of personal data as defined by GDPR Article 9, unless explicitly required and with your explicit consent.
3. Legal Basis for Processing
Under GDPR Article 6, we process your data on the following legal bases:
- Consent: Marketing communications (if you opt in). You may withdraw consent at any time.
- Contract Performance: Processing your account registration, listings, messages, and transactions to deliver our services.
- Legal Obligation: Tax records, fraud prevention, and law enforcement requests as required by Cyprus and EU law.
- Legitimate Interests: Platform security, fraud detection, abuse prevention, and service improvement. We balance these interests against your rights.
4. How We Use Your Data
We use your personal data to:
- Create and manage your account on the Platform.
- Display your public profile, listings, shop, and reviews to other users.
- Enable messaging between buyers and sellers.
- Send transactional emails (account verification, password reset, purchase confirmations).
- Calculate and award loyalty points.
- Detect and prevent fraud, abuse, and violations of our Terms.
- Respond to your support requests and legal enquiries.
- Comply with legal and regulatory obligations under Cyprus and EU law.
- Improve and personalise your experience on the Platform.
- Send marketing communications, only with your explicit opt-in consent.
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Transaction records | 7 years (Cyprus VAT/tax law requirement) |
| Messages | Duration of account + 30 days |
| Server logs (IP) | 90 days |
| Session cookies | Session or 7 days (remember me) |
| Reports / abuse records | 3 years (for legal defence) |
When data is no longer needed and there is no legal basis for continued retention, it is securely deleted or anonymised.
8. Security
We implement appropriate technical and organisational security measures in accordance with GDPR Article 32 to protect your personal data against unauthorised access, loss, or misuse. These measures include:
- Encryption in transit: All data is transmitted over HTTPS/TLS (enforced via HSTS header).
- Password hashing: Passwords are hashed using bcrypt with a cost factor of 12. We never store plain-text passwords.
- HTTP-only session cookies: Session tokens are not accessible to JavaScript, protecting against XSS attacks.
- Secure cookie flags: Session cookies use Secure and SameSite=None in production to prevent CSRF.
- Content Security Policy (CSP): Strict CSP headers prevent injection attacks.
- X-Frame-Options / X-Content-Type-Options: Protection against clickjacking and MIME sniffing.
- Rate limiting: Authentication endpoints are rate-limited to prevent brute-force attacks.
- Input validation: All user input is validated and sanitised on the server side.
- Database encryption: Database connections use TLS. The database is hosted in an access-controlled environment.
In the event of a personal data breach, we will notify affected users and the Cyprus Commissioner for Personal Data Protection within 72 hours as required by GDPR Article 33, where the breach is likely to result in a risk to your rights and freedoms.
9. Your Rights Under GDPR
As a data subject under GDPR and Cyprus Law 125(I)/2018, you have the following rights:
- Right of Access: Request a copy of all personal data we hold about you.
- Right to Rectification: Correct inaccurate or incomplete data.
- Right to Erasure: Request deletion of your data ('right to be forgotten').
- Right to Restriction: Restrict processing while a dispute is being resolved.
- Right to Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests or for direct marketing.
- Rights regarding Automated Decisions: Not be subject to solely automated decision-making with significant effects.
- Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing.
To exercise any of these rights, please contact our Data Protection Officer at dpo@she.cy. We will respond within 30 days. We may ask you to verify your identity before processing your request.
If you believe your rights have been violated, you have the right to lodge a complaint with the supervisory authority — the Cyprus Commissioner for Personal Data Protection:
Cyprus Commissioner for Personal Data Protection
1 Iasonos Street, 1082 Nicosia, Cyprus
Tel: +357 22 818 456
Website: https://www.dataprotection.gov.cy
10. International Data Transfers
Your data is primarily stored and processed within the European Economic Area (EEA). Where we use service providers outside the EEA (such as cloud infrastructure providers located in the USA), we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) as adopted by the European Commission.
- Adequacy decisions by the European Commission where applicable.
- Binding Corporate Rules (BCRs) where applicable.
For details about specific transfers, please contact our DPO at dpo@she.cy.
11. Children's Privacy
she.cy is not directed at, and we do not knowingly collect personal data from, individuals under 18 years of age. In Cyprus, the age of digital consent is 14 years under Law 125(I)/2018, Article 8; however, as a marketplace platform, our minimum age is 18.
If you believe a child under 18 has provided us with personal data, please contact us immediately at dpo@she.cy and we will take steps to delete that data promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or our services. We will notify you of material changes by:
- Email notification sent to your registered email address at least 30 days before the change takes effect.
- A prominent notice on the Platform.
- Updating the "Last updated" date at the top of this Policy.
Your continued use of the Platform after the effective date of an updated Policy constitutes acceptance of the new Policy. If you do not accept the changes, you should stop using the Platform and may request deletion of your account.
13. Contact & Complaints
For any privacy-related enquiries, rights requests, or complaints, please contact us:
Supervisory Authority
Cyprus Commissioner for Personal Data Protection
1 Iasonos Street, 1082 Nicosia
We take all privacy complaints seriously and will respond within 30 days. You also have the right to escalate directly to the supervisory authority at any time without first contacting us.
