Privacy Policy

This page explains what personal data we collect when you visit leeveel.gr or get in touch with us, why we collect it, who we share it with, and the rights you have over it. We've written it to be readable. If anything is unclear, email [email protected] and a real person will reply.

1. Who we are

leeveel ("leeveel studio", "we", "us") is a small software studio based in Athens, Greece. For the purposes of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and Greek Law 4624/2019, we are the data controller for personal data processed through this website.

You can reach us at:

• Email: [email protected]
• Address: Athens, Greece

We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR. Privacy questions go to the email above and are handled by the studio directly.

2. What we collect, and why

2.1 Information you give us through the contact form

When you submit the form on /contact, we process:

• Your name — so we know who's writing.
• Your email address — so we can reply, and so a copy of your message lands in your own inbox.
• Subject (optional) — to triage the message.
• Your message — the brief, question, or note you decide to send.

Legal basis: Article 6(1)(b) GDPR — taking steps at your request before entering into a contract — and, where you are not (yet) a client, Article 6(1)(f) — our legitimate interest in responding to enquiries about our services.

2.3 Anti-spam (Cloudflare Turnstile)

To stop bots flooding the form, the contact page uses Cloudflare Turnstile. Turnstile receives your IP address, basic browser/device signals, and a challenge token to decide whether the submission is human. Cloudflare acts as our processor for this check. The token is verified server-side and then discarded; we do not store the IP ourselves.

Legal basis: Article 6(1)(f) GDPR — legitimate interest in preventing abuse of the form. See Cloudflare's privacy policy.

2.3 Email delivery

Form submissions are sent over SMTP to the studio inbox, and a copy is CC'd to you so the conversation has a paper trail. Once the email leaves our server, it is stored in our mail provider's inbox in line with their retention.

Legal basis: Article 6(1)(b) and (f) GDPR.

2.4 Hosting and infrastructure (Vercel)

The site is hosted on Vercel. Like any web host, Vercel automatically processes connection metadata — IP address, user-agent, requested URL, response code, timestamp — in transient logs to deliver the site, mitigate attacks, and produce aggregate uptime data. We do not use these logs for tracking.

Legal basis: Article 6(1)(f) GDPR — legitimate interest in operating a secure, reliable website. See Vercel's privacy policy.

2.5 Analytics

We use a small, focused set of analytics to understand whether the site works:

• Vercel Web Analytics — privacy-friendly, no cookies, no cross-site tracking. It records page views and high-level device/region signals using a hashed identifier that cannot be linked back to you across sessions.
• Vercel Speed Insights — measures real-user performance metrics (Core Web Vitals) so we can spot slow pages. No cookies.
• Google Analytics 4 — only loaded in production when explicitly enabled by us. When active, GA sets cookies and processes pseudonymous identifiers, page paths, referrers, approximate location, and device data. IP is anonymised by GA4 before storage.

Legal basis: for the cookieless analytics, Article 6(1)(f) GDPR — legitimate interest in understanding traffic in aggregate. For Google Analytics, Article 6(1)(a) — your consent, given through the cookie banner before any GA cookie is set. You can withdraw consent at any time from the same banner; withdrawal does not affect prior processing.

2.6 What we don't collect

We don't buy data, run ad pixels, fingerprint visitors, or sell anything to anyone. There is no "data partner" tier in this policy because there are no data partners.

3. Cookies and similar technologies

A cookie is a small file stored by your browser. We try to use as few as possible.

Strictly necessary and functional storage does not require consent under Article 5(3) of the ePrivacy Directive (Greek Law 3471/2006, as amended). Analytics cookies do — and we'll only set them after you accept them via the banner.

You can also block or delete cookies directly through your browser settings. Doing so will not break the site.

4. Who we share data with

We share personal data only with the processors needed to run the site, and only for the purposes described above:

• Vercel Inc. — hosting, analytics, speed insights. Servers in the EU/US; transfers covered by the EU-US Data Privacy Framework and Standard Contractual Clauses.
• Cloudflare, Inc. — anti-spam (Turnstile). Transfers covered by SCCs and the Data Privacy Framework.
• Our SMTP / email provider — delivery of contact messages to our inbox.
• Google Ireland Ltd. — Google Analytics 4, only when consent is given. Data is processed under the Data Privacy Framework and SCCs.

We do not sell personal data and we do not share it with advertisers. We will only disclose data to public authorities when legally compelled to do so.

5. International transfers

Some of the providers above are headquartered outside the European Economic Area. Where personal data is transferred to a third country, we rely on one or more of the following safeguards under Chapter V GDPR: the EU-US Data Privacy Framework, Standard Contractual Clauses approved by the European Commission, or your explicit consent. We don't transfer data to countries without an adequate safeguard.

6. How long we keep data

• Contact form submissions — kept in our inbox for as long as the conversation is useful, and then archived or deleted. If a project doesn't happen, we typically delete or anonymise the thread within 24 months.
• Project / client correspondence — kept for the duration of the engagement and up to 5 years afterwards, where required by Greek tax and accounting law.
• Analytics data — Vercel Analytics retains aggregated data for up to 12 months. Google Analytics retention is set to the shortest available option (currently 14 months).
• Server logs — typically rotated within 30 days by our hosting provider.

7. Your rights

Under the GDPR you have the right to:

• Access the personal data we hold about you (Art. 15).
• Rectify inaccurate or incomplete data (Art. 16).
• Erase your data, where one of the grounds in Art. 17 applies.
• Restrict processing in the cases listed in Art. 18.
• Port your data to another controller (Art. 20).
• Object to processing based on legitimate interests, including the analytics described above (Art. 21).
• Withdraw consent at any time, where consent is the legal basis (Art. 7(3)). Withdrawal does not affect the lawfulness of processing carried out before.

To exercise any of these rights, email [email protected]. We'll reply within 30 days. There is no fee, unless your request is manifestly unfounded or excessive.

If you believe we've mishandled your data, you have the right to lodge a complaint with the Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), Kifisias 1-3, 115 23 Athens, Greece — or with the supervisory authority in your EU country of residence.

8. How we keep data secure

We use HTTPS across the site, store secrets in environment variables on the host, restrict access to the studio inbox to the people who need it, and rely on reputable processors with their own security programmes. No system is perfect, but we treat your messages with the care we'd want for our own.

9. Children

The site is not directed at children under 16 and we do not knowingly collect their data. If you believe a minor has sent us personal data, contact us and we'll delete it.

10. Changes to this policy

We may update this policy when our tools or practices change. The Last updated date at the top will reflect the most recent revision. For material changes (new processors, new purposes for processing) we'll surface a notice on the site before the change takes effect.

11. Contact

Questions, requests, or complaints — start here:

• Email: [email protected]
• Or use the contact form.