Πολιτική Απορρήτου

Last updated: April 2026

1. Who We Are

NCP Media ("we", "us", "our") operates the NCP Media Πύλη Πελατών at https://www.ncp-media.com/portal. We are the data controller for personal data processed through this portal. Contact: info@ncp-media.com

2. What Data We Collect

• Account data: Όνομα, email address, company name, phone number, postal address
• Authentication data: Encrypted password hash, two-factor authentication (TOTP) shared secret, hashed single-use backup codes, 2FA verification timestamps
• Tax identification data: VAT number you enter, plus — when you choose to verify it — the registered company name and address returned by the European Commission's VIES service. This VIES response is retained to evidence that reverse-charge treatment applied at the time από invoicing was justified.
• Usage data: Σύνδεση timestamps, IP addresses, browser user agent
• Ad performance data: Campaign metrics, spend, ROAS synced from your connected ad accounts
• Lead data: Contact information from Meta Lead Ads forms (stored AES-256 encrypted)
• Υποστήριξη data: Tickets, messages, attachments you submit
• Billing data: Invoice records, VAT rate applied, reverse-charge flag and legal note (no card data stored — handled by Stripe)

3. Legal Basis for Processing

• Σύμβαση performance (Art. 6(1)(b) GDPR): To provide the services you have engaged us for
• Legitimate interests (Art. 6(1)(f) GDPR): Security, fraud prevention, service improvement
• Legal obligation (Art. 6(1)(c) GDPR): Invoicing, tax compliance
• Consent (Art. 6(1)(a) GDPR): Marketing communications (where applicable)

4. How We Use Your Data

• Providing access to the client portal and its features
• Αποστολήing transactional notifications (reports, invoices, support updates, security alerts for 2FA events)
• Two-factor authentication (time-based one-time passwords) for account security
• Validating VAT numbers through the European Commission's VIES system to determine correct VAT treatment (reverse charge for intra-EU B2B supplies)
• Syncing and displaying your advertising campaign performance
• Δημιουργία εβδομαδιαίων αναφορών
• Παρακολούθηση ασφαλείας

5. Data Storage & Security

Τα δεδομένα σας αποθηκεύονται σε διακομιστές στην Νυρεμβέργη, Γερμανία (EU) hosted by Hetzner Online GmbH, an EU-based provider. We implement the following security measures:

• AES-256-CBC encryption for personal lead data at rest
• TLS/HTTPS encryption for all data in transit
• Τείχος προστασίας με περιορισμένη πρόσβαση
• Brute force protection via fail2ban and per-user rate limiting on 2FA attempts
• Time-based one-time password (TOTP) two-factor authentication; backup codes are stored as bcrypt hashes and single-use
• Session regeneration on successful authentication to prevent session fixation
• CSRF token verification on all state-changing actions
• Audit logging από data access events and security-relevant actions

6. Data Retention

• Account data: Retained for the duration από the contract + 2 years
• 2FA credentials (TOTP secret + backup codes): Retained while 2FA is enabled; cleared immediately if 2FA is disabled or reset
• VIES verification responses: Retained for 7 years alongside the invoices they support (required to evidence reverse-charge treatment to tax authorities)
• Lead data: Retained for 12 months from collection date
• Ad metrics: Retained for 24 months
• Audit logs: Retained for 12 months
• Invoices: Retained for 7 years (tax law obligation)

7. Third-Party Υπηρεσίες

• Brevo (Αποστολήinblue): Email & SMS delivery — Πολιτική Απορρήτου
• Meta (Facebook): Ad account & lead data sync — Πολιτική Απορρήτου
• Google: Ad account sync & OAuth login — Πολιτική Απορρήτου
• TikTok: Ad account sync — Πολιτική Απορρήτου
• Stripe: Payment processing — Πολιτική Απορρήτου
• Hetzner: Server hosting (EU) — Πολιτική Απορρήτου
• European Commission — VIES: VAT number validation for EU intra-community transactions. When you click "Verify VAT", we send your VAT number to the EC's VIES service; the EC returns the registered company name and address, which we store alongside your account to evidence correct VAT treatment. See EC's VIES information page.

8. Your Rights Under GDPR

As an EU data subject, you have the following rights:

• Right από access (Art. 15): Request a copy από your personal data
• Right to rectification (Art. 16): Correct inaccurate data
• Right to erasure (Art. 17): Request deletion από your data
• Right to restriction (Art. 18): Restrict processing από your data
• Right to data portability (Art. 20): Receive your data in a portable format
• Right to object (Art. 21): Object to processing based on legitimate interests

To exercise any από these rights, visit your Απόρρητο Πίνακας Ελέγχου or contact us at info@ncp-media.com. We will respond within 30 days as required by GDPR.

9. Cookies

We use strictly necessary cookies for session management and authentication. No tracking or advertising cookies are used in the portal. See our Πολιτική Cookies for details.

10. Complaints

NCP Media is an Estonian-registered entity, so our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): www.aki.ee/en. Under GDPR's one-stop-shop mechanism you may also lodge a complaint with your local supervisory authority — for example the Greek Data Protection Authority (HDPA): www.dpa.gr, Tel: +30 210 6475 600.

11. Changes to This Policy

We may update this policy from time to time. We will notify you από significant changes via email. Continued use από the portal after changes constitutes acceptance.