Privacy Policy

WSB Network is operated by International Function Group. We are the data controller for personal data collected through the Platform. References to "we", "us", or "our" in this policy refer to International Function Group.

We are subject to the General Data Protection Regulation (GDPR) as applicable in Greece and across the European Union.

We collect the following categories of information when you use the Platform:

• Account data: your name, email address, and password (stored as a hashed credential via Firebase Authentication)
• Company data: your organization's name, tax ID (AFM), legal form, address, city, and postal code — collected during registration
• Business activity data: orders placed or received, product catalog entries, pricing configurations, and preorder participation records
• Communication data: messages sent within the Platform (e.g., order notes and announcements)
• Payment data: billing information processed by Stripe. We do not store card details — Stripe handles all payment data under their own security standards
• Usage data: log data, IP address, browser type, and pages visited — collected automatically for security and performance purposes

We use your data for the following purposes:

• To provide the service: operating your account, processing orders, resolving pricing, and enabling buyer-seller relationships
• To verify your business identity: validating your company's tax ID during registration via the AADE public API
• To process payments: processing plan payments securely via Stripe (one-time payments, not automatic recurring charges)
• To communicate with you: sending transactional emails (order notifications, subscription confirmations, password resets, OTP verification)
• To improve the Platform: analyzing aggregated usage patterns to understand how the product is used
• To comply with legal obligations: maintaining records as required by Greek and EU law

Our legal bases for processing under the GDPR are: (a) performance of a contract (operating your subscription), (b) legitimate interests (platform security, product improvement), and (c) compliance with legal obligations.

We do not sell your personal data. We share data only with the service providers necessary to operate the Platform:

• Google Firebase / Firestore: database, authentication, and file storage infrastructure
• Stripe: payment processing. All subscription payments are handled by Stripe. We do not store, transmit, or have access to your full card number, CVV, or other sensitive payment credentials — these are collected and secured directly by Stripe. Stripe processes payment data as an independent controller under their own privacy and security policies
• Resend: transactional email delivery (order confirmations, OTP codes, notifications)
• AADE (Greek Tax Authority): tax ID validation queries made during registration (no personal data sent — only the AFM number for public verification)

We may disclose your data if required to do so by law or in response to valid legal process.

Within the Platform, your company name and the content of orders you send or receive are shared with the counterparty in each transaction. This is necessary for the service to function.

Your data is stored in Google Firebase infrastructure. We configure Firebase to operate within European data centers where supported, in compliance with GDPR data residency requirements.

We apply appropriate technical and organizational measures to protect your data, including:

• Encrypted data in transit (HTTPS/TLS for all communications)
• Firestore security rules limiting data access to authenticated, authorized users
• Role-based access controls within the Platform
• Hashed passwords via Firebase Authentication (we never store passwords in plain text)
• Regular review of access permissions and security rules

We retain your account and business data for as long as your account remains active and your subscription is in good standing.

If you close your account, we may retain your data for up to 12 months to fulfill any outstanding legal, financial, or operational obligations. After that period, data is either permanently deleted or irreversibly anonymized so that it can no longer be linked back to you or your organization.

Certain categories of data may be retained beyond 12 months where required or permitted by law, including:

• Tax and accounting records: transaction data, invoices, and billing history may be retained as required by applicable tax and financial regulations in the United States and other applicable jurisdictions
• Legal disputes and claims: data relevant to an unresolved dispute, complaint, or legal proceeding may be preserved until the matter is fully resolved
• Fraud prevention and security: records related to security incidents, abuse, or fraudulent activity may be retained to protect the platform and its users
• Regulatory compliance: where a regulatory authority requires us to maintain specific records, we will do so for the period mandated
• Backup systems: deleted data may persist temporarily in encrypted backup systems and will be purged in accordance with our standard backup rotation schedule

You have the right to request deletion of your personal data at any time (see Section 8 — Your Rights Under GDPR, and Section 9 — Account Deletion). We will honor deletion requests promptly, but please note that some data cannot be immediately deleted where retention is required by law or necessary to protect a legitimate interest. In such cases, we will inform you of what data is being retained and why.

The Platform uses session cookies to keep you logged in. These are essential for the service to function and are not used for advertising or tracking across other websites.

We do not use third-party advertising cookies or tracking pixels. We do not share data with advertising networks.

As a data subject under the GDPR, you have the following rights regarding your personal data:

• Right of access (Article 15): you can request a copy of the personal data we hold about you
• Right to rectification (Article 16): you can ask us to correct inaccurate data
• Right to erasure (Article 17): you can request deletion of your personal data, subject to any legal retention obligations
• Right to data portability (Article 20): you can request your data in a structured, machine-readable format
• Right to object (Article 21): you can object to processing based on legitimate interests
• Right to restrict processing (Article 18): you can request that we limit how we use your data in certain circumstances

To exercise any of these rights, email us at privacy@ifunction.group. We will respond within 30 days.

You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) at www.dpa.gr.

You can request deletion of your account and associated personal data at any time by emailing privacy@ifunction.group with the subject line "Account Deletion Request".

We will acknowledge your request promptly and process it within a reasonable timeframe. Once deletion is complete, your account data will be permanently deleted or irreversibly anonymized.

Please note that some data may not be immediately deletable where retention is required by law — for example, transaction records needed for tax or accounting purposes, or data relevant to an unresolved legal matter. In such cases, we will inform you of what is being retained, why, and for how long. Data retained under these exceptions will not be used for any other purpose.

The Platform supports sign-in via Google (OAuth 2.0). When you sign in with Google, we receive your name and email address from Google as part of the authentication process. We use this information only to create or identify your account.

We do not request access to your Google Drive, Gmail, or any other Google service beyond basic profile information. You can revoke access at any time through your Google account settings.

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users via email or a notice within the Platform. The "Last updated" date at the top of this page indicates when the policy was last revised.

For any questions, data requests, or concerns about this Privacy Policy:

• Email: privacy@ifunction.group
• Data Controller: International Function Group