Privacy Policy

This Privacy Policy explains how Saldovi (“Saldovi”, “we”, “us”) collects, uses and protects personal data when you use our website and application. We are committed to processing personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable national law.

For the purposes of the GDPR, the data controller is [Legal entity name], [address], [country]. For data-protection enquiries, contact us at [DPO/privacy email].

Note on roles: For personal data you enter about your guests and tenants, you are the controller and Saldovi acts as a processor on your behalf, governed by our Terms of Service / Data Processing terms.

• Account data: name, email, password (hashed), organisation details, role.
• Operational data you enter: properties, bookings, leases, guest and tenant details, expenses, receipts, mortgage and utility records.
• Billing data: plan and subscription status (payment card details are handled by our payment processor, not stored by us).
• Technical data: IP address, device and browser information, log data, and cookies strictly necessary for authentication and security.
• Communications: messages you send us via the contact form or email.

• To provide the service (contract, Art. 6(1)(b)) — operating your account, storing your portfolio data, delivering features.
• To bill and manage subscriptions (contract / legal obligation, Art. 6(1)(b)/(c)).
• To secure and improve the service (legitimate interests, Art. 6(1)(f)) — fraud prevention, debugging, aggregate analytics.
• To communicate with you (legitimate interests / consent) — service notices and, where you opt in, product updates.
• To comply with legal obligations (Art. 6(1)(c)) — tax, accounting and lawful requests.

We use a limited set of trusted subprocessors to run Saldovi. Current subprocessors include:

• Stripe — payment processing.
• Resend — transactional and contact-form email delivery.
• Cloudflare R2 — object storage (property images, receipts).
• Supabase / our database host — managed PostgreSQL database hosting.
• Vercel (or our hosting provider) — application hosting and delivery.
• Web-push / VAPID infrastructure — push notification delivery.

We require all subprocessors to provide adequate data-protection guarantees. Where any processing involves a transfer outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses. A current list is available on request.

We keep personal data for as long as your account is active and as needed to provide the service. After account closure, we delete or anonymise personal data within a reasonable period, except where longer retention is required for legal, tax or accounting obligations. Receipts and financial records may be retained for the statutory retention period applicable in your jurisdiction.

Under the GDPR you have the right to access, rectify, erase, restrict and port your personal data, to object to certain processing, and to withdraw consent where processing is based on consent. You may exercise these rights by contacting [privacy email]. You also have the right to lodge a complaint with your local supervisory authority (in Cyprus, the Office of the Commissioner for Personal Data Protection).

Saldovi uses a minimal set of cookies, limited to those strictly necessary for authentication, security and session management. We do not use advertising or third-party tracking cookies on the application. Any analytics we use are privacy-respecting and, where required, consent-gated.

We protect data with industry-standard measures including encryption in transit, hashed passwords, role-based access control, optional two-factor authentication, and private storage with signed URLs for sensitive files such as receipts. No system is perfectly secure, but we take reasonable and appropriate steps to protect your data.

Saldovi is a business tool and is not directed at children under 16. We do not knowingly collect data from children.

We may update this policy from time to time. Material changes will be notified through the service or by email. The “Last updated” date reflects the latest version.

Questions about this policy or your data: [privacy email] · [Legal entity name], [address].