OVOSKOS

Become a shepherd today

Privacy Policy

Last updated: 9 May 2026

OVOSKOS is operated by SSCS Services Ltd, a company incorporated in the Republic of Cyprus. SSCS Services Ltd is the data controller for personal data processed through this site within the meaning of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). Registered office: Limassol, Cyprus. Company number HE 393290. VAT CY 10393290U.

1. What we collect

  • Account data: email address, hashed password (or OAuth identifier), display name, account creation timestamp.
  • Submission data: business name, destination URL, the logo image you upload, block size and grid coordinates, terms acceptance timestamp.
  • Payment metadata: Stripe checkout session ID, payment status, refund ID. We do not see, receive or store your full card number, CVV or expiry.
  • Operational logs: IP address, user agent, request path and timestamp, kept for security and abuse prevention.

2. Why we collect it

  • Performance of our contract with you (Art. 6(1)(b) GDPR): creating your account, taking payment, displaying and linking your block.
  • Legal obligation (Art. 6(1)(c) GDPR): keeping invoice and tax records, responding to lawful requests from authorities.
  • Legitimate interests (Art. 6(1)(f) GDPR): preventing fraud and abuse, moderating content, securing the service, basic analytics. You can object to processing based on legitimate interests at any time.

3. Where it's stored

Personal data is stored on infrastructure located in the European Union. Where a sub-processor processes data outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (and, where relevant, an adequacy decision) to ensure an equivalent level of protection.

4. Who we share it with

We share the minimum necessary personal data with the following sub-processors:

  • Stripe Payments Europe, Ltd (Ireland) — payment processing. Stripe is an independent controller for the data it receives.
  • Supabase, Inc. (with EU-region hosting) — database, authentication and file storage.
  • Lovable Cloud (operated by Lovable AB, Sweden, EU) — transactional email delivery (receipts, approvals, rejections) and application hosting.
  • Cloudflare, Inc. — content delivery, DDoS protection and edge hosting.

We do not sell your personal data and we do not share it with advertising networks or data brokers.

5. Your rights under GDPR

You have the right to: (a) access the personal data we hold about you; (b) request correction of inaccurate data; (c) request deletion ("right to be forgotten"), subject to our legal obligation to retain certain records; (d) restrict or object to processing; (e) data portability; and (f) withdraw consent where processing is based on consent. You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (dataprotection.gov.cy), or with the supervisory authority in your country of residence.

6. Cookies and tracking

We use a single first-party cookie strictly necessary to keep you signed in. We do not run third-party advertising trackers, behavioural advertising pixels or cross-site analytics tools. Stripe may set its own cookies on its hosted checkout pages; that processing is governed by Stripe's own privacy notice.

7. Data retention

  • Account data: kept while your account exists; deleted within 30 days of account closure.
  • Approved block data and uploaded logos: kept while the block is live on the grid.
  • Payment and invoice records: kept for 7 years to comply with Cypriot tax and accounting law.
  • Operational logs: kept for up to 90 days, then deleted or anonymised.

8. Contact for privacy requests

To exercise any of the rights above, or if you have any question about how we handle your data, please reach us at hello@ovoskos.com or via the contact page. We aim to respond to all GDPR requests within one calendar month, in line with Article 12(3) GDPR.