Personal data

Your personal data includes any information that may lead, either directly or in combination with others, to your identification or location as a natural person. This category includes information such as the full name, VAT registration number, social security number, your physical and electronic addresses, your landline and mobile phone numbers, your bank/debit/prepaid card details, your e-mail addresses, your rating data, your internet history (log files, cookies, etc.), and any other information allows your identification, according to the provisions of the General Data Protection Regulation (GDPR 2016/679) and the applicable Greek legislation and the decisions of the Hellenic Data Protection Authority (HDPA).

Who we are

Epafos offers integrated applications for the management of educational organizations in the cloud.

The address and contact details of the company are the following:

46-48 El. Venizelou Avenue & 1 Kanakidi street

PC 17676, Kallithea



This Personal Data Protection Policy is intended to inform you of the terms of collection, processing and transmission of your personal data that we may collect as Data controllers.

Collection of personal data

EPAFOS will always ask you for the minimum required personal data required by law in order for you to receive our services, and this include indicatively, at each case, the name, surname, email address, postal address for the issuance and dispatching of the invoice or the receipt for the provision of services, billing method that may include also details of the credit card or bank account in cases of a bank transfer, as well as details related to the services. The receipt of your personal data is made almost generally for the execution of a contract between us in your capacity as a user of our services and/or as our supplier and/or as a visitor of our website.

EPAFOS keeps your personal data only for as long as required by the contractual terms of each service, in combination with the applicable financial, tax and other legislation, based on the respective purpose of processing and then anonymizes or destroys it.

Legality of processing

EPAFOS will use your information for at least one of the following legitimate processing purposes:

  1. For the signing and execution of a contract between us and the service of our contractual obligations.
  2. As it is necessary for us to comply with a legal obligation such as fulfilling our tax and accounting obligations.
  3. To serve our legitimate business interests as well as the legitimate interests of third parties. A legitimate interest occurs when we have a business or commercial reason to use your information. Even then this use is in line with your fundamental rights, for example:
    • To provide you with effective service and support.
    • To respond to your requests.
    • To improve the security and usability of our website.
    • To conduct business transactions with you.
    • To inform you about our new products and services.
    • To record your complaints.
  4. Since you provided us your consent. If we have received your valid consent, which you have freely provided, then the lawfulness of the processing is based on that consent.

Transmission to third parties

In fulfilling our contractual and legal obligations, your personal data may be provided to various service providers and suppliers. These service providers and suppliers are bound by data processing agreements and are required to ensure confidentiality and protection of data in accordance with the GDPR, e.g.

  • External legal advisers
  • Financial and business consultants
  • IT and telecommunications companies
  • External auditors and accountants

In any case, we take the appropriate technical and organizational measures to ensure that your personal information is transferred, stored and processed in accordance with the appropriate security standards and in accordance with the terms of this Policy and the applicable data protection laws.

Transmission to Third Countries

EPAFOS does not transmit personal data to third countries (outside the European Economic Area - EEA).

Data storage

We will process and store your Personal Data for the entire duration of our business relationship and for as long as it is necessary to meet our contractual and legal obligations.

We will delete your data:

  • When it is no longer necessary for the purposes for which this information was collected and processed.
  • Upon your request or objection to the processing, provided that there are no legal grounds requiring us to retain this information.
  • When it is not necessary for the purposes of our compliance with legal obligations.
  • If the collection and processing of data was based on your consent, after the withdrawal of your consent.

Automated decision making and profiling

When conducting our business, we do not use an automated decision-making process. We can process certain aspects of your data in order to commence a business relationship with you.

Marketing purposes

We may process your personal information to inform you about our services and offers that may be of interest to you or your business.

The personal data we process for this purpose consists of information you provide to us and data we collect when you use our services. We may use your personal information to promote our products and services to you, only if we have your consent to do so or if we believe we have a legitimate interest in doing so.

You have the right to object at any time to the processing of your personal data for marketing purposes.

Your Rights

You have the following rights regarding the personal data we retain about you:

  1. To have access to your personal data. This allows you for example to receive a copy of the personal data we retain about you and verify that we process it legally. In order to receive the relevant copy you can contact the company directly or through its website (Contact).
  2. To request the correction of the personal data we retain about you. This allows you to correct any incomplete or inaccurate data we retain about you.
  3. To request the deletion of your personal information [known as the "right to be forgotten"]. This allows you to request us to delete your personal data when there is no legitimate reason to continue processing it.
  4. To oppose to the processing of your personal data [known as the "right of objection"] in case we are based on a legitimate interest but there is something special about you that makes you wish to oppose to the processing for this reason. If you file an objection, we will no longer process your personal data.
  5. You also have the right to object in cases where we process your personal data for the purposes of direct marketing. This also includes profiling, insofar as it is related to direct marketing. If you object to the processing for direct marketing purposes, then we will stop processing your personal data for these purposes.
  6. To request the restriction on the processing of your personal data. This allows you to ask us to restrict the processing of your personal data, i.e. to use it only for certain cases.
  7. To ask to receive a copy of your personal data in a structured, commonly used and machine-readable format in order to transmit this data to other organizations. You also have the right to request that your personal data be transmitted directly from us to other organizations you will name [known as data portability right].
  8. To withdraw the consent, you have provided us regarding the processing of your personal data at any time. Please note that any withdrawal of consent does not affect the legality of the consent-based processing before it is withdrawn or revoked by you.

In order to exercise any of your rights you can contact the Company, or fill out the relevant form through the Company's website.

Right to complain

Before submitting your complaint, you must contact us, exercising your abovementioned rights, provided by the GDPR. If we do not satisfy your requests, or you consider that our response is not what it should be, you have the right to file a complaint to the Hellenic Data Protection Authority HDPA (

Security of personal data

We, at EPAFOS, have trained and responsible staff, while recognizing the importance of protecting your privacy and all your personal information. For this purpose, we have appropriate security policies and use the appropriate technical and operational tools, such as anonymization, pseudonymization, data encryption, use of firewalls, establishment of access levels, authorized employees, staff training, periodic inspections. Any partner who has access to the above information, uses it to serve exclusively the above purposes. We share the information you provide to us solely in the ways described in this Policy.

Cookies Policy

According to the EU E-Privacy Directive 2009/136/EC, which is being replaced by a Draft Regulation, our website accepts the use of "cookies". These are online tools for collecting and analyzing information that are necessary for the operation of the website; see our cookie policy.

Validity of personal data protection policy

This Policy was published by EPAFOS on 01/10/2018 and is subject to periodic improvement and revision.

Any changes to this Policy will apply to the information collected from the date the revised version is published, as well as to the existing information we hold. The use of the website after the publication of changes implies the acceptance by you of these changes.