Data Protection Policy
Version 1.0 · Last updated June 2026
1. Purpose and Scope
This Data Protection Policy sets out the commitments and principles that Internetivo Ltd ("Internetivo", "we", "us", "our") applies to the protection of personal data across the IVO work marketplace platform and its federated nodes ("the Platform").
It is a statement of our outward posture and principles. It is distinct from, and should be read alongside, our operational Privacy Policy, which describes in detail what data we process and why. Where you need specific operational detail (data categories, retention periods, recipients), refer to the Privacy Policy; this document explains the principles behind it.
Internetivo Ltd is EU-registered and acts as data controller for personal data processed on the Platform.
2. Our Commitment
Internetivo has operated since 2010 and treats the protection of personal data as fundamental to earning and keeping the trust of Clients, Workers, and node operators. We commit to processing personal data lawfully, fairly, and transparently, and to building privacy considerations into how the Platform is designed and run.
3. The Data Protection Principles
We apply the seven principles of the GDPR (Art. 5) to all processing of personal data:
- Lawfulness, fairness and transparency - we process personal data only where we have a lawful basis and we are clear with people about how their data is used.
- Purpose limitation - we collect personal data for specified, explicit, and legitimate purposes and do not use it in ways incompatible with those purposes.
- Data minimisation - we collect only the personal data we actually need for the purpose.
- Accuracy - we take reasonable steps to keep personal data accurate and up to date, and to correct or erase inaccurate data.
- Storage limitation - we keep personal data only for as long as necessary, in line with the retention principles in Section 7.
- Integrity and confidentiality (security) - we protect personal data with appropriate technical and organisational measures.
- Accountability - we take responsibility for compliance and can demonstrate it.
4. Data Minimisation and Privacy by Design
We design features to ask for the least personal data necessary, to favour aggregated or anonymised data where it serves the purpose, and to apply privacy-by-design and privacy-by-default principles. Sensitive activities such as identity verification are handled through specialist providers so that we limit the sensitive data we hold ourselves.
5. Security Commitments
We maintain a documented information-security programme aligned with recognised standards (ISO 27032 aligned) and protect personal data using appropriate measures stated here at a generic level only:
- Encryption of personal data in transit and at rest.
- Access controls and least-privilege principles.
- Monitoring, logging, and detection.
- Regular security audits and penetration testing.
- Backup, recovery, and business-continuity measures.
- Personnel confidentiality and security-awareness measures.
Payment card data is handled by a PCI-DSS compliant payment processor; we do not receive or store full card numbers. We do not publish implementation detail that could assist an attacker.
6. Breach Notification
We maintain incident-response procedures. Where a personal data breach is likely to result in a risk to individuals' rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR), and we will inform affected individuals without undue delay where the breach is likely to result in a high risk to them (Art. 34 GDPR).
7. Retention Principles
We retain personal data only for as long as necessary for the purpose for which it was collected, or for as long as required by law (for example, financial and anti-money-laundering records). When a retention period ends, data is securely deleted or irreversibly anonymised. The specific retention periods are set out in the retention table of our Privacy Policy.
8. Lawful Bases and Individual Rights
All processing rests on a lawful basis (contract, legal obligation, legitimate interests, or consent), as mapped in our Privacy Policy. We respect the full set of GDPR rights of individuals and respond to requests within 30 days. How to exercise each right is explained in GDPR and Your Data Rights.
9. Sub-processor and Node Governance
We engage third-party service providers and licensed node operators only under written contracts that include data-protection terms consistent with our Data Processing Agreement. We require flow-down of equivalent obligations, give notice of changes to sub-processors, and remain accountable for the providers we engage. We do not sell personal data and we do not share it with advertisers.
10. International Transfers
Where personal data is transferred outside the European Economic Area, we put appropriate safeguards in place, principally the Standard Contractual Clauses approved by the European Commission, and adequacy decisions where they apply.
11. Accountability and Governance
We assign responsibility for data protection, maintain records of processing, conduct data protection impact assessments where required, train relevant personnel, and review our practices periodically. Our Data Protection Officer / privacy function oversees this policy and handles enquiries.
12. Complaints
If you have a concern about how we handle personal data, contact us first by opening a privacy and data ticket. You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of Cyprus (www.dataprotection.gov.cy, commissioner@dataprotection.gov.cy) or your local EU/EEA supervisory authority.
13. Review and Changes
We review this policy periodically and may update it to reflect changes in law or practice. The version and date at the top indicate when it was last revised.
14. Contact
Data Protection Officer / Privacy enquiries: Internetivo Ltd Open a privacy and data ticket Website: https://internetivo.com/legal/data-protection-policy
Related documents: Privacy Policy, GDPR and Your Data Rights, Data Processing Agreement, Cookie Policy.
This policy is governed by the laws of the Republic of Cyprus and EU data protection law.