GDPR and Your Data Rights
Version 1.0 · Last updated June 2026
1. Purpose of This Notice
This page explains, in plain language, the rights you have over your personal data under the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable Cypriot data protection law, and how to exercise them on the IVO Platform.
It is a summary written for ease of use. The full detail of what data we collect, why, and for how long is set out in our Privacy Policy, which this notice does not replace. Where this notice and the Privacy Policy differ in detail, the Privacy Policy governs.
2. Who Is the Data Controller
Internetivo Ltd ("Internetivo", "we", "us", "our") is the data controller for personal data processed on the IVO work marketplace platform.
Internetivo Ltd Contact for all data matters: a privacy and data ticket
For data processed within a federated node operated by a licensed node operator, the node operator may act as a controller or joint controller for certain activities; in those cases you may exercise your rights with either us or the node operator and we will coordinate as needed.
3. The Legal Bases We Rely On
We only process personal data where we have a lawful basis to do so. Depending on the activity, our bases are:
- Performance of a contract (Art. 6(1)(b)) - to operate your account, run the marketplace, process payments, and manage escrow.
- Legal obligation (Art. 6(1)(c)) - for identity verification, anti-money-laundering, tax, and financial record-keeping.
- Legitimate interests (Art. 6(1)(f)) - for fraud prevention, platform security, reputation scoring, matching, analytics, and support, where balanced against your rights.
- Consent (Art. 6(1)(a)) - for non-essential cookies and for marketing notifications, which you can withdraw at any time.
The full mapping of each purpose to its legal basis is in the legal-basis table in our Privacy Policy.
4. Your Rights
You can exercise any of the rights below by emailing a privacy and data ticket or by using the data controls in your account settings. We respond to all requests within 30 days of receipt (this period may be extended where the law allows for complex requests, and we will tell you if so). Exercising your rights is free of charge in normal circumstances.
| Right | What it means | How to exercise it |
|---|---|---|
| Access (Art. 15) | Get a copy of the personal data we hold about you and information on how it is used. | Email a privacy and data ticket or use account data controls. |
| Rectification (Art. 16) | Have inaccurate or incomplete data corrected. | Update most fields directly in profile settings, or contact us. |
| Erasure / right to be forgotten (Art. 17) | Have your personal data deleted where there is no overriding reason to keep it. | Request account deletion in settings or email us. See the carve-out in Section 5. |
| Restriction (Art. 18) | Have processing paused in certain situations, for example while a dispute about accuracy is resolved. | Email a privacy and data ticket. |
| Data portability (Art. 20) | Receive the data you provided in a structured, commonly used, machine-readable format (JSON or CSV) and have it transferred where technically feasible. | Email a privacy and data ticket or use export controls. |
| Object (Art. 21) | Object to processing based on our legitimate interests, and opt out of direct marketing at any time. | Email a privacy and data ticket; use unsubscribe / notification settings for marketing. |
| Automated decision-making (Art. 22) | Not be subject to a solely automated decision that significantly affects you, and request human review. | See Section 6 and contact us by opening a support ticket. |
| Withdraw consent (Art. 7(3)) | Where we rely on consent, withdraw it at any time without affecting prior lawful processing. | Use the cookie preference centre or notification settings. |
5. What We Cannot Erase
The right to erasure is not absolute. We may be legally required to keep certain data even after you ask us to delete it, in particular:
- Financial and transaction records - retained to meet Cyprus tax law (a 7-year obligation).
- Identity verification and anti-money-laundering records - retained to meet AML obligations (typically 5 years from your last transaction).
In these cases we restrict the data to that legal purpose and delete or anonymise the rest. The exact retention periods are in the retention table of our Privacy Policy.
6. Automated Decision-Making and Profiling
The Platform uses automated systems to help match work and to assist with dispute review. These systems produce recommendations; they do not make binding decisions that significantly affect you without the possibility of human review. If you believe an automated process has produced an unfair outcome, you may request a human review by contact us by opening a support ticket.
7. International Transfers
Some of our service providers are located outside the European Economic Area. Where personal data is transferred internationally, we rely on appropriate safeguards, principally the Standard Contractual Clauses (SCCs) approved by the European Commission, and adequacy decisions where they apply. The categories of recipients and the safeguards used are listed in our Privacy Policy and our Data Processing Agreement. You may request details of the mechanism used for any specific provider.
8. How to Make a Request
- Email a privacy and data ticket, or use the data controls in your account settings.
- Tell us which right you wish to exercise and enough detail to locate your data.
- We may need to verify your identity to protect your data before we act.
- We will respond within 30 days.
9. Complaints
If you are not satisfied with how we have handled your data or a request, you can contact us first by opening a privacy and data ticket so we can try to resolve it. You also have the right to lodge a complaint with the supervisory authority in Cyprus:
Office of the Commissioner for Personal Data Protection (Cyprus)
- Website: www.dataprotection.gov.cy
- Email: commissioner@dataprotection.gov.cy
If you are based in another EU/EEA country, you may also lodge a complaint with your local supervisory authority.
10. Contact
Privacy enquiries / Data Protection Officer: Internetivo Ltd Open a privacy and data ticket Website: https://internetivo.com/legal/gdpr
Response time: within 30 days of receipt.
Related documents: Privacy Policy, Cookie Policy, Data Processing Agreement, Data Protection Policy.
This notice is governed by the laws of the Republic of Cyprus and EU data protection law.