1Introduction
forkast ("we") respects your privacy and is committed to protecting your personal data in accordance with the GDPR (EU Regulation 2016/679) and Greek law. This policy explains what data we collect, how we use it, and what rights you have.
2Data Controller
Controller: forkast
Email: [email protected]
App: forkast (iOS)
Website: forkast.gr
3What Data We Collect
3.1 Account data
- Email — your account login identifier (together with a password) and the account-recovery channel.
- Business VAT number (ΑΦΜ) — your business's VAT, captured when you connect myDATA; the basis for querying myDATA data. It is not a login identifier.
- Mobile phone (optional) — solely for account access recovery.
- Business name — shown in your reports.
3.2 myDATA / AADE credentials
- AADE subscription key — encrypted with AES-256-GCM. Never returned to the client after first save. Never shared with third parties.
3.3 myDATA transaction data
Through AADE's myDATA API we pull, on your behalf: issued and received invoices, revenue and expenses, and transaction metadata (date, type, amount, counterparty VAT). This data belongs to you.
3.4 Daily Register
The amounts you log daily (cash + card) are stored solely to compute your P&L.
3.5 App usage data
We record usage events linked to your account — e.g. when you open the app (and whether you opened it from a notification), how long you stay (session duration), when you log the Daily Register, and when you view your P&L. This data is stored only on our own servers (first-party) and is not sent to any third-party analytics provider (we do not use Sentry, Mixpanel, Segment, Firebase, or similar). We also record basic technical details (device type, iOS version, app version) for service stability.
3.6 Notification token (push token)
If you enable notifications, your device's operating system assigns a unique device token: on iOS from Apple (APNs — Apple Push Notification service), on Android from Google (FCM — Firebase Cloud Messaging). We store it linked to your account and use it solely to send you the daily reminder to log your Daily Register. We do not use it for advertising and do not share it with advertising or analytics third parties.
3.7 Business verification & pre-fill (KYB) — ΓΕΜΗ Open Data
When you connect your business, we look up its VAT number in the public General Commercial Registry (ΓΕΜΗ) via the official ΓΕΜΗ Open Data service and automatically pre-fill details such as business name, distinctive title, legal form, activity codes (ΚΑΔ), address, and registry status — so you don't have to type them and so we can confirm the business is active. You can always confirm or correct the details; your own entry prevails. This is public open business data (not third parties' personal data).
For sole proprietorships and non-commercial forms (e.g. associations) not held in ΓΕΜΗ, we use VIES (§3.8) or your own entry instead. Source: General Commercial Registry (ΓΕΜΗ) — Open Data. We present the data without alteration and with source attribution. Legal basis: Article 6(1)(b) & 6(1)(f).
3.8 Suppliers: details (VIES & ΓΕΜΗ) & aggregate registry
Supplier name lookup (VIES). So you can see who each supplier in your expenses is rather than a bare VAT number, we look up the supplier's VAT in the European Commission's VIES (the official VAT/VAT-number verification service) and store the name and address it returns, in order to categorize your expenses correctly. We look up only VAT numbers that already appear in your own documents. Legal basis: legitimate interest(Article 6(1)(f)). In some cases (e.g. sole proprietors / freelancers) the name is a natural person's name and constitutes personal data, which we process solely for this purpose. The lookup is performed at the European Commission's service (not AADE) and the supplier is not notified. Where this data is linked to your account, it is deleted when your data/account is deleted (see §6).
Supplier enrichment (ΓΕΜΗ). Beyond the name (VIES), for suppliers that are registered commercial businesses we draw structured public data from ΓΕΜΗ Open Data — legal form and activity codes (ΚΑΔ) — to improve the automatic categorization of your expenses. We look up only VAT numbers that already appear in your documents. This is public open business data; source: ΓΕΜΗ — Open Data. Legal basis: legitimate interest(Article 6(1)(f)).
Aggregate registry. We maintain an aggregate registry of VAT numbers, names, and public registry details (legal form / ΚΑΔ) of suppliers that appear on the invoices of various businesses. We use it to improve automatic categorization and, in the future, for anonymous benchmarking. Such analysis is always aggregate and never reveals an individual business's details or figures (we apply k-anonymity — no comparison without a sufficiently dense cohort). This registry is aggregate reference data, not linked to your account, and is retained independently of the deletion of your account (see §6).
4How We Use Your Data
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the P&L service | Article 6(1)(b) — performance of a contract |
| Authentication and security | Article 6(1)(b) — performance of a contract |
| Improving the app (first-party usage events, see §3.5) | Article 6(1)(f) — legitimate interest |
| Business pre-fill / verification via ΓΕΜΗ Open Data & KYB (see §3.7) | Article 6(1)(b) — contract & Article 6(1)(f) — legitimate interest (fraud prevention) |
| Supplier details via VIES (name) & ΓΕΜΗ Open Data (legal form/ΚΑΔ) (see §3.8) | Article 6(1)(f) — legitimate interest (identifying suppliers for expense categorization) |
| Supplier registry & categorization improvement (aggregate, see §3.8) | Article 6(1)(f) — legitimate interest |
| Engagement notifications (daily Daily-Register reminder) | Article 6(1)(f) — legitimate interest; sending requires the explicit iOS or Android notification permission you grant and can revoke at any time |
| Legal compliance | Article 6(1)(c) — legal obligation |
| Support communication | Article 6(1)(b) — performance of a contract |
4.1 Automated processing
forkast automatically categorizes your invoices into P&L categories and computes estimates such as projected after-tax profit. These are informational tools — they are not accounting/tax advice, nor automated decisions with legal effects within the meaning of Article 22 GDPR. You can re-categorize any invoice; the app learns from your corrections and applies them to future invoices from the same supplier.
5Data Sharing
We do not sell, rent, or trade your data.
We share data only with:
- Cloud infrastructure providers (within the EU) — database storage.
- Apple — Apple Push Notification service (APNs) (iOS devices) and Google — Firebase Cloud Messaging (FCM) (Android devices) — when we send a notification, your device token and the notification content are transmitted to the respective service (APNs for iOS, FCM for Android) for delivery. These are the only third parties in the notification path; we do not use the Expo Push service or any other intermediary.
- Legal obligation — if required by a court or competent authority.
5.1 Internal access by authorized personnel
Authorized forkast personnel may gain internal access to your data through an internal administration tool (backoffice), solely for the operation, support, and debugging of the service. This access may cover account data, myDATA transaction / invoice data, Daily Register entries, business verification (KYB) details, the supplier registry, and app usage events. This is not sharing with third parties — it is the controller's own personnel — but we disclose it transparently. This access relies on the legal bases of Article 6(1)(b) — performance of a contract and Article 6(1)(f) — legitimate interest (operating and supporting the service), is governed by the principle of least privilege, and every access is recorded in an audit log, which includes the IP address of the accessing personnel. The AADE subscription key is never exposed to personnel or to the admin tool (it stays encrypted at rest and is never returned — see §3.2). Your financial records (invoices, lines, categories, P&L, Daily Register amounts) are read-only to personnel — they are never modified through the admin tool. Data stays within the EU; if the admin tool runs locally, that constitutes internal access by the controller itself, not a transfer to a third country.
6Data Retention
| Category | Period |
|---|---|
| Account data | Until account deletion |
| myDATA transaction data | Until deletion + 5 years (tax law) |
| Daily Register | Until account deletion |
| First-party usage events (see §3.5) | Until account deletion |
| Business verification / KYB details (see §3.7) | Until data deletion (myDATA disconnect) or account deletion |
| Supplier registry — aggregate, not linked to the account (see §3.8) | Retained indefinitely as aggregate reference data; not deleted on account deletion since it is not linked to it |
| Internal-access audit log (operator audit log) — which authorized person accessed which business's data and when, with their IP address, plus every operational write action with its justification (see §5.1) | ~1 year (distinct from usage logs; the privileged-access trail is deliberately kept longer to survive any dispute) |
| Account sign-in metadata — the IP address and time of your last sign-in (for account security) | Latest value only (overwritten on each sign-in); deleted when the account is deleted |
| Notification token (push token) | Until account deletion; deleted automatically when the service reports it inactive (Apple/APNs: 410 / BadDeviceToken; Google/FCM: UNREGISTERED) or when you disable notifications |
| AADE subscription key | Deleted immediately after data deletion (myDATA disconnect), revocation, or account deletion |
7Data Security
- Encryption at rest: AES-256-GCM for sensitive fields.
- Passwords: stored only as irreversible hashes (scrypt) — never in plaintext.
- Encryption in transit: TLS 1.3 for all API communication.
- Access control: each owner can access only their own data (JWT). Authorized forkast personnel may access account and transaction data solely for the operation, support, and debugging of the service, under the principle of least privilege and with every access recorded in an audit log — see §5.1.
- Sign-in logging: we store the IP address and time of your last sign-in, solely for account-security purposes (detecting suspicious access). Legal basis: Article 6(1)(f) — legitimate interest.
- Servers within the EU.
8Your Rights (GDPR Articles 15–22)
- Access (Article 15): a copy of your data.
- Rectification (Article 16): correction of inaccurate data.
- Erasure (Article 17): the "right to be forgotten".
- Portability (Article 20): your data in JSON/CSV.
- Objection (Article 21): object to processing based on legitimate interest.
- Restriction of processing (Article 18).
Contact [email protected]. We respond within 30 days. You may also contact the Hellenic Data Protection Authority (ΑΠΔΠΧ) (www.dpa.gr).
8.1 Account & data deletion
We offer two deletion paths:
- Disconnect & wipe a business — deletes a business's synced data (invoices, entries, learned corrections) and immediately erases the myDATA credentials, so there is no silent re-sync. The business shell remains so you can reconnect with the same VAT number.
- Account deletion — starts a 30-day grace period. During this window, if you log in again, the deletion is cancelled automatically. After 30 days, the account and all linked data (businesses, invoices, Daily Register, notification tokens, usage events) are permanently deleted.
The aggregate supplier registry (§3.8) is not linked to your account and is not affected by deletion.
9Transfers Outside the EU
Data is stored exclusively on servers within the EU. No transfer to third countries occurs without appropriate safeguards.
The only transfer to a third party in the notification path is to Apple Push Notification service (APNs) for iOS devices and to Google Firebase Cloud Messaging (FCM) for Android devices, solely for delivering notifications. These services may process the token outside the EU (e.g. in the US) under appropriate contractual safeguards (Standard Contractual Clauses).
10Cookies
The iOS app does not use cookies. The forkast.gr website uses minimal cookies — see the Cookie Policy.
11Changes to This Policy
Material changes will be communicated to you by email or in-app notification at least 30 days before they take effect.
12Contact
Email: [email protected] — Subject: "GDPR Request — [request type]"