GDPR Information Notice

Controller within the meaning of GDPR art. 4(7): Ege Bilge, sole proprietor, trading as "Papyro".

Website: https://papyro.dev

Contact: [email protected]

Papyro is self-hosted by the customer on their own infrastructure. Personal data of the customer's end users is never transmitted to us. We process personal data only in the following limited contexts:

• Identity and contact data — name, business email address, company name, provided when you request a license or contact us.
• License records — license identifier, edition, seat count, issue date, expiry date, customer name, billing email address.
• Communications data — email correspondence about sales, support, billing, and renewals.
• Usage data of papyro.dev — IP address, user-agent string, referrer header, requested path. Logged transiently by our hosting provider for security and abuse prevention.
• Payment data — handled by our payment processor. We receive only the transaction confirmation, invoice number, and the buyer's name, email and billing address.

• Performance of a contract (art. 6(1)(b)) — issuing, validating, and renewing the license; providing support.
• Legal obligation (art. 6(1)(c)) — issuing invoices and keeping statutory tax records.
• Legitimate interests (art. 6(1)(f)) — preventing abuse of the website and the license-issuance system; sending renewal reminders 30 days before expiry. You may object to processing based on legitimate interests at any time.
• Consent (art. 6(1)(a)) — only where required (e.g. optional product news, which we currently do not operate). Consent can be withdrawn at any time without affecting the lawfulness of prior processing.

We do not sell or rent personal data. We share data with the following categories of recipients, acting as processors under written agreements:

• Email service provider — for transactional email.
• Payment processor — for purchase confirmations and invoicing.
• Hosting provider for papyro.dev — the website itself; no customer application data is involved.
• Tax accountant — strictly within statutory bookkeeping scope.

Some processors are located outside the European Economic Area. Where this is the case, transfers take place under the safeguards permitted by GDPR art. 46, primarily the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914), supplemented by additional technical measures where necessary. A copy of the relevant safeguards is available on request to [email protected].

• License records: while the license is active and for ten (10) years after expiry, to comply with statutory bookkeeping obligations.
• Invoices and tax records: ten (10) years (statutory).
• Support correspondence: up to three (3) years after the last interaction.
• Website server logs: up to thirty (30) days.

Subject to the conditions set out in the GDPR, you have the following rights:

• Right of access (art. 15) — obtain confirmation of whether your data is processed and a copy of it.
• Right to rectification (art. 16) — request correction of inaccurate or incomplete data.
• Right to erasure (art. 17) — request deletion where the conditions in art. 17 apply.
• Right to restriction of processing (art. 18).
• Right to data portability (art. 20) — receive your data in a structured, commonly used, machine-readable format.
• Right to object (art. 21) — object to processing based on legitimate interests.
• Right not to be subject to a decision based solely on automated processing (art. 22). We do not carry out automated decision-making with legal effect.
• Right to withdraw consent (art. 7(3)) — where processing is based on consent.

To exercise any of these rights, email [email protected]. We respond within one (1) month, free of charge, unless your request is manifestly unfounded or excessive.

You have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement (GDPR art. 77). For data subjects in the United Kingdom, the competent authority is the Information Commissioner's Office (ICO).

This notice may be updated as our processing activities evolve. The "Last updated" date at the top of the page always reflects the current version. Material changes are communicated by email to active licensees.