Effective date: [19.01.2026] Last updated: [29.04.2026] Version: 2.0 This Privacy Policy explains how Accountly LTD ("Accountly", "we", "us", "our") collects, uses, shares, and protects personal data when you visit our website accountly.cy (the "Website"). This policy applies exclusively to the Website. The use of our software platform at accountly-app.com is governed by a separate privacy policy, which is available within the application. We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Cyprus Law 125(I)/2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data. 1. Data Controller Company: Accountly LTD Registration Number: HE 485943 Registered Address: Athinon 2, Flat/Office 401, 8035 Pafos, Cyprus Email: support@accountly.cy Website: accountly.cy Accountly LTD is the data controller within the meaning of Art. 4(7) GDPR and is responsible for all processing activities described in this policy. 2. Data Protection Officer (DPO) We have appointed a Data Protection Officer. You may contact our DPO at any time regarding questions about privacy, data processing, or exercising your rights: DPO Email: dpo@accountly.cy Postal Address: Data Protection Officer, Accountly LTD, Athinon 2, Flat/Office 401, 8035 Pafos, Cyprus 3. Supervisory Authority The competent supervisory authority for Accountly LTD is: Commissioner for the Protection of Personal Data (Επίτροπος Προστασίας Δεδομένων Προσωπικού Χαρακτήρα) Address: Kypranoros 15, 1061 Nicosia, Cyprus Postal Address: P.O. Box 23378, 1682 Nicosia, Cyprus Phone: +357 22 818 456 Fax: +357 22 304 565 Email: commissioner@dataprotection.gov.cy Website: www.dataprotection.gov.cy You have the right to lodge a complaint with this authority at any time if you believe your personal data has been processed in violation of the GDPR (Art. 77 GDPR). 4. Personal Data We Collect 4.1 Data You Provide Directly • Contact / inquiry data: Name, email address, company name, and any other information you voluntarily submit via contact forms, newsletter sign-ups, or other input fields on the Website. • Communication data: Content of messages, support requests, or other correspondence you send to us through the Website. 4.2 Data Collected Automatically • Usage & device data: IP address, browser type and version, operating system, device type, screen resolution, timestamps, pages visited, referrer URL, and language preferences. • Log files: Server log files containing IP address, access times, requested URLs, referrer URLs, and HTTP status codes. 4.3 Data Collected via Cookies & Tracking Technologies • Essential cookies: Required for core Website functionality, security, and session management. • Analytics cookies (Google Tag / Google Analytics): When consent is granted, we use Google Analytics (via Google Tag / gtag.js) to collect pseudonymised usage data including page views, session duration, traffic sources, and approximate geographic location. Google may process data in the USA — see Section 7 (International Transfers). Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy: https://policies.google.com/privacy • Marketing cookies (Meta/Facebook Pixel): When consent is granted, we use the Meta Pixel (Facebook Pixel, ID: 1172427741369903) to measure advertising effectiveness, create custom audiences, and deliver targeted ads via Meta platforms (Facebook, Instagram). The Pixel transmits data such as page views, events, IP addresses, browser information, and Facebook cookie identifiers to Meta Platforms Ireland Limited. Meta may process data in the USA — see Section 7 (International Transfers). Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Privacy policy: https://www.facebook.com/privacy/policy Legal basis for cookies: Essential cookies are processed under Art. 6(1)(f) GDPR (legitimate interest). Analytics and marketing cookies are only activated after you have given your explicit consent via our cookie consent banner (Art. 6(1)(a) GDPR). You may withdraw your consent at any time — see Section 9 (Cookies & Consent Management). 5. Purposes and Legal Bases for Processing Website operation and display Legal basis: Art. 6(1)(f) — Legitimate interest Delivering the Website, ensuring functionality, and displaying content correctly. Responding to inquiries Legal basis: Art. 6(1)(b) — Pre-contractual measures; Art. 6(1)(f) — Legitimate interest Processing your contact form submissions, emails, and other inquiries. Security and fraud prevention Legal basis: Art. 6(1)(f) — Legitimate interest Monitoring for misuse, preventing unauthorised access, ensuring Website integrity and availability. Website improvement Legal basis: Art. 6(1)(f) — Legitimate interest Understanding usage patterns and improving Website content, performance, and user experience. Analytics (Google Analytics) Legal basis: Art. 6(1)(a) — Consent Analysing website traffic and user behaviour to optimise our online presence (only when consent is granted). Advertising measurement (Meta Pixel) Legal basis: Art. 6(1)(a) — Consent Measuring ad performance, creating custom and lookalike audiences, retargeting (only when consent is granted). Marketing communications Legal basis: Art. 6(1)(a) — Consent Sending product updates, newsletters, or promotional content (only if you opt in; you may unsubscribe at any time). Compliance with legal obligations Legal basis: Art. 6(1)(c) — Legal obligation Responding to lawful requests from authorities. 6. Recipients and Data Sharing We share personal data only when necessary and only with the following categories of recipients: Onepage GmbH — Website hosting (accountly.cy) — Germany (EU) Google Ireland Limited — Website analytics (Google Analytics / Google Tag) — Ireland / USA (SCCs in place) Meta Platforms Ireland Limited — Advertising measurement (Facebook Pixel) — Ireland / USA (SCCs in place) Authorities — Only if required by law or court order — Cyprus / EU We do not sell your personal data. We do not share personal data with third parties for their own marketing purposes. All processors are contractually bound by Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR. 7. International Data Transfers Some of our service providers process data outside the European Economic Area (EEA), in particular in the United States. For all transfers to countries without an adequate level of protection as determined by the European Commission, we rely on: • Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR), and • Supplementary technical and organisational measures where necessary (e.g., encryption in transit and at rest, access controls, pseudonymisation). Where the EU–US Data Privacy Framework applies (per the European Commission Adequacy Decision of 10 July 2023), we verify that the recipient is certified under the framework. You may request a copy of the applicable transfer safeguards by contacting our DPO at dpo@accountly.cy. 8. Data Retention We retain personal data only as long as necessary for the purposes described in this policy: Server log files — 90 days Contact form / inquiry data — 12 months after last contact, unless a contractual relationship is established Newsletter subscriber data — Until you unsubscribe; deleted within 30 days of unsubscription Analytics data (Google Analytics) — 14 months (as configured in Google Analytics) Meta Pixel data — Subject to Meta's data retention policies After the applicable retention period, data is securely deleted or irreversibly anonymised. 9. Cookies & Consent Management We use a consent management mechanism (cookie banner) on our Website. When you first visit accountly.cy, you will be asked to choose which categories of cookies you wish to accept. Essential / strictly necessary — Website functionality, security, session management — No consent required (Art. 6(1)(f) GDPR) Analytics (Google Tag / GA4) — Website usage analysis — Consent required Marketing (Meta/Facebook Pixel) — Ad measurement, retargeting — Consent required Managing Your Preferences • Cookie banner: Adjust your preferences at any time by clicking the cookie settings link in the Website footer. • Browser settings: You can block or delete cookies through your browser settings. Note: disabling essential cookies may impair Website functionality. • Opt-out links: – Google Analytics opt-out: https://tools.google.com/dlpage/gaoptout – Meta ad preferences: https://www.facebook.com/adpreferences 10. Your Rights Under the GDPR Under the GDPR, you have the following rights regarding your personal data: Right of access (Art. 15) — Obtain confirmation and a copy of the personal data we hold about you. Right to rectification (Art. 16) — Correct inaccurate or incomplete personal data. Right to erasure (Art. 17) — Request deletion of your personal data, subject to legal retention obligations. Right to restriction of processing (Art. 18) — Request that we limit how we process your data in certain circumstances. Right to data portability (Art. 20) — Receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and transmit it to another controller. Right to object (Art. 21) — Object to processing based on legitimate interests or for direct marketing purposes at any time. Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time without affecting the lawfulness of prior processing. Right to lodge a complaint (Art. 77) — File a complaint with the Cyprus Commissioner for Personal Data Protection (see Section 3). How to Exercise Your Rights Email: dpo@accountly.cy Postal mail: Data Protection Officer, Accountly LTD, Athinon 2, Flat/Office 401, 8035 Pafos, Cyprus We will respond to your request within one (1) month of receipt. If the request is complex or we receive a high volume of requests, this period may be extended by a further two months, in which case we will inform you of the extension and the reasons within the initial one-month period (Art. 12(3) GDPR). We will verify your identity before processing your request and may ask for additional information to confirm your identity. Exercising your rights is free of charge, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act (Art. 12(5) GDPR). 11. Security Measures We implement appropriate technical and organisational measures to protect your personal data in accordance with Art. 32 GDPR, including: • Encryption of data in transit (TLS/SSL) • Access controls and the principle of least privilege • Regular security assessments and software updates • Access logging and monitoring No system can guarantee absolute security. If you become aware of any security vulnerability, please report it immediately to security@accountly.cy. 12. Data Breach Notification In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: 1. Notify the supervisory authority (Cyprus Commissioner for Personal Data Protection) without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Art. 33 GDPR). 2. Notify affected individuals without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Art. 34 GDPR), providing: – A description of the nature of the breach – The name and contact details of our DPO – A description of the likely consequences – The measures taken or proposed to address the breach and mitigate its effects 13. Children's Data The Website is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate parental consent, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact our DPO immediately at dpo@accountly.cy. 14. Automated Decision-Making We do not use automated decision-making, including profiling, that produces legal effects or similarly significant effects concerning you (Art. 22 GDPR). 15. Changes to This Privacy Policy We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on this page with a new "Last updated" date. We encourage you to review this policy periodically. 16. Applicable Law and Jurisdiction This Privacy Policy and any disputes arising from or related to it shall be governed by the laws of the Republic of Cyprus and the applicable provisions of the GDPR. Any disputes shall be subject to the exclusive jurisdiction of the competent courts of Pafos, Cyprus, without prejudice to your right to lodge a complaint with a supervisory authority under Art. 77 GDPR or to seek a judicial remedy before the courts of the EU Member State where you have your habitual residence (Art. 79(2) GDPR). 17. Contact For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data: General inquiries: support@accountly.cy Data Protection Officer: dpo@accountly.cy Security issues: security@accountly.cy Postal address: Accountly LTD, Athinon 2, Flat/Office 401, 8035 Pafos, Cyprus © 2026 Accountly LTD. All rights reserved.