Privacy Policy

Effective Date: 1 January 2026

Last Updated: 12 March 2026

This Privacy Policy explains how eThesis P.C. ("eThesis", "we", "us", or "our") collects, uses, discloses, stores, and otherwise processes personal data in connection with our website, software platform, applications, and related services (collectively, the "Services").

We are committed to handling personal data in accordance with applicable privacy and data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Greek law.

1. Who We Are

eThesis P.C.
Pergamou 42, 10446 Athens, Greece
Email: info@ethesisplatform.com

2. Scope of This Policy

This Privacy Policy applies to personal data processed in connection with:

• visitors to our website;
• individuals who contact us;
• prospective customers, customers, and business partners;
• users of the eThesis platform, including students, faculty members, researchers, evaluators, and administrators; and
• other individuals whose personal data is processed in connection with the provision, support, security, and improvement of the Services.

3. Our Role: Controller or Processor

Depending on the context, eThesis may act either as a data controller or as a data processor.

3.1 When eThesis acts as Controller

eThesis generally acts as an independent controller when we process personal data for purposes such as:

• operating and securing our public website;
• responding to inquiries, demo requests, and support communications;
• managing commercial relationships, contracts, billing, and vendor communications;
• marketing our services where permitted by law;
• maintaining platform security, logs, and internal administration; and
• complying with legal obligations.

3.2 When eThesis acts as Processor

Where eThesis provides the platform or related services to a university, research institution, or other customer, and processes personal data on that customer’s behalf, eThesis acts as a processor and the relevant customer acts as the controller. In such cases, processing is governed by the applicable customer contract and, where required, a separate Data Processing Agreement ("DPA").

In processor scenarios, the customer determines the purposes of processing, categories of users, retention periods, and the scope of personal data processed through the platform, subject to applicable law.

4. Categories of Personal Data We Process

Depending on the context, we may process the following categories of personal data:

4.1 Website and Contact Data

• name;
• email address;
• telephone number;
• organization name;
• job title or role;
• message contents and correspondence history.

4.2 Account and Platform Data

• full name;
• institutional email address and username;
• user role, department, faculty, or institutional affiliation;
• account identifiers and authentication-related information;
• profile information and role-based permissions;
• login activity and audit logs.

4.3 Academic and Operational Data

• thesis, dissertation, supervision, evaluation, workflow, and submission metadata;
• documents, notes, comments, messages, deadlines, and research-related files uploaded to the platform;
• records of supervision, grading, committee participation, or project progress;
• administrative and reporting data generated through platform use.

4.4 Technical and Usage Data

• IP address;
• browser type and device information;
• operating system and language settings;
• session data, timestamps, system activity, and access logs;
• diagnostic, error, and performance information.

4.5 Commercial and Contractual Data

• customer contact details;
• billing and invoicing data;
• contract, order form, support, and licensing records;
• communications relating to proposals, renewals, and service delivery.

5. Sources of Personal Data

We may collect personal data:

• directly from you;
• from the institution or organization that provides you access to the Services;
• from other authorized users within the same institutional environment;
• automatically through your use of the Services;
• from service providers, identity providers, or integration partners where applicable; and
• from publicly available professional sources where relevant for business communications.

6. Purposes of Processing and Legal Bases

6.1 To Provide and Administer the Services

We process personal data to create and manage accounts, authenticate users, deliver platform features, support thesis and research workflows, provide support, and administer customer relationships.

Legal basis: performance of a contract; legitimate interests; where applicable, processing on behalf of a controller.

6.2 To Operate, Maintain, and Secure the Services

We process personal data to monitor system performance, maintain availability, troubleshoot issues, enforce access controls, detect misuse, and protect the confidentiality, integrity, and security of the Services.

Legal basis: legitimate interests; legal obligations; where applicable, processing on behalf of a controller.

6.3 To Communicate with You

We process personal data to respond to inquiries, schedule demos, provide administrative notices, send support communications, and manage contractual communications.

Legal basis: legitimate interests; performance of a contract; consent where required.

6.4 To Manage Sales, Billing, and Contracting

We process personal data to prepare quotes, negotiate contracts, manage order forms, issue invoices, process payments, and maintain commercial records.

Legal basis: performance of a contract; legal obligations; legitimate interests.

6.5 To Improve the Services

We may process usage, diagnostic, and feedback data to improve functionality, usability, reliability, reporting, and product development.

Legal basis: legitimate interests.

6.6 To Comply with Law and Protect Rights

We may process personal data where necessary to comply with legal obligations, respond to lawful requests, enforce our legal rights, prevent fraud, or protect users, customers, and eThesis.

Legal basis: legal obligations; legitimate interests.

6.7 Marketing Communications

Where permitted by applicable law, we may use your contact details to send information about our services, events, or updates. You may opt out at any time.

Legal basis: legitimate interests or consent, depending on applicable law and context.

7. Special Note on Institutional Use

If you use eThesis through a university, research center, or other organization, that organization may control your account, role, permissions, retention settings, and certain processing activities carried out within the institutional environment.

In those cases, the institution is generally responsible for informing you how your personal data is used for its academic, administrative, supervisory, evaluation, archival, or reporting purposes.

8. Sharing of Personal Data

We may disclose personal data only where necessary and lawful, including to:

• the relevant customer or institution that administers your access to the platform;
• authorized users within the same institutional environment, based on role and permissions;
• our professional advisers, such as lawyers, auditors, accountants, and insurers;
• payment providers, hosting providers, infrastructure providers, communication tools, and other service providers acting on our instructions;
• competent authorities, courts, regulators, or law enforcement where legally required; and
• a buyer, investor, or successor in connection with a merger, acquisition, restructuring, or sale of assets, subject to appropriate safeguards.

We do not sell personal data.

9. International Transfers

Where personal data is transferred outside the European Economic Area ("EEA"), we will ensure that appropriate safeguards are in place as required by applicable law, such as adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms.

10. Data Security

We implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

Depending on the service model and context, such measures may include:

• encryption of data in transit using TLS/SSL;
• secure authentication and role-based access controls;
• logging of user access and activity for audit and security purposes;
• logical separation of customer data in multi-tenant environments, where applicable;
• backup procedures and integrity checks;
• restricted access to personal data by authorized personnel subject to confidentiality obligations.

No system can be guaranteed completely secure. Users and customers also share responsibility for maintaining secure credentials, devices, and environments.

11. On-Premises Deployments

For on-premises deployments hosted within a customer’s own infrastructure, the customer is generally responsible for the physical and logical security of its servers, databases, network environment, backup environment, access controls, server hardening, and related infrastructure-level protections.

In such environments, eThesis remains responsible only for the processing activities and security measures that fall within its contractual role and actual sphere of control.

12. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law, contract, legitimate business need, or the instructions of the relevant controller.

Retention periods may vary depending on the context:

• Website/contact inquiries: retained for as long as needed to manage the inquiry and any follow-up relationship.
• Commercial and contractual data: retained for the duration of the contractual relationship and thereafter as required for accounting, tax, audit, legal, and evidentiary purposes.
• Platform data processed for institutional customers: retained in accordance with the applicable contract, customer instructions, institutional rules, and any DPA.
• Security and audit logs: retained for as long as reasonably necessary for security, troubleshooting, and compliance purposes.

Upon termination or expiry of a customer relationship, we may return or delete personal data in accordance with the applicable contract, customer instructions, and legal obligations.

13. Cookies and Similar Technologies

We may use cookies and similar technologies that are necessary for the operation, security, and performance of the website and Services. We may also use analytics or preference-related technologies where lawful and appropriate.

Where required by law, non-essential cookies or similar technologies will be used only with your consent.

14. Your Rights

Subject to applicable law, you may have the right to:

• request access to your personal data;
• request rectification of inaccurate or incomplete data;
• request erasure of personal data;
• request restriction of processing;
• object to processing based on legitimate interests;
• request data portability where applicable;
• withdraw consent where processing is based on consent, without affecting prior lawful processing; and
• lodge a complaint with a competent supervisory authority.

If eThesis processes your personal data as a processor on behalf of a university or other customer, you should normally direct your request to that institution first, since it is the controller responsible for deciding how and why your personal data is processed.

16. Confidentiality and Restricted Access

Personal data and other non-public information processed through the Services may also constitute confidential information under applicable contracts. Access to such information is restricted to personnel and authorized users who have a legitimate need to know and who are subject to appropriate confidentiality obligations.

17. Breach Handling

We maintain processes for identifying, assessing, and responding to security incidents. Where required by law or contract, and where personal data is affected, we will notify the relevant customer or authority without undue delay.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be posted on this page with a revised "Last Updated" date. Where required by law, we will provide additional notice of material changes.

19. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact:

eThesis P.C.
Pergamou 42, 10446 Athens, Greece
Email: info@ethesisplatform.com

20. Supervisory Authority

If you are located in Greece or believe Greek data protection law applies, you may lodge a complaint with the Hellenic Data Protection Authority. You may also contact your local supervisory authority within the EEA.