MastrosBook — Privacy Policy
Last updated: 10 July 2026
This policy explains how Xenofontas Papastavrou, trading as MastrosBook, of Megaron 6, Aradippou 7104, Larnaca, Cyprus ("we", "us") processes personal data in connection with MastrosBook (the "Service"), in accordance with the EU General Data Protection Regulation (GDPR) and Cyprus Law 125(I)/2018.
1. Two roles: controller and processor
- Your account data (section 2): we are the data controller.
- Your business records — the clients, quotes, invoices, payments, expenses and receipt images you enter: you are the controller and we process that data only on your behalf and on your instructions, as your processor (Article 28 GDPR). We never use your clients' data for our own purposes.
2. Data we collect
| Data | Purpose | Legal basis |
| Email, password (stored as a bcrypt hash — we cannot read it) | Account login | Contract (Art. 6(1)(b)) |
| Business details: name, trade, address, phone, VAT number, TIC, IBAN, logo | Shown on the documents you issue | Contract |
| Your business records (clients, documents, payments, expenses, receipt photos) | The core function of the Service | Contract (as processor for client data) |
| Basic technical logs (IP address, timestamps) | Security, abuse and rate-limit protection | Legitimate interest (Art. 6(1)(f)) |
We do not use analytics trackers or advertising cookies. The Service stores only your login token and language preference on your device.
3. What we never do
We do not sell personal data. We do not share your records with anyone except the subprocessors below. We do not read your business records except where strictly necessary to fix a fault you have reported.
4. WhatsApp payment reminders
When you tap "Chase via WhatsApp", the Service composes a message and opens WhatsApp on your device with the client's number and the message text pre-filled. Nothing is sent by us; sending happens in your WhatsApp under WhatsApp's own terms and privacy policy. You are responsible for having a lawful basis to message your client.
5. Where data is stored and who touches it
- All data is stored on servers located in Germany (Hetzner Online GmbH), our hosting subprocessor.
- Backups are stored with the same provider in the EU.
- No personal data is transferred outside the EU/EEA.
6. Retention
- Account and business records: for as long as your account is active.
- After account closure: deleted within 90 days, except backups which roll off within 30 further days.
- Remember that you have statutory record-keeping duties (currently six years for VAT records in Cyprus) — export and keep your own copies; the Service is not your statutory archive.
7. Security
Passwords are hashed (bcrypt). Access is over TLS. Each user's data is isolated per account. Receipt and logo files are stored under non-guessable filenames. Daily backups are kept.
If a breach affecting your data occurs we will notify the Office of the Commissioner for Personal Data Protection and affected users without undue delay, as required by Articles 33–34 GDPR.
8. Your rights
You may request access to, correction of, deletion of, or a copy (portability) of your personal data, and you may object to or ask us to restrict processing. Write to support@mastrosbook.com — we respond within one month.
For your clients' data, direct requests to the tradesperson who holds the records (the controller); we will assist them as processor.
You may lodge a complaint with the Office of the Commissioner for Personal Data Protection, Cyprus (dataprotection.gov.cy).
9. Changes
We will announce material changes in the app or by email before they take effect.
Contact: support@mastrosbook.com