Privacy

Privacy policy for Balkan DealFlow.

This page describes how Balkan DealFlow handles personal data submitted through seller intake, buyer access requests, account creation, and marketplace activity. We process data in line with the EU General Data Protection Regulation (GDPR) where applicable, and the laws of North Macedonia for users in the WB6 region.

Last updated: 2026-04-26

Controller

Balkan DealFlow operating entity

Lawful basis

Contract, legitimate interest, consent

Hosting

Supabase (EU) and Vercel

1. Personal data we collect (GDPR Art. 13)

· Account data: full name, email address, role (buyer / seller / broker / admin).
· Listing content: business details, financial summaries, supporting media you submit.
· Buyer access data: name, email, budget, message, NDA acceptance status.
· Operational data: sign-in events, saved searches, saved listings, page activity.
· Payment data: handled by our payment processor (see § 4) — we do not store card numbers.

2. Why we process it (lawful basis)

· Contract: to operate your account, run the marketplace, moderate listings, gate confidential content, and process subscriptions.
· Legitimate interest: security, fraud prevention, operating analytics, and maintaining listing quality.
· Consent: non-essential analytics and marketing communications, where applicable. You may withdraw at any time.
· Legal obligation: tax, accounting, and regulatory record-keeping where required by North Macedonian or EU law.

3. Confidentiality and access controls

Public visitors see only the public teaser of each listing. Registered users may see more detail. NDA-gated content is released only after the buyer accepts the listing-level NDA and the seller approves the access request. Access decisions are enforced server-side.

4. Sub-processors

· Supabase — managed Postgres database, authentication, storage. EU region.
· Vercel — application hosting, edge delivery, runtime logs.
· Paddle — payment processing and merchant of record (when paid features are active).
· Email provider — transactional sign-in and notification email.

All sub-processors are bound by data processing agreements (DPAs) and process data only under our instructions. International transfers, where they occur, rely on EU Standard Contractual Clauses.

5. Retention

Account data is kept for the life of your account plus 24 months after closure. Listing and transaction records may be retained longer where required by law (typically up to 10 years for tax records). Sign-in logs are retained for up to 12 months.

6. Your rights (GDPR Art. 15-22)

EU and EEA users have the right to access, rectify, erase, restrict, port, and object to processing of their personal data, and to withdraw consent at any time. To exercise any of these rights, contact us at the address below. You also have the right to lodge a complaint with a supervisory authority (in North Macedonia: the Personal Data Protection Agency).

7. Contact

For data protection requests, contact privacy@balkandealflow.com. We respond within 30 days as required by GDPR.

Last updated: 2026-04-26

1. Personal data we collect (GDPR Art. 13)

· Account data: full name, email address, role (buyer / seller / broker / admin).

· Listing content: business details, financial summaries, supporting media you submit.

· Buyer access data: name, email, budget, message, NDA acceptance status.

· Operational data: sign-in events, saved searches, saved listings, page activity.

· Payment data: handled by our payment processor (see § 4) — we do not store card numbers.

2. Why we process it (lawful basis)

· Contract: to operate your account, run the marketplace, moderate listings, gate confidential content, and process subscriptions.

· Legitimate interest: security, fraud prevention, operating analytics, and maintaining listing quality.

· Consent: non-essential analytics and marketing communications, where applicable. You may withdraw at any time.

· Legal obligation: tax, accounting, and regulatory record-keeping where required by North Macedonian or EU law.

4. Sub-processors

· Supabase — managed Postgres database, authentication, storage. EU region.

· Vercel — application hosting, edge delivery, runtime logs.

· Paddle — payment processing and merchant of record (when paid features are active).

· Email provider — transactional sign-in and notification email.

All sub-processors are bound by data processing agreements (DPAs) and process data only under our instructions. International transfers, where they occur, rely on EU Standard Contractual Clauses.

6. Your rights (GDPR Art. 15-22)