Leeway Data Protection Policy
Purpose
This policy establishes how LeeTech IM Ltd. protects personal and sensitive data across its operations. Leeway develops and implements software systems that help organizations move from ideas to operational impact, combining software development, ERP implementation and AI-enabled delivery.
The policy outlines the lawful, fair and transparent handling of data throughout its lifecycle; describes the responsibilities of Leeway employees and partners; and defines how Leeway complies with applicable data-protection laws such as the EU General Data Protection Regulation and Cyprus Law 125(I)/2018.
It also provides guidance for incident response, data subject rights and governance, thereby strengthening Leeway's readiness for public-sector procurement and EU tenders.
Scope
This policy applies to all Leeway employees, consultants, contractors, interns, volunteers and third parties who process or manage personal data on behalf of Leeway.
It covers all forms of personal and sensitive data, whether collected digitally, in writing or verbally, including information about staff, clients, vendors, beneficiaries and other stakeholders.
It applies across all locations where Leeway operates, including Cyprus, Lebanon and remote offices, and to all processing activities performed on Leeway-managed systems or third-party platforms.
General Principles
- Lawfulness, fairness and transparency. Personal data shall be processed legally, fairly and transparently. Individuals must be informed about how their data is collected, used, stored and shared.
- Purpose limitation. Data will be collected for specific, explicit and legitimate purposes and not processed in ways incompatible with those purposes.
- Data minimization. Only data that are necessary for the intended purpose will be collected and processed. For instance, Leeway collects client contact details and project requirements to deliver web and software solutions but does not collect extraneous information.
- Accuracy. Personal data will be accurate and kept up to date; inaccurate data will be rectified or deleted without delay.
- Storage limitation. Data shall be retained only for as long as necessary for the purposes for which it was collected, in line with Leeway's data retention schedule.
- Integrity and confidentiality. Appropriate security measures shall protect personal data against unauthorized access, disclosure, alteration or destruction.
- Accountability. Leeway is responsible for and must be able to demonstrate compliance with these principles. All staff and representatives have a duty to uphold them.
- Data subject rights. Individuals whose data is processed by Leeway have the right to access, correct, restrict, erase or object to the processing of their data, and to request data portability.
Definitions
- Leeway. LeeTech IM Ltd., a technology company providing stable, secure and scalable software solutions and combining web development, ERP implementation and AI-enabled delivery.
- Law. The EU General Data Protection Regulation (Regulation (EU) 2016/679) and its replacements; the e-Privacy Directive 2002/58/EC, as amended; and relevant national legislation such as Law 125(I)/2018 in Cyprus.
- Personal data. Any information that relates to an identified or identifiable individual. This includes names, contact details, IP addresses, device identifiers and scanned identity documents.
- Sensitive data. Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, or data concerning a person's sex life or sexual orientation.
- Data subject. The individual to whom the personal data relates.
Data Collection
Methods of Collection
Leeway provides services that include website development and support, AI and data solutions, ERP implementation and custom software development. To deliver these services, Leeway may collect personal or sensitive data through:
- Secure online forms and portals. Clients provide contact information, project requirements, user credentials or other data via encrypted web forms. Forms are designed with GDPR-aware patterns for consent, data retention and analytics.
- Email and messaging. Communications with clients, vendors or job applicants may involve collecting names, email addresses, job titles and attachments. Email services are configured with encryption in transit and at rest.
- Scanned documents. For identity verification, compliance or contractual obligations, Leeway may collect scanned passports, national IDs, employment contracts or similar documents. This is necessary for onboarding, due diligence, international travel or tender requirements.
- Telemetry and usage logs. During development and support of websites, ERP systems or custom software, Leeway may collect system logs, performance metrics and analytics to monitor reliability and improve user experience. Only aggregated or pseudonymized data are collected where possible.
- AI and data solutions. When implementing AI systems, Leeway helps clients map data sources, monitor data quality and trace model inputs and outputs. Depending on the project, training data may include transactional records, documents or communications necessary for forecasting, anomaly detection or document intelligence.
- ERP and operational data. Implementing ERP environments requires migration of existing records such as CRM, sales, inventory, HR or accounting modules. Clients provide these datasets for configuration and integration; Leeway validates and reconciles the data during migration.
Sources
Data are primarily collected from data subjects, such as clients, end users and employees, or authorized representatives acting under lawful authority. In some cases, Leeway may receive data from third-party services such as payment processors or identity verification providers under appropriate contractual safeguards.
Lawful Basis
- Consent. Data subjects give explicit consent, for example when submitting a contact form or opting into analytics cookies.
- Contractual necessity. Processing is required to deliver services such as building a website or implementing an ERP system. This includes performing pre-contractual steps at the client's request.
- Legal obligation. Leeway may need to collect data to comply with tax, employment or procurement laws.
- Legitimate interests. Leeway may process data for legitimate business interests such as improving service quality or preventing fraud, provided that such interests do not override the rights and freedoms of the data subject.
Protections During Collection
Leeway ensures that data is collected through secure channels. Online forms are protected with HTTPS, and sensitive uploads are encrypted. AI implementation projects follow a pilot architecture with guarded rollout and human-in-the-loop controls. ERP migrations involve data migration validation with reconciliation checkpoints.
Where cookies or analytics are used, Leeway provides clear choices and only uses strictly necessary cookies unless the user approves analytics.
Minimization and Confidentiality
Leeway collects only the data needed to achieve a defined purpose; extraneous personal data are not requested. In website projects, the company prioritizes high-volume, low-risk workflows and establishes security and compliance boundaries upfront.
ERP implementations follow role-based access and segregation-of-duties review to ensure users access only the data required for their role. AI projects maintain traceability for model inputs and outputs so that data can be audited and controlled. All staff sign confidentiality agreements and receive training on data handling procedures.
Data Transfer
Personal data may be transferred to or stored in other countries where Leeway or its service providers operate. Such transfers may include moving data between Lebanon and Cyprus or to cloud infrastructure located in the European Union, the United States or other jurisdictions.
Leeway ensures that cross-border transfers comply with GDPR by using approved mechanisms such as adequacy decisions, Standard Contractual Clauses or binding corporate rules. Any vendor handling data must offer privacy and security protections at least equivalent to those required by EU law.
Data Retention
Leeway retains personal data only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal obligations. Retention periods are defined by the type of data and context:
- Project and account data. Retained for the duration of the client engagement plus a reasonable period to manage warranty or support obligations.
- Contractual documents. Retained in accordance with statutory limitation periods and procurement requirements.
- System logs and analytics. Aggregated logs may be kept for performance monitoring and security auditing for up to one year, after which they are anonymized or deleted.
- HR and recruitment data. Retained in compliance with employment law.
When data are no longer needed, Leeway securely deletes or anonymizes them.
Data Storage
Leeway stores data on secure servers and cloud platforms that comply with international security standards. Storage solutions include:
- Leeway-managed infrastructure. Servers hosted within the EU or in jurisdictions offering adequate protection, hardened with firewalls and intrusion detection systems.
- Approved cloud providers. Leeway uses vendors with strong security credentials such as Google Workspace, Google Drive and Amazon Web Services. These providers maintain compliance with ISO 27001 and SOC 2 standards. Access is restricted through multi-factor authentication and role-based privileges.
- Project collaboration tools. Where appropriate, Leeway uses trusted platforms such as Slack, Notion and Jira that apply their own security controls aligned with GDPR and industry standards. Any other platform must be approved by the IT department.
Data are encrypted both in transit and at rest. Regular backups are maintained, and disaster recovery procedures are tested periodically.
File Storage Security Protocols
- Approved platforms. Staff must store and share data only on platforms approved by the IT department. Personal data must never be stored on unapproved services or personal devices.
- Security baseline. Web and software projects adhere to a security baseline aligned with OWASP recommendations and modern dependency practices. Developers use version control, perform code reviews and integrate automated security testing.
- Documentation and governance. For public-sector procurement, Leeway produces documentation packs suitable for procurement review and long-term maintainability, including technical architecture overviews, test strategies with evidence logs, security and risk registers and operations runbooks.
- Incident playbooks. AI and data solutions include observability, fallback and incident playbooks. Website support offers priority incident handling with root-cause analysis. ERP programs provide cutover playbooks with rollback and business continuity procedures.
Data Access
Access to personal data is restricted to employees who need it for legitimate business purposes. Procedures include:
- Role-based access control. User permissions are granted according to job function. ERP implementations perform a segregation-of-duties review to prevent inappropriate access.
- Least-privilege principle. Team members receive the minimum level of access required to perform their tasks. Elevated privileges must be approved and documented.
- Training and awareness. Leeway provides regular training to employees and contractors on data protection, security best practices and incident response procedures.
- Data handling policies. Staff are required to handle data securely, avoid informal sharing and follow established processes for requesting or granting access.
Data Security Incident Process
- Detection. Systems and staff monitor for unusual activity or suspected breaches using logs and observability tools.
- Notification. Any employee who suspects an incident must immediately report it to the IT department. Where a personal data breach poses a risk to individuals' rights and freedoms, Leeway will notify the relevant supervisory authority within 72 hours and, where the risk is high, inform affected data subjects without undue delay.
- Investigation and containment. The IT team will investigate the incident, contain the breach and identify the root cause. Incident playbooks guide the process.
- Mitigation and corrective actions. Remediation steps will be taken to prevent recurrence, such as patching vulnerabilities, updating access controls or enhancing training. Lessons learned will be documented and incorporated into the risk register.
- Reporting. A post-incident report will be produced outlining the nature of the breach, the data affected, actions taken and measures to prevent similar incidents.
Compliance Standards
Leeway complies with the GDPR, Cyprus Law 125(I)/2018 and other applicable data-protection laws. To enhance readiness for EU tenders and public-sector contracts, Leeway integrates the following practices:
- Accessibility and inclusive design. Web projects follow accessibility-by-design approaches aligned with WCAG 2.2 and EN 301 549.
- GDPR-aware implementation. Forms and analytics incorporate consent mechanisms and data-retention controls.
- Security baseline. Development adheres to OWASP guidelines and modern dependency management practices. Custom software programs use API-first architecture, secure-by-default implementation, quality gates in every sprint and performance readiness.
- Structured governance. Delivery models include clear RACI matrices, milestone controls and acceptance criteria. Work packages with acceptance criteria and traceable deliverables, sprint-level QA evidence, risk registers with mitigation owners and security review gates are used to ensure accountability.
- Assurance controls for ERP programs. Implementation safeguards include data migration validation, role-based access reviews, cutover playbooks with rollback procedures, UAT evidence tracking and post-go-live hypercare.
- Data quality and traceability. AI projects implement data quality controls, source mapping, traceability for model inputs and outputs and human-in-the-loop controls.
Leeway conducts periodic audits and internal reviews to validate compliance and strengthen accountability. Suppliers and sub-processors must adhere to equivalent data-protection standards.
Data Subject Rights
Individuals have the right to:
- Access. Request confirmation of whether their data is being processed and obtain copies of their data.
- Rectification. Request correction of inaccurate or incomplete personal data.
- Erasure. Request deletion of their data where there is no lawful basis for continuing processing.
- Restriction of processing. Request that Leeway limits processing of their data under certain circumstances.
- Objection. Object to processing based on legitimate interests or direct marketing.
- Data portability. Receive their data in a structured, commonly used and machine-readable format and transmit it to another controller.
Requests should be directed to dataprotection@leeway-im.com. Leeway will respond within one month as required by GDPR.
Responsibilities and Governance
Responsibility for implementing this policy rests with Leeway's senior management under the oversight of the Managing Director and the IT Department. Specific responsibilities include:
- Managing Director. Approves the policy and ensures organizational commitment to data protection.
- IT Manager / Data Protection Officer. Oversees implementation, monitors compliance, coordinates incident response and acts as the primary contact for supervisory authorities.
- Department Heads and Project Leads. Ensure that projects adhere to data-protection requirements, maintain risk registers and produce documentation for procurement and audit readiness.
- All staff and contractors. Adhere to this policy, complete mandatory training and report any suspected incidents.
This policy is reviewed annually or whenever significant legal, technological or organizational changes occur. Questions or concerns should be addressed to dataprotection@leeway-im.com.