2. Who is the Data Controller?
The Data Controller of the Users’ personal data within the meaning of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) is IPHIS. This means that IPHIS is responsible for processing and protecting your personal data. The office of IPHIS is located in Athens, Greece, Agion Panton 77, Kallithea 17671.
Postal address: Agion Panton 77, Kallithea 17671, Athens, Greece
Email address: firstname.lastname@example.org
3. What personal data do we collect and what are the purposes and the legal bases for data processing?
Depending on how you interact with us, we will process your data for various purposes and on different legal bases. In particular:
A. Voluntarily provided data
(a) When you create an account, we ask you to provide your full name, e-mail address and password. The purpose of the processing is the User’s authentication and to facilitate the User's activities on the website (e.g., shop faster, be up to date on an order's status, keep track of previous orders, etc.). The legal basis for the processing is the performance of the contract (Article 6 (1) (b) GDPR).
(b) When you carry out a transaction as a new customer, we ask you to provide your full name, contact information (e-mail address or telephone number), shipping address (country, address, postal code, city) and payment information (e.g., card details). All this information is necessary for the execution of the transaction (e.g., delivery of products, billing, communication). The legal basis for the processing is the performance of the contract (Article 6 (1) (b) GDPR). With your consent (Article 6 (1) (a) GDPR), which you provide by ticking the specific tick-box, we will save the above information for future orders. We will keep some transaction-related data for tax purposes (Article 6 (1) (c) GDPR).
(c) When you fill in the Website’s contact form (name, e-mail, phone number, message), we process this data to fulfill your requests by answering your questions and providing information. In this case, the legal basis for the processing is the consent (Article 6 (1) (a) GDPR) that you give by clicking on the specific tick-box before submitting your inquiry.
(d) When you wish to subscribe to our newsletter, we only ask you to provide a valid e-mail address. We do not collect any further data beyond the email address. We collect this data to send you emails about our latest products and offers. The legal basis for the processing is the consent (Article 6 (1) (a) GDPR) that you give by clicking on the specific tick-box. You may unsubscribe from our mailing list at any time by following the instructions within each email you receive.
(f) We may also use the contact details of our existing customers (e.g., account holders or Users that have purchased our products) for marketing purposes (e.g., send emails about our latest offers and deals). The processing of personal data for marketing purposes may be regarded as carried out for our legitimate interest to promote our products. However, you may unsubscribe from our mailing list at any time by following the instructions within each email you receive.
B. Automatically collected data
(a) When you visit the Website, some information is automatically collected from our server and recorded in log files. This data may include information about the device and browser you use, your network connection, your IP address, etc. The temporary storage of the IP address is necessary to enable the delivery of the website to the user's computer. We store the above data to ensure the Website's functionality and security, and to protect the availability, integrity, and confidentiality of information against accidental or unlawful acts or incidents. The legal basis for the temporary storage of data and log files is Article 6 (1) (f) GDPR.
(b) We also collect information automatically by using cookies or similar technologies. For more information on cookies, please visit our Cookies Policy (hyperlink).
4. Who do we share your personal data with?
Your data shall not be disclosed to any third party, apart from the following:
(a) Vendors who are required to have access to personal data to provide their services (e.g., IT services company, hosting providers, accounting office, courier service provider). All vendors are bound by specific agreements (controller-to-processor contracts) ensuring protection of your data.
(b) Authorized employees who have access to personal data only when this is necessary (e.g., to handle your requests) and are bound by non-disclosure and confidentiality agreements.
(d) Public or independent authorities such as Public Prosecutor's Office, Cybercrime Division, Data Protection Authority (DPA), etc. when that disclosure is necessary to comply with a law or to prevent unlawful acts against us or Users of the Website.
(e) Third-party partners setting cookies. Some Cookies are put in place by third-party service providers. These partners have access to cookie-related information that may under certain circumstances constitute personal data (for more information about cookies, see our Cookies Notice hyperlink).
5. Data Retention
When you create an account, we retain your data for as long as your account is active. When you contact us through the online contact form, we process your data for as long as it is necessary to fulfill your request. When you subscribe to our Newsletter, we retain your e-mail address until you unsubscribe. In any case, we retain data for as long as it is necessary to fulfill our obligations according to tax law (e.g., transaction data). We keep your chat data for one (1) month for security purposes.
If you request the deletion of your account, we delete all information about you upon deletion of your account unless: (a) we must keep it to comply with applicable law or to keep evidence for such compliance; (b) there is a dispute or claim and we need to retain all relevant information until it is resolved; or (c) we must keep the information for our legitimate business interests, such as fraud prevention and the security of Website Users.
6. Data security – International data transfers
We have adopted measures of a technical and organizational nature required to guarantee the security of your data and prevent it from being lost, processed, or accessed illegally. We regularly monitor our systems for possible vulnerabilities and attacks and review all processing practices to update security measures.
Our web hosting provider is located in the United States (US). Therefore, we transfer personal data outside the European Economic Area (EEA). However, we provide all appropriate safeguards laid down in the GDPR since we have signed with the web hosting company the Standard Contractual Clauses for personal data transfers to third countries adopted by the European Commission (Decision (EU) 2021/914 of 4 June 2021). For service efficiency purposes, some of our third-party providers, such as advertising- and marketing-related partners, hold servers outside the EEA. We inform you that this data is transferred with adequate safeguards and is always kept safe.
7. Links to third-party websites
8. Rights of data subjects
We want to ensure that you can exercise your rights enshrined under the applicable laws. To this end, for as long as we retain your data, you may exercise your rights free of charge. However, we may charge a reasonable fee in case of manifestly unfounded, disproportionate or repeated requests. In particular, you have the following rights:
• to request access to the personal data that we hold;
• to request rectification of inaccurate or incomplete data;
• to request erasure of your personal data to the extent that they are no longer necessary for the purpose for which we need to keep processing them, as we have explained above, or when we are no longer legally permitted to process them;
• to request that we limit the processing of your personal data;
• if you have given us your consent to process your data, you also have the right to withdraw such consent at any time. In the event that you withdraw your consent, this will not affect the legality of the processing carried out previously.
• When we process your data based on your consent or for the purposes of a contract, you can also request portability of your personal data.
• When the processing of your data is based on our legitimate interest, you are entitled to object to the processing.
You can exercise the above-mentioned rights by sending us an email message at email@example.com.
Finally, we inform you that you have the right to lodge a complaint with the competent Data Protection Authority if you have concerns that we have violated your rights.
10. Contact us
In case you need any clarification about the processing of personal data, please do not hesitate to contact us via e-mail at firstname.lastname@example.org.