PERSONAL DATA PROTECTION POLICY

FOR THE PHYSICAL AND ELECTRONIC STORE (E-SHOP)

General

The purpose of this Personal Data Protection Policy is to inform you about the manner in which and the reasons for which we collect and process your personal data when you communicate with us or use any of our services, as well as about the rights you have as data subjects under the applicable regulatory framework of the European Union for the protection of personal data, Regulation (EU) 2016/679 – General Data Protection Regulation (“GDPR”), as well as the relevant Greek legislation.


Data Controller and Processor

Our company under the name “ELZE PROJECT Single-Member Private Company (IKE)” and the trade name “ELZE”, headquartered in Athens, at 10 Valaoritou Street, Metamorfosi, Attica, Postal Code 14452, with Tax Identification Number (VAT) 802898823, KEFODE Attikis, acts as Data Controller and Data Processor of Personal Data and collects and processes your personal data, including special categories of personal data within the meaning of Article 4 of the GDPR and Greek legislation (Law 4624/2019), as in force (hereinafter “Personal Data”), in accordance with this Personal Data Protection Policy.

This Personal Data Protection Policy applies to the following categories of data subjects:

  • Customers

  • Potential customers

  • Visitors of our website elzeproject.com

  • Registered users of our website elzeproject.com


How We Collect Your Personal Data

We collect your Personal Data in the following ways:

Directly from you:

  • By completing your details when placing an order through the e-shop

  • By registering on the e-shop to create your user account

  • By providing your details by telephone when placing a phone order

  • By completing and submitting the contact form, product return form, and complaint form

  • By registering in printed or electronic mailing lists to receive informational and promotional material

  • By participating in contests, questionnaires, and surveys

  • By visiting our website, through which we collect information from your terminal device using cookies

From third parties:

Such as judicial, tax, and supervisory authorities through requests, orders, legal documents, warrants, etc., relating to the investigation of crimes and the protection against criminal activity and unlawful acts.


Legal Basis for Collection and Processing of Personal Data

The lawful bases for collecting and processing Personal Data include the sale of products through the physical and electronic store (e-shop), compliance with our legal obligations, and your consent, as further detailed below.

Providing your Personal Data is optional. However, it is necessary for certain store functions, such as creating a user account, ordering products, using the contact form, using the product return form, etc.

Failure to provide Personal Data may result in the inability to effectively carry out and/or complete the above activities.


Purpose of Collection, Processing, and Retention of Personal Data

We collect and process your Personal Data for various purposes, depending on your relationship with us. The purposes and retention periods are detailed in the table below.


If you act as a customer, potential customer, website visitor, or registered user:

  • Purpose of processing: Purchase through the e-shop
    Personal Data: Full name (or company name if an invoice is issued), residence (or registered office), delivery address, email address, username and password (encrypted), phone number, VAT number and tax office (if invoice issued), payment preference
    Legal basis: Sales contract
    Retention period: 5 years from order completion

  • Purpose of processing: Telephone purchase
    Personal Data: Full name (or company name), residence (or registered office), delivery address, phone number, VAT number and tax office, debit/credit card details
    Legal basis: Sales contract
    Retention period: 5 years from order completion

  • Purpose of processing: Communication via email
    Personal Data: Full name, email address, phone number
    Legal basis: Legitimate interest for effective communication
    Retention period: 2 years from completion of communication

  • Purpose of processing: Product return
    Personal Data: Full name, email address, phone number, residence
    Legal basis: Sales contract
    Retention period: 5 years from completion of communication

  • Purpose of processing: Sending informational and/or promotional material
    Personal Data: Full name, email address, phone number, gender
    Legal basis: Consent
    Retention period: Until consent is withdrawn

  • Purpose of processing: Participation in contests
    Personal Data: Full name, residence, email address, phone number, age, gender
    Legal basis: Consent
    Retention period: 1 year from contest completion

  • Purpose of processing: Sending personalized informational/promotional material using profiling services (*)
    Personal Data: Full name, email address, phone number, gender, profile information
    Legal basis: Consent
    Retention period: Until consent is withdrawn

  • Purpose of processing: Marketing communication based on profiling services (*)
    Personal Data: Profile information
    Legal basis: Consent
    Retention period: Until consent is withdrawn

  • Purpose of processing: Customer satisfaction surveys
    Personal Data: Full name, email address, phone number, survey responses
    Legal basis: Legitimate interest for operational optimization
    Retention period: 1 year from survey date

  • Purpose of processing: Complaint management and customer service improvement
    Personal Data: Full name, email address, phone number
    Legal basis: Legitimate interest / Sales contract
    Retention period: 2 years from last communication

  • Purpose of processing: Website security
    Personal Data: IP address
    Legal basis: Legitimate interest for website security
    Retention period: 2 years from last communication

  • Purpose of processing: Legal claims and protection of rights
    Personal Data: Data depends on the specific legal claim
    Legal basis: Legal obligation
    Retention period: According to applicable law

(*) Customer profiling consists of an automated process for collecting and processing Personal Data to evaluate preferences and promote tailored informational and promotional material.

Profiling data includes purchase history, content, purchase location, and purchase time.

We do not collect financial information from payment service providers. Payments by card are processed on the provider’s website and governed by that provider’s privacy policy.

In certain cases, Personal Data may be retained beyond the above periods due to legal obligations, legitimate interests, or protection of vital interests (e.g. health-related reasons).


Use of Cookies

We use cookies on our website. For more information, please refer to our Cookie Policy.


Transfer of Personal Data

Personal Data is transferred to third parties only when absolutely necessary, including:

  • Independent data controllers (e.g. banks, lawyers, accountants, insurers, financial advisors)

  • External processors bound by confidentiality (e.g. IT providers, hosting providers, telecom providers, couriers)

  • Competent police, administrative, tax, judicial, and other authorities in cases of public interest or emergencies

All third parties are contractually obliged to protect your Personal Data and may not use it for other purposes.

We do not disclose Personal Data for commercial promotion without your consent, unless required by law or a lawful authority.


Security, Integrity, and Storage of Personal Data

We prioritize the security, integrity, and confidentiality of your Personal Data. Data is accessed only by authorized personnel and strictly within their duties.

We apply technical, organizational, and physical security measures, including firewalls, restricted access, daily backups, penetration testing, software updates, employee training, processor audits, and physical security. However, due to the nature of the internet, absolute risk elimination is not possible.


Storage of Personal Data

Personal Data is stored electronically and/or in hard copy on private servers and in secure storage facilities at our company premises.


Your Rights Regarding Personal Data

You have the right to:

  • Access

  • Rectification

  • Erasure

  • Restriction of processing

  • Data portability

  • Objection to processing

  • Notification of rectification, erasure, or restriction

  • Not be subject to automated decision-making, including profiling


Exercising Your Rights

You may exercise your rights by submitting the relevant request form, either by post to:
10 A. Valaoritou Street, Metamorfosi 14452, Attica, Greece
or by email: info@elzeproject.com


Hellenic Data Protection Authority

If you believe your rights have been violated, you may lodge a complaint with the Hellenic Data Protection Authority, headquartered at 1 Kifisias Avenue, Athens 115 23, tel. +30 210 6475600, email: complaints@dpa.gr


Changes to This Policy

We reserve the right to amend this Personal Data Protection Policy at any time by publishing the revised version on our website:
https://elzeproject.com/prosopika-dedomena/


Effective date: 12/01/2026