Effective: May 2026 | Data Controller: Brilliant Athens
1. Who We Are
Paschalina Latrovali (trading as Brilliant Athens), Ermou 18, Athens 105 63, Greece, AFM: 03273965, is the Data Controller of your personal data under EU Regulation 2016/679 (GDPR) and Greek Law 4624/2019.
Contact for privacy matters: brilliantathens1@gmail.com | +30 211 117 5298
2. Data We Collect
We collect the following categories of data:
• Identity & contact data: name, email address, phone number, billing and shipping address.
• Order data: products purchased, order history, payment confirmation references (we do not store full card numbers).
• Technical data: IP address, browser type, device type, pages visited, time on site (via analytics cookies — see Cookie Policy).
• Communications: emails and messages you send us.
We do not collect special category data (health, religion, race, biometrics).
3. Legal Basis for Processing (GDPR Art. 6)
• Performance of a contract (Art. 6(1)(b)): processing your order, arranging delivery, handling returns.
• Legal obligation (Art. 6(1)(c)): retaining tax/accounting records as required by Greek tax law (10 years).
• Legitimate interests (Art. 6(1)(f)): fraud prevention, security, improving our service.
• Consent (Art. 6(1)(a)): marketing emails and analytics cookies — you may withdraw consent at any time.
4. How We Use Your Data
• Fulfil and manage your orders.
• Send order confirmations, shipping updates, and receipts.
• Respond to your enquiries.
• Send marketing emails (only with your consent; unsubscribe link in every email).
• Comply with legal and tax obligations.
• Detect and prevent fraud.
5. Data Sharing
We share your data only where necessary:
• Payment processors (e.g. Stripe, PayPal, Viva Wallet) — to process payments securely.
• Shipping carriers (e.g. DHL, ACS, Hellenic Post) — to deliver your order.
• Email service providers — to send transactional and marketing emails.
• Analytics providers (e.g. Google Analytics) — in anonymised/pseudonymised form.
• Legal/tax authorities — when required by Greek or EU law.
We do not sell, rent, or trade your personal data to third parties for their own marketing.
6. International Transfers
Some of our service providers (e.g. Google, PayPal) may process data outside the EEA. Where this occurs, we ensure appropriate safeguards are in place, such as EU Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.
7. Data Retention
• Order and transaction records: 10 years (Greek tax law obligation).
• Marketing consent records: until consent is withdrawn plus 3 years.
• Customer service communications: 3 years.
• Analytics data: as per provider settings (typically 14–26 months).
8. Your Rights
Under GDPR, you have the right to:
• Access: request a copy of your personal data.
• Rectification: correct inaccurate data.
• Erasure: request deletion (‘right to be forgotten’), subject to legal retention obligations.
• Restriction: request that processing be limited.
• Portability: receive your data in a machine-readable format.
• Objection: object to processing based on legitimate interests or for direct marketing.
• Withdraw consent: at any time, without affecting the lawfulness of prior processing.
To exercise any right, contact us at brilliantathens1@gmail.com or +30 211 117 5298. We will respond within 30 days.
You also have the right to lodge a complaint with the Hellenic Data Protection Authority (ΑΠΔΠΧ) at www.dpa.gr.
9. Data Security
We implement appropriate technical and organisational measures to protect your data, including SSL/TLS encryption, access controls, and secure hosting. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.
10. Children
Our website is not directed at children under 16. We do not knowingly collect personal data from minors.
11. Changes to This Policy
We may update this Privacy Policy. Any significant changes will be communicated via email or a prominent notice on our website. Continued use of our site after changes constitutes acceptance.
