Privacy Policy

We respect your personal data. Learn how we protect it under GDPR. (Greek version is legally binding — this English page is for reference only.)

Last updated: 25 April 2026

This Privacy Policy describes how the Bloom in Box online store collects, uses, stores and protects your personal data, in accordance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679) and Greek law (Law 4624/2019).

1. Data Controller

The data controller for your personal data is:

Business name: [BUSINESS NAME]

VAT no.: [VAT NO.]

Address: [ADDRESS], Kastoria 521 00

Email: [EMAIL]

Phone: [PHONE]

2. Data We Collect

When you use our online store, we may collect the following categories of personal data:

  • Identification details: Full name
  • Contact details: Email address, phone
  • Shipping details: Postal address, city, postcode
  • Payment details: Card type, last 4 digits (full processing handled by the payment provider)
  • Order history: Products, amounts, purchase dates
  • Browsing data: IP address, browser type, pages visited, time spent (via cookies and analytics)

3. Processing Purpose

Your personal data is collected and processed for the following purposes:

  • Order fulfilment: Processing, shipping and delivery of your orders, as well as handling returns
  • Communication: Updates on the status of your order, responses to enquiries and customer service
  • Marketing activities: Sending newsletters and updates about new products or offers, only with your explicit consent
  • Legal obligations: Compliance with tax and accounting obligations under Greek law
  • Service improvement: Analysis of site usage to improve the browsing and shopping experience

5. Data Recipients

Your personal data may be disclosed to the following categories of recipients, only to the extent necessary for the processing purposes:

  • Courier companies: For shipping and delivery of your orders (name, address, phone)
  • Payment providers: For secure processing of electronic payments
  • Hosting services: For the operation and maintenance of the site
  • Accounting office: For compliance with tax obligations

We do not sell, rent or trade your personal data to third parties for advertising or commercial purposes. All third-party recipients are contractually bound to comply with the GDPR and apply appropriate security measures.

6. Data Retention Period

Your personal data is retained only for as long as necessary for the purposes for which it was collected:

  • Order & invoice data: Retained for 5 years after the completion of the transaction, in accordance with tax law
  • Customer account details: Retained for as long as the account remains active. You may request deletion at any time
  • Marketing/newsletter data: Retained until you withdraw your consent
  • Browsing data (cookies): According to the settings defined in our Cookie Policy

After the retention period ends, data is securely deleted or anonymised.

7. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights in relation to your personal data:

  • Right of access: To know whether and which of your data we process, and to receive a copy
  • Right to rectification: To request correction of inaccurate data or completion of incomplete data
  • Right to erasure: To request deletion of your data, where no lawful reason for retention exists
  • Right to restriction: To request restriction of processing under certain conditions
  • Right to portability: To receive your data in a structured, commonly used format or to request its transfer to another controller
  • Right to object: To object to the processing of your data, particularly for direct marketing purposes
  • Right to withdraw consent: To withdraw your consent at any time, without affecting the lawfulness of processing prior to withdrawal

To exercise any of the above rights, you may contact us at [EMAIL]. We will respond to your request within 30 days of receipt.

8. Cookies

Our site uses cookies and similar technologies to improve the browsing experience, analyse traffic and ensure the correct operation of the online store.

The cookies we use include:

  • Essential cookies: Strictly necessary for the operation of the site (e.g. shopping cart, user login)
  • Analytics cookies: Help us understand how you use the site (e.g. Google Analytics)
  • Marketing cookies: Used to display relevant ads, only with your consent

You can manage your preferences via the cookie banner on your first visit or via your browser settings. For detailed information, please refer to our Cookie Policy.

9. Data Security

We take appropriate technical and organisational measures to protect your personal data from unauthorised access, modification, disclosure or destruction. In particular:

  • SSL/TLS encryption: All communication between your browser and our site is encrypted
  • Secure storage: Data is stored in encrypted systems with controlled access
  • Controlled access: Data is accessible only to authorised personnel, to the extent necessary for performing their duties
  • Secure payments: Electronic payments are processed via certified payment providers (PCI DSS)

Despite the security measures we apply, no data transmission over the internet can be guaranteed 100% secure. In the event of a data breach, we will notify you within the time limits set by the GDPR.

10. Minors

The Bloom in Box online store is intended for adults. We do not knowingly collect personal data from anyone under the age of 18 without parental or guardian consent.

If we become aware that we have collected data from a minor without appropriate consent, we will delete it immediately. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.

11. Changes to the Privacy Policy

We reserve the right to modify this Privacy Policy at any time to reflect changes in our practices or in the law.

In case of material changes:

  • We will update the "Last updated" date at the top of the page
  • We will notify you by email or via a prominent notice on our site
  • Where required by law, we will request your renewed consent

We recommend that you check this page regularly for any updates.

12. Contact & Complaints

For any question, request or concern regarding the processing of your personal data, you can contact us:

Email: [EMAIL]

Phone: [PHONE]

By post: [BUSINESS NAME], [ADDRESS], Kastoria 521 00

If you believe that the processing of your data violates the GDPR or Greek law, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):

Hellenic Data Protection Authority (HDPA)

Address: Kifisias Avenue 1-3, 115 23 Athens

Phone: +30 210 6475600

Email: contact@dpa.gr

Website: www.dpa.gr

However, we encourage you to contact us first so that we can try to resolve any issue directly.
