Privacy Policy - Management of personal data (GDPR)
Purpose and Aim of Use of Personal Data
The personal data collected each time Users visit the Website or place an order is necessary for the overall management of the order by YELLOW ROSE and its accredited providers. This management includes the detection of online fraud and fraud related to modern means of payment, the prevention and management of payment (non-payment) and the maintenance of YELLOW ROSE’s rights regarding its commercial activity. In addition, this data may be used for information about new products and services provided by YELLOW ROSE and offers or other promotional services. These data are kept for a period of time not exceeding the period of time required according to the purpose for which they have been collected.
What Data do we collect from you?
We take care to collect only the absolutely necessary Data, which is appropriate and clear for the intended purpose. This Data includes the following:
• Data when creating a user account: e-mail address, login password, first name, last name, postal address, telephone number, TIN - tax office - billing information (in case of registration as a professional), activity (beauty, make-up, massage, waxing or other) and proof of professional status (in case of registration as a professional).
• Information from your transactions with us, either through our physical stores or through our online store - For example, we collect notes from our conversations with you, details of any complaints or comments you make, details of purchases you have made, products added to or removed from your basket, a list of products you wish to purchase (wish list), voucher redemptions, websites you visit and how and when you contact us.
• Interests and shopping preferences, which help us to recommend specific products and services of interest to you - For example, which products you show a preference for so you can receive a personalized offer from us. We will only ask for and use the Data we collect to recommend products or services of interest to you and to further enhance your shopping experience with us. Of course, it is always your choice whether to share such Data with us.
• Traffic Data of our website or other websites you have browsed before us - Information collected from the use of cookies in your browser. Learn more about how we use cookies here.
• Payment information.
• Your feedback and product reviews.
• Your image may be captured on CCTV when you visit one of our physical stores.
• To provide the best possible website experience, we collect technical information about your internet connection and browser, as well as the country and phone code where your computer is located, the web pages that appear during your visit, the ads you click on and any search terms you enter. Find out more about this.
• Your social media username if you interact with us through these channels to help us respond to your comments, questions or feedback.
We comply with the law and do not allow children to register on the Website when they are under 16 years of age.
How do we use your Data?
We want to offer you the best possible experience when shopping. To do this, it is necessary to get a complete picture of you by combining the Data we have collected. We then use your Data to offer you offers for products and services that are likely to be of interest to you. In the case of loyalty program members, we will also offer you additional and relevant rewards. Data protection legislation allows us to do the above in our legitimate interest and the need to understand our customers in order to provide them with a high level of service. Of course, if at any time you want to change the way we use your Data, you will find details in sections 12 & 13 “What are your rights” and “How you can exercise your rights” below. Remember, if you choose not to share Data with us or to refuse certain communication rights, we may not be able to provide some of the services you have requested. For example, if you have asked us to let you know when a product is available again, we may not be able to serve you if you have withdrawn your general consent to receive updates from us. Finally, we inform you that the processing of your Data is carried out either by the Company’s specifically authorized personnel, or through computer systems and electronic devices by the Company and, exceptionally, by third parties who, having been contractually bound to maintain confidentiality and protect your Data, carry out operations necessary to achieve the purposes strictly related to the use of our Sites, its services and the sale of products through our Sites. You will find information about this below in section 9 “Who are the recipients of your Data? How your Data is shared”.
Below you can find details of how we use your Data and why:
To provide information about the Website and the services you request
• Product orders: The Company processes your Data in order to fulfil its contractual relationship, to process the order of products and/or services, to provide customer service, to comply with legal obligations, to oppose, raise or exercise legal claims. If we do not collect your Data when you complete the order either from our physical stores or from our online store, we will not be able to process your order and comply with our legal obligations. It may be necessary to transfer your Data to third parties for the supply or delivery of the product or service you have ordered. In addition, we may retain your Data for a reasonable period of time in order to fulfil our contractual obligations, such as product returns, as required by relevant legislation.
• Creating a User Account: The Company processes your Data in order to provide you with account functions and to facilitate the purchase of products and/or services.
• Contact: The Company uses your Data to respond to your requests/queries, refund requests and/or complaints. The information you share with us enables us to manage your requests and respond to you in the best possible way. We may also keep a record of your queries/requests to us so that we can better respond to any future communication. We do this based on our contractual obligations to you, our legal obligations and our legitimate interests to provide you with the best possible service and to be able to improve our services based on your personal experience.
• Sometimes, we will need to share your Data with a third party that provides a service (such as courier delivery). If you did not share your personal data, we would not be able to satisfy your request. Here is more information about how we share Personal Data with third parties.
For communicating information about our products, services and events, and for other promotional purposes
• Sending newsletter / offers: With your consent, we shall use your personal data, preferences and transaction details to inform you via e-mail, internet, telephone and/or social media about relevant products and services, including personalized offers, discounts, etc. Of course, you have the option to withdraw this consent at any time.
• Web push notifications. Of course, you have the possibility to withdraw this consent at any time.
• Participation in the loyalty program: The Company processes your Data for the purposes of your participation in the loyalty program, i.e. both the processing of your membership application, the accumulation and redemption of points and the enjoyment of customer benefits in general, as detailed in the terms of participation in the loyalty program. This enables us to offer you personalized offers that are of interest to you. These are based on an analysis of previous purchases, including products you have just purchased. We do this based on our legitimate interest in showing you relevant offers. Of course, you are free to choose whether to take advantage of them.
• Participation in Competitions: The Company processes your Data if you agree to participate in competitions it runs, to notify you if you are a competition winner and to deliver your prize.
To operate, improve and maintain our business, products and services
• Development and improvement of systems and services for the products we provide you. We do this based on our legitimate business interests.
• We want to provide you with offers and proposals that are most relevant to your interests. To help us form a better and more general understanding of you as a customer, we combine your personal data gathered throughout our relationship with each other, for example your shopping history both in our physical stores and in our online store. To this end, we also combine Data that we collect directly from you with Data that we receive from third parties to whom you have given your consent to transfer this Data to us. For example, by combining this Data, this will help us to tailor your experience and decide what inspiration or content to share with you. We also use anonymized data from customer purchase history to identify trends in different regions of the country. This can then guide which products we display in specific stores.
• To display the most interesting content to you on the Site, we will use the Data we maintain about your favorite products. This is based on your consent to place cookies on your device. For example, we may display a list of products you have recently looked at or offer you recommendations based on your shopping history and any other Data you have shared with us.
• To send you survey and evaluation requests so that we can improve our services. These messages will not include promotional content and will not require prior consent when sent by email or text message (SMS). We have a legitimate interest in doing so as this helps our products or services to be more relevant to you. Of course, you are free to opt-out of receiving these requests from us at any time by updating your preferences in your online account.
To protect our rights, property or safety, ours or that of others
• Protect your account from fraud and other illegal activities: This includes using your Data to maintain, update and protect your account. We also monitor your browsing activity with us to identify and quickly resolve any problems and protect the integrity of our website. All of the above is part of our legitimate interest. For example, we check your password when you log in and use automated IP address tracking to detect possible false logins from unexpected sites.
• Operating CCTV Systems. We do this based on our legitimate business interests. If we identify any criminal activity or alleged criminal activity through the use of CCTV, fraud monitoring and suspicious transaction monitoring, we will process this Data for the purposes of preventing or detecting illegal activity. Our aim is to protect our customers, employees and partners from criminal activity.
• Process payments and prevent fraudulent transactions: We do this based on our legitimate business interests. This also helps protect our customers from fraud.
To comply with our obligations under the law
• To comply with our contractual or legal obligations to share data with law enforcement. For example, following a court order to share data with judicial authorities.
• To send you communications required by law or necessary to inform you of changes to the services we provide to you. For example, updates on these privacy notices, product recall notices and legally required information about your orders. These service messages will not include promotional content and will not require prior consent when sent by email or text message (SMS). If we do not use your personal data for these purposes, we cannot comply with our legal obligations.
For what purpose do we process your Data?
We collect your Data for the purposes of the products and/or services provided by our Company and in particular for: a) the management of the sale of our products and/or services, e.g. communication and informing you about the availability of products and the progress of your order, the execution of your order, the shipment of the products, the management of your debts to the COMPANY, the realization of returns and the provision of guarantees. b) compliance with the obligations imposed by the applicable legislation, e.g.
What is the lawful basis for the processing of your Data by the Company?
Data protection legislation sets out various reasons why a company may collect and process your personal data, including:
• the terms of our contractual relationship
• your consent, where required. For example, when you choose to receive newsletters. When collecting your personal data, we will always inform you which data is necessary in relation to a particular service.
• the Company’s obligations arising from the law (e.g. tax legislation, e-commerce legislation, etc.)
• the legitimate interests of our Company. In certain cases, we collect your Data in a manner that is reasonably expected as part of the operation of our business and that does not substantially affect your rights, freedom or interests. For example.
Who are the recipients of your Data - How is your Data shared?
Access to your Data is available to the Company’s staff, who are bound by confidentiality obligations, and to our partner companies or third party service providers, who process your Data as Processors on our behalf and in accordance with our instructions. Disclosure of Data by the Company - The Company shares your Data with:
• Third party service providers who process personal data on behalf of the Company, for example (listed indicatively and without limitation) for processing credit cards and payments, transfers and deliveries, hospitality, management and maintenance of your data, e-mail distribution, research and analysis, management of promotional activities for the brand and the products, Google, Facebook, as well as management of certain services and records. When we use third party service providers we enter into agreements that require them to implement appropriate technical and organizational measures to protect your personal data.
• Other third parties to the extent necessary for the following purposes: (i) compliance with a government request, court order/judgment or law in force, (ii) avoidance of illegal uses of our Websites or violations of the Terms of Use of our Websites and policies, (iii) our own protection from third party claims, and (iv) contributing to the avoidance or investigation of cases of fraud (e.g. counterfeiting).
• To other third parties when you yourself have consented to disclosure by you.
• When you use certain social media elements on our Site, you may create a public profile that includes information such as username, profile picture and city. You may also share content with your friends or the general public, including information about your interaction with the Company. We encourage you to use the tools we provide to manage sharing on Company's social media to control the information you make available through Company's social media elements.
The policy we apply to those with whom we share your Data in accordance with the above is given below:
• We only provide the information needed to perform their specific services.
• They may only use your Data for the exact purposes we specify in our contract with them.
• We work closely with them to ensure that your privacy is respected and protected at all times.
• If we stop using their services, any of the Data they hold will be deleted or made anonymous.
• To improve your experience as a customer on the Website, we use the following companies who shall process your Personal Data as part of their contracts with us: Google, Facebook
How do we ensure that Processors respect your Data?
The Processors processing on our behalf have agreed and have undertaken a contractual commitment to the Company:
• to maintain confidentiality,
• not to send your Data to third parties without the Company's permission,
• to take appropriate security measures,
• to comply with the legal framework for the protection of personal data and in particular Regulation 979/2016/EU (otherwise GDPR).
International Data Transfer
The personal data we collect (or process) within the context of our Sites will be stored in Greece. However, some of the recipients of the Data with whom the Company shares your Personal Data may be located in countries other than the country in which the original collection of your Personal Data took place. The laws in those countries may not provide the same level of data protection as the country that originally provided your Personal Data. However, when we transfer your Personal Data to recipients in other countries, we are committed to protecting your Personal Data as described in this Privacy Policy and in accordance with applicable law. We take steps to comply with applicable legal requirements for transferring Personal Data to recipients in countries outside the European Economic Area or Switzerland that do not ensure an adequate level of protection. We use various measures to ensure that your Personal Data transferred to these countries enjoys adequate protection under data protection rules. These include signing the Contractual Clauses, certifying that the recipient has adopted the European Binding Rules or complying with the EU-US and Switzerland-US Privacy Shield.
For how long do we keep your Data?
We retain your Personal Data for as long as necessary to fulfil the purposes set out in this Privacy Policy (unless a longer retention period is required by applicable law). Generally, this means that we will retain your Personal Data for as long as you have an account with our Company. With respect to your Personal Data related to product purchases, we retain this data for a longer period in order to comply with our legal obligations (such as tax and trade law and for warranty purposes). At the end of this retention period, your data will be deleted completely or anonymized, for example by aggregating it with other data, so that it can be used in an unidentifiable way for statistical analysis and business planning. Some examples of customer data retention periods:
• Orders. When you place an order, we will retain the personal data you gave us for five years, so that we are able to comply with our legal and contractual obligations.
• Warranties. If your order included a warranty, the relevant personal data will be retained until the end of the warranty period.
• Newsletters. Your statement of consent to receive a newsletter is kept for as long as you receive a newsletter from the Company.
Is your Data safe?
We are committed to safeguarding your Personal Data. Recognizing the importance of the security of your Personal Data, we have taken all appropriate organizational and technical measures to ensure the security and protection of your Data from any form of accidental or unlawful processing. We use the most modern and advanced methods to ensure maximum security. Isotope uses the TLS protocol, for secure online commercial transactions. This encrypts all Data you provide, including your credit card number, name and address, so that it cannot be decrypted or altered during transmission over the Internet. In addition, the data used to identify you as an account user are two: your Username and your Personal Secret Security Code (Password). Each time you enter your details, you are granted access to your personal account. This process is achieved securely through encryption during their transfer to the Internet and the Company's servers. Following the same standards, you are given the opportunity to change your Personal Secret Security Code (Password) as often as you wish. After entering the desired password, the new password is encrypted and stored in the Company's systems. For this reason, the only person who knows your password is you, and you are solely responsible for maintaining the secrecy of the password from third parties. These measures are reviewed and modified when necessary.
What are your rights?
You have the right to access your personal data. This means that you have the right to be informed by us if we process your Data. If we process your Data, you can ask to be informed about the purpose of the processing, the type of your Data we hold, who we give it to, how long we store it, whether automated decision-making is carried out, and your other rights, such as rectification, erasure, restriction of processing and lodging a complaint with the Data Protection Authority. You have the right to rectify inaccurate personal data. If you find that there is an error in your Data, you may submit a request to us to correct it (e.g., to correct your name or update a change of address). You have the right to erasure/right to be forgotten. You can ask us to delete your Data if it is no longer necessary for the processing purposes listed above or you wish to withdraw your consent where this is the only lawful basis. You have the right to portability of your Data. You may request to receive in a readable form the Data you have provided or request us to transfer it to another controller. You have the right to restrict processing. You can ask us to restrict the processing of your Data for as long as your objections to the processing are pending. You have the right to object to and withdraw consent to the processing of your Data. You may object to the processing of your Data and we will stop processing your Data unless there are other compelling and legitimate reasons that override your right. If you have consented to the collection, processing and use of your Personal Data, you may withdraw your consent at any time with future effect.
Opting out of receiving Marketing Communications.
You may opt out of receiving marketing communications from the Company by modifying your options in your user account (my profile) on our Sites. You may also opt out of receiving marketing communications by changing your email and text messages (SMS) subscriptions by clicking the unsubscribe link or following the instructions included in the message. Alternatively, you can contact us using our contact details. Where we rely on our legitimate interest. Where we process your personal data based on our legitimate interest, you can ask us to stop for reasons relating to your personal situation. We must then do so if we do not believe we have a legitimate compelling reason to continue to process your Personal Data.
How can you exercise your rights?
In order to exercise your rights, you can submit a request to the Data Protection Officer at the Company’s mailing address (Nikitas Pachopos www.yellowrose.gr, 15 Menexedon Street, Kifissia, Attica, 14564) or at the Company’s e-mail address (info@yellowrose.gr) with the title “Exercise of Rights” and we shall see that we examine such request and reply to you as soon as possible. As an exception:
• If you wish to withdraw your consent to receive a newsletter, you can do so by selecting the link “To unsubscribe from the ‘newsletter mailing list’ click here” located at the bottom of each newsletter;
• if you do not wish to receive web push notifications from the Company, you can deactivate the option from your browser setting.
Identity Verification. To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Policy. If you have authorized a third party to make a request on your behalf, we will ask them to demonstrate that they have your permission to act for this purpose.
When do we respond to your Requests?
We will respond to your Requests free of charge without delay, and in any case within one (1) month of receiving your request. However, if your Request is complex or there are a large number of Requests, we will let you know within the month if we need to obtain an extension of another two (2) months within which we will respond to you. If your Requests are manifestly unfounded or excessive, in particular because of their repetitive nature, the Company may impose a reasonable fee, taking into account the administrative costs of providing the information or performing the requested action, or refuse to follow up on the Request.
What is the applicable law when we process your Data?
The applicable law is Greek law, as formulated in accordance with the General Data Protection Regulation 2016/679/EU and in general the applicable national and European legislative and regulatory framework for the protection of personal data. The competent Courts for any disputes arising in relation to your Data are the Courts of Athens.