1. ABOUT THE WEBSITE

1.1. The website www.themythicbox.com is registered under the Tax Identification Number 147319410 (Tax Office of Florina) seated at the street Megalou Alexandrou 66, in Florina, Greece (hereinafter “Administrator”).

1.2. www.themythicbox.com is an online shop that sells packaged food exclusively from Greek producers in Greece and abroad.

2. PERSONAL DATA - DEFINITION

2.1. Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymized but can be used to re-identify a person remains personal data and falls within the scope of the GDPR. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymized, the anonymization must be irreversible.

2.2. The term “personal data” refers to information of natural persons, such as name, postal address, e-mail address, contact telephone number, etc., which identify or can identify the User (hereinafter referred to as “Personal Data” or “Data” »)

3. PROCESSING OF PERSONAL DATA - DEFINITION

3.1. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

4. MANDATORY AND OPTIONAL DATA

4.1. The disclosure of the User Data may be necessary for the achievement of the purposes set out in this Privacy Policy or may be optional. The mandatory or optional nature of the data is indicated by an asterisk (*) next to the personal data of a mandatory nature.

4.1.1. Required Data: If the User refuses to provide the Administrator with the information that is marked as mandatory on the Websites, it will be impossible to achieve the main purpose of collecting this data, and may, for example, make it impossible for the Administrator to provide the services available on the Website.

4.1.2. Optional Data: The provision of additional data to the Administrator, in addition to those that are marked as mandatory, is optional and does not affect the main purposes of data collection, but their concession serves to optimize the quality of the services that are provided.

5. PERSONAL DATA WE COLLECT

5.1. We only collect personal data we actually need for our specified purposes and which are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This Data includes the following:

5.1.1. Data provided by the User during his registration and the creation of a User account, via the internet or his mobile phone, and specific data such as e-mail address * and login password *, as well as name, surname, postal address, and telephone number (optional).

5.1.2. Data and information provided to the Administrator through the transactions between them (purchases, orders, etc.) and the communication between them (via the electronic or physical store, telephone, e-mail, etc). For example, notes are collected from the Administrator’s conversations with the User, details of any complaints or comments the User makes, details of their purchases, documents added to or removed from the cart, a list of desired services, coupon redemptions, as well as how and when to contact the Administrator.

5.1.3. Data concerning the method of payment for the transactions made by the User with the Administrator.

5.1.4. Data provided by the User during his registration in the newsletter.

5.1.5. Data for the services that the User usually chooses. This data, which the User reserves the right not to share, will be used to offer him services of interest and to improve his shopping experience.

5.1.6. Traffic data of this website or other websites that the User browsed just before it.

5.1.7. Information collected from the use of cookies in the User’s browser. More about how to use cookies can be found in the Cookies Policy.

5.1.8. For the best possible website experience, we collect technical information about the User’s internet connection and browser, the country and phone code where his computer is located, the web pages that appear during his visit, the ads that he clicked at, and the search terms he eventually visited.

5.1.9. The user name of the User’s social media, if he interacts with the Administrator through these channels, in order to help him answer his questions or comments.

5.1.10. Copies of documents provided by the User to prove his age or identity (eg copy of his police or student ID), when required by law. For example, these copies may include details of the User’s full name, address, date of birth as well as a photo of him. If he provides a passport, the data will also include his place of birth, sex, and nationality.

5.2. Juvenile Data: In accordance with the applicable law, it is not the Administrator’s policy to seek or receive personal data of minors, either directly or indirectly through third parties. However, as it is not possible to always verify the age of persons entering or using the site, parents and guardians of minors are advised to contact the Administrator directly if they find any unauthorized disclosure of data by the minors for whom they are responsible in order to exercise respectively the rights granted to them, such as e.g. to delete their data.

6. HOW WE USE YOUR PERSONAL DATA

6.1. The User’s Personal Data is used to provide information about the websites, products, and services he wishes, as follows:

6.1.1. Product Order: The Administrator processes the User Data in order to fulfill its contractual relationship, to process product orders, to provide customer service, to comply with legal obligations, to oppose, raise or enforce legal requirements. If he does not collect the User Data during the completion of the order, through his physical store, through a service phone or through his online store, he will not be able to process his order and comply with his legal obligations. In addition, it may retain the User Data for a reasonable period of time in order to fulfill its contractual obligations, such as product returns, as required by applicable law.

6.1.2. Creating a User Account: The Administrator processes User Data in order to provide the account functions and to facilitate the conclusion of the purchase of products.

6.1.3. Contact: The Administrator uses User Data to respond to requests / inquiries, refund requests and / or any complaints. The Administrator, with the information he receives from the User, acquires the ability to manage his requests and respond to him in the best possible way. He can also keep a record of his inquiries / requests to him so that he can better respond to any future communication. It does this based on its contractual obligations to the User, its legal obligations but also its legitimate interests in order to provide the best possible service and to be able to improve its services based on the User’s personal experience.

6.1.4. Please note that User Data may need to be transferred to third parties to deliver the service it has ordered (usually courier services). Below is more information about how he has personal data to third parties.

6.2. In addition, the User’s Personal Data may be used to disclose information about the Administrator’s services, as well as for other promotional purposes. Particularly:

6.2.1. Sending newsletters and offers: With the consent of the User, his Personal Data, preferences, and transaction data will be used to be informed via e-mail, internet, telephone and/or through social media for relevant products, including personalized offers, etc. The User can revoke this consent at any time.

6.2.2. Web Push Notifications: Depending on its navigation, the User can receive – having previously given his consent – notifications for offers, news, his Wish List, and his shopping cart. Here, as well, the User can revoke this consent at any time.

6.2.3. Participation in Rewards Programs or Contests: The Administrator processes the User’s Data, in case he agrees to participate in any reward program or contests he conducts, to notify him if he is the winner of the contest and to deliver his gift.

6.3. User Data is also used to operate, improve and maintain the Administrator’s business and services, for the following reasons:

6.3.1. Development and improvement of systems and services for the services he provides to the User, based on his legitimate business interests.

6.3.2. Sending offers and proposals that are related to the interests of the User. In order to form a better image for the User, the personal data collected throughout the user’s relationship with the Administrator is combined, such as e.g. the history of the services requested in both the physical and the online store.

6.3.3. Showing interesting content on the website. For this purpose, there are used data provided by the User, who has given his consent for the placement of cookies on his device. For example, you may see a list of products that the User has recently viewed or offers recommendations based on his purchase history and any other Data shared with the Administrator.

6.3.4. Sending research and evaluation requests in order to improve the services provided. These messages will not contain promotional content and do not require prior consent when sent via email or text message (SMS). The Administrator has a legitimate interest in doing so, as this helps his services to be more relevant to the User’s interests. The User has the right to refuse to receive these requests from the Administrator at any time by updating his preferences on his online account.

6.4. In addition, User Data is used to protect the rights, assets, or security of the Administrator or third parties.

6.4.1. Protecting the User’s account from fraud and other illegal activities. This includes the use of his Data to maintain, update and protect his account. The activity of browsing this website is also monitored for the detection and quick resolution of any problems, as well as for the protection of the integrity of the website. All of the above are part of the legitimate interest of the Administrator. For example, he checks the User’s password when logged in and uses automated IP address tracking to detect possible false inputs from unexpected locations.

6.4.2. Processing payments and preventing fraudulent transactions. He does so on the basis of his legitimate business interests, helping at the same time to protect his customers from fraud.

6.5. Finally, the processing is done for his compliance with obligations arising from the law.

6.5.1. Compliance with his contractual obligations towards the User, with the provisions of law, or for the execution of court decisions.

6.5.2. Sending communications required by law or necessary to inform the User about changes in the services provided. For example, privacy notifications, product recall notices, and legally required information about User orders. These service messages will not contain promotional content and do not require prior consent when sent by email or text message (SMS). If the User’s personal data is not used, the Administrator will not be able to comply with its legal obligations.

6.6. The processing of User Data is carried out either by specially authorized personnel or through computer systems and electronic devices and exceptionally by third parties, who, having contractually committed to the confidentiality and protection of User Data, carry out tasks necessary for the achievement of the purposes strictly related to the use of this website, its services and the provision of products through it. Below you can find more information about the recipients of the User Data and the ways of their notification “.

7. PURPOSE OF DATA PROCESSING

7.1. The Administrator collects the User Data for the purposes of the products provided by him and in particular for the following:

7.1.1. Management of the sale of his products, e.g. the communication and information of the User regarding the progress of the requested order, the execution of his order, the shipment of his products, the management of his debts to the Administrator, the realization of returns and the provision of guarantees.

7.1.2. Compliance with the obligations imposed by the current legislation e.g. tax legislation, e-commerce directive, etc.

7.1.3. Control, improvement, and adaptation to the preferences and choices of the User regarding his products.

7.1.4. Sending, by electronic or traditional means, administrative, technological, organizational and/or commercial information for products and/or services of the Administrator.

7.1.5. Customer satisfaction research, service promotion, and sending newsletters about his products.

8. LEGAL BASIS FOR DATA PROCESSING

8.1. Data protection legislation defines a number of reasons why a User’s personal data may be collected and processed. These include the terms of the Administrator-User relationship, the consent of the latter where required (eg when choosing to receive a newsletter), the obligations of the Administrator arising from the law (eg tax legislation, legislation on e-commerce, etc.), as well as his legal interest.

8.2. In certain cases, the collection of Data is done in a way that is reasonably expected as part of the operation of the website and that does not substantially affect the rights of the User, his freedom, or his interests.

9. DATA RECIPIENTS

9.1. Data Recipients: Access to the User Data is held by the Administrator, who is committed to maintaining confidentiality, and third-party service providers, who process the User Data as the Executors of the Processing on behalf of the Administrator and in accordance with his instructions.

9.2. Notification from the Administrator: The Administrator shares the User Data with the following persons:

9.2.1. Other suppliers with whom he may cooperate in every specific case to provide the products requested by the User.

9.2.2. Third-party service providers that process personal data on behalf of the Administrator, such as those responsible for processing credit cards and payments, transfers and deliveries, hosting, managing and maintaining his data, email distribution, research and analysis, management promotions of his services, as well as with Google and Facebook. When using third-party service providers, he enters into agreements with them that oblige them to implement appropriate technical and organizational measures for the protection of the User’s personal data.

9.2.3. Other third parties, to the extent required for the following purposes: (i) compliance with a government request, court order or applicable law, (ii) prevention of unlawful use of the site or breach of its Terms of Use and policies, (iii) his own protection against third party claims, and (iv) contributing to the prevention or investigation of fraud (eg counterfeiting)

9.2.4. Other third parties when the User himself has given his consent.

9.3. User Disclosure: When a User uses certain social media elements on this website, he may create a public profile that includes information such as username, profile picture and city. It can also share content with friends or the general public, including information about how he interacts with the Administrator. The User is encouraged to use the tools provided by the website to manage the sharing of the Administrator’s social media in order to control the information that is made available through the Administrator’s social media data.

9.4. Policy towards third party Data Recipients:

9.4.1. When sharing Data with third parties, the Administrator provides only the absolutely necessary information needed to perform their specific services, and they, in turn, can use the User’s data only for the exact purposes specified by the Administrator in his contract with them. In addition, he works closely with them to ensure that the privacy of each User is respected and protected at all times, and in the event that he stops using their services, all data will be deleted or made anonymous.

9.4.2. To improve the User experience, the Administrator uses the following companies, which will process his Personal Data as part of their contracts with him: Google, Facebook, Instagram, ELTA Courier, ACS, Österreichische Post, DHL.

9.5. Data Respect by the Executors: The Executors on behalf of the Administrator have agreed and contractually agreed with him to maintain confidentiality, not to send to third party User Data without the permission of the Administrator, to take appropriate security measures, and to comply with the legal framework for the protection of personal data and in particular Regulation 979/2016 / EU (GDPR).

10. INTERNATIONAL DATA TRANSFER

10.1. The personal data that the Administrator collects or processes in the context of his Website are stored in Greece. However, some of the recipients of the Data with whom the Administrator shares the User’s Personal Data may be located in countries other than the one where the initial collection of his Personal Data took place. Legislation in those countries may not provide the same level of data protection as the legislation in the country where his Personal Data was originally provided. However, when transferring the User’s Personal Data to recipients in other countries, including the US, he undertakes to protect it as described in this Privacy Policy and in accordance with the applicable law.

10.2. The Administrator shall take steps to comply with applicable legal requirements for the transfer of personal data to recipients in countries outside the European Economic Area or Switzerland that do not provide an adequate level of protection. He uses various measures to ensure that User Personal Data transferred to these countries enjoys adequate protection in accordance with data protection rules. These include signing the Contract Clauses, certifying that the recipient has adopted European binding rules or complying with the EU-US and Switzerland-US Privacy Shield.

11. DATA RETENTION PERIOD

11.1. The Administrator retains the User Data for as long as necessary to fulfill the purposes set out in this Privacy Policy unless a longer retention period is required by applicable law. Generally, this means that he will retain the Personal data of the User for as long as he has an account on this website. With regard to the Personal Data related to service purchases, he retains this data for a longer period of time in order to comply with his legal obligations (such as tax and commercial legislation and for warranty purposes). At the end of this retention period, the Data will be deleted completely or anonymously, for example by aggregation with other data, so that it can be used in an unrecognizable manner for statistical analysis and business planning.

11.2. Here are some examples of User Data Retention Periods:

11.2.1. Orders: When the User places an order, his personal data will be kept for five years, so that it is possible for the Administrator to comply with his legal and contractual obligations.

11.2.2. Newsletter: The User consent statement for sending a newsletter (newsletter) is kept for as long as the newsletter is sent by the Administrator and in any case not more than six months from the cessation of sending.

12. DATA SECURITY

12.1. Recognizing the importance of the security of the User’s Personal Data, the Administrator is committed to safeguarding the User Data and has taken all appropriate organizational and technical measures to secure and protect them from any form of accidental or improper processing.

12.2. TLS Protocol: www.themythicbox.com uses the TLS protocol for secure online trading. This encrypts all the Data provided by the User, including his credit card number, name and address, so that they can not be decrypted or changed during their transfer to the Internet.

12.3. Username & Password: In addition, the information used to identify the User as an account user is twofold: the username (Username) and the password. Each time the User enters his data, he is given access to his personal account. This process is achieved securely through encryption when transferring them to the Internet and the Administrator’s servers. According to the same standards, the User is given the opportunity to change his Personal Security Code (Password) as often as he wishes. After entering the desired code, the new code is encrypted and stored in the systems of the website. For this reason, the only one who knows the password is the User himself, who is solely responsible for maintaining the confidentiality of the password by third parties.

13. USER RIGHTS

13.1. Right of access to personal data: This means that the User has the right to be informed by the Administrator if he is processing his Data, and in a positive case he can ask to be informed about the purpose of processing, the type of Data he keeps, how long he stores them, if automated decisions are made, as well as for his other rights, such as those of correction, deletion of data, restriction of processing and submission of a complaint to the Personal Data Protection Authority.

13.2. Right to correct inaccurate personal data: If the User finds that there is an error in his Data he can apply for correction (eg name correction or change of address notification).

13.3. Right to delete / right to forget: May ask the Administrator to delete his data if it is no longer necessary for the above mentioned processing purposes or wishes to withdraw his consent in case this is the only legal basis.

13.4. The right to data portability: It allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.

13.5. Right to restrict processing: He may also request that the processing of his Data be restricted for as long as the processing of his objections to processing is pending.

13.6. Right to object and revoke consent to the processing of his Data: The User may object to the processing of his Data and the Administrator will stop processing them, unless there are other compelling and legal reasons that prevail over his right. If he has given his consent to the collection, processing and use of personal data, he may revoke his consent at any time with future effect.

13.7. Right to stop receiving marketing communications: The User may choose not to receive marketing communications by modifying his / her options in the user account (my profile) of this website. He may also choose not to receive marketing communications by changing the email records by clicking the delete link or following the instructions in the message. Alternatively, you can contact the Administrator using the contact details on the “Contact” tab.

13.8. In case the processing is based on legitimate interest: In cases where the processing of User Data is based on the legitimate interest of the Administrator, the User may request the cessation of processing for reasons related to his personal situation. In this case, the Administrator must terminate if he does not believe that he has a legitimate reason to continue processing the Personal Data of that User.

14. EXERCISING THE ABOVE-MENTIONED RIGHTS

14.1. Submission of a request: For the exercise of his rights, the User can submit a relevant request to the Data Protection Officer at the postal address of the Administrator (66 Megalou Alexandrou, Florina 53100) or to his e-mail address ([email protected]) entitled “Exercise of Right” and the Administrator will make sure to review it and respond as soon as possible. Exceptionally:

14.1.1. If the User wishes to correct his Data in his user account, he can log in to it and make any correction/change without the need to submit a Request.

14.1.2. If he wishes to withdraw his consent to receiving newsletters he can do so by selecting the link “Unsubscribe”, located at the bottom of each newsletter.

14.1.3. Finally, if he does not want to receive web push notifications, he can disable the option from his browser setting.

14.2. Identity check: To protect the confidentiality of the User’s information, he will be asked to verify his identity before making any request based on this Privacy Policy. If he has authorized a third party to submit a request on his behalf, he will be asked to prove that he has the User’s permission to act for this purpose.

14.3. Response to a request: The response to the User’s request is free, without delay, and in any case within (1) one month from the time the request is received. If, however, his request is complex or there is a large number of requests, he will be informed within the month if it is necessary to obtain an extension of another (2) two months within which he will receive a response. If his requests are manifestly unfounded or excessive, in particular, because of their repetitive nature, the Administrator may impose a reasonable fee, taking into account the administrative costs of providing the information or performing the requested action, or refusing to comply with the request.

15. APPLICABLE LAW & RIGHT TO APPEAL

15.1. Applicable Law during the processing of the Data is the Greek Law, as formulated according to the General Regulation for the Protection of Personal Data 2016/679 / EU, and in general the current national and European legal and regulatory framework for the protection of personal data.

15.2. Any dispute arising out of or in connection with the protection of the User’s Personal Data is subject to mediation in accordance with the European Mediation Directive. In the event that the dispute or part of it is not resolved through mediation, the dispute or the unresolved part of it is resolved exclusively and irrevocably by an arbitral tribunal, which determines and conducts the arbitration in accordance with the Arbitration Rules of EODID Mediation & Arbitration Organization.

15.3. The User has the right to submit a complaint to the Personal Data Protection Authority (postal address 1-3 Kifissias, PC 115 23, Athens, tel. 210. 6475600, e-mail address [email protected]), if he considers that the processing of his Personal Data violates the current national and regulatory framework for the protection of personal data. 

16. UPDATES TO OUR PRIVACY POLICY

16.1. This Privacy Policy is updated whenever necessary. If there are significant changes to the Privacy Policy or the manner in which the User Personal Data is used, an update hereof will be posted on the Website before the changes take effect. The User is advised to read this Policy at regular intervals to know how his Data is protected.

16.2. This Privacy Policy was last modified on February 26, 2021.