Terms And Policies

Introduction

With this Privacy Policy, our company “SHOP & TRADE S.A. COMMERCIAL AND INDUSTRIAL CLOTHING COMPANY, DISTRIBUTION AND SERVICE PROVIDER” (hereinafter referred to as the “Company”, “We”, “Us”), acting as the Data Controller, and with a strong commitment and respect toward the privacy of the individuals who interact with us, provides you with the necessary information regarding the processing of your personal data (the types of personal data we collect, how we process it, and the means we use to protect it), in the context of our relationship.

This Policy and our practices focus on the collection, processing, disclosure, transfer, and storage of your personal information in a lawful and appropriate manner, ensuring the confidentiality, integrity, availability, and security of your personal data, in accordance with the Applicable Legislation.

The processing and protection of your personal data is governed by the terms below, by the relevant provisions of the applicable Greek legislation on personal data protection (e.g., Law 4624/2019, Law 3471/2006, etc.), the guidelines and regulations of the European Union (in particular, the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”)), as well as by the relevant decisions, guidelines, and regulatory acts of the Hellenic Data Protection Authority (hereinafter “HDPA”) (collectively referred to as the “Applicable Legislation”).

This Policy includes all relevant information that applies to the collection, processing, and use of your personal data as a user/visitor of our Company’s main website www.shopandtrade.gr, as a final consumer in any of our physical stores in Greece, as a wholesale client, or as a job applicant with our Company.

For the Privacy Policy applicable to your transactions through our Online Store (www.bloobox.gr), you may find more information [here].

Definitions

The terms related to the General Data Protection Regulation (GDPR) used in this Privacy Policy carry the meanings assigned to them in the official text of the GDPR.

• “Personal data” means any information relating to an identified or identifiable natural person, i.e., someone whose identity can be determined, directly or indirectly, especially by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
• “Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data that has been or will be brought to the Company’s attention, either directly from you through the website or in the context of your transactional relationship with us.
• “Data Controller” refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data. The Data Controller is our Company.
• “Processor” refers to a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
• “Recipient” refers to a natural or legal person, public authority, agency or another body to whom personal data are disclosed, whether a third party or not.
• “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
• “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data Controller and Data Protection Officer (DPO)

The Data Controller of the personal data collected is the company “SHOP & TRADE S.A. COMMERCIAL AND INDUSTRIAL CLOTHING COMPANY, DISTRIBUTION AND SERVICE PROVIDER”, located in Tavros, Attica (222 Pireos Street, 177 78, Attica, info@shopandtrade.gr, +30 210 34 08 400).

Our Company has appointed a Data Protection Officer (DPO), who serves as the liaison between the Company and you, and oversees the Company’s compliance with the applicable regulatory framework for data protection. For any questions, comments or clarifications regarding this Policy or your personal data, please contact our DPO at dpo@shopandtrade.gr.

Data Processing Principles

Our processing of your personal data is always based on the following data protection principles, as per the applicable legal framework:

• Personal data is processed lawfully, fairly, and in a transparent manner.
• Personal data is collected for specified, explicit, and legitimate purposes.
• The collection of personal data is limited to what is necessary in relation to the purposes for which they are processed.
• Personal data is accurate and, where necessary, kept up to date.
• All necessary steps are taken to ensure that inaccurate personal data is rectified or erased without delay, considering the purposes for which they are processed.
• Personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
• Personal data is treated as confidential and stored securely.
• Personal data is not shared with third parties unless this is necessary for providing our services to you, with prior notice, or if required or permitted by applicable law.

Collection, Legal Basis, and Purpose of Processing Your Data

In the interest of transparency and responsible management of your personal data, we provide the following table, which outlines:

• The main categories of data subjects,
• The types of personal data we collect,
• The legal basis for processing under the GDPR,
• The corresponding purposes of processing.

This table is intended to inform you in a clear and understandable way about how and why we use your data, ensuring that their collection and use is limited to what is strictly necessary for specific, lawful, and legitimate purposes, as defined by the Applicable Legislation.

Processing Activity Table

Processing of Special Categories of Personal Data (“Sensitive Data”)

Please note that we do not generally process sensitive personal data (special categories of personal data), such as data relating to your racial or ethnic origin, religious or philosophical beliefs, health data, or data concerning your sexual life or orientation, as such data is not necessary for the fulfillment of the aforementioned purposes. We apply the principles of data minimization, necessity, and proportionality as outlined in the GDPR—except where there is a specific legal obligation or where you have given your explicit consent.

Processing of Personal Data Concerning Minors

Our website is not directed toward minors. For the purposes of this Policy, minors are considered individuals under the age of 18. The Company does not process personal data of minors.

When the processing of personal data is based on consent under Article 6(1)(a) of the GDPR and concerns the provision of information society services directly to a child, such consent is valid only if the child is at least 16 years old. If the child is under 16, the processing is lawful only if and to the extent that such consent is given or authorized by the person holding parental responsibility (Article 8 GDPR).

If you are a parent or guardian and you become aware that your child has provided us with personal data, please contact us immediately. If we become aware that we have collected personal data from a minor without appropriate parental consent, we will take all necessary steps to immediately delete the data and prevent similar occurrences in the future.

Retention of Your Personal Data

In all cases, your data is retained by us only for the necessary and reasonable period required to fulfill the purposes for which it was collected. This period is determined based on the nature of the processing, our legal obligations, and any potential legal claims. For example:

• To fulfill legal obligations from a sale: 2 years
• For specific campaigns and contests: as long as the campaign or contest lasts
• For tax purposes: 5 years, and exceptionally 10 or 20 years if additional elements arise under applicable law and jurisprudence.

Your data will be deleted when it is no longer reasonably necessary or if you withdraw your consent. The legality of processing based on your consent is not affected by its withdrawal until the moment you requested the withdrawal.

If necessary to comply with legal or regulatory obligations, resolve disputes, or enforce our terms of use, we may retain certain data even if we no longer provide services to you.

In case of a legal dispute, your personal data will be retained until the resolution of the litigation, even if this exceeds the 20-year retention period.

In any case, after the applicable retention periods expire, your data will be securely and irreversibly deleted.

Who We Share Your Personal Data With

All your data is processed by our Company (as Data Controller) for the fulfillment of contractual and legal/regulatory obligations, the pursuit of its legitimate interests, or when you have given your consent, always in full compliance with applicable law.

Access to your personal data is granted to:

1. a) Company employees responsible for evaluating your requests, managing contracts, and fulfilling legal obligations. These employees are bound by strict confidentiality clauses.
2. b) Third-party service providers (Data Processors) performing specific tasks on our behalf. These providers are contractually obligated to process your data lawfully and securely, in accordance with Articles 28 and 32 of the GDPR. These may include:

• Logistics and transport companies,
• Advertising and promotional service providers (e.g., social media),
• IT service providers supporting the Company’s website and applications,
• Market research and analytics firms offering insights for product/service improvements.

1. c) Public authorities, such as regulatory bodies, law enforcement, or courts, when required by applicable laws and regulations.

We ensure that such disclosures are limited to what is strictly necessary for the performance of their tasks, and that the data is used exclusively according to our instructions.

If our ownership changes, your personal data may be transferred to the new owner.

Apart from these cases, your data will not be disclosed, published, or sold to third parties unless required by law, such as under Law 2225/1994 or the implementation of Directive 24/2006. In such cases, data may be disclosed to competent authorities strictly under the applicable regulatory framework.

You also have an obligation to safeguard the confidentiality of your personal data and not to disclose or allow its misuse by others. The Company reserves the right to claim damages in case of a breach of these obligations by you.

International Transfers of Personal Data

We do not transfer your personal data directly to third countries (outside the EU) or international organizations, unless such transfer is required by law or is subject to appropriate safeguards, in accordance with Articles 44 et seq. of the GDPR.

Your Rights as a Data Subject

According to the General Data Protection Regulation (EU) 2016/679, you have the following rights at any time:

1. Right to be informed about how your data is used (Articles 12, 13, 14 GDPR).
2. Right of access to your personal data held and processed by the Company (Article 15).
3. Right to rectification of inaccurate or incomplete data (Article 16).
4. Right to erasure (“right to be forgotten”) when data is no longer necessary or legally required (Article 17).
5. Right to restriction of processing, for example, if accuracy is contested or processing is unlawful (Article 18).
6. Right to object to processing based on legitimate interest or to automated decision-making (Articles 21 and 22).
7. Right to data portability, allowing you to receive your data in a structured format or transfer it to another controller (Article 20).
8. Right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Article 7).

Specifically, regarding promotional communications via email or SMS, you always have the right to opt out, at no cost and without providing justification.

If you no longer wish to receive updates from our Company, you can click “Unsubscribe” in any of our emails or SMS, or contact us at marketing@shopandtrade.gr. After your request, your data will no longer be processed for marketing purposes.

You also have the right to lodge a complaint with the Hellenic Data Protection Authority if you believe that your data is being processed unlawfully. For more information, visit: www.dpa.gr

How to Exercise Your Rights

You may exercise your rights by sending an email to: dpo@shopandtrade.gr
or by post to: Pireos 222, Tavros, Attica, using the designated Rights Request Form available on our website.

Your request will be reviewed upon submission of the completed form and under the specific guidelines provided.

Shop and Trade will make every effort to respond within one month from the date of your request. If the request is complex or involves extensive processing, we may extend the timeline but will inform you accordingly within the same one-month period.

Processing Security

We inform you that your personal data will always be processed securely, with the implementation and maintenance of necessary technical and organizational measures aimed at protecting your data against accidental or unlawful alteration, falsification, unauthorized disclosure, or access—especially when data processing involves the transmission of your data over a network—and against all unlawful forms of processing.

For example, our information systems include:

• Installed antivirus software and firewalls protecting against internal and external threats
• Regular updates to operating systems and software
• Access control mechanisms (access matrix) restricting data reach
• Encryption of critical assets such as corporate devices, backups, and data files
• Backups and secure file storage
• Company-wide Security Policies governing both electronic and physical infrastructure security and data protection

Specifically, our website uses the SSL (Secure Sockets Layer) protocol with strong encryption to enhance the security of data transmission over the Internet.

Cookies

We may use cookies to facilitate or enable communication between us via electronic communications networks. This ensures the efficient operation of our services, records general traffic or consumer behavior data, and allows us to conduct research to improve the content and services we provide.

Cookies are small data files transferred from the website to your browser for identification purposes. If you have configured your device to accept them, they are stored on your hard drive for the above purposes.

Depending on their duration, we may use:

• Session cookies: These collect information about when you access our site, allowing us to personalize your visits. They are automatically deleted when you close your browser.
• Persistent cookies: These help customize your experience, enhance member security, and gather data about website usage. They remain until their predetermined expiration.

On this website, we use the following cookie categories by purpose:

1. Strictly Necessary Cookies

Essential for website functionality—e.g., enabling secure areas, shopping carts, or online billing. Without these, those services cannot be provided. They do not collect marketing data or track your browsing outside our site. If disabled, we cannot ensure proper site behavior.

2. Functional Cookies

Enable the site to remember your choices (e.g., username, language, region) and offer personalized features—like local weather, text size adjustments, video playback, or blog commenting. The data may be anonymized and is not used to track your activity on other sites.

3. Performance / Analytics Cookies

Collect anonymized data on your browsing behavior—page visits, error messages—to help us improve site structure, navigation, and content. We do not link this data to identifiable individuals.

We may use tools like Google Analytics to track site usage and interactions (known as “website metrics” or “analytics”). Google uses cookies to analyze site use and produces aggregated statistics about user behavior. We may also use analytics cookies from partners like Adobe to track user interaction on our site. Google only shares such data with third parties if legally required.

4. Targeting / Advertising Cookies

Used to present ads relevant to you, limit ad frequency, and measure campaign effectiveness. Placed by advertising networks with site permission, they record your visit and share data with advertisers. These are often tied to functionalities provided by other entities.

Some of these cookies are third-party—set by our partners to collect data on ad performance and user interaction. This information may be used for statistical insights and to improve your ad experience. We work with providers such as Google (Google Analytics & Ads) and Facebook for site analytics and ad optimization.

We do not collect personally identifiable data via basic cookies. Any identification occurs only if you choose to provide it. We never sell or trade data collected via cookies.

Your Cookie Control

You may set or disable cookies at any time. Upon entering our site, you will see a notice about our cookie use, with options to choose which categories (beyond necessary) you accept. Browsing further, assuming proper browser settings, means you give explicit consent.

You can disable cookies via your browser settings (instructions and links below), but please note that this may limit certain site functionalities:

• Internet Explorer: support.microsoft.com/kb/278835
• Firefox: support.mozilla.org/en-US/kb/delete-cookies-remove-info-websites-stored
• Chrome: support.google.com/accounts/answer/61416?hl=en
• Safari (macOS): support.apple.com/kb/PH5042
• Safari (iOS): support.apple.com/kb/HT1677

For comprehensive guidance, visit www.allaboutcookies.org. Be aware that disabling cookies may impede some site capabilities.

Specific Declarations by the Company

The Company shall not be held liable for any damage (direct, indirect, actual, or consequential) that may be caused to the visitor in connection with or due to the use of this website. The visitor is solely responsible for protecting their system from viruses and other malicious software.

The Company reserves the right to modify this Privacy Policy at any time, in accordance with applicable legislation. Any such modification shall take effect upon its publication on this website. No changes to the above terms shall have retroactive effect on the processing of personal data collected prior to the update, unless such retroactive effect is required by law. In such a case, all registered users will be informed either via the email addresses they have provided or through a notice on the website.

Since your personal information and contact details are extremely important for the fulfillment of your electronic transactions—as they are the only means of communication with you regarding our obligations and your orders—you must ensure that the information you provide is accurate. Every effort will be made to ensure that we receive correct information from you, and for this reason, we ask that you carefully review all your details before submitting them to us along with your explicit consent.

Therefore, the Company bears no responsibility if any of its contractual or legal obligations are not properly or timely fulfilled due to incorrect personal data being submitted. In particular, any notification sent to the email address you have provided shall be considered valid, even if not delivered due to errors in the information entered. The same applies to your physical shipping address and contact telephone numbers. You are required to update your information whenever any changes occur.

By reading this notice, the user/visitor acknowledges the above processing, which is fully compliant with the GDPR and its recitals, and is carried out solely for the purposes mentioned above or for compatible purposes.

Contact Information

Data Controller:

SHOP AND TRADE S.A.
Address: 222 Piraeus Street, Tavros, 17778, Athens, Greece
Phone: +30 210 3408400
Email: info@shopandtrade.gr
Website: www.shopandtrade.gr

Data Protection Officer (DPO):

Email: dpo@shopandtrade.gr

Hellenic Data Protection Authority (DPA – National Supervisory Authority):

Address: 1-3 Kifisias Avenue, GR-115 23, Athens, Greece
Telephone: +30 210 6475600
Fax: +30 210 6475628
Email: contact@dpa.gr