Privacy Policy
Last updated: 22 March 2026
1. Data Controller
The data controller responsible for the processing of your personal data is a registered Greek sole proprietorship operating under the following details:
- Business Activity: Retail trade of clothing items (Λιανικό Εμπόριο Ειδών Ιματισμού)
- Registered Address: Καποδιστρίου 10, Αιγάλεω, 12241, Athens, Greece
- Greek Tax Identification Number (ΑΦΜ): 802132078
- Jurisdiction: Greece
The business operates the website compliceteam.com (the "Site") under the trade name "Complice" ("we", "us", or "our"). This Privacy Policy is issued in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Greek Law 4624/2019.
We act as the Data Controller for all personal data processing described in this policy.
2. Categories of Personal Data Collected
We collect personal data only to the extent necessary for the purposes described in this policy. The categories of data collected depend on how you interact with us.
Account Registration (required for contract performance):
- First name and last name
- Email address
- Password (stored using secure cryptographic hashing — we never store or have access to your plain-text password)
Checkout & Orders (required for contract performance):
- First name and last name
- Shipping address (street, city, postal code, country)
- Phone number
- Email address
Account Profile (optional — not required):
- Date of birth — provided at your discretion; used only for personalised offers if marketing consent has been given
- Saved shipping address — for convenience on future orders
Loyalty Programme (automatically derived from order history):
- Points balance and ranking tier
- Coupon usage history
Automatically Collected Data (only with your prior consent, except for strictly necessary processing):
- Pages visited and interactions (via Google Analytics 4)
- Basic device and browser information (via Vercel Analytics and Speed Insights)
- IP address (anonymised, for security purposes)
Newsletter & Marketing Communications:
- Email address — collected when you subscribe to our newsletter, opt in during account registration, or opt in at checkout.
- We validate email addresses for correct formatting and reject known disposable or temporary email services to maintain list quality and protect against abuse.
3. Mandatory vs Optional Data
Certain personal data is required to perform our contractual obligations to you. Other data is optional.
Required data (necessary for contract performance):
- Name, email address, shipping address, and phone number are required to create your account, process orders, arrange delivery, and issue invoices.
- If you do not provide this data, we will not be able to process your order or create your account.
Optional data:
- Date of birth, saved addresses, and marketing preferences are entirely optional. Failure to provide this data will have no impact on our ability to fulfil your orders or provide access to our services.
4. Purposes and Legal Bases for Processing
We process your personal data for the following purposes and on the following legal bases under the GDPR:
Contract performance (Article 6(1)(b) GDPR):
- Creating and managing your account.
- Processing and fulfilling orders, including delivery and returns.
- Operating the loyalty programme.
- Payment processing — you are redirected to Stripe for secure payment. We do not process or store payment card data on our systems.
Consent (Article 6(1)(a) GDPR):
- Placing analytics cookies (Google Analytics 4, Vercel Analytics).
- Sending marketing communications and promotional emails. You may give consent via any of the following touchpoints: (i) subscribing to our newsletter in the website footer, (ii) ticking the marketing opt-in checkbox during account registration, or (iii) ticking the marketing opt-in checkbox during guest checkout. Each touchpoint requires an explicit, affirmative action on your part; no checkbox is pre-selected.
- Transmitting conversion events to Meta (Facebook) via the Conversions API.
- You may withdraw consent at any time via the cookie consent banner, the unsubscribe link in our emails, or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
Legitimate interest (Article 6(1)(f) GDPR):
- Basic site security and fraud prevention.
- Maintaining server logs for operational stability.
- We have conducted a balancing test and concluded that these interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time by contacting us at info@compliceteam.com.
Legal obligation (Article 6(1)(c) GDPR):
- Tax and accounting record-keeping as required under Greek law (Κ.Φ.Α.Σ. / Greek Tax Code and related regulations).
- Responding to lawful requests from competent authorities.
5. Automated Decision-Making
We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significant effects concerning you within the meaning of Article 22 GDPR.
6. Cookies, Local Storage & ePrivacy Compliance
We use cookies and browser local storage in accordance with the EU ePrivacy Directive (2002/58/EC as amended) and its Greek transposition. You can manage your preferences through our cookie consent banner at any time.
Strictly necessary (always active — no consent required under Article 5(3) ePrivacy Directive):
- Shopping cart contents — stored in your browser's local storage so your cart persists between visits.
- Cookie consent record — stores your consent preferences.
- User session token — maintains your authenticated session.
Analytics (loaded only after explicit consent):
- Google Analytics 4 cookies (_ga, _ga_*) — usage statistics. These cookies are not placed until you affirmatively consent.
- Vercel Analytics — anonymous performance metrics. Not loaded until consent is given.
Marketing (loaded only after explicit consent):
- Meta (Facebook) Conversions API — page view, add-to-cart, initiate-checkout, and purchase events sent server-side for advertising measurement. Activated only after marketing consent is given.
- Moosend (Sitecore) — email marketing and abandoned cart tracking. When you subscribe to our newsletter, opt in during registration, or use the "Save my cart" feature, we share your email address and cart/browsing activity with Moosend to send you personalised emails and cart reminders. Moosend may set tracking cookies to identify your session.
Cookie consent safeguards:
- No non-essential cookies or tracking scripts are loaded before you provide explicit, affirmative consent.
- A "Reject all" option is available at first presentation and at all times thereafter.
- You may withdraw consent at any time by accessing the cookie consent settings on the Site. Withdrawal takes effect immediately for future processing.
- Consent records are retained for 12 months, after which we will request your preferences again.
7. Meta (Facebook) Conversions API — Transparency
When you grant marketing consent, we transmit certain event data to Meta Platforms Ireland Limited via the Meta Conversions API. The following applies:
- We transmit your email address in hashed (SHA-256) form along with event data (page views, add-to-cart, initiate checkout, purchases). Hashed email addresses remain personal data under GDPR.
- Meta may combine the data we transmit with other data it holds about you for its own purposes, including ad targeting and measurement across its platforms. Meta acts as a joint controller or independent controller for such further processing, depending on the specific use case.
- This processing occurs only after you have given explicit marketing consent via our cookie consent banner.
- You may withdraw marketing consent at any time, which will immediately stop future transmission of data to Meta.
8. Data Processors and Data Processing Agreements
We share personal data with the following categories of third-party processors, solely to the extent necessary to provide our services. We have entered into Data Processing Agreements compliant with Article 28 GDPR with each processor:
- Stripe (Stripe Technology Europe, Limited) — payment processing. Stripe acts as an independent data controller for regulatory and fraud-prevention purposes. See Stripe's Privacy Policy.
- Google Ireland Limited (Google Analytics 4) — website analytics. Processing is configured to use EU-based data centres where possible.
- Meta Platforms Ireland Limited (Conversions API) — marketing conversion measurement.
- Vercel Inc. — website hosting, analytics, and speed insights.
- DigitalOcean, LLC — image storage and content delivery.
- Moosend (Sitecore) — email marketing platform. We share your email address, cart activity, and purchase history with Moosend to deliver marketing emails, abandoned cart reminders, and personalised offers. You can opt out at any time by unsubscribing via the link in our emails or through your account settings. See Moosend's Privacy Policy.
We do not sell, rent, or trade your personal data to any third party.
9. International Data Transfers
Certain processors listed above are established in, or may transfer personal data to, the United States. We ensure that all such transfers are subject to appropriate safeguards as required under Chapter V GDPR:
- EU–U.S. Data Privacy Framework (DPF): Where the receiving entity is certified under the EU–U.S. Data Privacy Framework (adequacy decision of 10 July 2023, C(2023) 4745), transfers are made on that basis.
- Standard Contractual Clauses (SCCs): Where DPF certification does not apply, we rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the transfer mechanism.
The specific safeguard applicable to each processor is as follows:
- Stripe — DPF-certified; supplemented by SCCs.
- Google (Analytics) — DPF-certified; supplemented by SCCs.
- Meta (Conversions API) — DPF-certified; supplemented by SCCs.
- Vercel — SCCs in place.
- DigitalOcean — SCCs in place.
You may request a copy of the relevant safeguards by contacting us at info@compliceteam.com.
10. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
- Account data — retained for as long as your account is active. You may request deletion at any time.
- Order and transaction data — retained for up to 5 years after your last transaction to comply with Greek tax and accounting retention obligations.
- Analytics data — Google Analytics data is retained for 14 months, after which it is automatically deleted by Google.
- Cookie consent records — retained for 12 months, after which we will request your preferences again.
- Marketing data — your email is removed from our marketing processes promptly upon withdrawal of consent.
- Newsletter subscription data — retained for as long as your subscription is active. You may unsubscribe at any time via the link in our emails or by contacting us, after which your email will be promptly removed from our marketing list.
- Meta Conversions API data — event data transmitted to Meta is retained by Meta in accordance with its own data retention policies. Upon withdrawal of consent, no further data is transmitted.
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised.
11. Your Rights Under the GDPR
As a data subject, you have the following rights under the GDPR. These rights are not absolute and may be subject to legal limitations:
- Right of access (Article 15) — obtain confirmation of whether we process your personal data and request a copy thereof.
- Right to rectification (Article 16) — request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17) — request deletion of your personal data, subject to applicable legal retention obligations.
- Right to restriction of processing (Article 18) — request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability (Article 20) — receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller.
- Right to object (Article 21) — object to processing based on legitimate interest or for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing without delay.
- Right to withdraw consent (Article 7(3)) — withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Right not to be subject to automated decision-making (Article 22) — we do not carry out automated decision-making as described in Section 5 above.
To exercise any of these rights, contact us at info@compliceteam.com. We will respond within one month of receipt of your request, in accordance with Article 12(3) GDPR. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.
You have the right to lodge a complaint with the Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα):
- Website: www.dpa.gr
- Address: Kifisias 1-3, 115 23 Athens, Greece
- Telephone: +30 210 6475600
- Email: contact@dpa.gr
12. Data Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures include:
- Encryption in transit — all data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
- Secure password hashing — user passwords are stored using industry-standard cryptographic hashing algorithms. We never store or have access to plain-text passwords.
- Payment data isolation — payment card data is handled exclusively by Stripe (PCI DSS Level 1 certified). We never process, store, or have access to card numbers.
- Role-based access control — access to personal data is restricted to authorised personnel on a need-to-know basis.
- Two-factor authentication (2FA) — enabled on all administrative systems and accounts with access to personal data.
- Access logging — access to systems containing personal data is logged and monitored.
- Regular security reviews — periodic review of infrastructure, dependencies, and application code.
13. Children's Privacy
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are under 16, you may only use our Site with the verifiable consent and supervision of a parent or legal guardian. If we become aware that we have collected personal data from a child without appropriate parental consent, we will delete such data without undue delay.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or regulatory guidance. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or via a notice on the Site.
15. Contact
For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data, you may contact us at:
- Email: info@compliceteam.com
- Website: compliceteam.com/contact
- Address: Καποδιστρίου 10, Αιγάλεω, 12241, Athens, Greece