Privacy Policy
Privacy Notice for Personally Identifiable Information of Colors Studio
Colors Studio (referred to as "we", "us", "Colors Studio" or "Company") is committed to protecting your privacy and processing your personally identifiable information (referred to as "personal data" or "personal information") with transparency. The personal data we collect and process depends on the purpose of your visit.
This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data, and keep it safe as well as explaining your privacy rights and how the law protects you.
We know that there’s a lot of information here, but we want you to be fully informed about your rights, and how Colors Studio uses your data.
For the purposes of this notice, personal information is understood to be any information which is relevant to you, with which your identity is or can be identified and which includes, for example, your name, email address, physical address, IP address (only when we have collected it in conjunction with directly identifying information) or the information you submit in your private email.
Who are we?
Colors Studio is a Business Name company registered in the Republic of Cyprus, with registration number EE33973 and registered address Arch. Makariou III, 68A, Pera Chorio 2572, Nicosia, Cyprus. Nanogencyprus is the brand name of the online store that is owned and operated by Colors Studio.
Colors Studio is the controller and responsible for your personal data.
If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the Data Privacy Manager using the details set out below:
Email us at privacy at colorsstudio dot net
or write to us at Colors Studio Arch. Makariou III, 68A, Pera Chorio 2572, Nicosia, Cyprus.
When do we collect your personal information?
We use different methods to collect data from and about you including through:
- Direct Interactions:
  - When you create an account with us.
  - When you visit our websites, and use your account to buy products.
  - When you make an online purchase and check out as a guest (in which case we just collect transaction-based data).
  - When you purchase a product by phone but don’t have (or don’t use) an account.
  - When you contact us by any means with queries, complaints etc.
- Automated technologies or interactions:
As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, traffic logs and other similar technologies. Please see our cookies policy for further details.
Which personal information we process
We collect personal information of our current and prospective customers through our web site. Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Identity Data: Includes first name, last name, username or similar identifier, title.
Contact Data: Includes email address, billing address, delivery address and telephone numbers.
Transaction Data: Includes details about payments to and from you and other details of products you have purchased from us.
Technical Data: Includes IP address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
Your IP address is temporarily collected whenever you are accessing our site in our web server's logs. This information is used to ensure the security of our web site and to prevent abuse. IP address information is not directly identifiable information but if it's stored in conjunction with your user account ID it might be an indirect identifier.
Profile Data: Includes your username and password (encrypted), purchases or orders made by you.
Usage Data: Includes information about how you use our website.
Marketing and Communications Data: Includes your preferences in receiving marketing from us and your communication preferences.
Queries: Any identifiable information you provide when you contact us with queries and any other personally identifiable information you may volunteer. We use that information to provide you with support and, generally, to answer your questions and address your requests.
Contact form: Any information you volunteer by submitting a contact form through this web site's Contact Us page. We use this information to respond to your requests.
We also collect and use, but do not share, Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Personal Information of minors
We do not allow minors (persons under the age of 13) to use our site. Any accounts found in violation of this term will be terminated without a refund and all information pertaining to that user account will be erased.
How are we using your personal data?
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us, or using the unsubscribe link.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
Whether you are legally obliged to provide us your personal information
Providing your invoicing information is legally required in accordance with the European Union's VAT directive and its incorporation into local tax laws. It is unlawful for us to let you make a purchase without issuing an invoice which requires this information. Information not printed on the invoice (IP address, country based on your IP address) is also required.
Your IP address in the context of security and abuse prevention is specifically exempt from requiring your consent per the European Union's GDPR. We are legally required to ensure the security of your personal information through any appropriate technical means and that includes collecting your IP address in that context.
Why we process your personal information and what is the legal basis?
As we mentioned already, we process your personal information with transparency and as such we process your personal information per the GDPR and the local data protection laws for one of the following reasons:
Contractual obligations
When logging in we automatically process your personal data to protect you against unauthorized access to your account and ensure your account safety. We also display parts of your personal data to you for reasons of personalization of our site's pages and to make it clear who the currently logged-in user is.
When you ask for a username reminder or password reset we automatically process your personal data to provide the service requested.
When using our contact form we process your personal data to reply to your request. We also automatically process your personal data to send you automated email notifications about the handling of your request.
When you buy from us we automatically process your personal data to send you automated transactional emails, i.e. reminders about the status of your order.
To comply with a legal obligation
There are certain obligations in accordance with local and international laws, as well as Directives issued by the European Union. These legal obligations require the processing of your personal information. In other cases we may receive a court order or otherwise be legally obliged to process or convey your personal information to third parties.
When you are buying from us we automatically process your personal data to issue the legally required invoice and send you automated emails with the invoice and information about your purchase. The invoicing information is also sent to our Accountants and Auditors to comply with local tax regulations.
To protect our interests
We process your personal information to protect the legal interests of us and others. A legal interest exists when we have a business or commercial reason to use your information. Even then it must not be against what is fair to you and your best interests. Examples of such processing are as follows:
In case of suspected abuse or an attempt to compromise, deteriorate, disrupt or otherwise interfere with our services we may process personal data to identify the perpetrator and pursue redress. Such steps may for example (not an exhaustive list) include contacting the suspected offender or pursuing the matter legally.
On rare occasions we may send you a personal, manual email or we may call you to address a concern regarding your purchase e.g. if there is an unexpected problem with our stock or if we notice that there is a problem with your order.
In case of a serious security issue in our software where a public announcement is deemed inadequate we may send you an email informing you of the situation, the risks and what you can do.
Because you have given your consent
If you have explicitly provided your consent, the processing of your personally identifiable information draws its legality from your explicit consent. You have the right to withdraw your consent at any time. However, any processing which took place before your consent's withdrawal is not affected.
Who are the recipients of your personal information
While fulfilling our contractual or legal obligations your personally identifiable information may be conveyed to the partners, suppliers and couriers used by Colors Studio, which are obliged to uphold the confidentiality and protection of your personal information in accordance with the local data protection laws and the GDPR.
We sometimes share your personal data with trusted third parties, including:
- IT companies who support our website and other business systems.
- Operational companies such as delivery couriers. (e.g. ACS Courier, Airtrans, Cyprus Post Office)
- Direct marketing companies who help us manage our electronic communications with you (e.g. Mailchimp).
- Google to show you products that might interest you while you’re browsing the internet. This is based on either your marketing consent or your acceptance of cookies on our websites. See our Cookies Policy for details.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Here’s the policy we apply to those organizations to keep your data safe and protect your privacy:
- We provide only the information they need to perform their specific services.
- They may only use your data for the exact purposes we specify in our contract with them.
- We work closely with them to ensure that your privacy is respected and protected at all times.
- If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
The recipients of your personal information are as follows.
- THEMISTOCLEOUS Accounting & Tax Consulting Chalcanoros 26, 1st Floor, 2540 Dhali, Nicosia, CYPRUS. Accountants and auditors. They receive your invoicing information to fulfil our obligations towards the tax laws.
- PayPal (Europe) S.à r.l. et Cie, S.C.A. 5th Floor, 22-24 Boulevard Royal, Luxembourg, 2449, LUXEMBOURG. They process payment for us. Any personal data submitted to them is subject to their own privacy policy. We only convey personal data to them for pre-filling the payment form when you explicitly select them as a payment processor and click on the Pay Now button on our site.
- Google, Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Provides analytics for our site. Only anonymized information is sent to Google. Even as such, it's unclear whether they should be listed as a data processor. The only way to resolve ambiguity is to list them here but clearly state that to the best of our knowledge and technical ability we do not send any personally identifiable information to them.
Remittance of your personal data to a third party country or international Organization
We use the services of entities located outside the EU. Your data may be transferred to a third country.
All the Processors are obliged to comply and conform to the European Union's data protection norms and provide appropriate assurances regarding the remittance of your personal information according to Article 46 of the GDPR.
How we deal with your personal information for marketing purposes and whether we use profiling for such activities?
In general, we do not base our marketing activities on the personal information we have collected from our clients. We do not perform personalized marketing and we do not make use of profiling for marketing purposes.
If we want to make a marketing campaign which includes your personally identifiable information, e.g. send you a promotional email with your first and last name, we will seek your explicit consent. In this case you have the right to withdraw your consent at any time. Any processing taking place or marketing campaigns launched before your consent withdrawal shall not be affected.
How do we protect your personal data?
We know how much data security matters to all our customers. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We secure access to all transactional areas of our websites using ‘https’ technology.
Access to your personal data is password-protected, and sensitive data is secured by SSL encryption.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
How long do we keep your personal information?
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.
At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
We are legally required to retain your invoicing information, both as an off-line backup and in the custody of our auditors, for a period of up to ten (10) years after your purchase.
Other logs which may contain personal information such as server access logs and security logs are kept for up to fourteen (14) months.
We may retain your personal information longer than that for regulatory, technical or legal reasons.
Your data protection rights
You have the following rights with regards to the personally identifiable information we keep on file for you:
Right of access: Access your personal information. This lets you for example get a copy of the personal data we keep on file for you and confirm that we are processing it legally. You can request a copy of your data through the Personal Data menu item on our site after logging into our site.
Right of rectification: Request the correction of the personal information we keep on you. This allows you to correct incomplete or inaccurate information we keep on file for you. This can be done from the My Account menu item on our site after logging into our site. Please note that correcting your invoicing information is only possible when making a purchase and the correction is applied to newly issued invoices only. This is a legal requirement.
Right to be forgotten: Ask for the deletion of your personal information. This lets you request that we delete your personal information when there is no real reason for us to process it. Kindly note that this is impossible for 60 days since your last purchase for taxation reporting reasons.
Right to objection: Object to processing your personal information when we base our processing on protecting our interests but there is something special in your situation which makes you want to object to the processing for this reason. If you object we will no longer process your personal information unless we can prove pressing legal reasons for the processing which trump your interests, rights and freedoms. Please note that this is largely inapplicable to our business relationship since our processing is done either on a legal basis, your explicit consent or is exempt from the GDPR protections (e.g. keeping an IP log for security reasons).
You have the right to object in cases where we process your personal information for reasons of direct marketing. This also includes profiling, to the extent that this is used for direct marketing.
Right to restrict processing: Ask for the limitation of the processing of your personal information. This allows you to ask us to limit the processing of your personal information, that is to use it only for specific cases, if:
- they are inaccurate;
- they have been used illegally but you do not wish us to delete them;
- they are no longer necessary but you want us to retain them for their use in potential legal demands;
- you have asked us to stop using your personal information but you are waiting for us to confirm if we have legal reasons to use them.
Right to data portability: Ask for a copy of the personal information pertaining to you in a structured, commonly used and machine readable format, to convey this information to other organizations. You may also request that we directly convey that file to another organization of your choice.
Withdraw your consent regarding the processing of your personal information at any time. Please note that withdrawal of your consent at any time does not invalidate the legality of the processing based on your consent before that was revoked or withdrawn by you.
To exercise any of your rights we kindly ask you to use the tools offered on our site after logging in. Alternatively, or if you have questions about the use of your personal information by us, you can contact us through the Contact Form and use the appropriate contact category. Or you can contact our Data Protection Officer directly as explained earlier in this document.
According to the law, we will reply to your requests promptly and within 30 business days. If you have not received a reply from us for over three weeks (21 days) please retry contacting us by alternate means; most likely your request never reached us. Kindly note that we reserve the right to direct you to our site's tools and / or this Privacy Notice if your concern is readily addressed by it. Per the law, we reserve the right to not reply to your requests if they are too frequent or are otherwise in abuse of the provisions of the law.
Right to file a complaint: If you have exercised some or all of your rights to data protection and you still feel that your concerns about the way we use your personal data have not been addressed satisfactorily by us, you have the right to file a complaint by filling in the Contact Us form on our site. You also have the right to file a complaint with the Office of the Personal Data Protection Commissioner. On the relevant website you will find information on how to file complaints.
Changes in this Privacy Notice
We may periodically modify or amend this privacy statement.
We recommend that you re-examine this statement periodically so that you are always updated on the way we process and protect your personal information.
Cookies Policy
Our site uses small text files, known as Cookies, to enhance your experience and work better.
To learn more about the use of cookies on our site please consult our Cookies Policy. Links to this policy, our Cookies Policy and our Terms of Service can be found at the bottom of every page.