Privacy Policy
01. OBJECTIVE
The company under the name, “CAI PHARMACEUTICALS PRIVATE CAPITAL COMPANY”, (hereinafter referred to as the “PCC”), headquartered in Athens, 10 Merlin Street, is committed to protecting the privacy of visitors to its website and takes its obligation to safeguard their personal data seriously. We will be transparent and honest about the data we collect and the purposes for which we collect it.
This policy includes and refers to the following:
- Your personal data that we collect and process due to your relationship with us as a visitor and through the use of the website, as well as a potential customer of our online store (e-shop).
- Where we obtain the data from
- What we do with the data
- How we store the data
- To whom we transfer/disclose the data
- How we address your data protection rights
- How we comply with data protection regulations
All personal data is collected and processed in accordance with the personal data protection legislation of Greece and the European Union.
02. PERSONAL DATA WE COLLECT
Personal data refers to any information related to you that allows us to identify you, such as your name, contact details, payment information, and information related to your access to our website and electronic correspondence.
We may collect personal data from you when you contact us via the form available on the company’s website, when you participate in a competition or survey, or when you visit our online store (e-shop).
Specifically, we may collect the following categories of information:
a. Name, home and work address, email address, phone number, identification or passport details, credit/debit card information, or other payment details,
b. Information during the use of the website,
c. Communications exchanged with us or directed to us through letters, emails, chat, calls, and social networks,
d. Location, including the real-time geographical location of your computer or device via GPS, Bluetooth, and IP address, as well as Wi-Fi hotspot and cell tower locations, provided by users when you use location-based features and enable location services settings on your device and computer.
03. PURPOSES OF PROCESSING PERSONAL DATA - RETENTION
We process your personal data only when we have a legal basis to do so. The legal basis depends on the reasons for which we have collected and need to use your personal data.
Your data may be used for the following purposes:
a. Provision of requested products and services: We use your data to provide the services you request in connection with the products or services offered through our website.
b. Verification/Checking of credit cards or other payment methods: We use your payment information for accounting, billing, and verification purposes, as well as to detect or prevent any fraud incidents. The relevant data is automatically transferred to the secure banking environment and is protected by the respective Bank.
c. Administrative or legal purposes: We use your data for statistical and marketing analysis purposes, customer studies, or to handle a claim or dispute. Please note that we reserve the right to profile based on the data collected from you. Any profiling activities will be conducted without your prior consent only if all reasonable efforts have been made to ensure the accuracy of the data used. By providing any personal data, you explicitly consent to the possibility of profiling in accordance with this Privacy Policy.
d. Marketing: From time to time, we may contact you electronically to provide you with information about our offers and products. You will have the option to receive or not such communications depending on whether you subscribe to our newsletter. Furthermore, in each electronic communication, you will have the opportunity to indicate that you no longer wish to receive direct marketing material.
In most cases, we need to process your personal data to fulfill your order for our products or to contact you for promotional purposes.
Additionally, we may process your personal data for the following reasons:
- To comply with a legal obligation (e.g., for tax and accounting purposes).
- Because you have given us your consent to use your personal data.
Only individuals aged 15 years and above can provide their own consent. For children below this age, parental or legal guardian consent is required.
We do not retain your data for longer than is necessary to fulfill the purpose for which it is processed. To determine the appropriate retention period, we consider the quantity, nature, and sensitivity of personal data, the purposes for which we process it, and whether we can achieve those purposes through other means.
We also take into account the time periods for which we may need to retain personal data to fulfill legal obligations, respond to complaints/queries, and protect our legal rights in case of a claim.
This period is defined as ten (10) years for data collected in relation to the process and execution of orders in our online store (e-shop).
Additionally, we will retain your personal data for the promotion of our products unless you decide to request its deletion.
When we no longer need your personal data, we delete or destroy it securely. We also consider whether and how we can minimize the personal data we use over time and whether we can retain it anonymously so that it can no longer be associated with or identify you. In such cases, we may use it without further notice.
04. PERSONAL DATA SECURITY
We follow strict security procedures when storing and disclosing your personal data, as well as to protect it from accidental loss, destruction, or damage. The data you provide us is safeguarded in accordance with our company's security policy.
We may disclose your data to trusted third parties for the purposes outlined in this Privacy Policy. We require all third parties to have appropriate technical and operational security measures in place to protect your personal data in compliance with Greek and EU data protection legislation.
05. SHARING OF PERSONAL DATA
We may share your personal data with the following third parties for the purposes outlined in this Privacy Policy:
a. Trusted service providers we work with to conduct our business operations, such as providers managing our website services.
b. Banks to which credit and debit card details are transmitted to facilitate your payments to us and to monitor fraud incidents. These banks may require information about your payment method to process transactions or ensure the security of your payment.
c. Legal and other professional advisors, courts, and law enforcement agencies in all countries where we operate, to enforce our legal rights arising from our agreement with you.
d. Social networks: Through our website and application, or prior to visiting our website and application, you may access third-party social networks. When registered with your social media account, we will receive the personal data you choose to share with us through these social networks in accordance with their privacy settings, to enhance and personalize your experience on our website or application. We may use social media links on our website or application. This will result in your data being shared with your social media provider and potentially displayed on your social media profile and accessible to others in your network. Please refer to the privacy statement of these third-party social media providers to learn more about their practices.
We understand the importance of taking additional precautions to protect children's privacy and security. Therefore, children under the age of 15 will not be allowed to place any orders from our online store.
When the processing of personal data is based on your consent, you have the option to withdraw your consent for processing or request the deletion of your personal data at any time. You can do this by submitting a request through our website or via email services (see the section RIGHTS REGARDING PERSONAL DATA PROTECTION below).
06. RIGHTS RELATED TO PERSONAL DATA PROTECTION
Under certain circumstances and by law, you have the right to:
- Be informed whether we hold your personal data and, if so, what data we hold and why we hold/use it.
- Request access to your personal data (commonly referred to as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and check that we are processing it lawfully.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below). You can delete such personal data when its use is based on your consent.
- Object to the processing of your personal data where we rely on a legitimate interest (or those of a third party), and there is something about your situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Object to automated decision-making, including profiling, that should not be subject to automated decision-making using your personal data or profile.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data, for example, if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to you or another party (commonly known as the right to "data portability") in a structured electronic format. This enables you to receive your data from us in a format that is electronically usable and to transfer your data to another party in such a format.
- Withdraw consent. In the limited circumstances where you may have provided your consent to the collection, processing, and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will cease processing your information for the purpose(s) you originally agreed to unless we have another legal basis to do so lawfully.
If you wish to exercise any of these rights, we have developed an online form to make exercising your rights simple and effective - click here.
We have also added new tools to your account, giving you the ability to directly change the personal data you have provided there.
This policy should help you better understand how we use your personal information. It explains in detail the types of personal information we collect, how we use it, and to whom we may disclose it. If you have further questions about this policy or how we handle your personal data, which are not answered here or through our online form, please contact us at info@cai.gr.
Please note that requests for data access, deletion, etc., are reviewed through the form mentioned above (click here). Such requests cannot be processed via email due to their volume and the need to verify your identity before we can act on your request. This is another critical security measure to ensure personal data is not disclosed to anyone who does not have the right to receive it.
You will not need to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your access request is clearly unfounded or excessive. Alternatively, we may refuse to comply with your request in such cases.
Furthermore, to the extent you have this right, you are entitled to file a complaint directly with the relevant supervisory authority (Hellenic Data Protection Authority, dpa.gr).
07. CHANGES TO THE PRIVACY POLICY
The Privacy Policy may change from time to time, and any updates to the privacy statement will be communicated to you via a notification on our website.
VIDEO SURVEILLANCE POLICY
Video Surveillance System Operation Policy
1. Purpose and Scope of Application
1.1. This policy describes the terms for the installation and operation of the company’s video surveillance system (CCTV) of “CAI PHARMACEUTICALS PRIVATE COMPANY”, located in Athens, 10 Merlin Street.
It also defines the security measures adopted to protect the personal data of individuals captured by the cameras.
For transparency purposes, this policy is available at the company’s premises.
1.2. The installation of video surveillance systems in the company’s facilities allows for the recording and/or transmission of images to display monitors and mobile devices.
1.3. The purpose of the system is to ensure the safety and protection of the company’s personnel, clients, visitors, vehicles, and other assets.
2. Data Controller Obligations
2.1. As the data controller, the company assumes all obligations arising from the GDPR 2016/679, Law 4624/2019, and the Guidelines of the Hellenic Data Protection Authority (HDPA).
2.2. Specifically, the company ensures compliance with the rights of data subjects regarding information (display of an information sign referring to the relevant law, contact details of the controller, and publication of this policy), access, and the right to object. It also ensures confidentiality and security in data processing.
3. Video Surveillance System Operation Policy
3.1. The company’s CCTV system has been installed in accordance with the principle of proportionality for the security of facilities, employees, clients, suppliers, and visitors, and for the protection of individuals and property against criminal acts. After conducting a Data Protection Impact Assessment, the company concluded that the existing CCTV system is essential for achieving the desired level of security and protection, which cannot be ensured through milder means.
3.2. To enhance privacy protection, the company ensures that the CCTV system does not capture or process (e.g., by targeted focus, indexing, or analysis of special characteristics) images revealing “special categories of data”. Cameras are generally fixed and installed in external areas.
4. Monitored Areas – Video Surveillance Data
4.1. The video surveillance and recording system includes:
• One 8-channel recorder without remote control (Dahua XVR5108C-X)
• One hard drive
• One outdoor infrared camera for night vision and two indoor night-vision cameras without zoom capability on faces
• Dahua HAC-HDW1200EM dome-type fixed-lens (2.8mm) cameras for indoor and outdoor use
The cameras operate twenty-four (24) hours a day, seven (7) days a week.
The recorded material is securely stored for a maximum period of fifteen (15) days.
The CCTV system records movement within the monitored area, along with date and time. Live camera footage is available in real time on the mobile phone of the company’s legal representative.
4.2. Cameras were installed by a qualified technician in appropriate positions to ensure that monitoring is limited strictly to areas necessary for the intended purposes. No cameras are directed at public roads or sidewalks, and no footage is captured from public spaces or neighboring buildings.
4.3. Operation of the cameras during and outside business hours enhances the protection of visitors’ and company assets (e.g., prevention and documentation of criminal acts such as theft, vandalism, assault, or timely detection of malicious actions, flooding, or fire before escalation), especially during the night, holidays, and periods when the premises are closed to the public.
5. Data Retention Period
The recorded material is securely stored for a maximum period of fifteen (15) days. Afterwards, data is automatically deleted, except in specific cases (criminal acts, security breaches, or requests by law enforcement or judicial authorities). In the event of an incident related to security, the relevant footage may be retained beyond fifteen (15) days in accordance with the HDPA Guidelines for the purpose of investigating the incident and initiating legal proceedings to safeguard the company’s legitimate interests.
6. Protection of Video Surveillance Data
6.1. The CCTV equipment is installed in restricted and access-controlled areas, connected to a secure sub-network protected from unauthorized access through password authentication. Access to the CCTV system and the personal data it collects, including live and recorded footage, is granted solely to the company’s legal representative.
6.2. Apart from the authorized representative with access to the system’s data due to their role, the data is not shared or transmitted to third parties unless consent is provided by the individuals depicted in the footage. Exceptions include:
(a) Disclosure to competent judicial, prosecutorial, or police authorities when the footage contains information necessary for the investigation of a criminal act affecting persons or property of the data controller;
(b) Disclosure to competent authorities upon lawful request in the exercise of their duties;
(c) Disclosure to the victim or perpetrator of a criminal act when the footage may serve as evidence of the act.
7. Authorized Personnel – External Processors
The technical maintenance of the CCTV system is carried out by an external, specialized technician who has access to personal data only via visual contact through the webcam monitor and not to the system’s hard drive.
8. Data Subject Rights
8.1. As a data subject, any individual has the right to access the footage concerning them. They may also request a copy of the relevant video material by submitting a written request to the company, in accordance with the procedure described below in section 8.2.
8.2. Data subject rights are reviewed and addressed by the company in compliance with applicable legislation. If an individual believes that their data protection rights have been violated by the company, they may contact the company’s legal representative, and if not satisfied, they may lodge a complaint with the Hellenic Data Protection Authority (HDPA) (see http://www.dpa.gr).
9. Policy Review
The company intends to periodically review this policy to reflect any changes in its policies and practices.
10. Availability
This policy is readily available at the company’s premises.
DATE OF LAST UPDATE: 30-10-2025
