Privacy Policy

Last updated: 6 May 2025

2. What Data We Collect

Account data: When you register or log in, we collect your email address and any profile information you provide (e.g. name, delivery address). This is processed by our authentication and database provider on our behalf.

Order data: When you place an order, we collect billing and shipping information, and order details. Payment card data is handled exclusively by Stripe and is never stored on our servers.

Technical data: With your consent, our performance monitoring service collects anonymised metrics (e.g. page load times, Core Web Vitals) to help us improve the site. No personal identifiers are included in this data.

Communications: If you contact us by email, we retain that correspondence to respond to your enquiry.

3. Legal Basis for Processing

Contract performance (Art. 6(1)(b) GDPR): Processing your account and order data is necessary to fulfil your purchases and manage your account.

Consent (Art. 6(1)(a) GDPR): We process analytics data only after you give explicit consent via our cookie banner.

Legitimate interests (Art. 6(1)(f) GDPR): We may process data where necessary to protect the security and integrity of our service.

4. Third-Party Service Providers

Authentication & Database Provider

We use a third-party provider to manage user accounts and store order data. This provider processes data on servers within the EU/EEA under a data processing agreement with us.

Stripe (Payment Processing)

Payments are processed by Stripe, Inc. Stripe is PCI-DSS Level 1 certified. We share only the order amount and currency with Stripe; card details never pass through our systems. See Stripe's Privacy Policy.

Performance Monitoring Service

With your consent, we use a third-party performance monitoring service that collects anonymised Core Web Vitals data (e.g. page load speed) to help us improve the site. No personal data is transmitted.

5. Cookies

We use essential cookies for authentication and payment security (Stripe), and — with your consent — analytics cookies for performance monitoring. See our Cookie Policy for a full list.

6. Data Retention

Account and order data is retained for as long as your account is active and for up to 7 years afterwards to comply with tax and accounting obligations. You may request deletion at any time (subject to legal retention requirements) by contacting us at hello@ypheskincare.cy.

7. Your Rights

Under the GDPR (and equivalent legislation) you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request erasure of your data
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent at any time (without affecting prior processing)
  • Lodge a complaint with the Cyprus Commissioner for Personal Data Protection

To exercise any right, email us at hello@ypheskincare.cy. We will respond within 30 days.

8. International Transfers

Where data is transferred outside the EEA (for example by payment processors based in the US), appropriate safeguards are in place including Standard Contractual Clauses and/or adequacy decisions.

9. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of the site after changes constitutes acceptance of the revised policy.