Privacy Policy
Privacy Policy
1. Introduction
Amerelia Ltd (“we”, “us”, “our”) is committed to protecting your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Cyprus Law on Protection of Individuals with regard to the Processing of Personal Data (Law 125(I)/2018), and all applicable EU and Cyprus data protection legislation.
This Privacy Policy explains what personal data we collect, why we collect it, the legal basis for processing, who we share it with, and your rights as a data subject.
2. Data We Collect
We collect the following categories of personal data:
2.1 Data You Provide Directly
- Full name
- Email address
- Phone number
- ACS Courier pickup point selection
- Order and transaction details
2.2 Data Collected Automatically
- IP address
- Browser type and version
- Device type and operating system
- Pages visited, time spent, and browsing behaviour (after consent)
- Cookie identifiers and session data
2.3 Data from Third-Party Tools (After Consent)
- Behavioural and analytics data collected via Google Analytics, Meta Pixel, Microsoft Clarity, and HubSpot — only when you have given explicit cookie consent.
We do not collect or process special categories of data (e.g. health data, biometric data, or data about minors under 16).
3. How & Why We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Processing and fulfilling your order | Name, email, phone, pickup point, order details | Contract performance (Art. 6(1)(b) GDPR) |
| Sending order confirmation and updates | Email, order details | Contract performance (Art. 6(1)(b) GDPR) |
| Processing payments via JCC | Name, email, transaction data | Contract performance (Art. 6(1)(b) GDPR) |
| Coordinating delivery with ACS Courier | Name, phone, pickup point | Contract performance (Art. 6(1)(b) GDPR) |
| Responding to customer queries and complaints | Name, email, order details | Legitimate interest (Art. 6(1)(f) GDPR) |
| Legal, accounting, and VAT obligations | Name, transaction data | Legal obligation (Art. 6(1)(c) GDPR) |
| Website analytics and performance | IP, device, behaviour data (anonymised) | Consent (Art. 6(1)(a) GDPR) |
| Marketing and retargeting | Email, behavioural data, device identifiers | Consent (Art. 6(1)(a) GDPR) |
| Fraud prevention and security | IP, device, transaction patterns | Legitimate interest (Art. 6(1)(f) GDPR) |
4. Legal Basis for Processing
We process your personal data on the following legal bases as defined in Article 6 of the GDPR:
- Contract (Art. 6(1)(b)): Processing necessary to fulfil your purchase order and deliver your goods.
- Legal Obligation (Art. 6(1)(c)): Processing required to comply with Cyprus VAT law, accounting obligations, and consumer protection regulations.
- Legitimate Interest (Art. 6(1)(f)): Processing for fraud prevention, customer service, and internal analytics, where these interests are not overridden by your rights.
- Consent (Art. 6(1)(a)): For marketing communications and all non-essential cookies/tracking tools. Consent is obtained via our cookie banner and is freely given, specific, and withdrawable at any time.
5. Payment Processing
All payments are securely processed by JCC Payment Systems Ltd, an authorised payment service provider in Cyprus. We do not store, access, or transmit your card details. JCC acts as an independent data controller for payment processing purposes. For more information, see JCC’s privacy policy at www.jcc.com.cy.
6. Cookies & Tracking Technologies
We use cookies and tracking technologies on our website. These are only activated after you have given explicit consent via our cookie consent banner (powered by Complianz). For full details on what cookies we use and how to manage your preferences, see our Cookie Policy.
Tracking tools we use (after consent):
- Google Analytics – website traffic and performance analytics (Statistics category)
- Meta Pixel (Facebook) – advertising and conversion tracking (Marketing category)
- Microsoft Clarity – session recording and heatmaps (Statistics category)
- HubSpot – CRM and marketing automation (Marketing category)
7. Data Sharing & Third Parties
We do not sell your personal data. We may share it with the following third parties only to the extent necessary:
| Third Party | Purpose | Location |
|---|---|---|
| JCC Payment Systems | Secure payment processing | Cyprus (EU) |
| ACS Courier | Order delivery and pickup coordination | Cyprus (EU) |
| Google LLC | Analytics (Google Analytics) – consent-based | USA (SCCs apply) |
| Meta Platforms Inc. | Advertising pixel – consent-based | USA (SCCs apply) |
| Microsoft Corporation | Clarity session recording – consent-based | USA (SCCs apply) |
| HubSpot Inc. | CRM and marketing – consent-based | USA (SCCs apply) |
| Hosting/IT providers | Website infrastructure | EU / EEA |
We require all third parties to respect your personal data and process it only in accordance with applicable data protection law.
8. International Data Transfers
Some of our third-party service providers (Google, Meta, Microsoft, HubSpot) are based in the United States. When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission; and/or
- Other legally approved transfer mechanisms.
By using our website and consenting to analytics or marketing cookies, you acknowledge that your data may be transferred to these countries under the safeguards described above.
9. Data Retention
We retain personal data only as long as necessary for the purpose it was collected. Our specific retention periods are:
| Data Type | Retention Period | Reason |
|---|---|---|
| Order and transaction records | 7 years | Cyprus VAT and accounting obligations |
| Customer account / profile data | 3 years from last activity | Legitimate interest (customer service) |
| Marketing consent and communications | Until consent is withdrawn | Consent-based |
| Analytics data (Google Analytics) | Up to 26 months | Standard GA4 retention |
| Session recordings (Clarity) | 30 days | Standard Clarity policy |
| Cookie consent logs | 1 year | GDPR accountability (Art. 5(2)) |
| Customer service correspondence | 3 years | Dispute resolution / legal defence |
After the applicable retention period, data is securely deleted or anonymised.
10. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure / “right to be forgotten” (Art. 17): Request deletion of your data, where no legal obligation requires us to retain it.
- Right to restriction of processing (Art. 18): Request that we limit how we use your data while a dispute is resolved.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another controller.
- Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes at any time.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right not to be subject to automated decision-making (Art. 22): We do not use automated individual decision-making or profiling that produces legal or similarly significant effects.
To exercise any of these rights, contact us at support@amerelialtd.com. We will respond within 30 days of receiving your request. We may ask you to verify your identity before processing your request.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- SSL/TLS encryption for data in transit
- Restricted access to personal data (need-to-know basis)
- Secure payment processing via PCI-DSS-compliant JCC systems
- Regular review of our data handling practices
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, inform affected individuals without undue delay.
12. Supervisory Authority
If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the Cyprus Commissioner for Personal Data Protection (CPDP):
- Website: www.dataprotection.gov.cy
- Address: 1 Iasonos Street, 1082 Nicosia, Cyprus
- Email: commissioner@dataprotection.gov.cy
- Phone: +357 22 818 456
You may also lodge a complaint with the supervisory authority of your EU country of residence or place of work.
13. Policy Updates
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of significant changes by posting the updated policy on this page with a new “Last updated” date. For material changes, we will notify you by email where practicable.
14. Contact Us
For any questions, data subject requests, or concerns about this Privacy Policy:
- Email: support@amerelialtd.com
- Phone: +357 96 332814
- Address: Amerelia Ltd, [Insert registered address], Cyprus
We aim to respond to all inquiries within 30 days.
This Privacy Policy was last updated on [Insert date]. It supersedes all previous versions.
