Privacy Policy

At T.M.A. SPECIAL LIGHT LIMITED which trades under the name “EPIPEDO ARTS & DESIGNS”, we care about the privacy and security of your personal information and we take measures to ensure that your personal information is properly handled while in our possession and while in the possession of others to whom we may disclose it, under the terms and for the purposes explained in this Privacy Policy.
This Policy explains when and why we collect personal information about visitors to our website, namely, and our Facebook Page and about natural persons in general, i.e., offline at our store or through the phone, how we use it, the conditions under which we may disclose it to others and how we keep it secure.
We may change this Policy from time to time. When we do so, we will notify you about the change, for example, by displaying a relevant notice about the fact of the change on our homepage inviting you to visit this page and ensure that you are happy with any change. Importantly, by using our website, you agree to this Policy as amended from time to time to the extent relating to information we collect about you in your capacity as a user of our website. As far as information about you we collect in the context of conducting our business in general, whether you have used our website or not, you are welcome to contact us in case you are not happy with any change to our Privacy Policy. Our full details are stated below in this Privacy Policy.

This Privacy Policy is valid as of 25th May 2018.

Last updated: 25th May 2018

You can contact our DPO as follows:

Dr. Christiana Markou, Markou & Co LLC,

Address: 2, Amfipoleos street, Marcou Tower, Office 201, 2025 Strovolos, Nicosia, Cyprus

Phone: 22377863

Fax: 22377860

E-mail: [email protected]

Who are we?
58 Stavrou Avenue Karyatides Building
2035 Nicosia
Tel: +(357) 22492310
Fax: +(357) 22492319
Email: [email protected]
Nature of business: We sell utilitarian decorative objects and decorative items for the home.

How do we collect information from you?
We obtain information about you when you use our website, for example, when you contact us about our products and services, if you register to receive information from us, if you submit a complaint, query or request to us.
We may also record information about you while you use our websites even if you do not do any of the above and simply browse through our website by clicking on links displayed therein. Such information is automatically recorded in the server logs of our websites and/or by cookies as explained in our Cookie Policy.
We also collect information about you offline or through other means of communication such as email or telephone, mainly, through our hard-copy forms, specifically, when you visit our shops or contact us requesting information about our products or services, when you submit an order, when you request or receive delivery of products purchased, when you pay us for your purchases or when you contact us submitting requests, queries or complaints to us.
We also collect information about you when you register to participate in our loyalty card scheme, while the said scheme is in operation thereby registering your purchases and when you participate in promotional contests or competitions organized by us.

What type of information is collected from you?

The personal information we collect may include your name, surname, identity card number, telephone number, address, email address, IP address, and information regarding what pages are accessed and when. We also collect any other information you provide to us by filling in and submitting web forms on our website or Facebook Page such as a query, order, rating, comment, request or complaint. If you have liked our Facebook Page, we collect your Facebook name as well as any likes or views you make on posts on our Facebook Page as well as anonymized statistics regarding how users engage with it as provided by Facebook.
We also collect all personal data you provide to us by filling in any of our written forms such as the new client or loyalty card scheme form, mainly consisting of your name, surname, identity card number, contact details and birth date. If you order products from us for an event, such as a wedding or christening, we also collect information about the event, such as the date, event type and venue. If you have registered with our loyalty card scheme, we also collect your purchases.
We have reviewed all our forms to ensure that we only collect and process information that is strictly necessary for the intended purpose specified or being apparent to you or is required by law, thereby avoiding excessive or unnecessary processing. We also do not collect any sensitive information about you, such as political opinions or health, because we do not need it for conducting our business or serving you.
We may also collect financial details relating to you such as your bank, bank account number or credit card details, when you pay us for your purchases. When you pay by credit card, your payment card details are not retained by us. They are collected by a third party payment service provider with whom we co-operate for this purpose. We believe that this provider is a data controller bound by all the requirements of the General Data Protection Regulation. For more on this third party provider, please see below in this Privacy Policy.

How is your information used?
We use your information lawfully in accordance with Article 6(a), i.e., for purposes you have consented to, Article 6(b), i.e., as necessary to conclude or perform a contract with you, Article 6(c), i.e., to comply with obligations imposed by law (such as tax legislation) and Article 6(f), i.e., as necessary for legitimate interests we pursue as a business.
We explain these immediately below to help you understand how exactly we use your information:
We use your information in order to respond to orders, proposals, requests or queries submitted by yourself or by another person acting on your behalf or in order to communicate with you.
More specifically, we may use your information to:
process orders or requests for information;
carry out our obligations arising from the contract entered into between you and us, such as to deliver purchased products and invoice you for products ordered;
notify you of key changes to our services (such as opening hours), products (such as the cessation of the marketing of a product) when relevant or our privacy policy;
send you communications which you have requested such as a reply to a query, a tender or quotation you have requested or invoices and receipts;
operate and administer our loyalty card scheme and our Facebook Page and organize promotional contests; and
ensure fraud prevention and protect other legitimate interests of our company, such as get anonymized statistics relating to the needs and behavior of our customers, reduce credit risk and receive payment for purchases made, contact you for the purpose of notifying you of any possible delay in the payment of your invoices or for collecting any outstanding amounts, only to the extent absolutely necessary for this purpose and provided that the necessary use of your information does not amount to a disproportionate interference with your privacy rights and interests.

We will not normally contact you for marketing purposes by post, email, phone or text message unless you have given your prior consent. You can change your marketing preferences and withdraw previously-given consent at any time by contacting us at the details stated at the beginning of this Privacy Policy.
In case we contact you for marketing purposes without previously securing explicit consent, it is because you are an existing customer of our company and we believe we have a legitimate interest in promoting our products or services to our existing customers in order to increase sales to the extent permitted by the law.
We will do so without intruding disproportionately on your privacy and we will provide you with a clear opportunity to object, in which case we will stop sending you marketing messages. For more on this right to object to the processing of personal data for direct marketing and in general, see below in this Privacy Policy.

Where and how long do we retain your information for?
Your information is stored in physical (hard copy) files and in computer servers situated in Cyprus. By way of exception, personal information in our corporate emails is stored by Google and CYTA in their own servers. Similarly, information recorded on our Facebook Page is stored by Facebook in its own servers and information recorded when you use our website is stored by the hosting company supporting our website in servers in Germany.
We, as a minimum, retain your information for as long as it is necessary for us to perform a contract we have with you or have your consent or administer the loyalty card scheme to which we are a member, if applicable or to comply with legal obligations to which we are subject, in particular, tax legislation. Other than that, we adhere to the maximum retention periods specified by the Data Protection Commissioner, if any.
When there are no specified maximum retention periods, we retain your data for 10 years, starting from the date of the termination or completion of the contractual or loyalty scheme relationship with you or from the end or settlement of any dispute arising between us, if applicable. This period covers the period specified by the statute of limitations, after the lapse of which no legal claims can successfully be raised against us and the period specified by tax legislation and/or our accountants and auditors’ advice.
We retain your information for a period of six months, in case we have collected your information in any of the ways described earlier in this Privacy Policy but we have never had a contract with you. The same applies to information we have collected as a result of yourself addressing a query or a comment to us through email or otherwise, when we have never had a contract with you.
We retain information we collect about you in your capacity as a mere visitor to our websites for two years.
After the lapse of the aforementioned periods of retention, we remove it from our systems by deleting it or we fully anonymize it so that you can no longer be identified from it. In this latter case, we do not delete all of the information but only those pieces of information such as your name, address, email address and any other information revealing that the said information belongs to you.
Should the Cyprus Data Protection Commissioner specify any maximum retention periods, shorter or longer than the above, we will adjust our Policy accordingly.
We would like to clarify that we may keep some of your information for longer than the aforementioned retention periods. This is when we have obtained your consent to or have a legitimate interest as explained above in collecting or using your information. In this case, we retain that information unless and until you decide to withdraw your consent or you object to its processing or you communicate to us a valid erasure request.

Who has access to your information?
We will never sell your information to third parties and we will not share it with third parties for marketing purposes.
We may pass your information to third party service providers. Such third parties may be technical service providers providing us with the software systems (or their maintenance) necessary to conduct administrative tasks inherent in the provision of our services to you or in the conducting of our business, or messengers and/or delivery companies we use to deliver ordered products to you as per your request. We only disclose to them the personal information that is absolutely necessary to deliver the service or perform the said task and we have a contract in place that requires them to keep your information secure and in accordance with the principles and rules of the General Data Protection Regulation and not to use it for their own direct marketing purposes or for any purposes other than to provide the service or complete the task as explained above.

We also pass your information as may be contained in our emails to Google and CYTA, which provide to us a relevant technical service of data processing for the said purposes. We have a contract in place that requires Google to keep your information secure and in accordance with the principles and rules of the General Data Protection Regulation. The same is true of CYTA.

Your information submitted or recorded by our Facebook Page is also passed to Facebook, which provides us with the service enabling us to make available and administer a Facebook Page. The said provider is a data controller in its own right and bound by all of the obligations of the GDPR. You can view its own privacy policy here

We may also pass your information to our lawyers and accountants/auditors to the extent necessary to defend or institute legal claims and to comply with legal obligations with regards to financial accounts and tax reasons respectively.

When you submit an order on our website or otherwise, pay by credit card, your payment is processed by a third party payment service provider, who specializes in the secure online processing of payment transactions, namely JCC PAYMENT SYSTEMS LTD. As this processing is not performed by us and we do not retain the relevant data, your rights, explained in the next section of this Policy, to the extent referring to payment card details or transactions should be exercised directly with the said payment service provider. In case you address a relevant request to us, we will take reasonable measures to meet the request to the extent possible. The said provider is, we believe, a data controller in its own right and bound by all of the obligations of the GDPR. You can view its own privacy policy here. We reserve the right to co-operate with other such payment service providers in addition or substitution to the aforementioned provider.
We may also transfer personal information to our banks when you pay us through a check. Banks are controllers of personal data themselves and are bound by all of the obligations of the General Data Protection Regulation.
We may transfer your personal information to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganization in which case we will take measures to ensure that all data protection principles and related rights as derived by the General Data Protection Regulation are fully complied with, prior, during and after the relevant transfer.
Finally, we may disclose your information to public and/or regulatory authorities, if disclosure is required by law or an order issued by a court of law.
Other than the above, the recipients of personal data will be the authorized members of our staff who are contractually bound by confidentiality and security obligations and have been informed and trained to handle your personal data in accordance with the rules and principles of the General Data Protection Regulation.

What are your rights?

You may at any time send us any of the following requests and we will meet them as early as possible and in any case, within a month from the date of receipt of your request and inform you about the action we have taken. If your request is for any reason complex to examine or meet, we will ask you for an extension before the aforementioned one-month period expires.
If we have legitimate reasons to refuse to satisfy your request, we will inform you accordingly and in this case, you have the right to submit a relevant complaint to the Cyprus data protection authority, namely, the Data Protection Commissioner, if you believe that our decision is unjustified.
These are the requests you can submit to us:
A request that we permanently delete all or some of your information from our records (right to be forgotten or to erasure), for example when we no longer have reasons to retain it.
A request for you to access your information that we keep in our records (right of access).
A request that we provide you with a copy of your information that exists in our records, in digital or hard copy form. If you require more than one copy, we may charge you a maximum of EUR10,00 per copy as administrative costs. (right to a copy)
A request that we update or correct your information that we keep in our records (right to rectification), for example, in case it is outdated or contains errors or inaccuracies.
A request that we provide you with information of yours we keep in our records in a structured, commonly used and machine-readable format or forward it in such form to another provider of your choice, if such forwarding or transfer is technically possible (right to portability). Please note that this right applies only in relation to data that you yourself have provided to us and which we process by electronic means.
A request that we stop doing anything with your information without however deleting it from our records (right to restriction of processing). In this case, we will restrict access to your data.
A request that we stop processing your information for direct marketing purposes or on the basis of legitimate interests pursued by our company as explained under the second question of this Privacy Policy or in the name of the public interest (right to object). In the case of direct marketing, we will stop processing your information. In the rest of the cases, we will do the same unless we have compelling reasons to refuse to do so.
If you wish to exercise any of the above rights you will be able to do so by contacting us at any of the contact details stated above in this Privacy Policy, preferably by email specifying the type of right you seek to exercise.
Please note that before acting upon any of your above requests, we may require you to prove your identity, if we are in doubt about your true or correct identity. If we cannot identify you, i.e., we do not hold personal data belonging to the person you are saying you are, we will inform you accordingly and we will not act upon your request.

What security measures do we apply to protect your information?

When you give us personal information, we take organizational and technical measures to keep it secure and protected against unauthorized disclosure, alteration, accidental loss or other violation. We list herein below some of the technical and organizational measures we apply:

We take reasonable endeavors to avoid a situation whereby files or documents containing personal data are allowed on open view without reason. All such documents/files are securely kept in file cabinets to which access is limited to authorized personnel of our company.
We input in our software minimum personal data that does not contain sensitive data and we apply a strict permission policy according to which our personnel have access only to such parts of our software or systems as strictly necessary to perform their work tasks and duties. We have specified all relevant roles and permissions in a written security policy and we follow procedures through which access is interrupted or blocked should the need arise, such as when a personnel member leaves our company.
We follow an effective procedure of data destruction ensuring that all documents no longer necessary are effectively destroyed.
We do not engage in an excessive or unnecessary use of the function of email copying (cc).
Our personnel save all documents and work directly on the servers, thereby ensuring that no personal data remains on the disks of our computers.
Access to the computer terminals of our company is protected by a strong-security password known only by the member of our personnel to whom a given working station is assigned. An automated locking system is applied to our computer terminals.
Access to the data processing system of our company and to corporate email is password-protected; all passwords are kept securely and are updated periodically.
We apply effective anti-virus and firewall software and we engage in systematic updates of the said security software.
We ensure that back-up copies of all of the data we store and process are effected daily and stored in a secure environment at a location different from where the primary data exists and in encrypted form.
The support service of our data processing software is offered on site under supervision or remotely through secure VPN.
Access to the Internet through our computers has been limited so that the possibility of access to unsecure or illegal websites presenting a risk to the security of our systems is reduced.
Access to our data processing software is possible through secure VPN with systematically updated passwords.
Remote access to corporate email through personal devices of our personnel is possible but is protected by a strong security password and we are notified every time a new device has gained access to email so that we can readily verify that it belongs to authorized personnel.
The possibility of using external data transfer and storage devices such as USBs and external disks has been disabled on the computers of our company.
We have a fire protection system in operation on our premises aiming at protecting the physical files with personal data we maintain.
We ensure that the servers supporting our systems and databases are not used as working stations and that access to them is restricted.
When you use the forms on our websites to submit personal data to us, your information is encrypted and protected through the use of 128 Bit encryption on SSL. This means that what you send and receive from the website is encrypted, which makes it difficult for anyone else to see, read or take possession of this data. You know that your information is encrypted when you see a lock icon appearing in the address bar of your web browser before the URL of the web page you are on.
We have trained our personnel with regards to how they should handle personal data in accordance with the requirements of the General Data Protection Regulation and we have signed contracts with the parties who process data together with us or on our behalf which oblige the said parties to keep your data private and secure and process it in accordance with the requirements of the General Data Protection Regulation.

Use of Cookies
Please click here to read our Cookies Policy.

Transferring your information outside the European Union
We do not transfer your information outside the European Union except to the extent that we use third party services such as Google services which may use servers situated outside the EU. The data protection laws of such countries are not the same as those applying in the EU; however, when this is a country in relation to which there is not a European Commission decision on the sufficiency of its legal data protection regime as per Article 45 of the Regulation, we ensure that your personal data will be given analogous and/or appropriate respect and protection, specifically by signing with parties based outside the EU relevant data sharing agreements using standard contractual clauses approved by the European Commission, in accordance with Article 46 of the Regulation. This is in case we ever have to transfer, as strictly necessary, your information to a country that is not a Member State of the EU.