Effective Date: 01/01/2024

Thank you for visiting the website https://yoursubstance.com (hereinafter the “website”) owned and managed by the company Xypno Technologies, which is located at 15a Valentina Court, Stratigou Gianni Timagia Street 15, Neapoli 3101, Limassol, Cyprus (hereinafter: “the Company” or “Substance”).

Before using our website, please read this Privacy Policy (hereinafter referred to as “the policy”) carefully. This privacy policy applies to all customers and users of the website in terms of the collection and use of personal data by the company and concerns only the personal data we collect and process through the website and not any data collected during the conclusion and performance of a contract between the Company and the data subject or under other circumstances.

1. HOW WE COLLECT PERSONAL DATA

1.1. Directly from you:  we collect personal data directly from you when you visit our website, when you request information, submit a request, or subscribe to our newsletter, or when ordering online.

1.2. By automated means through the use of the website:  when you visit the company website, we may collect data from you based on your browsing and use of our services. This data may include search history, IP address, screen resolution, browser used, operating system and settings, access times, and URL reference as well as data collected through cookies (See cookies policy).

From third parties:  If you connect to https://yoursubstance.com through a third-party service (e.g. Facebook), that third-party service may send us information such as your registration information and your profile from it the service. This information varies and is controlled This information varies and is controlled by that service or as authorized by you through your privacy settings on that service. Also to the extent permitted by applicable law, we may receive additional information about you, such as demographic or fraud detection information, from third-party service providers and/or partners and combine it with information we have about you.

2. WHAT PERSONAL DATA WE COLLECT

When you visit the website https://yoursubstance.com we collect the following personal data, which (data) will vary depending on the use performed by each visitor (contact form, newsletter, and others):

1. Name
2. Last name
3. Email address
4. Phone (mobile, landline)
5. Any information you provide in the text of the contact form
6. Browsing data such as IP address, screen resolution, browser you use, operating system and settings, access times and URLs, and data collected through (cookies).

3. USE OF COOKIES

Our Website uses cookies or similar technologies to ensure the best possible user experience and to analyze trends, administer the website, track users’ browsing of the website, and gather demographic information about our user base as a whole. For more information about the use of cookies, please also read our cookie policy.

4. PURPOSE OF PROCESSING

The purpose of data collection/processing is to provide information to all users, existing and future customers/partners about the company and the services offered, to communicate effectively with users and customers, to support, promote, and perform any contractual relationship with our customers and to protect the security of transactions. In particular, we use your data:

1. To access and use our website and the services we provide through our website
2. To respond to customer service requests.
3. To send you notifications and commercial communications,
4. To carry out marketing and promotional campaigns
   To be able to detect and prevent fraud, abuse, security incidents, and other harmful activities and to carry out security and risk assessments.
5. To enforce the website’s terms of use and other policies.
6. To ensure the company’s compliance with legal obligations
7. To improve our services and the user experience, in order to control, troubleshoot, and improve the functionality and quality of our online services and in general to optimize and adapt our online presence to your needs, making our website easier and more efficient to use.

5. LEGAL BASIS OF PROCESSING

The legal basis for processing the personal data collected in accordance with the above is:

1. the processing of personal data is necessary for the performance of the contract between you and Substance, specifically for the provision of the services and/or information requested.
2. the processing is necessary for the purposes of the legitimate interests pursued by vv or a third party. Substance will always balance your rights and interests in the protection of your personal data against the rights and interests of Substance or the third party.
3. processing is necessary to comply with a legal obligation to which Substance is subject (such as tax law or lawful law enforcement requests).
4. your consent, in order to process your personal data for the purposes of direct marketing, to provide personalized offers or any other case where consent is required under applicable law.

The Company also reserves the right to regularly inform the user, interested party or customer via telephone, mail, e-mail, mobile phone message (SMS) or any other convenient means of communication in their contact details, obtained legally, about the products and services in the context of their transactional relationship (Article 11§ 3 of Law 3471/2006) and as long as the subject does not object to this communication. This information may include information about the services, communication to conduct research to improve its services to customers as well as other promotional actions and serving similar purposes.

6. SOCIAL MEDIA SHARE BUTTON

SUBSTANCE has official social media accounts namely LinkedIn, Facebook, YouTube, and Instagram. On its website, the company integrates an additional social media (social media share button) of Facebook, YouTube, and Instagram, suggesting website visitors to follow the company in the respective media (Follow/like) as well as to make posts and comments. When transferring you to the respective social media, we may collect some of your data (such as your profile data on the respective media).

With regard to the processing of the above personal data, the Company, in accordance with the applicable European jurisprudence, has the role of joint Controller of your data together with the respective social media. In compliance with our obligations under EU and national law, the Company has posted the Personal Data Protection Policy in a prominent place on every social media, strictly adheres to the obligations regarding the protection of personal data by taking the appropriate technical and organizational measures (such as limiting who has access to media management), in order to ensure secure data processing (see below under ¶9)

The purpose of processing the specific data is to display and promote the image and services of the company, to provide updates or to communicate with you, responding to the messages/comments you send us.

The legal basis for the processing is your consent which you provide with your positive action and initiative to press the like or follow field on the Company’s social media. This consent can be revoked in the same way, i.e. by disliking or unfollowing.

We emphasize that the Company is not responsible for the way or the means by which each social network media processes your data and it is your responsibility to inform yourself about it based on the Privacy Policy of Facebook, YouTube, and Instagram.

Substance welcomes and encourages communication and feedback from users on its social media posts and/or pages. However, it informs users that any post or comment should respect the basic rules of politeness, decency, and respect for different viewpoints. Therefore, although the Company is neither obliged nor able to control the content submitted by users of these media, it will make efforts to ensure a safe online environment and will remove any content deemed to violate the terms of use of the website, such as content that is abusive, pornographic, threatening or that violates intellectual property rights, while it may exclude users who violate the above conditions. In any case, if you believe that content posted on an official Substance social media account violates the terms of use, please contact us immediately.

7. RECEIVERS OF PERSONAL DATA

Access to the data collected through the website may have, in the context necessary for the fulfillment of each of the above processing purposes and in the context of the responsibilities of each recipient:

1. The competent employees of the company in the exercise of their duties
2. public authorities, such as indicative tax authorities, judicial, public and independent authorities, and police authorities, if this is absolutely necessary for the defense of legal rights or the fulfillment of the Company’s obligations.
3. to the extent that this is appropriate for the fulfillment of our contractual obligations, to better serve you, and to satisfy your requests, they may be transmitted to providers cooperating with the Company, such as companies providing legal, consulting, and auditing services, IT companies, to transport companies, companies that provide internet services, or other services necessary for the operation of the website and the execution of the company’s services.

It should be noted that when accessing and/or processing the user’s personal data, the employees and employees of the Company fully comply with the provisions of the European General Regulation 2016/679 on Data Protection as well as with the applicable Greek legislation and jurisprudence regarding the privacy. The Company requires its employees, the maintainers of its website, as well as its third-party partners to take all necessary technical and organizational measures (including appropriate policies and procedures to prevent the disclosure of personal data of visitors/registered users- of its customers who process and dispose of and implement procedures for the management and processing of personal data in a manner that is lawful and protect it in accordance with the GDPR.

8. RETENTION PERIOD

We keep your personal data for as long as our business relationship lasts and in any case for a period not longer than five years from the termination or termination of the contract in any way. However, in case of judicial or administrative proceedings, the retention of your personal data is extended until the issuance of an irrevocable decision or the completion of the proceedings before the competent Administrative Authority/Court. Particularly:

a. in the case of providing a service for as long as is necessary for the completion of the service and for a period of five (5) from the completion of the specific service and at least for as long as is defined by the respective legal (tax or other) obligation including as well as for the defense of our rights before any competent Court or any other Authority.

b. in the event that you contact us or submit a request, your personal data is kept for as long as is required to serve you and for a period of ………. after the process is completed.

c. in case you subscribe to our newsletter, your personal data is kept for as long as you wish to receive the newsletter. You can inform us at any time that you no longer wish to receive the newsletter by sending a relevant e-mail to [email protected] and your data will be deleted.

We will also retain personal data:

• to the extent required by law (for example, in order to comply with tax laws);
• in order to comply with legal proceedings (any ongoing or future legal proceedings)
• to secure, exercise, or defend our legal rights, and the personal safety of its users and the public.

Nevertheless, some necessary personal data concerning your business relations with the company as well as the notification or legal consent (if this is required) for the processing of your data, may remain as information for the user-client to ensure the proof of legality of the processing of his data by the company and the safeguarding of the legal claims of the parties.

9. TECHNICAL AND ORGANIZATIONAL MEASURES

The company, its employees, affiliates, and agents undertake to implement appropriate technical and organizational measures to ensure, as much as possible, the most appropriate protection of personal data from accidental or unlawful destruction, loss, alteration, unlawful disclosure, or access in them and any illegal processing, as well as to ensure the possibility of restoring availability and access to them. These measures also serve to demonstrate that the processing is carried out in accordance with the GDPR, obviously, taking into account the nature, scope, context, and purposes of the processing, as well as risks of varying probability and severity to rights and freedoms of natural persons, applying the appropriate procedures for the regular control, assessment and evaluation of the effectiveness of the technical and organizational measures.

a) The strict technical security measures that are irrevocably observed are related to the management of the users of the information systems which is done centrally by the IT Manager and include the use of individual and demanding access codes, their regular change and renewal in case of employee movement. The security of communications is ensured by updated operating and anti-virus systems, server infrastructures (log & backup files), the regular export of Protection copies, and the constant vigilance of the technical and administrative staff.

b) The organizational Protection measures observed are related to the strictly distinct roles, work tasks, and data processing of the staff, in accordance with the organizational chart and the principle of accountability and transparency. The storage of all physical data in the company’s Archive is done centrally and managed exclusively by one person. All external collaborators-executors of the processing comply with the standards of the Legislation and are legally bound to respect the privacy of the subjects by the existing contracts.

c) Physical security measures include strictly controlled access to the workplace, the prohibition of transferring data in a physical or other form outside the company, the use of the minimum personal data necessary to carry out the work, stricter Protection measures, and limited access to sensitive data.

PRIVACY BY DESIGN: The Company adopts the principle of data protection by design and will ensure that the identification and design of all new or significantly changed systems that collect or process personal data will be subject to appropriate consideration of data protection issues of private life.

The use of techniques such as data minimization, pseudonymisation, anonymisation and encryption are taken into account where possible and appropriate.

10. YOUR RIGHTS

According to the GDPR (Articles 12-22) you have the following rights:

1. Request a copy of your personal data.
2. To withdraw your consent when this is the legal basis of the processing of your personal data.
3. Request that your personal data be corrected if it is inaccurate.
4. Request the deletion of the personal data you have provided, in accordance with the conditions defined by law.
5. Request the restriction of processing, under the conditions defined by law.
6. Request the portability of your personal data if you provide the data to us yourself and the processing is based on consent or performance of contract and the processing is carried out by automated means.
7. Object to some form of processing of your personal data by the company.

To exercise any of the above rights, you can contact us via e-mail: [email protected]

We will take all reasonable steps to comply with your request within a reasonable time, no later than one (1) month after the request is made and you are properly identified. This deadline may be extended by two additional months if necessary, taking into account the complexity and number of applications. Please note that strictly necessary data may be retained in order to protect the legitimate interests of the business.

Please note that depending on the circumstances and the request, we may not be permitted to provide you with access to personal data or otherwise fully comply with your request, for example, where providing your data may reveal someone else’s identity person. We reserve the right to charge an appropriate administrative fee to comply with your request, where permitted by applicable law, and/or to deny your requests where, in the Company’s sole discretion, they may be unreasonable, excessive, or otherwise objectionable in accordance with applicable law.

Finally, each user has the right to submit a question to the Company about the way their personal data is processed and protected, and if they believe that any of their rights are being violated, they have the right to file a complaint with the Personal Data Protection Authority ( https://www.dataprotection.gov.cy /commissionerdataprotection.gov.cy).

11. MINORS

You should be aware that the content and services of this Website are not intended for minors under the age of 15. No Personal Data shall be submitted to the Company through the Site by visitors under the age of 15. If it comes to our attention that a user under the age of 15 has registered Personal Data, without the express consent of the person exercising parental care, we will immediately, upon notification or request, delete said data in accordance with our Company’s deletion policy.

12. CHANGES TO POLICY

The Company may modify this Policy. Please check the Effective Date at the beginning of the Policy to see when it was last revised. Any revision will be effective as soon as we post the revised Policy.

If we make material changes to this Policy that expand our rights to use Personal Data that we have already collected from you, we will notify you and provide you with a choice about future use of that data.