Privacy Policy

Effective Date: 05/06/25

1.1. Introduction

Welcome to NAP Hair Collection Co Ltd. This Privacy Policy outlines how NAP Hair Collection Co Ltd (“we”, “us”, “our”) collects, uses, protects, and discloses your personal information when you visit or make a purchase from our website https://naphair.cy.net/ (the “Website”) or otherwise interact with us.

It is our policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you.1 We are committed to protecting your personal data and ensuring transparency in our data processing activities in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and relevant Cypriot data protection legislation, such as the Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of such Data of 2018 (Law 125(I)/2018). Explicitly referencing these legal frameworks, as seen in the practices of other e-commerce operators in Cyprus 2, serves to build user trust and demonstrate an awareness of the specific operating context within Cyprus.

This Privacy Policy applies to all information collected through our Website and any related services, sales, marketing, or events. The inclusion of an “Effective Date” is crucial for version control and transparency, allowing users to understand which iteration of the policy governs their data at any given time, especially as policies are periodically updated.1

1.2. Data Controller Information

For the purposes of the GDPR and relevant Cypriot data protection laws, the data controller is:

NAP Hair Collection Co Ltd

Company Registration Number:

Registered Address: Riga Fereou 42, Tseri 2480, Cyprus

For any privacy-specific concerns or inquiries regarding your personal data, or if you wish to exercise any of your data protection rights, please contact us using the following details:

Email: info@naphair.cy.net

Phone: +357 22 323 153

Postal Address: Riga Fereou 42, Tseri 2480, Cyprus

While a formally appointed Data Protection Officer (DPO) may not be legally mandated for all organisations, providing a clear and accessible contact point for data privacy matters enhances accountability and user trust.5 This aligns with the practices of larger entities in Cyprus 3 and ensures users have a direct channel for communication regarding their data. Maintaining consistency in company details across all legal documents is also essential for clarity and professionalism.

1.3. Information We Collect

We collect various types of personal information in connection with your use of our Website and services. Personal information is any information about you which can be used to identify you, including details about you as a person, your devices, payment details, and how you use online services.1 This information can be broadly categorised as data you “voluntarily provide” to us and data that is “automatically collected”.1

The types of personal data we may collect include:

  • Identity Data: This includes your first name, last name, username or similar identifier, and title.
  • Contact Data: This encompasses your billing address, delivery address, email address, and telephone numbers.
  • Financial Data: We collect payment card details (such as credit/debit card numbers, expiry dates, CVV codes) when you make a purchase. However, these details are typically processed directly by our third-party payment gateways and are not stored on our servers. We may store a tokenised version or partial details for transaction verification, in line with secure practices observed by other e-commerce entities.6
  • Transaction Data: This includes details about the products you have purchased from us, your order history, payments made to and from you, and other details of products and services you have obtained from us.
  • Technical Data: When you access our Website, we may automatically collect technical information such as your Internet Protocol (IP) address, login data (if you create an account), browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Website.1
  • Profile Data: If you create an account, this includes your username and password, your purchase history, your preferences, feedback you provide, and responses to any surveys we may conduct.
  • Usage Data: This comprises information about how you use our Website, products, and services, such as the pages you visit, the time spent on those pages, and links clicked.1
  • Marketing and Communications Data: This includes your preferences in receiving marketing communications from us and our third parties (where applicable) and your communication preferences.

Methods of Collection:

We use different methods to collect data from and about you, including:

  • Direct Interactions: You may give us your Identity, Contact, Financial, and Profile Data by filling in forms on our Website (e.g., when creating an account, placing an order, subscribing to our newsletter, or contacting us) or by corresponding with us by post, phone, email, or otherwise.2
  • Automated Technologies or Interactions: As you interact with our Website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies, server logs, and other similar technologies (please see Section 1.6 on Cookies and Similar Technologies for more details).1
  • Third Parties or Publicly Available Sources: We may receive personal data about you from various third parties, such as:
      • Technical Data from analytics providers like Google Analytics.9
      • Contact, Financial, and Transaction Data from providers of technical, payment, and delivery services.
      • Identity and Contact Data from data brokers or aggregators.
      • Information from other trusted sources, which we may combine with voluntarily provided and automatically collected personal information.1

Being highly specific about the types of data collected (e.g., distinguishing between billing and delivery addresses) enhances transparency and helps users understand the full scope of data processing, a practice exemplified by detailed policies like Alphamega’s.6 Acknowledging data collection from third-party sources is also vital for providing a complete picture of our data practices, as required by GDPR.1

1.4. How We Use Your Personal Data (Purposes)

We use your personal data for various purposes, ensuring that each use is justified and necessary. The specific purposes for which we will use your personal data are set out below:

  • To Register You as a New Customer: To create and manage your account on our Website.
  • To Process and Deliver Your Orders: This includes managing payments, fees, and charges; arranging for shipping and delivery; and collecting and recovering money owed to us.
  • To Manage Our Relationship with You: This involves notifying you about changes to our terms, conditions, or this Privacy Policy; asking you to leave a review or take a survey; and providing customer support.
  • To Enable You to Participate in Promotions or Competitions: If you choose to participate, we will use your data to administer these activities.
  • To Administer and Protect Our Business and This Website: This includes troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data to ensure the security and integrity of our services.
  • To Deliver Relevant Website Content and Advertisements to You: To provide you with content tailored to your interests and to measure or understand the effectiveness of the advertising we serve to you.
  • To Use Data Analytics: To improve our Website, products/services, marketing strategies, customer relationships, and overall user experiences by analysing how our services are used.
  • To Make Suggestions and Recommendations: To inform you about goods or services that may be of interest to you, based on your preferences and purchase history (this will typically be done with your explicit consent where required by law).
  • To Comply with Legal Obligations: To meet our legal and regulatory requirements, such as tax and accounting obligations, or to respond to lawful requests from authorities.
  • To Prevent Fraud: To protect our business and our customers from fraudulent activities.

Linking specific data types to these purposes provides clearer justification for data collection, reflecting GDPR’s principle of purpose limitation and demonstrating thoughtful data handling.6 It is also important to distinguish between processing activities essential for service provision (like order fulfilment) and those that are optional (like marketing), particularly concerning the legal basis for processing, such as consent.4

1.5. Lawful Basis for Processing

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances, which are known as “lawful bases” under GDPR:

  • Performance of a Contract: Where we need to process your data to perform a contract we are about to enter into or have entered into with you. For example, when you purchase products from us, we process your data to fulfil your order, manage your account, and provide customer service related to your purchase.1
  • Legitimate Interests: Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Our legitimate interests include operating our business, maintaining and improving our Website and services, ensuring the security of our systems, preventing fraud, and conducting data analytics to understand our customers better. We always consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.1
  • Consent: Where you have given us explicit consent to use your personal data for a specific purpose. This typically applies to sending direct marketing communications via email or SMS, or for the use of non-essential cookies. You have the right to withdraw your consent at any time by contacting us.1
  • Legal Obligation: Where we need to comply with a legal or regulatory obligation. This includes, for example, retaining records for tax purposes or responding to requests from law enforcement agencies.1

The “Legitimate Interests” basis requires careful justification. We ensure that our interests are balanced against your individual rights and freedoms, and we provide clear explanations for relying on this basis. For instance, analysing website traffic to improve user experience is a legitimate interest, provided it does not unduly infringe on your privacy.

To provide greater clarity, the table below summarises the main purposes for which we process your personal data and the corresponding lawful bases we rely upon. This approach, inspired by comprehensive policies like Alphamega’s 6, aims to make our data processing activities transparent and easy to understand.

Purpose of Processing | Types of Data Used | Lawful Basis for Processing
To register you as a new customer | Identity Data, Contact Data | Performance of a Contract
To process and deliver your orders | Identity Data, Contact Data, Financial Data, Transaction Data | Performance of a Contract; Legitimate Interests (for recovering debts)
To manage our relationship with you | Identity Data, Contact Data, Profile Data, Marketing and Communications Data | Performance of a Contract; Legitimate Interests (to keep records updated, study customer use); Legal Obligation (for T&C updates)
To enable your participation in promotions, competitions | Identity Data, Contact Data, Profile Data | Performance of a Contract; Legitimate Interests (to study customer use); Consent (if specific opt-in required)
To administer and protect our business and Website | Identity Data, Contact Data, Technical Data | Legitimate Interests (for running our business, provision of IT services, network security, fraud prevention)
To deliver relevant content and advertisements | Identity Data, Contact Data, Profile Data, Usage Data, Marketing Data, Technical Data | Legitimate Interests (to develop products/services, grow business); Consent (for non-essential cookies/direct marketing)
To use data analytics to improve our offerings | Technical Data, Usage Data | Legitimate Interests (to define customer types, keep Website updated, develop business strategy)
To make suggestions/recommendations (marketing) | Identity Data, Contact Data, Transaction Data, Usage Data, Profile Data | Consent (for direct marketing); Legitimate Interests (to develop products/services and grow our business)
To comply with legal and regulatory obligations | Identity Data, Contact Data, Transaction Data, Financial Data | Legal Obligation
To prevent and detect fraud | Identity Data, Contact Data, Financial Data, Transaction Data, Technical Data | Legitimate Interests (to protect our business and customers)

1.6. Cookies and Similar Technologies

Our Website uses cookies and similar tracking technologies (such as web beacons or pixels) to enhance your browsing experience, analyse site traffic, and for marketing purposes.4 Cookies are small text files placed on your device when you visit a website.

Types of Cookies We Use:

We use the following types of cookies:

  • Strictly Necessary Cookies: These cookies are essential for the operation of our Website and enable core functionalities such as security, network management, and accessibility. They allow you to navigate the site and use its features, such as accessing secure areas or using a shopping cart. These cookies do not require your consent.
  • Performance/Analytics Cookies: These cookies collect information about how you use our Website, such as which pages you visit most often and if you receive error messages. This data helps us improve the performance and design of our Website. For example, we may use Google Analytics to track website usage.9 All information these cookies collect is aggregated and therefore anonymous.
  • Functionality Cookies: These cookies allow our Website to remember choices you make (such as your username, language, or the region you are in) and provide enhanced, more personal features. For example, they can be used to remember your login details or preferences.
  • Targeting/Advertising Cookies: These cookies are used to deliver advertisements more relevant to you and your interests. They may be used to limit the number of times you see an advertisement and help measure the effectiveness of advertising campaigns. They are usually placed by advertising networks with our permission. They remember that you have visited a website, and this information may be shared with other organisations such as advertisers.

Managing Cookies:

Upon your first visit to our Website, you will be presented with a cookie consent banner, allowing you to accept or decline non-essential cookies. You can manage your cookie preferences at any time through this banner or via your browser settings. Most web browsers allow you to:

  • View the cookies stored on your device.
  • Delete some or all cookies.
  • Block third-party cookies.
  • Block cookies from particular sites.
  • Block all cookies from being set.
  • Delete all cookies when you close your browser.

Please note that if you choose to block or delete cookies, some features of our Website may not function properly or your experience may be less personalised. For instance, if you disable strictly necessary cookies, you may not be able to use our shopping cart or checkout services.

A granular cookie consent mechanism, allowing users to opt-in to specific categories of cookies, is considered best practice under GDPR and ePrivacy regulations, offering users greater control over their data. If using tools like Google Analytics that involve data transfer to the USA, it is important to be transparent about this and the safeguards in place, such as Standard Contractual Clauses (SCCs), particularly following the invalidation of the EU-US Privacy Shield.10

Table of Cookies:

To provide further transparency, the following table details some of the cookies that may be used on https://naphair.cy.net/:

Cookie Category / Name | Provider(s) | Purpose | Duration | How to Manage / Opt-Out
Strictly Necessary | NAP Hair Collection Co Ltd / Website Platform | Essential for website functionality, session management, shopping cart, security. | Session / Persistent | These are essential and typically cannot be disabled without impacting site functionality. Manage through browser settings if absolutely necessary.
Performance/Analytics | Google Analytics | To collect anonymous data on website usage, page visits, traffic sources to improve website performance. | Persistent | Via our cookie consent banner or Google Analytics Opt-out Browser Add-on.
Functionality | NAP Hair Collection Co Ltd / Website Platform | To remember user preferences (e.g., language, region) for a more personalised experience. | Persistent | Via our cookie consent banner or browser settings.
Targeting/Advertising | [e.g., Facebook Pixel, Google Ads] | To deliver targeted advertisements and measure campaign effectiveness. | Persistent | Via our cookie consent banner, browser settings, or through advertising platform opt-out mechanisms (e.g., YourOnlineChoices).

(Note: The specific names of cookies, providers, and durations will depend on the actual technologies implemented on the NAP Hair Collection Co Ltd website. This table should be populated accurately after a cookie audit.)

1.7. Data Sharing and Disclosure

We do not sell your personal data to third parties for their own marketing purposes without your explicit consent. However, we may share your personal data with trusted third parties under certain circumstances, as outlined below:

  • Third-Party Service Providers: We engage various third-party companies and individuals to perform services on our behalf. These may include:
      • Payment Processors: To securely process your payments (e.g., Stripe, PayPal).
      • Delivery and Courier Companies: To deliver your orders to you.
      • IT and Website Hosting Providers: To manage and maintain our Website, databases, and IT infrastructure.
      • Marketing Agencies: To assist with our marketing campaigns (where you have consented to marketing).
      • Analytics Providers: To help us understand how our Website is used (e.g., Google Analytics).
    These service providers are contractually bound to protect your personal data, only process it on our instructions, and adhere to confidentiality and data protection obligations consistent with this Privacy Policy and applicable law.1
  • Legal Requirements: We may disclose your personal data if required to do so by law, or in response to valid requests by public authorities (e.g., a court, government agency, or law enforcement).2 This includes for national security or law enforcement requirements.
  • Business Transfers: In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.2
  • To Protect Our Rights and Safety: We may disclose your information when we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Use, or as otherwise required by law.4
  • With Your Consent: We may share your personal data with other third parties if you have given us your explicit consent to do so.

If we use international service providers (e.g., a US-based cloud service), this will involve international data transfers, which are addressed in Section 1.11.

1.8. Data Security

We are committed to protecting the security of your personal data. We implement a variety of appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed.1 These measures include:

  • Encryption: Using Secure Socket Layer (SSL) technology to encrypt data transmitted to and from our Website.
  • Secure Servers: Storing your personal data on secure servers, potentially managed by third-party hosting providers who are also committed to security.6
  • Access Controls: Limiting access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality.
  • Payment Security: We do not store your full payment card details on our systems. Payments are processed through secure third-party payment gateways that are compliant with Payment Card Industry Data Security Standards (PCI-DSS). We may use tokenization for recurring payments or faster checkouts.6
  • Staff Training: Regularly training our staff on data protection and security best practices.
  • Data Breach Procedures: We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.1

While we strive to use commercially acceptable means to protect your personal data, it is important to acknowledge that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.1

You also play a role in keeping your data secure. If you have an account with us, you are responsible for keeping your password confidential. We ask you not to share your password with anyone.

1.9. Data Retention

We will only retain your personal data for as long as it is necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.1

To determine the appropriate retention period for personal data, we consider:

  • The amount, nature, and sensitivity of the personal data.
  • The potential risk of harm from unauthorised use or disclosure of your personal data.
  • The purposes for which we process your personal data and whether we can achieve those purposes through other means.
  • The applicable legal, regulatory, tax, accounting, or other requirements.

For example:

  • If you create an account with us, we will typically retain your personal data for as long as your account is active or as needed to provide you with our services.
  • Transaction data may be kept for a longer period to comply with tax laws (e.g., typically 6-7 years in many jurisdictions).1
  • Correspondence with you may be kept for a period necessary to address any follow-up queries or for record-keeping purposes.

When your personal data is no longer required for the purposes for which it was collected, or when any applicable legal retention period has expired, we will take reasonable steps to securely destroy or permanently anonymise it.1 If you request the deletion of your data, we will comply subject to any overriding legal obligations to retain it.2

1.10. Your Data Protection Rights (Under GDPR)

Under the General Data Protection Regulation (GDPR) and Cypriot data protection law, you have several rights in relation to your personal data. We are committed to upholding these rights. These include:

  • The Right to be Informed: You have the right to be provided with clear, transparent, and easily understandable information about how we use your personal data and your rights. This is why we are providing you with this Privacy Policy.
  • The Right of Access: You have the right to obtain access to your personal data (if we are processing it) and certain other information (similar to that provided in this Privacy Policy). This is commonly known as a “Data Subject Access Request”.1
  • The Right to Rectification: You are entitled to have your personal data corrected if it is inaccurate or incomplete.1
  • The Right to Erasure (The ‘Right to be Forgotten’): This enables you to request the deletion or removal of your personal data where there is no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions (e.g., where we need to keep the data to comply with a legal obligation).1
  • The Right to Restrict Processing: You have rights to ‘block’ or suppress further use of your personal data in certain circumstances. When processing is restricted, we can still store your personal data, but may not use it further.1
  • The Right to Data Portability: You have the right to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. This right only applies to personal data you have provided to us, where processing is based on your consent or for the performance of a contract, and when processing is carried out by automated means.1
  • The Right to Object to Processing: You have the right to object to certain types of processing, including processing for direct marketing (which we do only with your consent). You can also object to processing based on our legitimate interests, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.1
  • Rights in Relation to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. We do not currently engage in such automated decision-making.
  • The Right to Withdraw Consent: If you have given your consent to anything we do with your personal data (i.e., we rely on consent as a legal basis for processing), you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you.

Exercising Your Rights:

To exercise any of these rights, please contact us using the details provided in Section 1.2 (Data Controller Information). We will respond to your request within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

Typically, you will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Right to Lodge a Complaint:

You have the right to lodge a complaint at any time with the supervisory authority for data protection issues in Cyprus. This is the Office of the Commissioner for Personal Data Protection.

Contact details:

Address: 1 Iasonos Street, 1082 Nicosia, Cyprus

P.O. Box 23378, 1682 Nicosia, Cyprus

Telephone: +357 22 818 456

Email: commissioner@dataprotection.gov.cy

Website: http://www.dataprotection.gov.cy 10

Providing these direct contact details for the Cyprus Data Protection Commissioner facilitates users in exercising their right to complain, demonstrating transparency and respect for their rights.10 Clearly stating that exercising rights is usually free, with potential charges only in specific, legally defined circumstances, manages user expectations effectively.

1.11. International Data Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA).

However, some of our third-party service providers may be based outside the EEA, or may process data outside the EEA (for example, cloud service providers or analytics services like Google Analytics which may transfer data to the USA). If we do transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe (known as Standard Contractual Clauses or SCCs). This is particularly relevant for transfers to countries like the USA, following legal developments such as the Schrems II judgment.3
  • Where we use providers based in the US, we may transfer data to them if they are part of a framework that requires them to provide similar protection to personal data shared between Europe and the US (e.g., the EU-US Data Privacy Framework, if applicable and validated).

It is important for users to be aware that if data is transferred to countries without an adequacy decision and not covered by robust safeguards, there might be risks, such as potential access by public authorities in those countries for security purposes, without equivalent data subject rights or remedies as available within the EEA.10

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA. A thorough audit of all data flows, especially concerning the use of common US-based e-commerce tools (e.g., email marketing platforms, analytics), is necessary to ensure this section accurately reflects the company’s practices. A blanket statement of “no transfers outside EEA” 6 may be inaccurate for many modern e-commerce businesses.

1.12. Children’s Privacy

Our Website and services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children under 18. If you are a parent or guardian and you believe that your child has provided us with personal data without your consent, please contact us using the details in Section 1.15. If we become aware that we have collected personal data from a child under 18 without verification of parental consent, we will take steps to remove that information from our servers.

While the primary target audience for “Hair Collection” products is adults, including this standard clause demonstrates a comprehensive approach to data protection principles, particularly those concerning the heightened protection required for children’s data under GDPR.

1.13. Links to Other Websites

Our Website may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.7

We strongly advise you to review the privacy policy of every site you visit. This Privacy Policy applies only to our Website and our processing of your personal data. This clause helps manage user expectations and clearly delineates our responsibility concerning the data practices of external sites.

1.14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will revise the “Effective Date” at the top of this policy.8

If we make material changes to this Privacy Policy, we will notify you either by prominently posting a notice of such changes on our Website before they take effect or by directly sending you a notification (e.g., via email if you have an account with us). Proactive notification for significant changes is a better practice than solely relying on users to check the “Last Updated” date, ensuring users are genuinely informed of modifications that might affect their rights or how their data is processed.1

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

1.15. Contact Us

If you have any questions, comments, or concerns about this Privacy Policy, our data handling practices, or if you wish to exercise any of your data protection rights, please do not hesitate to contact us:

NAP Hair Collection Co Ltd

Riga Fereou 42, Tseri 2480, Cyprus

Email: info@naphair.cy.net

Phone: +357 22 323 153