Privacy Notice (GDPR)
This Privacy Notice describes how we collect, use, disclose, and protect personal data when you visit our Website, create an account, purchase products, or interact with our team. It applies to all processing carried out by BBF DESIGN CY LTD in accordance with the EU General Data Protection Regulation (GDPR) and Cyprus law.
2.1 Who We Are
BBF DESIGN CY LTD is the data controller responsible for your personal data. We trade as bbf:design and can be contacted at Spyrou Kyprianou 73, 4042 Limassol, Cyprus or via [email protected].
2.2 Scope
This notice covers personal data processed when you browse our Website, use our online services, create or manage an account, make purchases, contact support, sign up for marketing communications, or otherwise interact with us.
2.3 Categories of Data We Process
- Identity & Contact: name, email, phone, billing and shipping addresses.
- Order & Payment: purchased items, order history, VAT numbers, payment method details (processed by payment providers—we do not store full card numbers).
- Account Data: login credentials, preferences, saved items, wishlists.
- Communications: enquiries, customer service notes, reviews, survey feedback.
- Technical & Usage: IP address, device IDs, browser details, pages viewed, referral URLs, cookie identifiers, session logs.
- Marketing: newsletter opt-ins, campaign engagement, unsubscribe history.
2.4 Sources
We collect data directly from you, automatically via cookies and tracking pixels, from payment processors and delivery partners, and from publicly available sources to verify identity, prevent fraud, or confirm delivery information.
2.5 Purposes & Legal Bases
We process personal data for the purposes below and rely on the associated legal bases:
- Order processing & customer service — contractual necessity.
- Account creation and management — contract / legitimate interests.
- Payments, refunds, and fraud prevention — legal obligations / legitimate interests.
- Marketing communications — consent; or legitimate interests for similar products to existing customers with opt-out.
- Analytics & service improvement — consent where required; otherwise legitimate interests to improve the Website.
- Compliance with tax, accounting, and legal duties — legal obligations.
- Security, incident response, and risk management — legitimate interests / legal obligations.
2.7 International Transfers
Where data is transferred outside the European Economic Area, we implement appropriate safeguards such as EU Standard Contractual Clauses, transfer impact assessments, and supplementary measures to ensure equivalent protection.
2.8 Retention
We retain personal data only as long as necessary for the purposes described in this notice:
- Orders and transaction records: 7–10 years for tax and accounting compliance.
- Customer service interactions: up to 6 years after resolution.
- Marketing data: until you withdraw consent or object.
- Cookie identifiers: in line with the durations listed in our Cookie Policy.
2.9 Your Rights (GDPR)
You have the right to access, rectify, erase, restrict, and object to the processing of your personal data, and to data portability. Where processing relies on consent, you may withdraw it at any time. To exercise these rights, contact [email protected].
2.10 Children
Our services are not directed to children under 16. We do not knowingly collect data from minors. If you believe a child has provided personal data, please contact us so we can delete it.
2.11 Automated Decision-Making
We do not carry out automated decision-making that produces legal or similarly significant effects solely based on automated processing.
2.12 Contact (DPO / Privacy)
For privacy questions, data subject rights requests, or complaints, contact our privacy team:
Spyrou Kyprianou 73, 4042 Limassol, Cyprus