Last updated: 14/01/2026
This Privacy Policy explains how Althexis collects, uses, shares, and protects information when you use our website, portals/landing pages, and QR-code report pages (the “Site”). It also summarizes how data is handled in connection with the Althexis Skincare Suite used in pharmacies, to the extent you interact with it through our online experiences.
Althexis is responsible for processing personal data collected through the Site.
Address: Thessalonikis 75, 183 45, Moschato
Contact: info[at]althexis.com
Important note about in-pharmacy sessions:
When you use the Althexis Skincare Suite inside a partner pharmacy, the pharmacy may also process your data as part of delivering the service in-store. In some cases, Althexis may process certain data to provide the service, maintain the system, synchronize reports/logs, and generate aggregated business insights. (Specific controller/processor roles can vary by deployment and will be supported by appropriate contractual terms.)
Depending on the page you use, we may collect:
Contact details (e.g., name, email, message) if you contact us or request a demo.
Account details if we offer portal login (planned).
If you access a session report or (planned) history portal, data may include:
Skin images captured during the session (typically face; and the system can support analysis beyond face).
Objective measurements/parameters (e.g., sebum, wrinkles, discoloration) and other outputs produced by image analysis.
Inputs used for personalization such as age range, sex, skin phototype, habits, season, stated concerns, and preference adjustments.
The resulting skincare routine / product recommendations and explanatory text.
For partner pharmacies and system operations we may process:
Pharmacy product catalog/stock data (including ERP exports or integrations).
Session usage metrics, logs, and report artifacts synced to cloud storage for service delivery and analytics.
Checkout/session mapping signals (e.g., QR scan markers or receipt tags) used for BI and conversion tracking.
System monitoring metrics for reliability and support.
We may collect standard technical data such as IP address, device/browser type, pages viewed, and approximate location derived from IP, to help operate and secure the Site.
We use personal data to:
Provide and operate the Site and any portal features (including QR-based access to reports).
Provide the Althexis service in partner deployments, including generating reports and syncing logs/reports and usage data.
Improve and maintain system performance, security, and monitoring.
Provide customer support and respond to requests.
Produce aggregated business intelligence insights for pharmacies and (where applicable) skincare manufacturers using aggregated/anonymized data under clear data protection clauses and appropriate consent mechanisms.
Where GDPR applies, we rely on one or more of these legal bases:
Consent (e.g., where you opt in to data sharing for anonymized insights via a mobile app or similar flow).
Contract (e.g., to deliver portal functionality you request or to support partner pharmacy service delivery).
Legitimate interests (e.g., securing our systems, preventing fraud, improving reliability, and producing high-level operational analytics), balanced against your rights.
Legal obligation where applicable.
We may share data with:
A) Partner pharmacies (in-pharmacy service delivery)
Session-related data may be accessible to the pharmacy providing the service.
B) Service providers / subprocessors
We use vendors to host and operate parts of the platform, including:
AWS infrastructure for storage and secure communications (e.g., reports, logs, usage metrics synced to S3; API Gateway).
Cloudflare for authentication protection in some components.
Hetzner infrastructure (notably for BI backend services) and Metabase for BI tooling in some deployments.
In limited cases, LLM services (OpenAI API) used for unstructured data parsing such as ingredient labels, with guardrails and oversight.
We require service providers to protect data and only process it for authorized purposes.
C) Aggregated/anonymized data for insights
Manufacturers or other partners may receive access only to aggregated, anonymized insights, with rigorous data protection clauses designed to maintain end-user privacy.
D) Legal and safety
We may share data if required by law, or to protect rights, safety, and security.
Our vendors and infrastructure may process data in multiple countries. Where GDPR applies and data leaves the EEA, we use appropriate safeguards (such as Standard Contractual Clauses) as required.
We use technical and organizational measures appropriate to the sensitivity of the data, including:
Encrypted local storage in current in-store deployments.
Secure transmission to cloud storage for synchronization (reports/logs/usage data).
Role-based access controls and least-privilege access (e.g., AWS IAM) and additional security hardening initiatives (encryption at rest/in transit, key management, monitoring, incident response).
No method of transmission or storage is 100% secure, but we continuously improve protections.
We keep personal data only as long as needed for the purposes described in this policy, including providing the service and meeting legal obligations.
Current deployments aim to maintain strict privacy controls with encrypted local storage; planned developments include centralizing data handling in the cloud (e.g., customer authentication via QR code login and personal history sync), reducing long-term storage at the pharmacy level.
Where we store data in cloud services, retention schedules may be applied (e.g., lifecycle policies for secure deletion).
If GDPR applies, you may have rights to:
Access your data
Correct inaccurate data
Delete your data
Restrict or object to processing
Data portability
Withdraw consent (where processing is based on consent)
You can exercise your rights by contacting: [insert privacy email]. You also have the right to lodge a complaint with your local supervisory authority.
We may use essential cookies necessary for the Site to function, and (optionally) analytics cookies to understand Site usage. Where required, we will ask for consent before placing non-essential cookies. You can manage cookies through your browser settings and any cookie banner controls on the Site.
The Site is not intended for children, and we do not knowingly collect personal data from children. If you believe a child has provided data, contact us so we can take appropriate action.
We may update this Privacy Policy from time to time. We will post the updated version on the Site and update the “Last updated” date.
For privacy questions or requests: privacy[at]althexis.com
Address: Thessalonikis 75, 183 45, Moschato/Athens