Privacy Policy
Who we are and scope of application
Althexis (“we,” “us,” “our”) provides dermatological analysis and pharmacy support solutions, including the distribution and operation of the Althexis Skincare Suite system and related software/services. This Privacy Policy describes how we process personal data across all our business channels:
- use of Althexis systems/devices (e.g., dermoscope) in pharmacies/retail outlets,
- company website https://althexis.com/ and any microsites/portals,
- communication with customers/partners, support, social media accounts,
- commercial relations with suppliers/partners, B2C and B2B customers,
- corporate functions (HR/recruitment, legal compliance, consulting, finance/accounting).
Data Controller and contact details
The Data Controller is ALTHEXIS IKE (Reg. No 163482658000), based in Chania, at 13 Alexandrou Papanastasiou street, PC 73200.
Email for privacy issues: [email protected].
Categories of data we process
The categories vary depending on the activity:
- Session/skin analysis data collected via the Althexis Skincare Suite system: contact details (e.g., email when provided), gender, age range, phototype, skin images/characteristics, skin needs, recommended and selected products, session timestamp, unique analysis code, date of next appointment.
- Technical/operational system data: device identifiers, logs, IP/browser information for security/maintenance.
- Communication/support: name, contact details, message content.
- Marketing/updates: communication preferences, interaction with newsletters/campaigns.
- B2B/Suppliers: contact details, contracts, invoicing/documents.
- HR/Candidates: CVs, contact details, references, evaluations.
Legal basis for processing
Depending on the activity, the following apply:
- Consent (Article 6(1)(a) and for special categories Article 9(2)(a)), especially for health data from skin analysis, analytics cookies, and promotional communication.
- Performance of a contract (e.g., provision of services to partners/customers).
- Legitimate interest (system security, fraud prevention, business continuity) with appropriate balancing.
- Legal obligation (tax/accounting compliance, response to lawful requests from authorities).
Purposes of processing
We use the data for:
- Provision/support of dermoscope services (performing analyses, issuing personalized recommendations, organizing follow-ups).
- Improving products/services (satisfaction surveys, effectiveness evaluations, trend analysis on an aggregated/anonymized basis).
- Communication/support (responding to requests, providing updates requested by you as data subjects).
- Marketing only with your explicit consent (e.g., newsletters; option to unsubscribe at any time).
- System security and integrity, legal compliance, claims management.
We do not make decisions that produce legal/significant effects based solely on automated processing (without human intervention).
Data transfer and international transfers
We only share data where necessary:
- to infrastructure/hosting, maintenance, cloud, and security providers,
- to pharmacies/retail partners in the context of the service provided,
- to marketing providers (only with consent for communication),
- to consultants/legal advisors and public authorities where required.
Our goal is to host and process within the EU/EEA. If transfer outside the EU/EEA is required, appropriate safeguards (e.g., Standard Contractual Clauses) and additional measures are applied.
Retention periods
We only retain data for as long as necessary:
- Session/analysis data: for the purposes of the session and any follow-up; in consent scenarios, up to ten (10) years as a maximum, unless otherwise required by law; after the limit, anonymization for statistical/research purposes.
- Communication/support: until completion of the request, plus a reasonable file retention period.
- Technical data/log files: Retained only for a short period of time, strictly as necessary for security purposes, system maintenance and incident investigation. Such data are normally kept for no longer than 6 months, after which they are securely deleted or anonymised.
- Marketing/communication data: Retained until the data subject withdraws their consent or submits an objection (opt-out). After withdrawal or objection, the contact details are placed on a suppression list to ensure that no further communications are sent to the same individual.
- Contractual/financial/accounting data: Retained for the period required under Greek law, such as the Greek Code of Tax Procedure, which generally requires keeping tax and accounting records for 10 years from the end of the relevant fiscal year, or for as long as necessary to comply with other statutory corporate record-keeping obligations.
Security
We implement appropriate technical and organizational measures (encryption in transit/at rest where necessary, access and role controls, 2FA, network segmentation, event logging, backups and recovery tests, system hardening, vulnerability assessments/penetration testing on critical elements, security policies, and staff training). We have incident response and breach notification procedures in place where required by Articles 33–34 of the GDPR.
Your rights
The GDPR gives you the rights of access, correction, deletion, restriction of processing, data transfer (portability), and objection, as well as the right to withdraw consent (without affecting the lawfulness of previous processing).
Please submit your requests to this email: [email protected]
You have the right to appeal to the Personal Data Protection Authority (APDPCH): www.dpa.gr.
Specifically for pharmacies/retail outlets
Before each session, clear information is provided and, where necessary, explicit consent is requested for the processing of sensitive (health) data through an appropriate information and consent mechanism. Consent may be revoked at any time with future effect through the channels indicated in the information/form.
Cookies/Analytics/Tracking
Information about cookies and similar technologies on the website is described in detail in our Cookies Policy. Non-essential cookies (e.g., analytics) are only set with your consent.
Changes to this policy
We may update the policy to reflect changes in procedures or legal requirements. The updated version will be posted on the website with a new effective date. Where necessary, we will provide relevant notification or request consent again.
Contact
For any privacy issues, you can email us at the following address:
Effective Date: 10.10.2024