Privacy policy
Last updated: May 26, 2026
Who We Are
Melitta is the trade name of VASILIKI GRAMMENOU, a sole proprietorship (ατομική επιχείρηση) registered in Greece.
- Registered office: Farsalon 4, Chalandri, 152 34, Greece
- VAT (ΑΦΜ): EL106865789
- Contact: info@melittaofficial.com | +30 211 115 5240
We operate this store and website (the "Services") and act as the data controller of your personal information under the EU General Data Protection Regulation (GDPR) and Greek Law 4624/2019.
This Privacy Policy describes how we collect, use, and disclose your personal information when you visit, use, or make a purchase through our Services, or otherwise communicate with us. If there is a conflict between our Terms of Service and this Privacy Policy, this Privacy Policy controls with respect to the collection, processing, and disclosure of your personal information.
By using the Services, you acknowledge that you have read this Privacy Policy.
Personal Information We Collect or Process
When we use the term "personal information," we are referring to information that identifies or can reasonably be linked to you. Depending on how you interact with the Services, we may collect or process the following categories:
- Contact details: name, billing and shipping address, phone number, email address.
- Financial information: payment card information, transaction details, payment method, and payment confirmation. Full card numbers are handled by our payment providers and are not stored by us.
- Account information: username, password (encrypted), preferences, and settings.
- Transaction information: items you view, add to your cart or wishlist, purchase, return, exchange, or cancel; your past transactions.
- Communications: information you include when contacting our customer service.
- Device information: device, browser, IP address, network connection, and other unique identifiers.
- Usage information: how and when you interact with or navigate the Services.
Sources of Personal Information
We collect personal information:
- Directly from you, when you create an account, place an order, communicate with us, or otherwise provide your information.
- Automatically through the Services, including through cookies and similar technologies.
- From our service providers, when they collect or process your personal information on our behalf.
- From third-party partners, such as payment providers and shipping carriers.
How We Use Your Personal Information and Legal Bases
Under Article 6 of the GDPR, we process your personal information for the purposes set out below, based on the corresponding legal basis:
1. To provide the Services and fulfill our contract with you. This includes processing payments, fulfilling orders, managing your account, arranging shipping, facilitating returns and exchanges, and providing customer support. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
2. To send marketing communications. This includes promotional emails or SMS about our products and offers. Legal basis: your consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time using the unsubscribe link in any marketing email, or by contacting us.
3. For online advertising and personalization. This includes showing targeted advertisements on third-party platforms based on your activity, and personalizing your shopping experience through cookies and similar technologies. Legal basis: your consent (Art. 6(1)(a) GDPR), captured through our cookie banner. You can change your preferences at any time.
4. To prevent fraud and secure our Services. This includes authenticating accounts, detecting and investigating fraudulent or unsafe activity, and protecting our customers and our business. Legal basis: our legitimate interest in protecting our business, customers, and Services (Art. 6(1)(f) GDPR).
5. To improve our Services. This includes analyzing how customers use our Services and developing new products or features. Legal basis: our legitimate interest in improving our business (Art. 6(1)(f) GDPR).
6. To comply with legal obligations. This includes retaining tax and accounting records, responding to legal requests, and cooperating with competent authorities. Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).
How We Disclose Personal Information
We may share your personal information with:
- Shopify, our e-commerce platform provider, which hosts our store and processes data on our behalf.
- Payment processors (such as Shopify Payments and PayPal), to process your payments.
- Shipping and fulfillment partners (such as ACS Courier, Box Now, and ELTA), to deliver your orders.
- Email and marketing service providers, to send transactional and marketing communications.
- Analytics and advertising partners, where you have consented to cookies for these purposes.
- Professional advisers (accountants, lawyers, auditors), where necessary for our business.
- Competent authorities, where required by law or to protect our legal rights.
- A purchaser or successor, in connection with a merger, acquisition, or other business transaction.
We require all third parties to safeguard your personal information consistent with applicable data protection law.
Relationship with Shopify
The Services are hosted by Shopify, which collects and processes personal information about your access to and use of the Services in order to provide and improve the Services. Information you submit will be transmitted to and shared with Shopify and its third-party processors, which may be located in countries other than where you reside.
Shopify may also use certain enhanced features that combine data from your interactions with our store, other merchants, and Shopify itself. For these enhanced features, Shopify is responsible for the processing of your personal information, including for responding to your requests to exercise your rights.
To learn more about how Shopify uses your personal information and any rights you may have, visit the Shopify Consumer Privacy Policy.
Cookies and Tracking Technologies
This section describes how we use cookies and similar tracking technologies on our website. We do not publish a separate Cookie Policy; the information you need is contained here and in the cookie consent banner displayed when you first visit our site.
What are cookies?
Cookies are small text files placed on your device when you visit a website. They allow the website to recognize your device and remember information about your visit, such as your preferences or what is in your shopping cart. We also use similar technologies such as pixels and local storage. In this Policy, we refer to all of these collectively as "cookies."
Categories of cookies we use
We group cookies into four categories, which are reflected in our cookie consent banner:
1. Essential cookies (always active). These cookies are strictly necessary for our website to function. They allow you to navigate the site, log into your account, add items to your cart, and complete checkout. Without these cookies, the Services cannot operate properly. Examples include session identifiers, cart contents, and security tokens. These cookies do not require your consent.
2. Personalization cookies (consent required). These cookies remember choices you have made — such as your preferred language, region, or recently viewed products — to provide a more tailored experience on return visits.
3. Analytics cookies (consent required). These cookies help us understand how visitors use our website by collecting information such as which pages are viewed, how long visitors stay, and where they came from. We use this information to improve our Services. Analytics data is aggregated and not used to identify you individually.
4. Marketing cookies (consent required). These cookies are used by us and our advertising partners to measure the performance of our marketing campaigns and to show you relevant advertisements on other websites and platforms based on your activity on our site. They may be set by us or by third parties such as advertising and social media platforms.
Who sets the cookies
Cookies on our website may be set by:
- Us (Melitta) — first-party cookies set by our domain to provide and improve our Services.
- Shopify — our e-commerce platform, which sets cookies necessary for store functionality and, where consented, for analytics and personalization.
- Third-party services — including payment processors, analytics providers, and advertising networks, where you have consented to non-essential cookies.
Because the specific cookies on our site change as we add or remove features and apps, we do not maintain a fixed cookie list in this Policy. The cookie consent banner reflects the current categories of cookies in use and allows you to accept or reject each category.
How to manage your cookie preferences
When you first visit our website, our cookie banner asks you to accept or decline non-essential cookies. You can:
- Accept all — allow all categories of cookies.
- Decline all — only essential cookies will be set.
- Manage preferences — choose which categories you want to allow.
You can change your choice at any time by clicking the cookie settings link in our website footer. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
You can also manage cookies through your browser settings. Most browsers allow you to view, delete, or block cookies. Note that blocking essential cookies may prevent parts of our website from working correctly. For instructions on managing cookies in your specific browser, please refer to your browser's help pages.
Lifespan of cookies
Cookies on our site are either:
- Session cookies, which are deleted automatically when you close your browser; or
- Persistent cookies, which remain on your device until they expire or until you delete them. The expiry period varies by cookie — most persistent cookies on our site expire within 12 months, while some essential security and preference cookies may last up to 24 months.
International transfers via cookies
Some of the third parties that set cookies on our website (such as Shopify and, where consented, analytics or advertising providers) are based outside the European Economic Area, including in the United States. Where this is the case, the transfer is covered by the safeguards described in the "International Transfers" section below.
Automated Decision-Making
We do not make decisions concerning you based solely on automated processing that produce legal effects or similarly significantly affect you. Some features of our Services (such as product recommendations) involve automated profiling, but these do not have legal or similarly significant effects on you.
Third-Party Websites and Links
The Services may contain links to websites or platforms operated by third parties. We are not responsible for the privacy or security practices of those sites. We encourage you to review their privacy policies before providing any personal information.
Children's Data
The Services are not intended for use by children under 15 years of age, and we do not knowingly collect personal information from children under 15.
Under Greek Law 4624/2019 (Article 21), children aged 15 and older may provide their own consent for information society services. For children below 15, the consent of a parent or legal guardian is required.
If you believe we have collected personal information from a child under 15 without proper consent, please contact us using the details below and we will take steps to delete it.
Security and Retention of Your Information
We use reasonable technical and organizational measures to protect your personal information. However, no security measures are perfect, and we cannot guarantee absolute security. We recommend that you do not send sensitive information via unsecured channels.
We retain your personal information only for as long as necessary for the purposes for which it was collected, including to meet legal, accounting, or reporting requirements. Typical retention periods are:
- Order, invoice, and accounting records: 10 years from the end of the relevant fiscal year, in line with Greek tax law.
- Account information: while your account remains active, plus 2 years after your last login or interaction.
- Marketing consent and contact records: until you withdraw your consent, or after 3 years of inactivity.
- Customer service communications: 3 years from the date of last contact.
- Website analytics data: up to 14 months.
- Fraud prevention and security logs: up to 1 year.
- Records of data subject requests: 3 years, to demonstrate compliance.
Where required by law or for the establishment, exercise, or defense of legal claims, we may retain information for longer periods.
Your Rights
If you are in the European Economic Area or the United Kingdom, you have the following rights under the GDPR and applicable national law in relation to your personal information:
- Right of access (Art. 15 GDPR): to request a copy of the personal information we hold about you.
- Right to rectification (Art. 16 GDPR): to request that we correct inaccurate or incomplete information.
- Right to erasure (Art. 17 GDPR): to request that we delete your personal information, subject to certain exceptions.
- Right to restriction of processing (Art. 18 GDPR): to request that we limit how we use your personal information in certain circumstances.
- Right to data portability (Art. 20 GDPR): to receive your personal information in a structured, commonly used, machine-readable format, or to have it transferred to another controller.
- Right to object (Art. 21 GDPR): to object to our processing of your personal information, including for direct marketing purposes.
- Right not to be subject to solely automated decisions (Art. 22 GDPR).
- Right to withdraw consent (Art. 7(3) GDPR): where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint with a supervisory authority (see "Complaints" below).
To exercise any of these rights, contact us using the details at the end of this Policy. We may need to verify your identity before responding. We will respond within the time required by applicable law (generally within one month).
You may also designate an authorized agent to make requests on your behalf. We may require proof of authorization and may verify your identity directly.
We will not discriminate against you for exercising any of these rights.
For residents of the United States and other jurisdictions outside the EEA, additional rights may apply under applicable local law, including rights to opt out of the sale or sharing of personal information for targeted advertising. Where you visit our website with a recognized opt-out preference signal such as the Global Privacy Control enabled, we will treat this as an opt-out request for the relevant device and browser. To learn more about the Global Privacy Control, visit globalprivacycontrol.org.
Managing Marketing Communications
You can opt out of marketing emails at any time by clicking the unsubscribe link in any such email, or by contacting us. Even if you opt out of marketing, we may still send you transactional or service emails (such as order confirmations, shipping notifications, or messages about your account).
International Transfers
We may transfer, store, and process your personal information outside the country where you live, including outside the European Economic Area.
Where we transfer personal information to recipients in the United States that are certified under the EU-US Data Privacy Framework (such as Shopify and Google), we rely on the European Commission's adequacy decision of 10 July 2023.
For other transfers outside the EEA, we rely on Standard Contractual Clauses approved by the European Commission, or other appropriate safeguards recognized under applicable law. You may request a copy of the relevant safeguards by contacting us.
Complaints
If you have concerns about how we process your personal information, please contact us first using the details below — we will do our best to resolve them.
You also have the right to lodge a complaint with a data protection supervisory authority. For residents of Greece, the competent authority is the Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα — HDPA / APDPX):
- Address: Kifisias Avenue 1-3, 115 23 Athens, Greece
- Website: www.dpa.gr
- Email: contact@dpa.gr
Residents of other EEA countries may contact their local supervisory authority — a full list is available at edpb.europa.eu.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices, technologies, legal requirements, or other factors. We will post the revised Policy on this page and update the "Last updated" date. Where the changes are significant, we will provide additional notice as required by applicable law.
Contact
If you have any questions about this Privacy Policy or our data practices, or if you would like to exercise any of your rights, please contact us:
- VASILIKI GRAMMENOU (trading as Melitta)
- Farsalon 4, Chalandri 152 34, Greece
- VAT (ΑΦΜ): EL106865789
- Email: info@melittaofficial.com
- Phone: +30 211 115 5240
For data protection inquiries specifically, please include "Data Protection" in the subject line of your email.
We are the data controller of your personal information for the purposes of applicable data protection laws.