· FREE SHIPPING OVER €100 · GREECE · · GENUINE KYOSHO · JOYSWAY · SANWA · KOSWORK · ARROWMAX · · SHIPS IN 1-3 BUSINESS DAYS · · EXPERT SUPPORT FROM HOBBYISTS ·

Privacy Policy

Plain-English summary of what we collect, why, and what you can do about it. This policy is governed by the EU General Data Protection Regulation (GDPR) and Greek Law 4624/2019.

Data Controller: Antzoulatos Bros General Partnership (t/a D.S.A.W. Hobbies), 2 Agias Triados Street, Glyfada, Attica, Greece. G.E.MI. 002319101000. VAT 084226029. Contact: [email protected].

1. What we collect

When you place an order

  • Identity: full name
  • Contact: email, phone, shipping & billing address
  • Transaction: products ordered, total, payment method (we never see card numbers — Alpha Bank handles those), order date
  • VAT number if you order as a business

When you create an account

  • Email + password (hashed — we cannot read it)
  • Optionally: shipping address, phone, preferences
  • Order history linked to your account

When you browse

  • Technical: IP address, browser type, device type, pages visited, referring URL — collected via server logs and analytics cookies
  • Cookies: see the separate Cookie Policy

When you contact us

  • Whatever you put in the email, phone call, or contact form — plus the metadata of the channel (e.g. the email address you wrote from)

2. Why we collect it (lawful basis)

Purpose Lawful basis
Fulfilling your order (shipping, invoicing, support) Performance of contract (GDPR Art. 6(1)(b))
Issuing tax-compliant invoices & retaining accounting records Legal obligation (Greek tax & commercial law)
Sending order & shipping notifications Performance of contract
Marketing emails (newsletters, deals) Your explicit consent — opt-in, revocable anytime
Site analytics & improvement Legitimate interest, with consent for non-essential cookies
Fraud prevention & payment security Legitimate interest
Responding to your contact requests Legitimate interest / pre-contractual steps

3. How long we keep it

  • Order & invoice data: 10 years from the order date — required by Greek tax law (Law 4308/2014).
  • Account data (no orders): until you delete your account, or 24 months of inactivity, whichever comes first.
  • Marketing consent records: until you withdraw consent + 12 months evidence retention.
  • Server & security logs: 6 months.
  • Cookies: see Cookie Policy for per-cookie durations.
  • Support correspondence: 24 months from last contact.

4. Who we share it with

We never sell your data. We share only as needed to fulfill your order or run the site:

  • Couriers (BOX NOW, ACS Courier, ELTA Courier, DHL) — name, address, phone, order weight. Only for shipping.
  • Alpha Bank payment gateway — for card payment processing. They see card details; we don’t.
  • PayPal — when you choose PayPal at checkout.
  • Accounting & tax authorities — invoice data to our certified accountant and (via myDATA) the Greek Independent Authority for Public Revenue (AADE).
  • Email service provider (Mailchimp or similar) — for newsletters, only if you’ve opted in. Email + first name.
  • Hosting & CDN (Hetzner Online GmbH, Cloudflare Inc.) — site infrastructure. EU + US data processing under Standard Contractual Clauses.
  • Analytics (Google Analytics) — only if you’ve accepted analytics cookies. Pseudonymized, aggregated.
  • Marketing platforms (Meta, Google Ads) — only if you’ve accepted marketing cookies. Pseudonymized.

All processors are GDPR-compliant and bound by Data Processing Agreements. We do not transfer data outside the EU/EEA except under approved transfer mechanisms (Standard Contractual Clauses).

5. Your rights (GDPR Chapter III)

You can exercise any of these rights free of charge by emailing [email protected] from the address on file:

  • Access — get a copy of all data we hold about you (Art. 15)
  • Rectification — correct anything inaccurate (Art. 16)
  • Erasure (“right to be forgotten”) — delete your data, subject to legal retention rules (Art. 17)
  • Restriction — pause processing while a dispute is resolved (Art. 18)
  • Portability — receive your data in a machine-readable format (Art. 20)
  • Objection — opt out of legitimate-interest processing, e.g. analytics (Art. 21)
  • Withdraw consent — for any consent-based processing, anytime (Art. 7(3))

We respond to all requests within 30 days (extendable to 90 days for complex cases — we’ll let you know if so).

6. Security

  • All traffic to and from this site is encrypted via HTTPS (TLS 1.2+).
  • Passwords are stored as bcrypt hashes — we cannot read them.
  • Card numbers never reach our servers; Alpha Bank’s PCI-DSS-certified gateway handles them.
  • Administrative access is restricted to named staff with two-factor authentication.
  • We run regular security updates and have a 24h incident response procedure.

If you suspect a data breach, email [email protected] with subject “Security”. We treat these reports as high priority.

7. Children’s data

Our site is intended for users 15 years or older (Greek age of digital consent under GDPR Art. 8). We do not knowingly collect data from younger children. If you believe a child has provided us with personal data without parental consent, contact us and we’ll delete it promptly.

8. Filing a complaint

If you believe we’ve mishandled your data and we haven’t resolved it to your satisfaction, you can lodge a complaint with the Greek Data Protection Authority:

Hellenic Data Protection Authority
Kifisias 1-3, 11523 Athens
Tel: +30 210 6475600
www.dpa.gr/en

9. Changes to this policy

We may update this policy when our processing practices change. Material changes are announced via banner on the site for 30 days and emailed to registered users. The “Last updated” date below reflects the most recent change.

Last updated: this policy is dated to the most recent material change committed in production.