AllCity

Legal

Privacy Policy

Last updated: 17 May 2026

This Privacy Policy explains how ALLCITY Clothing ("we", "us", "ALLCITY") collects, uses, stores and discloses personal data when you visit www.allcityclothing.com or place an order with us. It is issued in accordance with Regulation (EU) 2016/679 ("GDPR") and Greek Law 4624/2019.

1. Data Controller

The data controller of your personal data is nr40Athens E.E., with registered office at Kanigos 27 & Kapodistria, 10682 Athens, Greece, VAT EL802436040. Contact: allcityclo@gmail.com.

2. Personal Data We Collect

2.1 Data you provide directly

  • Identification & contact: full name, email address, telephone number.
  • Shipping data: postal address, city, postal code, country, BoxNow locker details.
  • Order data: items purchased, sizes, quantities, order value, order date.
  • Newsletter: email address (only if you subscribe).
  • Communications: any information you choose to send by email or social media.

2.2 Data collected automatically

  • Technical data: IP address, browser type and version, device type, operating system, referrer URL.
  • Usage data: pages visited, time spent, products viewed, basket activity.
  • Cookies and similar technologies: see our Cookie Policy.

2.3 Data we do not collect

We do not store payment card data. All card payments are processed directly by Stripe; we only receive a tokenised transaction reference.

3. Purposes and Legal Bases

PurposeLegal basis (Art. 6 GDPR)
Processing and delivering your orderPerformance of contract — Art. 6(1)(b)
Payment processing and fraud preventionPerformance of contract & legitimate interest — Art. 6(1)(b),(f)
Invoicing, accounting and tax complianceLegal obligation — Art. 6(1)(c)
Customer support and after-salesPerformance of contract — Art. 6(1)(b)
Newsletter / marketing emailsConsent — Art. 6(1)(a)
Analytics and site optimisationConsent (non-essential cookies) — Art. 6(1)(a)
Defence of legal claimsLegitimate interest — Art. 6(1)(f)

4. Recipients and Processors

Your personal data may be shared, only to the extent strictly necessary, with the following categories of recipients acting as data processors on our behalf under Article 28 GDPR:

  • Stripe Payments Europe Ltd. (Ireland) — payment processing.
  • BoxNow Greece S.A. — parcel locker delivery.
  • Courier service providers (e.g. ELTA Courier, Geniki Taxydromiki, ACS) — shipping outside the BoxNow network.
  • Resend, Inc. (USA) — transactional and marketing email delivery.
  • Vercel Inc. (USA) — website hosting and CDN.
  • Greek tax authorities — when required by law.

We do not sell your personal data to any third party.

5. International Transfers

Some of our processors (Stripe, Resend, Vercel) are based in or transfer data to the United States. In all such cases the transfer is protected by the EU–US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795) and/or by Standard Contractual Clauses approved by the European Commission, in accordance with Articles 45–46 GDPR.

6. Retention Periods

  • Order and invoice data: 10 years from issue, as required by Greek tax law (Codified Law 4308/2014).
  • Customer-support correspondence: up to 2 years after the last interaction.
  • Newsletter consent: until you unsubscribe.
  • Analytics data: up to 14 months (anonymised or aggregated thereafter).
  • Marketing consent records: 5 years after withdrawal of consent (proof of compliance).

7. Your Rights

Under Articles 15–22 GDPR you have the right to:

  • Access your personal data and obtain a copy;
  • Rectification of inaccurate or incomplete data;
  • Erasure ("right to be forgotten"), subject to legal retention obligations;
  • Restriction of processing;
  • Data portability in a structured, machine-readable format;
  • Object to processing based on legitimate interests, including direct marketing;
  • Withdraw consent at any time, without affecting prior lawful processing;
  • Not be subject to solely automated decision-making producing legal effects.

To exercise any of these rights, write to allcityclo@gmail.com. We respond within one month, extendable by a further two months for complex requests.

8. Right to Lodge a Complaint

You have the right to lodge a complaint with the Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), 1–3 Kifissias Avenue, 11523 Athens, www.dpa.gr, or with the supervisory authority of your country of residence within the EU.

9. Security

We apply appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access — including TLS encryption in transit, role-based access controls, secure cloud hosting and minimisation of data collection. Despite these measures, no system is fully secure; we will notify you and the competent authority of any personal-data breach affecting your rights within 72 hours pursuant to Article 33 GDPR.

10. Children

The Website is not directed at children under 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us and we will delete it.

11. Changes to this Policy

We may amend this Privacy Policy from time to time. The latest version is always available on this page with the date of last update. Substantial changes will be notified by email to active customers and newsletter subscribers.

12. Contact

Questions, requests or complaints: allcityclo@gmail.com.