Privacy Policy

Last updated: 15th January 2026

Data Controller Information

brightcorealis Ltd is the data controller responsible for your personal data. We are registered in Cyprus with company registration number HE985214. Our registered office is located at Leontiou Street 6, 8014 Paphos, Cyprus.

Data Collection

The data we collect includes personal information that you provide directly to us and information that we gather automatically when you use our services. We collect the following types of personal data:

• Contact information (name, email address, phone number, postal address)
• Account information (username, password, subscription preferences)
• Skincare profile data (skin type, concerns, product preferences, allergies)
• Order and billing information (purchase history, payment details, delivery information)
• Communication data (customer service interactions, feedback, reviews)
• Technical information (IP address, browser type, device information, usage patterns)
• Marketing preferences and consent records

How We Use Your Information

We use of your data is based on legitimate legal grounds under GDPR. We process your personal information for the following purposes:

• To provide and personalise our skincare subscription service
• To process orders, payments, and deliveries
• To curate personalised product selections based on your skincare profile
• To communicate with you about your subscription and account
• To provide customer support and respond to enquiries
• To improve our services and develop new features
• To send marketing communications (with your consent)
• To comply with legal obligations and resolve disputes
• To detect and prevent fraud and security threats

Cookies and Tracking Technologies

We may use cookies and tracking technologies for analytics, advertising, and remarketing purposes, including Google Ads. These technologies help us measure campaign effectiveness, deliver relevant advertisements, and improve our services. You can manage your cookie preferences at any time through our cookie consent banner or by visiting our cookie policy page.

Data Sharing and Disclosure

We do not sell your personal data to third parties. We may share your information with trusted service providers and partners who assist us in operating our business, including:

• Payment processors and financial institutions
• Shipping and logistics companies
• Customer service platforms
• Analytics and marketing service providers
• IT infrastructure and security providers
• Legal and professional advisors when required

All third-party service providers are contractually bound to protect your data and use it only for the specific purposes we authorise.

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations. Generally, we retain:

• Account and subscription data: for the duration of your subscription plus 7 years for tax and legal compliance
• Transaction records: for 7 years as required by financial regulations
• Marketing communications data: until you withdraw consent or for 3 years from last interaction
• Website analytics data: for 26 months as per Google Analytics settings
• Customer service records: for 3 years to maintain service quality

International Data Transfers

As we operate across the European Union, your data may be transferred and processed in different EU member states. When we transfer data outside the EU, we ensure appropriate safeguards are in place, such as adequacy decisions or standard contractual clauses approved by the European Commission.

Your Rights

Under GDPR and applicable data protection laws, you have the following rights regarding your personal data:

• Right of access: Request copies of your personal data
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data in certain circumstances
• Right to restrict processing: Request limitation of how we use your data
• Right to data portability: Request transfer of your data to another service provider
• Right to object: Object to processing based on legitimate interests or for marketing purposes
• Right to withdraw consent: Withdraw consent for processing where consent is the legal basis
• Right to lodge a complaint: File a complaint with your local data protection authority

To exercise any of these rights, please contact us using the information provided below. We will respond to your request within one month.

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include encryption, secure servers, access controls, and regular security assessments. However, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.

Children's Privacy

Our services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such information promptly.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on our website and updating the "last updated" date. For significant changes, we may provide additional notice through email or our website.

Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or need to contact us regarding data protection matters, please reach out to us:

Supervisory Authority

If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with the Cyprus Data Protection Commissioner or your local data protection authority if you are based in another EU member state.