At Phanos N. Epiphaniou Public Ltd, subsidiary companies Hydrotherm Co. Ltd, Stelmeco Ltd, Hydrotherm (Paphos) Limited and associated companies Big Solar Cyprus Ltd and Hydrotherm (Limassol) Limited, we care about the privacy and security of your personal information and we take measures to ensure that your personal information is properly handled while in our possession and while in the possession of others to whom we may disclose it, under the terms and for the purposes explained in this Privacy Policy.

This Policy explains when and why, we collect personal information about visitors to our websites, namely,, about natural persons in general, i.e., offline, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

We may change this Policy from time to time. When we do so, we will notify you about the change, for example, by displaying a relevant notice about the fact of the change on our homepage inviting you to visit this page. Importantly, by using our website, you agree to this Policy as amended from time to time to the extent relating to information we collect about you in your capacity as a user of our website. As far as information about you we collect in the context of conducting our business in general, whether you have used our website or not, you are welcome to contact our DPO (see immediately below), in case you are not happy with any change to our Privacy Policy.

Even though we are not expressly required by the law, specifically the EU General Data Protection Regulation (GDPR), our company has appointed a Data Protection Officer (DPO), specifically, Mr. Michalis Kythreotis.

In case you have any questions with regards to this Privacy Policy or any question or complaint with regards to how your personal data is handled, you can contact our DPO as follows: 

Mr Michalis Kythreotis
Tel.: 22793333
Fax: 22431534
Address: 21 Markou Drakou Street, Pallouriotissa, P.O.Box 29078, 1621 Nicosia, Cyprus.

This Privacy Policy is valid as of 25th of May 2018.
Last updated: 25th of May 2018.

Who are we?

Phanos N. Epiphaniou Public Ltd group of companies.
Registered office: 21 Markou Drakou Street, 1040 Nicosia.

Mailing address: P.O.Box 29078, 1621 Nicosia

Tel: +(357) 22793333
Fax: +(357) 22431534


Nature of business: Trade of products and provision of services for the construction industry, including sanitary ware, air-conditioning systems, photovoltaic systems, and building; construction materials.

How do we collect information from you?

We obtain information about you when you use our website, for example, when you contact us about products and services, if you register to receive information from us, if you submit a complaint or if you submit your CV as a candidate for purposes of employment.

We may also record information about you while you use our websites even if you do not do any of the above and simply browse through our website by clicking on links displayed therein. Such information is automatically recorded in the server logs of your websites and/or by cookies as explained in our Cookie Policy. Your activity on our Facebook Page is also recorded in a similar manner and we also automatically collect information about you when you like, share or comment on our Facebook Page or send us a message on Facebook or any other means of distance communication.

We also collect information about you offline or through other means of communication such as email or telephone, through our hard-copy forms, specifically, when you visit our shops or contact us requesting information about our products or services, when you request a written tender, when you place an order, when you receive delivery of products purchased, when you pay us for your purchases, when you refer a customer of yours to us (in case, you are a professional acting in the construction industry) or when you submit requests, queries or complaints to us.

We also collect any other information you provide to us by contacting us through our website, commenting on posts on our social media Pages and more generally, communicating with us as described in the previous section of this Privacy Policy.

We may also collect information about you, not directly from you, but from third parties such as a developer, contractor or architect, who refer you to us with your knowledge and/or consent.

The companies in our group may pass information to one another for the purpose of contacting you for related products or services, if you have previously consented to such processing.

What type of information is collected from you?

The personal information we collect may include your name, identity card number, telephone number, address, email address, IP address, and information regarding pages accessed and when. We also collect any other information you provide to us by filling in and submitting web forms on our websites such as a query, request or complaint.

We also collect all personal data you provide us with, through filling any of our written forms, such as the New Client Form, mainly consisting of your full name, identity card number, contact details and details of your property relating to our products, such as the address, the name of the architect, interior designer or civil engineer or through placing and/or paying for orders in which case, we additionally collect information about the products you ordered and payments made. We also collect your entrance and/or exit images in our stores or your image in other areas of our premises, where a relevant ‘video surveillance ‘ notice is in place.

If you are a professional of the construction industry, we may collect your information, such as your name, contact details and projects you have worked or are working on, when you submit it to us through business meetings with our staff, when you contact us for co-operation and from publicly-available sources such as advertising.

We have reviewed all our forms to ensure that we only collect and process information that is strictly necessary for the intended purpose specified or being apparent about you or is required by law, thereby avoiding excessive or unnecessary processing. We also do not collect any sensitive information about you, such as political beliefs or health, or sexual orientation, because we do not need it for conducting our business or servicing you

We may also collect financial details relating to you such as the name of your bank, bank account number or credit card details, when you pay us for your purchases. When you pay by credit card, your payment card details are not retained by us. They are collected by a third party payment service provider with whom we co-operate for this purpose. We believe that such providers are data controllers bound by all the requirements of the General Data Protection Regulation. For more on this matter, please see below in this Privacy Policy.

How is your information used?

We use your information lawfully in accordance with Article 6(a), i.e., for purposes you have consented to, Article 6(b), i.e., as necessary to conclude and perform a contract with you, Article 6(c), i.e., to comply with obligations imposed by law (such as tax legislation) and Article 6(f), i.e., as necessary for legitimate interests we pursue as a business.

More specifically, we may use your information to:
process orders or tender requests;
carry out our obligations arising from the contract entered into between you and us, such as to deliver purchased products and invoice you for products ordered;
notify you of key changes to our services (such as opening hours), products (such as the cessation of the marketing of a product) when relevant, or of our privacy policy;
send you communications which you have requested such as a reply to a query, a tender you have requested or invoices and receipts, and;
ensure fraud prevention and protect other legitimate interests of our company, such as to keep record of our customer base, get anonymized statistics relating to the needs and behavior of our customers, maintain centralized technical infrastructure, reduce credit risk and receive payment for purchases made, contact you for the purpose of notifying you of any possible delay in the payment of your invoices or for collecting any outstanding amounts or serving needs communicated to us, or to protect and secure our premises and property, only to the extent absolutely necessary for this purpose and without disproportionately interfering with your privacy.

We will not normally contact you for marketing purposes by email or text messages unless you have given your prior consent or in so far as is permitted by the law or if you are a professional acting in the construction industry such as an architect or civil engineer and we believe we have a legitimate interest in getting in touch with professionals or businesses operating in the same industry as us for mutual benefit.

You can change your marketing preferences and withdraw previously-given consent at any time and without any consequences whatsoever by contacting our DPO, the details of whom are stated at the beginning of this Privacy Policy. You also have the right to object to the processing of your personal data including for direct marketing purposes. For more on this right to object to the processing of personal data for direct marketing and in general, see below in this Privacy Policy.

Where and how long do we retain your information?

Your information is stored on physical (hard copy) files and some information not including any sensitive data, on computer servers situated in our premises in Cyprus. By way of exception, personal information in our corporate emails, data storage and calendar is stored by Google in its own servers. Information recorded through our social media Pages are stored on their own respective servers. Additionally, information we collect through our websites may be stored on servers situated in other countries, depending on where the hosting company is based. The servers of those companies are situated in Cyprus, the United Kingdom and the United States of America.

We, as a minimum, retain your information for as long as it is necessary for us to perform a contract we have with you or to comply with legal obligations to which we are subject, in particular, tax legislation. Other than that, we adhere to the maximum retention periods specified by the Data Protection Commissioner, if any.

When there are no specified maximum retention periods, we retain your data for 10 years, starting from the date of the termination or completion of the contractual relationship with you or from the end or settlement of any dispute arising between us. This period covers the period specified by the statute of limitations, after the lapse of which no legal claims can successfully be raised against us and the period specified by tax legislation and/or our accountants and auditors’ advice. Images of the video surveillance system are kept for a period of two weeks

We retain your information for a period of 18 months, in case we have collected your information in any of the ways described earlier in this Privacy Policy but we have never had a contract with you. This is to enable us to contact you in case we believe we can meet your needs, this being a legitimate interest of our company, which we will make sure it does not disproportionately intrude upon your privacy.

We retain information we collect about you in your capacity as a mere visitor to our websites for one year.

After the lapse of the aforementioned periods of retention, we remove it from our systems by deleting it or we fully anonymize it so that you can no longer be identified by it. In this latter case, we do not delete all of the information but only those pieces of information such as your name, address, email address and any other information revealing that the said information belongs to you.

Should the Cyprus Data Protection Commissioner specify any maximum retention periods, shorter or longer than the above, we will immediately adjust our retention policy accordingly.

Who has access to your information?

We will never sell your information to third parties and we will not share it with third parties for marketing purposes apart from us between companies in our group.

We may pass your information to third party service providers. Such third parties may be messengers or technical service providers providing us with software systems (or their maintenance) necessary to conduct administrative tasks inherent in the provision of our services to you or in the conducting of our business. We only disclose to them the personal information that is absolutely necessary to deliver the service or perform the said task and, when legally required, we have a contract in place that requires them to keep your information secure and in accordance with the principles and rules of the General Data Protection Regulation and not to use it for their own direct marketing purposes or for any purposes other than to provide the service or complete the task as explained above. We also share your information with the companies that are members of our group of companies, as part of our centralised accounting and customer management technical infrastructure.  If you have been referred to us by your building contractor, we may forward your order to the said contractor to the extent necessary for the purposes of work coordination, pricing or payment.

We also pass your information as may be contained in our emails, data storage or calendar to Google, which provides us with a relevant technical service of data processing for the said purposes. We have a contract in place that requires Google to keep your information secure and in accordance with the principles and rules of the General Data Protection Regulation and not to use it for their own direct marketing purposes or for any purposes other than to provide the relevant service.

Your information submitted or recorded by our social media Pages is also passed to those social media service providers enabling us to make available and administer such Pages. The said providers are data controllers in their own right and bound by all of the obligations of the GDPR with their own privacy policies displayed on their websites

We may also pass your information to our lawyers and accountants/auditors to the extent necessary to defend or institute legal claims and to comply with legal obligations with regards to financial accounts and tax reasons respectively.

When you submit an order on one of our websites or otherwise, pay by credit card, your payment is processed by a third party payment service provider, who specializes in the secure online processing of payment transactions such as JCC PAYMENT SYSTEMS LTD. As this processing is not performed by us and we do not retain the relevant data, your rights, explained in the next section of this Policy, to the extent referring to payment card details or transactions should be exercised directly with the said payment service provider. In case, you address a relevant request to us, we will take reasonable measures to meet the request to the extent possible. The said provider is, we believe, a data controller in its own right and bound by all of the obligations of the GDPR. You can view its own privacy policy here We reserve the right to co-operate with a different payment service provider in the future; what is stated in this paragraph will be applicable to the case of any such payment service providers.

We may also transfer personal information to our banks, namely Bank of Cyprus Ltd, Eurobank Cyprus, CDB Bank, Hellenic Bank, COOP, in particular when you pay us through a check. Banks are controllers of personal data themselves and are bound by all of the obligations of the General Data Protection Regulation. You can see their own privacy policies on their websites.

We may transfer your personal information to a third party as part of a sale of some or all of our business assets to any third party or as part of any business restructuring or reorganization in which case we will take measures to ensure that all data protection principles and related rights as derived by the General Data Protection Regulation are fully complied with, prior, during and after the relevant transfer.

Finally, we may disclose your information to public and/or regulatory authorities, if disclosure is required by law or an order issued by a court of law.

What are your rights?

You may at any time send us any of the following requests and we will meet them at the earliest possible and in any case, within a month from the date of receipt of your request and inform you about the action we have taken. If your request is for any reason complex to examine or meet, we will ask you for an extension before the aforementioned one-month period expires.

If we have legitimate reasons to refuse to satisfy your request, we will inform you accordingly and in this case, you have the right to submit a relevant complaint to the Cyprus data protection authority, namely, the Data Protection Commissioner, if you believe that our decision is unjustified.

These are the requests you may submit to us:
A request to permanently delete all or some of your information from our records (right to be forgotten or to erasure), for example when we no longer have reasons to retain it.
A request for you to access your information that we keep in our records right of access.
A request that we provide you with a copy of information about you that exists in our records, in digital or hard copy form. If you require more than one copy, we may charge you a maximum of EUR10,00 as administrative costs. (right to a copy)
A request to update or correct information about you that we keep in our records (right to rectification), for example, in case it is outdated or contains errors or inaccuracies.
A request that we provide you with the information about you that we keep in our records in a structured, commonly used and machine-readable format or forward it in such form to another provider of your choice, if such forwarding or transfer is technically possible (right to portability). Please note that this right applies only in relation to data that you yourself have provided us with and which we process by electronic means in the context of a contract between you and our company or because you have consented to us doing so. Not all information you provide to us is processed by electronic means. 
A request that we stop processing information about you, without however deleting it from our records (right to restriction of processing). In this case, we will restrict access to and use of your information.

A request that we stop processing your information for direct marketing purposes or on the basis of legitimate interests pursued by our company as explained under the fourth question (5th bullet point) of this Privacy Policy or in the name of the public interest (right to object). In the case of direct marketing, we will stop processing your information. In the rest of the cases, we will do so, unless we have compelling reasons to refuse to do so, which we will explain.

If you wish to exercise any of the above rights you will be able to do so by contacting our DPO, Mr Michalis Kythreotis preferably by email and specify the type of right you seek to exercise.

Please note that before acting upon any of your above requests, we may require you to prove your identity, if we are in doubt about your true or correct identity. If we cannot identify you, i.e., we do not hold personal data belonging to the person you are saying you are, we will inform you accordingly and we will not act upon your request.

What security measures do we apply to protect your information?

When you give us personal information, we take organizational and technical measures to ensure to keep it secure and protected against unauthorized disclosure or access, alteration, accidental loss or other violation or unlawful processing. Such measures, amongst others, aim at restricting access to personal information, ensuring secure storage, limiting the risk of viruses and other harmful events, securing and keeping secure back-ups and effectively destroying unnecessary or outdated data.

Use of Cookies

Please click here to read our Cookies Policy.


Transferring your information outside the European Union

We do not transfer your information outside the European Union except to the extent that as explained above, we use third party cloud services such as Google email and hosting services for our websites.

In case we will have to do so, we will inform you accordingly. The data protection laws of the such countries are not the same with those applying in the EU, however, when this is a country in relation to which there is not a European Commission decision on the sufficiency of its legal data protection regime as per Article 45 of the Regulation, we will ensure that your personal data will be given corresponding and/or appropriate respect and protection, specifically by signing with parties based outside the EU, relevant data sharing and/or processing agreements using standard contractual clauses approved by the European Commission, in accordance with Article 46 of the Regulation.