This Privacy Notice explains how N. PSATHAS & Co LP ("NP Labs", "we", "us") processes your personal data when you use the NPLabs pharmacy portal at pharmacy.nplabs.online (the "Portal"). It is issued under Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and Greek Law 4624/2019.
The Portal is a secure digital extension of our licensed Greek compounding pharmacy workflow. It supports prescription intake, pharmacist review, pharmacy communication, invoice settlement, compounding, dispensing, pickup, and delivery status. Dispensing through the Portal workflow requires a valid prescription. The Portal is not a public medication catalogue, product storefront, or advertising service.
This Notice applies to the Portal only. The nplabs.online marketing website has its own, separate privacy notice.
1. Who we are
Data controller: N. PSATHAS & Co LP
Registered address: Papanikoli Street No. 40, Chalandri, 152 32, Attica, Greece
VAT number: EL998186880
Privacy contact: privacy@nplabs.online
General support: support@nplabs.online
Data Protection Officer: a formal DPO is not designated at the effective date of this Notice. The privacy contact above handles privacy inquiries and data-subject requests. If and when a DPO is designated, contact details will be published in an updated version of this Notice.
2. Who this Notice is for
This Notice applies to all users of the Portal, including:
- Patients who submit or receive prescription-linked pharmacy requests through the Portal;
- Professional Users — prescribers, clinics, external pharmacists, laboratory staff, shipping partners, and support agents;
- Internal NP Labs staff with Portal access, to the extent of their Portal use (their broader employment-data processing is covered by their employment privacy notice).
3. Personal data we process
3.1 Account data (all users). Full name, email address, phone number, date of birth, account role, preferred language, country, home and shipping address.
3.2 Authentication data (all users). User identifier, session tokens, sign-in events, multi-factor authentication state, device and browser metadata. This data is held in our authentication provider (see section 7.1).
3.3 Health data (patients) -- GDPR Article 9 special category. Prescription content (medication, strength, dosage, instructions, intended use), known allergies, current medications, relevant medical conditions, and any clinical notes you or your prescriber provide. We treat this data as special-category data requiring additional protection.
3.4 Professional data (Professional Users). Professional licence number and issuing country, specialty, practice name and address, verification status, joint-controller acknowledgement.
3.5 Pharmacy workflow, invoice, and payment data. Prescription review status, preparation request status, invoice amounts, invoice settlement status, and payment metadata (success/failure, authorisation, capture). We do not store full card numbers or card security codes -- this data is handled directly by our payment processor (see section 7.5).
3.6 Delivery data. Shipping address, special delivery instructions, courier tracking number, courier delivery events (handed over, in transit, delivered, failed).
3.7 Device and usage data. IP address, user-agent, access times, pages and features visited, actions taken on the Portal, and audit log entries recording who did what, when, to which record. Audit logs are required by Greek pharmacy law for dispensing activity.
3.8 Communications. The content of support tickets, messages exchanged with the pharmacy team, and transactional emails we send you through our email provider (see section 7.4).
4. How we collect it
- Directly from you when you register, complete your profile, upload prescription or identity documents, request pharmacy review, settle an invoice, or contact us.
- From your prescriber when they independently create or sign a prescription for you on the Portal.
- From Clerk, our authentication provider, when you sign in.
- From Viva Wallet, our payment processor, when you pay — we receive transaction status and identifiers, not card data.
- From our couriers (DHL, UPS, ACS) when they pick up, transit, and deliver your package.
- Automatically by the Portal itself (IP, user agent, audit log entries) when you interact with it.
5. Why we process it, and our legal basis
The table below sets out the purposes for which we process your personal data, the main data categories involved, and our legal basis. Where health data is involved, we also identify the special-category basis under Article 9.
| Purpose | Main categories | Legal basis (Art. 6) | Special-category basis (Art. 9) |
|---|---|---|---|
| Creating and managing your account | Account data, authentication data | Art. 6(1)(b) — performance of contract (Terms of Service) | — |
| Verifying prescribers and clinics | Professional data | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interest in preventing fraud | — |
| Receiving, verifying, compounding, and dispensing prescriptions | Account data, health data, professional data | Art. 6(1)(b) — performance of contract; Art. 6(1)(c) — legal obligation | Art. 9(2)(h) — provision of health care by a health professional under professional secrecy |
| Obtaining explicit consent from patients to process health data through the Portal | Health data | Art. 6(1)(a) — consent | Art. 9(2)(a) — explicit consent |
| Creating pharmacy invoices and taking payment | Invoice data, payment metadata | Art. 6(1)(b) — performance of contract | — |
| Shipping and delivery | Account data, delivery data | Art. 6(1)(b) — performance of contract | — |
| Customer support, complaints, and dispute resolution | Communications, account data, workflow and invoice data | Art. 6(1)(b) — performance of contract; Art. 6(1)(f) — legitimate interest | Art. 9(2)(h) where health data is discussed |
| Audit logging of dispensing activity | Account data, professional data, audit log | Art. 6(1)(c) — legal obligation (Greek pharmacy law) | Art. 9(2)(h) |
| Accounting, tax, and statutory recordkeeping | Pharmacy workflow data, payment metadata, invoices | Art. 6(1)(c) — legal obligation (Greek tax law) | — |
| Security and abuse prevention | Device data, authentication data, audit log | Art. 6(1)(f) — legitimate interest in a secure service | — |
| Product-liability and quality assurance | Pharmacy workflow data, limited health data | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interest | Art. 9(2)(i) — public interest in public health and medicinal-product safety |
| Payment-provider, card-network, and certification audit support | Account data, invoice data, limited workflow records, compliance evidence | Art. 6(1)(c) where legally required; Art. 6(1)(f) — legitimate interest in lawful payment processing and compliance verification | Art. 9(2)(h) or Art. 9(2)(f) only where health data is strictly necessary |
| Sending service-operation emails (prescription review, invoice, preparation, delivery status, password reset) | Account data, workflow and invoice data | Art. 6(1)(b) | — |
| Responding to data-subject requests (access, erasure, etc.) | Any relevant | Art. 6(1)(c) — legal obligation | Art. 9(2)(g) where needed |
We dual-base the processing of patient health data on both Art. 9(2)(a) (explicit consent you give at onboarding) and Art. 9(2)(h) (healthcare provision by a health professional under professional secrecy). This means that even if you later withdraw your Art. 9(2)(a) consent, we may still be required or permitted to retain records to the extent needed for the provision of health care, pharmacy recordkeeping obligations, product safety, or defence of legal claims.
We do not use your personal data for marketing or profiling on the Portal. We do not engage in automated decision-making with legal or similarly significant effects under Article 22 GDPR.
6. Who we share your data with
We share personal data only with:
- Your prescriber (for the prescriptions they issue to you);
- Our pharmacy staff and pharmacists with a need to see the data;
- Sub-processors listed in section 7;
- Payment processors, acquiring banks, card networks, and compliance or certification reviewers where this is necessary to maintain lawful payment processing, answer a transaction dispute, or demonstrate compliance. We minimise patient health data in these disclosures wherever possible;
- Competent authorities where we are required to disclose data by law (e.g. tax authorities, the Hellenic Data Protection Authority, pharmacy inspectors, courts).
We do not sell your personal data. We do not share it with advertisers. We do not use Portal health data for product advertising, targeted advertising, or marketing profiling.
7. Sub-processors and service providers
The Portal relies on the following providers to deliver the service:
| Provider | Role | Location | Transfer safeguard |
|---|---|---|---|
| Clerk, Inc. | Authentication (sign-up, sign-in, sessions, MFA) | United States | EU Standard Contractual Clauses (Commission Decision 2021/914) |
| Convex, Inc. | Database, real-time backend, server-side application logic | United States | EU Standard Contractual Clauses |
| Vercel, Inc. | Application hosting and content delivery | United States / global edge network | EU Standard Contractual Clauses |
| Sendinblue SAS (Brevo) | Transactional email delivery | France (EU) | Intra-EU — no transfer |
| Viva Payment Services SA | Payment processing (card data, direct) | Greece (EU) | Intra-EU — no transfer |
| DHL | Courier delivery | Germany and shipping destinations | EU + country-specific courier operations |
| UPS | Courier delivery | United States (parent); shipping destinations (operations) | EU Standard Contractual Clauses where applicable |
| ACS Courier SA | Courier delivery (Greece / regional) | Greece (EU) | Intra-EU — no transfer |
Each of these providers acts as a data processor or independent controller for the limited purpose described. We have a written data-processing agreement with each provider where required by Article 28 GDPR. You may request the current list of sub-processors at privacy@nplabs.online.
8. International transfers
Some of our providers are located in or operate from the United States. We rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision 2021/914) and supplementary organisational and technical measures (encryption in transit and at rest, access controls, audit logs) to ensure that transferred data continues to enjoy an essentially equivalent level of protection.
You may request a summary of the transfer mechanisms and safeguards we rely on at privacy@nplabs.online.
9. How long we keep it
| Category | Retention period | Basis |
|---|---|---|
| Prescription records, signed prescriptions, and dispensing logs | 10 years from the date of the last dispensing | Greek pharmacy recordkeeping obligations |
| Orders, invoices, and payment metadata | 10 years | Greek tax law (Law 4308/2014) |
| Audit log of dispensing activity | 10 years | Aligned with prescription records |
| Account data (active) | For the life of your account | Performance of contract |
| Account data (after deletion request or account closure) | 2 years after closure | Defence of legal claims, limited to what is strictly needed |
| Support communications | 2 years from last message in the ticket | Legitimate interest in support-quality assurance and complaint resolution |
| Device and usage logs | 90 days rolling | Legitimate interest in security and abuse prevention |
After the applicable retention period, personal data is either securely deleted or irreversibly anonymised such that it can no longer be associated with you.
Where a retention period under Greek or EU law is longer than one of the periods above, the longer period applies.
10. Your rights
Under GDPR and Greek data-protection law you have the following rights:
- Right of access (Art. 15) — to obtain confirmation of whether we process your personal data and a copy of it.
- Right to rectification (Art. 16) — to have inaccurate or incomplete data corrected.
- Right to erasure / "right to be forgotten" (Art. 17) — to have your data deleted, subject to exceptions (legal obligations, recordkeeping duties, legal claims).
- Right to restriction of processing (Art. 18) — to have processing temporarily limited while you contest accuracy or lawfulness.
- Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format, where the processing is based on consent or contract and is carried out by automated means.
- Right to object (Art. 21) — to object to processing based on our legitimate interests.
- Right to withdraw consent (Art. 7(3)) — where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Withdrawing Art. 9(2)(a) health-data consent may prevent us from offering you new dispensing services, but we will still retain records we are required to retain under healthcare or pharmacy law.
- Right not to be subject to automated decision-making (Art. 22) — we do not use automated decision-making with legal or similarly significant effects.
How to exercise your rights. Contact privacy@nplabs.online, or use the Privacy Center inside the Portal. We may need to verify your identity before acting on your request.
Response time. Within one month of receipt. We may extend by up to two further months where the request is complex or we receive a large number of requests, in which case we will tell you within the first month.
Fees. Free, unless your requests are manifestly unfounded or excessive (for example, repetitive), in which case we may charge a reasonable fee or refuse to act on the request.
Right to lodge a complaint. You have the right to lodge a complaint with the Hellenic Data Protection Authority:
- Address: 1-3 Kifissias Avenue, 115 23, Athens, Greece
- Phone: +30 210 6475600
- Website: www.dpa.gr
- Email: complaints@dpa.gr
You may also lodge a complaint with the supervisory authority of your country of residence.
11. Cookies
The Portal uses only strictly-necessary cookies. See our separate Cookie Notice at /legal/cookies.
12. Security
We apply technical and organisational measures appropriate to the risk, including:
- TLS (HTTPS) encryption for Portal traffic in transit and encryption at rest for stored data;
- access control and role-based permissions inside the Portal;
- audit logging of sensitive actions;
- regular backups and tested restore procedures;
- security training for staff;
- an incident-response procedure for personal-data breaches, including, where applicable, notification to the Hellenic Data Protection Authority within 72 hours and to affected data subjects without undue delay.
No system is perfectly secure, and transmission of data over the internet carries inherent risk. If you become aware of a suspected security issue affecting the Portal, please contact us at security@nplabs.online.
13. Children
The Portal is not intended for users under the age of 18. Where a minor requires compounded medication, the account is held by a parent or legal guardian acting on the minor's behalf, and the minor's personal and health data is processed on that basis.
14. Changes to this Notice
We may update this Notice. For material changes, we will notify you and ask you to acknowledge the updated Notice at your next login. Minor changes are published at /legal/privacy with notice in your Privacy Center. The current version and effective date are shown at the top of this Notice.
15. Contact
Privacy questions and data-subject requests: privacy@nplabs.online
General support: support@nplabs.online
Post: N. PSATHAS & Co LP, Papanikoli Street No. 40, Chalandri, 152 32, Attica, Greece.