Privacy Policy
Apoteca.al
NIPT / NUIS: M61829018H
Registered address: Njësia Bashkiake Nr. 10, Rruga e Bogdanëve, Vila 22, Nr. 2, Tiranë, Albania
Data protection contact: [email protected]
General contact: [email protected]
Phone: +355 69 470 2775
Last updated: 6 July 2026
1. About this Privacy Policy
This Privacy Policy explains how Apoteca.al collects, uses, stores, shares and protects personal data when you use our website, mobile applications, online store, customer account, AI assistant, loyalty features, gift cards, store credit, physical boutique, WhatsApp Business channel, customer support, marketing communications and related services.
In this Privacy Policy:
- “Apoteca”, “we”, “us” and “our” refer to Apoteca.al.
- “You” and “your” refer to customers, account holders, website visitors, app users, gift-card recipients, support contacts, newsletter subscribers, loyalty members, boutique visitors and other persons whose personal data we process.
- “Platform” means our website, mobile applications, online store, account area, AI assistant and related digital services.
This Privacy Policy should be read together with our Terms & Conditions, Cookie Policy, Shipping & Delivery Policy, Returns, Refunds & Cancellation Policy, Health & Medical Disclaimer, Acceptable Use & AI Notice, Loyalty Program Terms and Gift Card Terms.
2. Who is responsible for your personal data
Apoteca.al is the controller of the personal data described in this Privacy Policy. This means we decide why and how your personal data is processed, except where another party acts as a separate controller for its own services.
We process personal data in accordance with applicable Albanian data-protection law, including Law No. 124/2024 “On the Protection of Personal Data”, and, where relevant, principles reflected in EU data-protection law.
For privacy questions or requests, contact:
Email: [email protected]
Address: Apoteca.al, Njësia Bashkiake Nr. 10, Rruga e Bogdanëve, Vila 22, Nr. 2, Tiranë, Albania
Phone: +355 69 470 2775
Unless we state otherwise, [email protected] is our data-protection contact point. It should not be interpreted as confirmation that Apoteca has appointed a registered Data Protection Officer, unless we expressly publish that information.
3. Personal data we collect
We collect personal data directly from you, automatically when you use the Platform, from service providers, and from third-party login or payment services where you choose to use them.
3.1 Identity and contact data
This may include:
- name and surname;
- email address;
- phone number;
- delivery address;
- billing address;
- customer account details;
- communication preferences;
- recipient details where you send a gift card or order to another person.
3.2 Account and authentication data
This may include:
- account identifier;
- email or phone one-time code verification data;
- login method;
- session data;
- Google or Apple sign-in identifiers where you choose social sign-in;
- security and authentication logs;
- account status, including deletion or suspension status.
We do not ask you to share your password because our account access may use one-time codes or third-party sign-in methods.
3.3 Order, purchase and transaction data
This may include:
- products viewed, added to cart, purchased, returned or refunded;
- order number;
- order date and status;
- amounts, currency, discounts, delivery charges and payment method;
- delivery method and delivery status;
- courier and tracking information;
- fiscal invoice data;
- refund, cancellation, return and complaint records;
- customer-support notes linked to the order.
3.4 Payment data
Card payments are processed by our payment provider POK. We do not receive or store your full card number, CVV or complete card authentication data.
We may receive and store limited payment-related information, such as:
- payment method;
- payment status;
- transaction reference;
- last digits or card brand where provided by the payment processor;
- fraud, chargeback or payment-failure information;
- refund status.
For cash-on-delivery orders, we process information needed to manage delivery, collection, failed delivery, refusal, cancellation or abuse prevention.
3.5 Delivery and courier data
This may include:
- recipient name;
- phone number;
- delivery address;
- delivery instructions;
- courier partner;
- tracking code;
- delivery attempts;
- delivery confirmation;
- failed-delivery or refusal records.
3.6 Preferences and shopping activity
This may include:
- language preference;
- currency preference;
- saved cart;
- favorites;
- recently viewed products;
- product interests;
- restock alerts;
- notification preferences;
- marketing opt-ins and opt-outs;
- loyalty activity;
- gift-card and store-credit activity.
3.7 Loyalty, store credit and gift-card data
This may include:
- loyalty account status;
- points earned, used, reversed or expired;
- store-credit balance and ledger;
- gift-card purchase, recipient and redemption data;
- QR claim or in-store redemption activity;
- fraud, abuse, refund or correction records linked to loyalty or credit balances.
3.8 AI assistant conversations
When you use our AI assistant, we may process:
- your messages and prompts;
- AI responses;
- product recommendations or search results generated during the conversation;
- timestamps;
- account identifier if you are signed in;
- technical and safety metadata;
- moderation or guardrail flags;
- human-review notes for flagged conversations, where applicable.
Please do not submit sensitive medical information, health records, diagnoses, medication lists, test results or other special-category personal data into the AI assistant.
3.9 Customer-support and communication data
This may include:
- emails, WhatsApp messages, SMS, phone notes or other messages you send us;
- complaint details;
- return or refund evidence, including photos;
- delivery issue evidence;
- product-safety or adverse-reaction reports;
- records of our responses to you.
3.10 Technical, device and security data
This may include:
- IP address;
- device type;
- browser type;
- operating system;
- app version;
- user-agent;
- approximate location derived from IP address;
- session identifiers;
- security logs;
- bot-protection signals;
- fraud-prevention signals;
- error logs;
- crash reports;
- dates and times of access;
- pages, screens or features used.
Cloudflare may help us recover and process IP and security-related data at the network edge for security, performance and anti-abuse purposes.
3.11 Cookies, analytics and similar technologies
Depending on your choices, we may process:
- cookie identifiers;
- analytics events;
- pages viewed;
- products viewed;
- clicks and interactions;
- conversion events;
- performance data.
Non-essential analytics cookies and similar technologies are used only where required consent has been obtained. More details are provided in our Cookie Policy.
3.12 Push notification data
If you use our mobile app or enable notifications, we may process:
- push notification token;
- device identifier;
- notification preferences;
- delivery and interaction data;
- account link, where you are signed in.
For installed app users who have not signed in, we may process a limited anonymous push token or device-level identifier to support basic app notifications, security, functionality or consent-based messaging. Where required, marketing push notifications are sent only with your permission.
3.13 Physical boutique data
When you interact with us in our physical boutique, we may process:
- purchase and invoice data;
- loyalty QR or account claim data;
- refund, exchange or complaint information;
- contact details where needed for receipts, product safety, recalls or customer support.
If CCTV, access-control or other in-store monitoring is used, we will provide separate notice where required.
4. Health and special-category data
Apoteca is a parapharmacy and wellness retailer. We do not ask you to disclose health conditions and we do not create or maintain medical records.
However, because we sell wellness, supplement, dermocosmetic, personal-care and related products, some purchase history or product interest may allow inferences about health, lifestyle or personal concerns. Also, you may voluntarily include health-related information in messages, support requests, reviews or AI assistant conversations.
You should not send us sensitive health information unless it is necessary for a specific support, safety, complaint, return or legal issue.
Where you voluntarily provide health-related or other special-category information, we may process it only as necessary to:
- respond to your request;
- handle a product-safety issue, complaint, adverse reaction, return or refund;
- comply with legal obligations;
- protect your vital interests or the interests of another person, where relevant;
- establish, exercise or defend legal claims;
- prevent abuse or misuse of the Platform;
- apply our AI safety and medical-advice guardrails.
We do not use health-related information for marketing profiling, targeted advertising or loyalty scoring.
We may delete, restrict or refuse to process unnecessary sensitive information, especially where it is not needed to provide the service or handle your request.
5. Why we use your data and our legal basis
We process personal data only where we have a lawful reason to do so.
| Purpose | Examples | Legal basis |
|---|---|---|
| Account creation and management | Sign-up, login, account settings, account security | Contract / legitimate interest |
| Orders and checkout | Cart, order placement, payment status, delivery, returns, refunds | Contract |
| Payments | Payment processing, payment references, refunds, chargeback handling | Contract / legal obligation / legitimate interest |
| Fiscalization, tax and accounting | Fiscal invoices, accounting records, legal reporting | Legal obligation |
| Delivery | Courier fulfilment, tracking, failed delivery handling | Contract / legitimate interest |
| Customer support | Email, phone, WhatsApp, complaints, returns, product questions | Contract / legitimate interest |
| AI assistant | Product search, product guidance, general wellness-product information, safety guardrails | Contract / legitimate interest / consent where required |
| AI safety and quality | Abuse prevention, response checking, audit, improvement, flagged conversation review | Legitimate interest / legal obligation where applicable |
| Loyalty, store credit and gift cards | Points ledger, redemptions, balance corrections, gift-card delivery | Contract / legitimate interest |
| Product safety and recalls | Safety notices, supplier warnings, recall communications | Legal obligation / legitimate interest |
| Fraud, abuse and security | Bot protection, suspicious orders, COD abuse, account misuse, payment risk | Legitimate interest / legal obligation |
| Analytics | Product analytics, performance measurement, service improvement | Consent where required / legitimate interest for strictly necessary metrics |
| Marketing | Email, SMS, push or other promotional messages | Consent where required |
| Transactional communications | OTP codes, order updates, delivery notices, security alerts, legal notices | Contract / legal obligation / legitimate interest |
| Legal claims and compliance | Disputes, authority requests, investigations, enforcement of Terms | Legal obligation / legitimate interest |
| Platform improvement | Debugging, error monitoring, feature improvement, performance | Legitimate interest / consent where required |
Where we rely on legitimate interest, we do so only where we consider that our interest is not overridden by your rights and freedoms. Our legitimate interests include operating and improving Apoteca, preventing fraud and abuse, securing the Platform, protecting customers, handling disputes, enforcing our Terms, and improving product discovery and customer experience.
Where we rely on consent, you may withdraw consent at any time. Withdrawal does not affect processing that took place before consent was withdrawn.
6. AI assistant
The Platform may include an AI shopping assistant that helps with product discovery, general product comparisons and general wellness-product information.
The AI assistant is powered by third-party AI technology, including OpenAI as our primary AI provider. When you use the AI assistant, your messages may be sent to the AI provider for processing and generation of a response.
We may store AI conversations, linked to your account where you are signed in, for:
- providing the assistant;
- improving product search and service quality;
- applying safety and health-claim guardrails;
- detecting misuse or unsafe requests;
- auditing and compliance;
- resolving disputes or complaints;
- protecting our legal rights.
AI conversations are normally deleted after 90 days, unless longer retention is necessary for security, abuse prevention, legal compliance, complaint handling, dispute resolution or protection of our rights.
The AI assistant applies safety controls intended to avoid medical advice, diagnosis, treatment claims and forbidden health claims. However, AI responses may be incomplete, incorrect, outdated or unsuitable. The AI assistant is not a doctor, pharmacist, emergency service, diagnostic tool or substitute for professional advice.
You should not submit sensitive medical information into the AI assistant. If you do, we may process it as described in this Privacy Policy and may delete or restrict it where it is unnecessary.
Flagged AI conversations may be reviewed by authorized human reviewers for safety, compliance, quality, abuse prevention or dispute handling.
7. Automated decision-making and profiling
We may use limited automated processing to support:
- product search and recommendations;
- cart recovery;
- fraud and abuse detection;
- bot protection;
- account security;
- marketing segmentation where you have opted in;
- loyalty and store-credit calculations;
- AI assistant responses.
We do not intend to make decisions based solely on automated processing that produce legal effects or similarly significant effects for you, unless this is necessary for entering into or performing a contract, authorized by law, or based on your explicit consent where required.
Fraud, abuse, security or payment-risk systems may automatically flag or restrict an order, payment method, account, promotion, COD eligibility or Platform access. Where appropriate, you may contact us to request human review.
8. Marketing and communication choices
Marketing communications are sent only where permitted by law and according to your preferences or consent where required.
Marketing may include:
- email offers;
- SMS offers;
- push notifications;
- WhatsApp messages where permitted;
- restock alerts;
- personalized product suggestions;
- loyalty or campaign offers.
Marketing consent is separate from essential service messages. You may opt out of marketing at any time through account settings, unsubscribe links, notification settings, or by contacting us.
Even if you opt out of marketing, we may still send you necessary non-marketing messages, including:
- OTP and login messages;
- order confirmations;
- payment and refund messages;
- delivery updates;
- account notices;
- legal notices;
- security alerts;
- product-safety notices;
- recall notices;
- customer-support replies.
9. Cookies and analytics
We use cookies and similar technologies to operate the Platform, keep it secure, remember choices, measure performance and understand how users interact with Apoteca.
Some cookies are necessary for the Platform to work. Others, such as analytics or marketing cookies, are used only where required consent has been obtained.
You can manage cookie preferences through our cookie banner or settings where available. You can also control cookies through your browser settings.
More details are provided in our Cookie Policy.
10. Who we share personal data with
We share personal data only where necessary to operate Apoteca, provide our services, complete orders, process payments, deliver products, comply with the law, protect the Platform, or where you have authorized it.
Depending on how you use Apoteca, we may share relevant personal data with the following categories of recipients:
payment providers, to process card payments, refunds, chargebacks and payment security checks;
fiscalization and accounting providers, to issue fiscal invoices and meet tax, accounting and legal obligations;
courier and delivery partners, to deliver orders, manage tracking, handle failed deliveries and resolve delivery issues;
technology and hosting providers, to host the Platform, store data, secure our systems and keep Apoteca running;
communication providers, to send OTP codes, order updates, service messages, emails, SMS, WhatsApp messages and marketing communications where permitted;
analytics, security and error-monitoring providers, to understand Platform performance, detect errors, prevent fraud and protect against abuse;
AI providers, where you use the AI assistant or AI-powered product discovery features;
mobile app and platform providers, where you use our mobile app, push notifications, Apple sign-in, Google sign-in or related app services;
professional advisers and authorities, including lawyers, accountants, auditors, banks, insurers, courts, regulators, tax authorities, law-enforcement bodies or the Commissioner for the Right to Information and Protection of Personal Data, where required or permitted by law;
business-transfer parties, if Apoteca is involved in a merger, acquisition, investment, restructuring, sale of assets, financing, insolvency or transfer of business.
We require service providers that process personal data for us to use the data only for the agreed purpose and to protect it with appropriate security and confidentiality measures.
Some providers may act as independent controllers for certain processing, for example payment providers, app-store providers, social sign-in providers or authorities, where they process data under their own legal obligations or terms.
We do not sell your personal data.
11. International transfers
Some of our providers, systems or support teams may be located outside Albania and outside the European Economic Area, including in the United States or other countries that may not provide the same level of data protection as Albania.
Where personal data is transferred internationally, we use safeguards required or permitted by applicable law. These may include:
- adequacy decisions or recognized adequate jurisdictions, where available;
- standard data-protection clauses approved by the competent authority;
- contractual safeguards with processors and service providers;
- transfer-risk assessments where appropriate;
- technical and organizational safeguards, such as encryption, access controls and data minimization;
- specific legal derogations where a transfer is necessary for contract performance, legal claims or another lawful reason.
You may contact us at [email protected] for more information about international transfers and applicable safeguards.
12. How long we keep personal data
We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.
| Data category | Typical retention period |
|---|---|
| Account data | While your account is active, plus the account deletion/recovery period and any legally required or legitimate retention period |
| Deleted account data | 30-day recovery window, then deletion or anonymization of data no longer needed |
| Order and purchase records | For the period required by tax, accounting, fiscalization, consumer-protection and legal-retention rules |
| Fiscal invoices and accounting records | For the period required by Albanian tax, accounting and fiscalization law |
| Delivery records | As needed for delivery, complaints, failed delivery, COD handling, disputes and legal compliance |
| Returns, refunds and complaints | As needed to handle the issue and for legal, accounting, consumer-rights and dispute purposes |
| Payment references | As needed for payment, refund, chargeback, fraud-prevention, accounting and legal purposes |
| AI conversations | Normally 90 days, unless longer retention is needed for safety, abuse prevention, legal compliance, complaint handling, dispute resolution or protection of rights |
| Customer-support messages | As needed to handle the request and for dispute, quality, safety and legal purposes |
| Marketing consent records | While consent is active and for a reasonable period after withdrawal to prove compliance |
| Cookie and analytics data | As stated in the Cookie Policy or consent tool |
| Security, fraud and abuse logs | As needed to protect the Platform, prevent abuse, investigate incidents and comply with law |
| Loyalty, store credit and gift-card ledgers | While balances are active and as needed for accounting, fraud prevention, disputes and legal compliance |
| Product-safety and recall records | As needed for product safety, recall obligations, legal compliance and protection of customers |
When we no longer need personal data, we delete it, anonymize it, or securely retain it only where legally required or justified.
If you request deletion, we may still retain certain data where necessary for:
- tax, accounting or fiscalization obligations;
- order history and consumer-rights records;
- fraud prevention and security;
- product-safety or recall obligations;
- dispute resolution;
- legal claims;
- compliance with applicable law.
13. Account deletion
You may request deletion of your account through account settings where available or by contacting us.
Account deletion is subject to a 30-day recovery period. During this period, the account may remain recoverable.
After the recovery period, we delete or anonymize personal data that is no longer needed. However, account deletion does not delete data that we must or may retain for legal, tax, accounting, fiscalization, product-safety, security, fraud-prevention, consumer-rights, dispute or legal-claims purposes.
Unredeemed loyalty points may be forfeited when your account is permanently deleted, as explained in the Loyalty Program Terms.
Deletion of your account may also affect access to order history, saved addresses, favorites, store credit, gift-card records, loyalty benefits and personalized services.
14. Your rights
Subject to applicable law and legal limitations, you may have the right to:
- access your personal data;
- receive information about how we process your data;
- correct inaccurate or incomplete data;
- request deletion of your data;
- restrict certain processing;
- object to certain processing;
- withdraw consent at any time where processing is based on consent;
- request data portability where applicable;
- object to direct marketing;
- request human review where a significant decision is made solely by automated processing, where applicable;
- complain to the competent supervisory authority.
To exercise your rights, contact [email protected].
We may need to verify your identity before responding. We may ask for additional information where necessary to confirm that the request is genuinely from you or from a person authorized to act on your behalf.
We aim to respond within 30 days, unless a longer period is permitted by law due to complexity, number of requests or other lawful reason.
Some rights are not absolute. We may refuse or limit a request where allowed by law, including where the request is manifestly unfounded or excessive, conflicts with legal retention obligations, affects the rights of another person, relates to legal claims, or would undermine fraud prevention, security, product safety or compliance obligations.
15. Complaints to the supervisory authority
If you believe your personal data rights have been violated, you may contact us first at [email protected] so we can try to resolve the issue.
You also have the right to complain to the Albanian supervisory authority:
Commissioner for the Right to Information and Protection of Personal Data
Address: Rr. “Abdi Toptani”, Nd. 5, Kodi postar 1001, Tiranë, Albania
Email: [email protected]
Phone: +355 42 23 7200
Green number: 08002050
16. Security
We use technical and organizational measures intended to protect personal data against unauthorized access, loss, misuse, alteration or disclosure.
These measures may include:
- encryption in transit;
- access controls;
- authentication controls;
- role-based permissions;
- logging and monitoring;
- bot protection;
- firewall and WAF protection;
- secure hosting providers;
- backup and recovery procedures;
- internal access restrictions;
- vendor due diligence where appropriate.
No system is perfectly secure. You are responsible for keeping your email, phone, device, login method and account access secure. If you suspect unauthorized access to your account, contact us immediately.
17. Personal-data breaches
If we become aware of a personal-data breach, we will assess it and take appropriate steps in accordance with applicable law.
Where required, we will notify the Commissioner for the Right to Information and Protection of Personal Data and affected individuals within the legally required timeframe.
We may contact you about security incidents, account security or protective steps even if you have opted out of marketing.
18. Children
The Platform is intended for users aged 18 and over.
We do not knowingly create accounts for children or intentionally collect personal data from children for customer-account or purchase purposes.
If we reasonably believe that a child has created an account or provided personal data without appropriate legal basis, we may delete the data, close the account, cancel orders and take other appropriate action.
If you believe a child has provided us personal data, contact [email protected].
19. Third-party links and services
The Platform may contain links to third-party websites, apps, social media pages, payment pages, sign-in services, courier tracking pages or other external services.
We are not responsible for the privacy practices, security or content of third-party services. You should read their privacy policies before using them.
Where you choose to use Google sign-in, Apple sign-in, payment-provider services, WhatsApp, app-store services or other third-party services, those providers may process your data under their own terms and privacy policies.
20. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, technology, legal obligations, providers or data-processing practices.
The latest version will be published on the Platform with the “Last updated” date.
Where required by law or where changes are material, we may provide additional notice or request consent.
21. Contact
For privacy questions, requests or complaints, contact:
Apoteca.al
NIPT / NUIS: M61829018H
Registered address: Njësia Bashkiake Nr. 10, Rruga e Bogdanëve, Vila 22, Nr. 2, Tiranë, Albania
Data protection contact: [email protected]
General contact: [email protected]
Phone: +355 69 470 2775
