Privacy Policy

topos design studio

Last updated: April 2026

1. Who We Are

Topos Design Studio ("we," "us," or "our") is an interior design studio based in Nicosia, Cyprus, providing design services for residential, hospitality, and commercial projects across Europe.

Data Controller: Topos Design Studio Nicosia, Cyprus Email: hello@topos.design  Phone: 00357 97423333

If you have any questions about how we handle your personal data, you can contact us using the details above.

2. What Personal Data We Collect

We may collect and process the following categories of personal data:

Information you provide directly:

  • Name, email address, phone number, and postal address

  • Project-related information (property details, design preferences, budget indications)

  • Correspondence and communications with us

  • Billing and invoicing details (company name, VAT number, billing address)

  • Photographic or visual material you share for project purposes

Information collected automatically (via our website):

  • IP address and approximate geographic location

  • Browser type, device type, and operating system

  • Pages visited, time spent, and referring URLs

  • Cookie identifiers and similar tracking technologies (see Section 9)

Information from third parties:

  • Referrals from architects, contractors, or other collaborators (name and contact details only, with the referrer's confirmation that you have been informed)

3. Why We Process Your Data and Our Legal Basis

We process personal data only where we have a lawful basis to do so under Article 6 of the GDPR. The specific purposes and corresponding legal bases are set out below.

When you contact us with a project enquiry or request a quote, we process your contact details and any information you share about your project on the basis of our legitimate interest in responding to pre-contractual communications. Once a design agreement is in place, we process the personal data necessary to deliver our interior design services on the basis of performance of a contract. Similarly, we process billing details, invoicing information, and payment records as necessary for the performance of our contract with you, and to meet our legal obligations under applicable tax and accounting law.

Where we wish to feature project imagery or visuals in our portfolio, on our website, or in marketing materials, we do so only with your consent. Likewise, if you subscribe to our newsletter or opt in to receive marketing communications, we process your contact details on the basis of your consent, which you may withdraw at any time.

We use website analytics tools to understand how visitors interact with our website and to improve our services. This processing is based on our legitimate interest in maintaining and enhancing the quality of our online presence. We also process personal data where necessary to comply with legal obligations (such as regulatory or court orders), and to establish, exercise, or defend legal claims, which constitutes a legitimate interest.

Where we rely on legitimate interest as our legal basis, we have assessed that our interests do not override your fundamental rights and freedoms.

4. Who We Share Your Data With

We do not sell your personal data. We may share data with the following categories of recipients, only to the extent necessary:

  • Project collaborators — Architects, contractors, suppliers, and other professionals involved in delivering your project, who receive only the information needed for their role.

  • Professional advisors — Accountants, legal advisors, and auditors, under professional confidentiality obligations.

  • Technology providers — Website hosting, email services, cloud storage, analytics platforms, and CRM tools (e.g., Google Workspace, Framer, analytics providers), acting as data processors under written agreements.

  • Public authorities — Tax authorities or regulators, where required by law.

All third-party processors are bound by data processing agreements that require them to protect your data in accordance with the GDPR.

5. International Data Transfers

Our studio is based in Cyprus (EU). Some of our technology providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as:

  • European Commission adequacy decisions

  • Standard Contractual Clauses (SCCs) approved by the European Commission

  • Other safeguards permitted under Chapter V of the GDPR

You may request a copy of the relevant safeguards by contacting us.

6. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes described in this policy.

Project and contractual records are retained for six years after project completion, in line with Cyprus limitation periods and tax obligations. Invoices and financial records are similarly retained for six years to meet our legal and tax obligations. If you have provided consent for marketing communications, we keep your consent records until you withdraw that consent, along with a record of the withdrawal itself. Website analytics data is retained for up to 26 months, or as configured in our analytics platform. General enquiries that do not lead to a project are retained for two years from the date of our last contact with you.

When these retention periods expire, your data is securely deleted or anonymised.

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you.

  • Rectification — Ask us to correct inaccurate or incomplete data.

  • Erasure ("right to be forgotten") — Ask us to delete your data where there is no compelling reason to continue processing it.

  • Restriction of processing — Ask us to temporarily limit how we use your data.

  • Data portability — Receive your data in a structured, commonly used, machine-readable format, or ask us to transfer it to another controller.

  • Objection — Object to processing based on legitimate interests or direct marketing.

  • Withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

  • Automated decision-making — You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently use automated decision-making.

To exercise any of these rights, contact us at [insert contact email]. We will respond within one month. If your request is complex, we may extend this by a further two months, and we will inform you of the reason.

If you are not satisfied with our response, you have the right to lodge a complaint with our supervisory authority:

Office of the Commissioner for Personal Data Protection Kypranoros 15, 1061 Nicosia, Cyprus P.O. Box 23378, 1682 Nicosia, Cyprus Tel: +357 22818456 Email: commissioner@dataprotection.gov.cy Website: www.dataprotection.gov.cy

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or destruction. These measures include:

  • Encryption of data in transit and at rest

  • Access controls limiting data access to authorised personnel

  • Secure cloud storage with reputable providers

  • Regular review of security practices

While no system can guarantee absolute security, we are committed to maintaining reasonable and proportionate safeguards.

9. Cookies and Tracking Technologies

Our website uses cookies and similar technologies. These fall into the following categories:

  • Strictly necessary cookies — Required for the website to function (no consent needed).

  • Analytics cookies — Help us understand how visitors use our site (e.g., Google Analytics). Placed only with your consent.

  • Marketing cookies — Used to deliver relevant content or advertisements. Placed only with your consent.

You can manage your cookie preferences through our cookie banner when you first visit the site, or by adjusting your browser settings. For more detail, see our Cookie Policy [link if applicable].

10. Third-Party Links

Our website may contain links to external websites. We are not responsible for the privacy practices of those sites and encourage you to read their privacy policies.

11. Children's Data

We do not knowingly collect personal data from children under the age of 16. If you believe we have inadvertently collected such data, please contact us so we can delete it promptly.

12. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. The "last updated" date at the top of this document will always reflect the most recent version. Where changes are significant, we will notify you by email or through our website.

13. Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or our data processing practices, please contact:

Topos Design Studio Nicosia, Cyprus

Email: hello@topos.design

Phone: 00357 97423333