Comarch Member Portal

Logo Comarch CLM
Logo Comarch CLM

Join now

Create an account and enjoy your benefits
Loyalty card


Privacy Notice for the “EKO App”

Date 24/09/2025

1. Subject Matter

The company under the name “HELLENIC FUELS AND LUBRICANTS SINGLE MEMBER INDUSTRIAL AND COMMERCIAL SOCIETE ANONYME” (hereinafter the “Company”), with its registered office at Maroussi, Attica, 8A Chimarras Street, 15125, acting as Data Controller, collects and further processes your personal data through the “EKO app” (hereinafter the “Application”) only when this is necessary for clear and lawful purposes, in accordance with the applicable personal data protection legislation, in particular Regulation (EU) 2016/679 and Law 4624/2019, as in force.

This Privacy Notice(hereinafter the “Notice”) clearly explains the manner in which we collect and further process information concerning you, as data subjects (hereinafter “you” and/or “your”), when you access and use the Application. In this context, detailed information is provided, among other things, regarding the purpose of processing, the recipients of your data, and your rights. In addition, the use of the Application is also governed by the Terms and Conditions of the Application.

We reserve the right to amend, update, add, or remove parts of this Notice at any time, whenever deemed necessary for compliance with regulatory requirements and/or for the optimization and enhancement of the services provided by the Application. In case of changes, the date at the top of this Notice will be modified accordingly, and in certain cases (e.g., if we intend to use your data in a substantially different manner than described in this Notice), you will be provided with additional prior specific notice.

The Application offers the following functionalities:
a) participation in a loyalty program, awarding and redeeming points through the Application,
b) scheduling of vehicle washing,
c) electric vehicle charging services,
d) making purchases from the Application’s e-shop,
e) payment for products/services through the “Scan & Pay” function,
f) navigation and use of maps in order to locate nearby points of interest,
g) provision of informational and advertising material for services and products of the Company and other companies of the Helleniq Energy Group and specifically Elpedison,
h) user support by Help Desk.

The above services under points (a), (b), (d), (e), and (h) are provided only upon the registration of the user in the Application (registered member).

If the user does not wish to register, the Application offers the ability to use the functionalities under points (c), (f), and (g) to simple, i.e. non-registered / non-logged-in users (the “guest users”). The charging data are stored on the mobile device of the guest user, and if geolocation is used, the location is processed by Google Maps.

For service (h), namely the provision of informational and promotional material, the Company collects the email and/or the mobile phone number of the guest user, provided that they consent to declare it.

2. Sources of Data Collection

Your personal data is collected in one of the following ways:

  1. Through the Application (available for mobile phones).
  2. By submitting a registration application at petrol stations bearing the EKO brand and subsequently completing your details & activating your account through the link that will be sent to the declared mobile phone.

3. Data Collected

Registration & Account Creation

For your registration in the Application and the creation of your account, the Company collects the following categories of personal data:

  • Personal identifiers (First name and Surname),
  • Contact details (mobile phone, email),
  • Date of birth (optional),
  • Type of car fuel (optional),
  • Type of car (optional),
  • Car license plate (optional),
  • Physical address details (city, street, number, postal code, prefecture). May be provided for primary and secondary address (optional),

Loyalty Program

For the execution of the loyalty program through the relevant (digital or physical) card, the Company collects the following categories of personal data:

  • Reward data (e.g., number of points, type and value of gifts or coupons, details of discounts, rewards and/or offers, redemption data),
  • Order/purchase/transaction data (e.g., type and price of product and/or service provided, transaction date). These data are collected automatically by the Company,
  • Statistical data relating to the user’s transactions, such as the value of transactions made and the products purchased most frequently.

The loyalty program is governed by its terms of use, available at the following address: https://eko.gr/

Scan & Pay Service

In the context of providing the Scan & Pay service through the Application, we collect and process the following personal data:

  • Contact details,
  • User’s transaction history and details thereof, such as date and value of the transaction. These data are collected automatically by the Company.

Car Wash Service

In the context of providing the car wash service through the Application, we collect and process the following personal data:

  • First name and Surname,
  • Contact details,
  • Appointment details,
  • Vehicle type,
  • Vehicle license plate,
  • Vehicle profiles created by the customer (optional),
  • Previous sessions, for easier rebooking (optional),
  • User’s transaction history and details thereof, such as the date and value of the transaction. These data are collected automatically by the Company,
  • Statistical data relating to the user’s transactions, such as the value of transactions made and the services most frequently chosen,
  • Location data, i.e. real-time information about the location of the user’s device through the Google Maps application. The user’s location is identified on the basis of the wireless network location or the Wi-Fi access points within range.

E-shop

In the context of making purchases in the e-shop through the Application, we collect and process the following personal data:

  • First name and Surname,
  • Mobile phone number,
  • Main address (street, number, city, country, postal code),
  • Landline number (optional),
  • Favorites list (e.g., e-shop products) (optional),
  • User’s transaction history and details thereof, such as the date and value of the transaction. These data are collected automatically by the Company,
  • Statistical data relating to the user’s transactions, such as the value of transactions made and the products most frequently purchased.

The e-shop is governed by its terms of use, available at the following address: https://eko.gr/

Provision of Informational and Advertising Material for services and products of the Company and other companies of the Helleniq Energy Group

The Application offers all its users (registered and not) informational and advertising material regarding services and products of the Company and other companies of the Helleniq Energy Group, in particular Elpedison. For the sending of this material, the user declares their email and/or mobile phone number.

Provision of Electric Vehicle Charging Services

In the context of providing electric vehicle charging services, we collect and process the following personal data:

  • First name and Surname,
  • Email address,
  • Mobile phone number,
  • Main address (street, number, city, country, postal code),
  • RFID card number (if declared),
  • User’s transaction history and details thereof, such as the name of the charging point and the date and value of the transaction. These data are collected automatically by the Company from the charging points at which the user used the declared Card for EV charging,
  • Statistical data relating to the user’s transactions, such as the value of transactions made, energy consumption (kWh), and most frequently purchased products,
  • Location data, i.e. real-time information about the location of the user’s device through the Google Maps application. The user’s location is identified on the basis of the wireless network location or Wi-Fi access points within range.

Navigation and Use of Maps with the aim of locating nearby places of interest

  • Location data, i.e. real-time information about the location of the user’s device through the Google Maps application. The user’s location is identified on the basis of the wireless network location or Wi-Fi access points within range.

Support of Registered Users by Help Desk

In the context of supporting registered users of the Application, we collect and process, among other things, the following personal data:

  • First name and Surname,
  • Email address,
  • Mobile phone number,
  • Main address (street, number, city, country, postal code),
  • Electricity supply number,
  • User’s transaction history and details thereof, such as the date and value of the transaction,
  • Call details and content.

Other Data

a) Usage data, i.e. data relating to access and use of the services, your interaction with emails, push notifications, and text messages you may receive from the Company, including traffic data, logs, and other communication data.
b) If the user gives consent, the Company collects their location data, i.e. real-time information about the location of the user’s device either through the Application or through the Google Maps application. The user’s location is identified based on the wireless network location or Wi-Fi access points within range, as well as through the use of the Global Positioning System (GPS).

4. Purposes and Legal Basis of Processing

The Company collects and processes your personal data referred to above for one or more of the following purposes:

  • For the creation and maintenance of your individual account in the Application,
  • To enable the execution of the following transactions through the Application: a) ordering heating oil for household use, b) making purchases from the Application’s e-shop, c) scheduling vehicle washing, d) charging electric vehicles,
  • For participation in the loyalty program and awarding/redeeming points,
  • To ensure the optimal, secure, and uninterrupted operation of the Application,
  • For the security of your personal account in the Application,
  • For communication, service, and support on matters of use and secure access to your personal account in the Application,
  • For the sending of informational and promotional material on behalf of the Company and subsidiaries, in particular Elpedison,
  • For the legal support of the Company,
  • To inform you about the nearest service points,
  • For the provision of navigation directions to such charging points through integration of the relevant online digital maps service, including real-time traffic information via Google Maps,
  • To provide you the ability to manage your cards,
  • For access to your order history and monitoring of statistics based on your transactions,
  • To calculate CO₂ emission avoidance,
  • To improve the services provided,
  • To create a user profile; if we obtain your consent for this processing, we take into account the data you provide us and the information resulting from your use of our services in order to send you commercial messages tailored to your preferences and profile, and to adapt our services and products to your individual needs.

To achieve the above purposes, the Company collects and processes your personal data based on the following legal grounds:

  • Consent (Art. 6(1)(a) GDPR), e.g. for the sending of promotional or informational material. You always have the right to withdraw this consent at any time, either by disabling the sending of promotional material in your account, or by sending an email to DPO@helleniq.gr. If you withdraw your consent, the processing based on it will no longer be possible. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal,
  • Execution of the Company’s contractual obligations (Art. 6(1)(b) GDPR) in the context of carrying out your transactions through the Application,
  • Compliance with the Company’s legal obligation for the security of the Application and your personal account,
  • The Company’s legitimate interest for its legal support, namely for the exercise, establishment, and/or defense of legal claims against it.

5. Retention Period

The Company retains your personal data for as long as necessary to achieve the purposes described in this Notice. The retention period is determined by factors such as the nature, scope, and purpose of processing, as well as the existence of legitimate interest or legal obligation requiring their retention.

It is noted that personal data processed on the basis of your consent are retained until such consent is withdrawn. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

In any case, if your account in the Application remains inactive for five (5) years, it will be deleted together with all the personal data it contains.

6. Information Security

The Company applies appropriate technical and organizational security measures, in order to ensure the integrity, confidentiality, and availability of the personal data it processes. These measures are aimed at preventing accidental or unlawful loss, unauthorized access, alteration, or malicious use of data. In any case, the security of data in the Application environment is subject to factors beyond the Company’s control, such as technical problems or other network malfunctions or failures of third-party service providers, for which the Company is not responsible.

7. Disclosure to Third Parties

The Company provides access to or transfers your personal data to:

  • Companies belonging to the Helleniq Energy Group when required for: data processing and storage, providing access to our services, customer support, decision-making on the improvement of our services, content development,
  • Third-party service providers, who perform on behalf of the Company various services, specifically telephone support services, issuance of physical electric vehicle cards, e-shop, electric vehicle charging service, loyalty program, as well as providers of technical and support services and IT consultants,
  • Our partner providing geolocation and navigation services through Google Maps,
  • Third-party developers through the use of the Application Programming Interface (“API”), such as Google Maps. The use of third-party applications developed using the API is subject to the terms of use and privacy policy of those third parties. When the user uses the Application, some third parties may use automatic data collection technologies to collect information relating to the user or their device. Such third parties may use tracking technologies to collect information about the user whenever they use the services of the Application. The information they collect may relate to the user’s personal data or they may collect information, including personal data, relating to the user’s activities within the Application. Such third parties may use this information to provide interest-based (behavioral) advertising or other targeted content. The Company does not control these third-party tracking technologies or the way in which they may be used,
  • Our external partner who manages on behalf of the Company the central RFID Card Management application and payment service when the user uses this specific service,
  • Other service providers used by the Company to provide marketing, advertising, communication, infrastructure and IT services, for personalization and optimization of provided services, processing of transactions via credit cards or other payment methods, customer service, data analysis and improvement (including data on user interactions with the functionalities of the Application), as well as processing and management of consumer surveys. In the context of providing these services, such Service Providers may have access to your personal data or other information. We do not authorize them to use or disclose your personal data, beyond what is necessary to provide their services.

The processing of your personal data by the above cooperating entities is carried out under our control and only on our instructions and is subject to the same guarantees of privacy and personal data security.

8. Transfer to Third Countries (outside EU/EEA)

The Company stores and further processes your personal data within the EU/European Economic Area (EEA). Any transfer of data to third countries outside the EU/EEA (i.e., outside the member states of the European Union, Norway, Iceland, and Liechtenstein) is carried out exclusively in accordance with the applicable legal framework for the protection of personal data and only provided adequate safeguards are offered for the security and protection of your data, in accordance with Chapter 5 of the General Data Protection Regulation (GDPR).

In such cases, relevant information will be provided, published either through the Application, or through the website https://eko.gr/, or in any other manner the Company deems appropriate.

9. Your Rights

Based on the applicable personal data protection legislation, in particular the General Data Protection Regulation (EU) 2016/679 (“GDPR”), we inform you that you have the following rights regarding the processing of your personal data by the Company:

  • Right of access: You have the right to be informed about your personal data processed by the Company and to obtain access to such data. You may be asked for additional information to confirm your identity, for the secure handling of your request. Submitting an access request is free of charge, unless the request is manifestly unfounded, excessive, or repetitive, or if additional copies of the same data are requested, in which case a reasonable administrative fee may be charged. If the Company has lawful grounds to refuse your request, you will be informed in writing of the specific reasons for refusal.
  • Right to rectification: You have the right to request the correction of your personal data if it is inaccurate or incomplete. Where relevant functionality is provided, you may also update your details yourself through the Application.
  • Right to erasure (“right to be forgotten”): You have the right to request the deletion of your personal data when they are no longer necessary for the purposes for which they were collected or there is no lawful reason for their continued processing. The right of erasure is not absolute insofar as there is a specific legal obligation or other lawful reason for the Company to retain your data. In this context, you also have the right at any time to delete your personal account maintained through the Application yourself, by pressing “Delete Account” at the relevant point, or by calling the EKO Consumer Communication Line at +30 210 7725555 or 18198.
  • Right to restriction of processing: In certain cases, you have the right to request the restriction of processing of your personal data. This means that the Company may retain your data but will not process them further, unless:
    – you have given your explicit consent,
    – processing is necessary for the establishment, exercise, or defense of legal claims,
    – processing is required to protect the rights of another natural or legal person.
  • Right to object: You have the right to object to the processing of your personal data, particularly when processing is based on the Company’s legitimate interest. If you exercise your right to object, the Company will stop processing, unless it demonstrates compelling and legitimate grounds overriding your interests, rights, and freedoms, or if processing is necessary for the establishment, exercise, or defense of legal claims. Note that in cases where processing is based on contractual obligations, exercising the right to object may affect the proper execution of the contract or, in certain cases, make it impossible.

10. Submission of Complaint

For further information and advice about your rights or to lodge a complaint, you may contact the Hellenic Data Protection Authority (HDPA), or visit its website: http://www.dpa.gr.

You may contact the Hellenic Data Protection Authority in the following ways:

  • Postal Address: Hellenic Data Protection Authority, Offices: 1-3 Kifisias Avenue, 115 23, Athens
  • Call Center: +30-210 6475600
  • Fax: +30-210 6475628
  • Email: contact@dpa.gr

11. Data Protection Officer Contact Details

For any questions you may have regarding the processing of your personal data, your rights, or this Notice, please contact us by sending your query to the following email address: DPO@helleniq.gr, for the attention of the Data Protection Officer.