Last updated January 19th 2021
We respect the protection of the Users’ personal data (hereinafter also “You”) and their privacy and we comply with the applicable data protection and privacy laws. We encourage you to carefully read this Privacy Notice as well as our Cookies Notice, available on our Website, which have been written clearly and simply to facilitate their understanding. In both Notices we provide you with transparent information on how we process your personal data.
2. Who are we? Who is the Data Controller?
Our Company operates its booking system through WebHotelier Technologies Limited (hereinafter “WebΗotelier”). Webhotelier processes data on behalf of us and in accordance with our instructions. There is a strict contractual framework between us and Webhotelier regarding the protection of your personal data. We ensure you that we have explicitly asked for the maximum safeness and confidentiality for your data.
3. What Personal Data do we collect?
Depending on how you interact with us and the purposes for which we need to process your personal information, you voluntarily provide us with the following categories of data:
- identity and locational data such as your name, surname, telephone number, residential address, email address, country from which you interact with us, etc.;
- financial and transaction information (e.g. information on your bookings, how you pay, credit details)
- correspondence data (e.g. your messages through our contact form)
However, we also collect information automatically when you visit our Website by using Cookies and similar technologies. For more information about cookies, see our Cookies Notice.
4. What are the purposes and the legal basis for the processing of your personal data?
When you fill in our contact form (requested data: name, e-mail address, subject, message), we process this data to fulfill your requests by answering your questions and providing information. In this case, the legal basis for the processing is the consent that you give by ticking the specific check-box before submitting your message.
When you make a booking from our booking engine, we ask for personal information including your full name, email address, telephone number and financial details. You can voluntarily provide us with your postal address (City, Region/State, Postal Code) and additional comments such us the purpose of your visit. The requested information is required to manage your booking, facilitate your payment, and communicate with you in this regard. The processing of the said data is necessary for the performance of a contract to which you are party.
When you want to become a member of our Loyalty Club and benefit from booking your stay with privileged rates, you can sign in by providing a valid email address. We automatically send you an email message to the indicated address with a one-time PIN which you have to submit to the Website to conclude your registration. Our Website offers registration via a social network login, namely you can continue with Facebook or Google Account. In case you choose to continue with Facebook, Facebook will disclose to us your name, your profile photo and, if you choose so, your email address. If you continue with Google, Google provides us with your name, your email address, your language preferences and your profile photo. We process this data to authenticate you and manage your registration. The legal basis for the processing is the consent you give us by accepting this Privacy Notice.
We may also use the contact details of our existing customers (e.g. visitors, holders of member cards) for marketing purposes to inform them about our latest offers and deals. The processing of personal data for marketing purposes may be regarded as carried out for our legitimate interest to promote our products and services. However, you are always entitled to object to this processing since we provide an opt-out option (“unsubscribe”) within each marketing email you receive.
5. Who do we share your personal data with?
Your data shall not be disclosed to any third party, apart from the following:
(a) Vendors who are required to have access to personal data to provide their services. All vendors are bound by specific agreements ensuring protection of your data.
(b) Authorized employees who have access to personal data only when this is necessary (e.g. to handle your requests) and are bound by non-disclosure and confidentiality agreements.
(c) National Authorities. We will disclose personal data when it is necessary to comply with applicable laws or a legal process, to respond to requests from public and government authorities, including authorities outside your country of residence, to meet national security or law enforcement requirements, to protect the rights, privacy, safety or property of our own, you or others and finally, to pursue available remedies or limit the damages that we may sustain.
(d) Third-party partners setting cookies. Some Cookies are put in place by third-party service providers. Therefore, these partners have access to cookie related information (for more information about cookies, see our Cookies Notice).
(e) Social Networks when you register through a social network login. When you choose to register through a social network account, this activity involves data transfer between us and the social network. The social network provides us with the required information for your registration and acquires access to data related to your registration. It should be clarified that we are not responsible for any subsequent processing activities that social media networks carry out since we can no longer determine or influence the purpose and the means of the data processing. By using the social network login function on our Website, we enable only the data transmission and we may be jointly responsible with the social media provider only for the said processing activity. For more information about social logins, what types of data social networks process and for what purpose, we encourage you to read the Privacy Notices of the respective Social Network and manage your privacy preferences.
6. How long do we keep your data?
We will retain your Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Notice. The criteria used to determine our retention periods include:
(a) The length of time we have an ongoing relationship with you and provide the Services to you (for example, for as long as you keep using the Services or if you have a booking or any request through our contact form, that has not yet been fulfilled)
(b) Whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them)
(c) Whether retention is advisable considering our legal position (such as, for statutes of limitations, litigation or regulatory investigations).
7. Data security – International Data Transfers
We process your data at all times in a confidential way, maintaining the mandatory duty to secrecy regarding the said data under the provisions set out in the applicable laws. We have adopted measures of a technical and organizational nature (e.g. antivirus, antimalware software, firewalls, encryption) required to guarantee the security of your data and prevent them from being altered, lost, processed, or accessed illegally, depending on the state of the technology, the nature of the stored data, and the risks to which they are exposed.
Our servers are located in Greece, which is member of the European Economic Area (EEA). For service efficiency purposes, some of our third-party providers such as advertising and marketing related partners, hold servers outside the EEA. We inform you that this data is transferred with adequate safeguards and is always kept safe.
8. What are the rights of Data subjects?
- to request access to the personal data that we hold;
- to request rectification of inaccurate or incomplete data;
- to request erasure of your personal data to the extent that they are no longer necessary for the purpose for which we need to keep processing them, as we have explained above, or when we are no longer legally permitted to process them;
- to request that we limit the processing of your personal data, which entails that in certain cases you can request us to temporally suspend the processing of the data or that we keep them longer than necessary;
- if you have given us your consent to process your data, you also have the right to withdraw such consent at any time. In the event that you withdraw your consent, this will not affect the legality of the processing carried out previously.
- When we process your data based on your consent of for the purposes of a contract, you can also request portability of your personal data.
- When the processing of your data is based on our legitimate interest, you are entitled to object to the processing.
Finally, we inform you that you have the right to lodge a complaint regarding the processing of your personal data by us before the Hellenic Data Protection Authority (DPA, https://www.dpa.gr/ ).
9. Changes to the Privacy Notice
We may amend the information contained in this Privacy Notice when we consider this appropriate. Should we do so, we will notify you by various procedures through the Website, or we may even send you a notice to your email address when the change in question is relevant to your privacy, for you to be able to review the changes, assess them and, as the case may be, object or unsubscribe from any service or functionality. We will also change the “Last Updated” date at the beginning of this Privacy Notice. In any case, we suggest you to review this Privacy Notice from time to time in case minor changes are made. Any changes we make to our Privacy Notice are effective as of the “Last Updated” date and replace any prior Privacy Notices.