Privacy Policy
Effective date: 10 June 2026
Last updated: 10 June 2026
1. Who we are
This Privacy Policy explains how TRAVEL ACTIVITY GUIDE LTD ("we", "us", "Greece Activity Guide") collects, uses, and shares personal data when you use greeceactivityguide.com (the "Site") or make a booking through it.
- Registered office: Vavyla 3, Block A, Flat/Office 204, Pera Chorio, 2572 Nicosia, Cyprus
- Company number: HE 493917
- VAT number: pending registration
- Jurisdiction of incorporation: Cyprus
- Contact for privacy matters: support@greeceactivityguide.com
- Data Protection Officer: not appointed — we are below the Article 37 GDPR thresholds (our core activities involve neither large-scale regular monitoring nor large-scale special-category processing). We review this assessment annually. This mirrors the statement in Cookie Policy §9.
We are the data controller for the personal data described in this Policy, except where we act as a processor on behalf of a third party (rare; flagged in §5).
2. The short version
- We collect the data you give us at booking (name, email, phone, payment details via Stripe), what you do on the Site, and what you tell us in messages. For Tours that legally require a passenger manifest (for example boat trips), we also collect each participant's date of birth, passport or ID number, and nationality — and delete those details shortly after the Tour.
- We use it to deliver the booking, run our service, comply with the law, remind you about a booking you started but did not finish (you can opt out of these reminders at any time), and — only with your separate consent — send marketing.
- We share booking details with the relevant Operator so they can run the Tour, with Stripe to take payment, with Twilio and Resend to message you, with Clerk to manage your account, and with our hosting providers (Vercel, Neon). We do not sell your data.
- We keep most booking and payment records for 8 years (accounting/tax), then delete or anonymise them.
- You have rights to access, correct, delete, port, restrict, and object — see §11.
3. What we collect
3.1 You give us, directly
- At checkout: first name, last name, email, phone number, number and ages of participants, pickup location (if applicable), free-text notes (allergies, special requests, accessibility), and participant names for Tours that require them.
- Passenger-manifest details, only where the Tour legally requires them: some Tours — typically boat trips — are legally required to file a passenger manifest. For those Tours the booking form additionally asks for each participant's date of birth, passport or identity-document number, and nationality. The form tells you when this applies. These fields are passed to the Operator (§5.1), are never sent by SMS or WhatsApp, and are deleted shortly after the Tour (§7).
- Payment: card details and billing address — entered on the Stripe payment page; we do not see or store full card data. We store a Stripe customer ID and a payment-method reference so we can issue refunds.
- Account (optional): the data above plus an authentication identifier from Clerk. If you sign in with Google or another social provider, we receive the basic profile fields that provider gives us.
- Customer messages: the content of emails you send us and replies to SMS/WhatsApp messages.
3.2 We collect automatically
- Technical data: IP address, user-agent string, device type, language, browser settings — used for security, abuse prevention, and basic analytics.
- Usage data: pages visited, searches performed, Tours viewed, items in cart, click and scroll signals — used to improve the Site and (with consent where required) for remarketing.
- Cookies and similar: see §8.
3.3 From third parties
- Stripe — payment-result codes, fraud signals, partially-masked card details (last four digits, expiry, brand).
- Operators — confirmation/decline messages and any notes they send us about your booking.
- Affiliate networks (where applicable) — the referrer identifier showing which affiliate brought you to us.
- Auth providers (Clerk and the social providers behind it) — profile data you authorise on sign-in.
We do not buy contact lists and we do not enrich profiles from data brokers.
3.4 Data we do not collect
For the avoidance of doubt, we do not collect:
- full payment-card numbers, CVCs, or PINs (Stripe handles all of this — we see only masked references);
- biometric data, genetic data, or health data beyond what you voluntarily put in the customer-notes field;
- precise geolocation from your device (we do not request the browser location permission);
- the contents of your address book, photos, files, or other apps on your device;
- social-media data beyond the basic profile fields the auth provider returns on sign-in;
- information about you from third parties for the purpose of building a profile.
3.5 Special-category data in the customer-notes field
Where you voluntarily disclose special-category data (Article 9 GDPR — including health information, allergies, religious dietary requirements, disability information) in the customer-notes field so the Operator can accommodate you, you are giving explicit consent to that disclosure for that specific purpose. We pass it to the relevant Operator, treat it with the same care as the rest of your data, and use it for no other purpose.
3.6 Booking for other people
If you book for other people, you give us their personal data (names and, for manifest Tours, dates of birth, passport/ID numbers, and nationalities). You confirm that you are authorised to do so, that you have informed them how their data will be used (this Policy), and — for any co-traveller's special-category or identity-document data — that you have their consent to share it with us and the Operator. We rely on you, as the lead booker, to pass on to your party any information we send about the booking.
4. Why we use it and on what legal basis
| Purpose | Data | Legal basis (GDPR Art. 6 / 9) |
|---|---|---|
| Take, confirm and fulfil your booking | Contact, payment, participant, pickup, notes | Contract (Art. 6(1)(b)) |
| Pass booking details to the Operator so they can run the Tour | Contact + booking details, customer notes | Contract (Art. 6(1)(b)); for health info in notes, explicit consent (Art. 9(2)(a)) |
| Send transactional emails/SMS/WhatsApp (confirmation, reminders, changes, cancellation, review request) | Contact + booking | Contract (Art. 6(1)(b)) |
| Remind you about a booking you started but did not finish — up to three emails over seven days, opt-out link in every one (§9.4) | Email + the saved booking details | Legitimate interests (Art. 6(1)(f)) + the ePrivacy "soft opt-in" (Art. 13(2) Directive 2002/58/EC as transposed in Cyprus) |
| Collect and pass passenger-manifest details where maritime law requires a manifest (§3.1, §5.1) | Participant names, dates of birth, passport/ID numbers, nationality | Legal obligation (Art. 6(1)(c) — Directive 98/41/EC) + Contract (Art. 6(1)(b)) |
| Record and evidence your consents (cookie-banner choices; Terms/Privacy acceptance at booking) | Choice made, timestamp, truncated IP, opaque consent ID, document version | Legal obligation (Art. 6(1)(c), Art. 7(1) — demonstrating consent) |
| Administer customer credits (issue, redeem at checkout, restore on eligible cancellations, expiry) | Account, booking, credit ledger | Contract (Art. 6(1)(b)) |
| Attribute a booking to the affiliate whose link brought you to us, and pay their commission (§5.7) | Referral code, booking reference, date, value | Legitimate interests (Art. 6(1)(f)) — measuring and paying for genuine referrals |
| Process payments and refunds | Payment, Stripe tokens | Contract (Art. 6(1)(b)) + Legal obligation for financial records (Art. 6(1)(c)) |
| Keep records for tax and accounting | All transactional records | Legal obligation (Art. 6(1)(c)) |
| Customer account, sign-in, sign-out | Auth identifier, account-linked bookings | Contract (Art. 6(1)(b)) |
| Customer support, dispute and refund handling | Whatever data is relevant to the case | Legitimate interests (Art. 6(1)(f)) — running our service responsibly |
| Fraud prevention, abuse and chargeback handling | Technical, payment, behavioural | Legitimate interests (Art. 6(1)(f)) |
| Service analytics, error monitoring | Technical, anonymised usage | Legitimate interests (Art. 6(1)(f)); cookie-based analytics by consent (see §8) |
| Marketing emails about new Tours, offers | Email, basic interest signals | Consent (Art. 6(1)(a)) — opt-in, opt-out at any time |
| Post-Tour review request (one email; opt-out link inside — §9.1) | Contact + booking | Contract / legitimate interests (Art. 6(1)(b) / (f)) |
| Reviews published on the Site, and possibly re-used in our own marketing materials (§9.1) | First name, review text, optional photo | Consent at the moment you submit |
| Cookies that aren't strictly necessary | Various, per §8 | Consent via the cookie banner |
We do not rely on legitimate interest for anything that materially overrides your privacy.
5. Who we share data with
5.1 Tour Operators — independent data controllers
For every booking, the relevant Operator receives: your first name, last name, phone number, email; party size and any participant names you provided; pickup location, time slot, customer notes (allergies, special requests); the booking reference and the total payable to them.
For Tours that legally require a passenger manifest, the Operator additionally receives each participant's date of birth, passport/ID number, and nationality (§3.1) so it can file the manifest. We send identity-document details to the Operator only through secured channels (the Operator portal, the booking-notification email, and the printable manifest) — never by SMS or WhatsApp, which carry participant names at most.
Sharing can also run the other way: where it is necessary to deliver the Tour or to handle a dispute between you and an Operator (for example over a cancellation or a refund), we may pass relevant information from the Operator to you — such as meeting-point instructions, schedule changes, or the Operator's response to a complaint — and relevant booking information from you to the Operator.
The Operator uses this data to deliver the Tour. The Operator is an independent data controller for its own processing of your data after handover — including for its own legal record-keeping. Operators are required by their agreement with us to comply with applicable data-protection law and to use the data only to deliver the Tour.
Our Operators are based in Greece (within the EEA), so this is not an international transfer.
After the Tour, the Operator keeps its own copy under its own retention policy and law; that copy is the Operator's responsibility, and a subject-access request about data the Operator holds should be directed to the Operator. We can supply the Operator's contact details on request.
Photographs taken by Operators. Operators frequently photograph or film Tours for their own marketing. To the extent these recordings contain identifiable images of you, the Operator is the controller for that processing — speak to the Operator about consents, takedowns, and copies. Where we have asked the Operator for a copy of an image for our own marketing, we are the controller for that specific copy and you may also contact us.
5.2 Service providers — processors acting for us
We share only what each provider needs. We have data-processing terms in place with each, or rely on their standard data-processing terms incorporated into the service contract.
| Provider | Role | Data it processes | Where | Transfer safeguard (verified 2026-06-10) |
|---|---|---|---|---|
| Stripe Payments Europe Ltd (EU contracting entity) | Payment processing, fraud screening | Payment + contact data | Ireland; US group entity Stripe, LLC | DPF Active (EU + UK + Swiss; certified 2026-05-11); SCCs in Stripe's DPA as fallback |
| Twilio Inc. (contracting via Twilio Ireland Ltd) | SMS and WhatsApp delivery | Name, phone, message content | Ireland; group entities incl. USA | DPF Active (EU + UK + Swiss) |
| Resend (legal entity Plus Five Five, Inc.) | Transactional email delivery | Name, email, message content | USA | DPF Active (EU + UK; no Swiss cert); DPA also incorporates the EU SCCs |
| Clerk, Inc. | Authentication and account management | Auth identifier, email, name | USA | DPF Active (EU + UK + Swiss; re-certification under review); DPA includes SCCs |
| Vercel Inc. | Application hosting and CDN | Technical data, anything in requests | USA; EU edge | DPF Active (EU + UK + Swiss) |
| Neon (Neon, LLC, an affiliate of Databricks, Inc.) | Database hosting (EU region) | All stored personal data, at rest in the EU | EU region; US parent | DPF Active via Databricks, Inc. (Neon, LLC is a listed covered entity; Neon's standalone certification lapsed 2025-10-23 — do not cite it); terms via the Databricks DPA |
| Slack Technologies, LLC | Internal new-booking alerts to our private workspace | Name, booking summary | Ireland; group entities incl. USA | DPF Active via Salesforce, Inc. (Slack is a listed covered entity) |
| Google Ireland Ltd / Google LLC (Google Analytics 4) — not yet active; loads only after analytics consent | Usage analytics | Technical + usage data (Consent Mode v2, default-denied) | Ireland; group entities incl. USA | DPF Active (EU + UK + Swiss) |
| Meta Platforms Ireland Ltd / Meta Platforms, Inc. (Meta Pixel) — not yet active; loads only after advertisement consent | Advertising measurement | Technical + event data | Ireland; group entities incl. USA | DPF Active (EU + Swiss; no UK Extension — UK-origin transfers rely on Meta's UK addendum/IDTA) |
5.3 Authorities
We disclose data to courts, regulators, tax authorities, or law-enforcement bodies where legally required, or where necessary to protect our or a third party's rights, property, or safety.
5.4 Business transfers
If we reorganise, merge, or are acquired, your data may transfer to the successor entity. We will notify Account holders before any such transfer takes effect.
5.5 What we do not do
We do not sell personal data. We do not share it with advertising networks for cross-site profiling. We do not pass it to a sister site or third party for their own marketing. We honour the Global Privacy Control browser signal as an opt-out of any sale or sharing of personal data.
5.6 Profiling and personalisation
We may rank Tours, surface "popular" or "trending" results, and recommend Tours based on which destination and date you searched for, which Tours you have viewed or booked, and aggregated booking patterns across all customers. How ranking works is also explained in our Terms of Service.
This is personalisation, not automated decision-making with legal effects under Article 22 GDPR. You can browse without an Account; if you have an Account you can ask us to disable personalisation by emailing support@greeceactivityguide.com. We do not build psychographic profiles for marketing and do not share profile data with third parties.
5.7 Affiliates who referred you
If you arrive at the Site through an affiliate's link (a ?ref= parameter) and later book, we record the referral so the affiliate can be credited (see §8 for the cookie involved). The referring affiliate can see, in their dashboard: the booking reference, the booking date, and the booking value, together with the commission due to them. The affiliate is never shown your name, email, phone number, or any other identifying detail. Legal basis: our legitimate interest in measuring and paying for genuine referrals (Art. 6(1)(f)).
6. International transfers
Our Operators are in Greece, within the EEA — sharing booking data with them is not an international transfer.
Several of our service providers (§5.2) are US-headquartered. Where we transfer personal data outside the EEA we rely on:
- the European Commission's adequacy decisions where one exists;
- the EU-US Data Privacy Framework for certified US recipients;
- the European Commission's Standard Contractual Clauses otherwise;
- in all cases, supplementary measures (encryption in transit and at rest, access controls) appropriate to the risk.
You can request the safeguards in place for any specific transfer by emailing support@greeceactivityguide.com.
7. How long we keep data
| Category | Retention |
|---|---|
| Booking records (incl. customer details on a booking) | 8 years after the booking date, for tax, VAT and accounting |
| Passenger-manifest identity fields (date of birth, passport/ID number, nationality) | Purged 30 days after the Tour date (hard maximum 60 days, per Directive 98/41/EC); participant names remain part of the booking record |
| Unfinished (draft) bookings | 14 days after capture, then deleted |
| Payment records | 8 years, same reason |
| Consent records (cookie-banner choices; Terms/Privacy acceptance at booking) | 6 years, to evidence consent (truncated IP, opaque consent ID, document version) |
| Reminder-email opt-out list | Kept indefinitely — the suppression entry is what honours your opt-out |
| Account data (no booking activity) | Deleted 30 days after Account closure |
| Customer credits | Until expiry (per Terms §11) or 8 years after issue, whichever is later |
| Marketing email subscribers | Until you unsubscribe; suppressed indefinitely after that to honour the opt-out |
| Customer-service emails | 3 years after the case is closed |
| Reviews | Indefinitely while published; removed within 30 days of a valid takedown request |
| Server logs (IP, user-agent) | 90 days for security; anonymised in aggregate after that |
| Analytics data | 24 months, then aggregated |
| Cookies | See §8 — each cookie's lifespan is published in the cookie banner |
After the retention period we delete or anonymise the data. Some records may persist longer where we must keep them by law or are using them in a live dispute.
Aggregated and anonymised data. Where data has been anonymised so you can no longer be identified, it falls outside the scope of personal data and we may retain and use it indefinitely for service improvement and trend analysis.
Operator-held data. Once data has been shared with an Operator (§5.1), the Operator's own retention policy applies to its copy; our deletion does not delete the Operator's copy.
8. Cookies and similar technologies
Cookies have their own policy: the Cookie Policy at greeceactivityguide.com/cookies lists every cookie we set, what it does, how long it lives, and the legal basis for each. The short version:
- When you first visit the Site you are shown a consent banner with equal-weight Accept / Reject / Customise options across six categories (Necessary, Functional, Analytics, Performance, Advertisement, Other). Non-essential cookies are not deployed until you consent.
- You can change or withdraw your choice at any time via the Cookie Consent link in the footer; we re-ask after 12 months, or sooner if the Cookie Policy materially changes.
- Your banner choices are recorded in a consent audit log (see §4 and §7) so we can demonstrate consent.
- The affiliate referral cookie (ref_code) is set only when you arrive through an affiliate's link — an action you took yourself — and is classed as strictly necessary under the Article 5(3) ePrivacy exemption for services you have requested. It stores a partner code only, lives 30 days, and is never used to track you across sites. See §5.7 for what the affiliate can see.
- Analytics (Google Analytics 4) and advertising (Meta Pixel) tags are integrated behind the consent banner with Consent Mode v2 default-denied, but are not yet switched on.
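The consent audit log mentioned above (and in §4 and §7) is meant to hold only the choice per category, a timestamp, the document version, an opaque consent ID and a truncated IP. As an added illustration, not the Site's own code, the following Python builds such a row and refuses category names the banner never described. The truncation prefixes (/24 for IPv4, /48 for IPv6) and the exact field names are this example's assumptions; the policy only says "truncated IP".

```python
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set

# The six banner categories named in §8; Necessary can never be switched off.
CATEGORIES = ("Necessary", "Functional", "Analytics", "Performance", "Advertisement", "Other")


def truncate_ip(ip: str) -> str:
    """Zero the host part before storing the address.

    /24 for IPv4 and /48 for IPv6 are this example's assumption. Note that
    IPv6 needs its own prefix: cutting only the last octet of an IPv6
    address would still identify a single subscriber line.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def unknown_categories(choices: Dict[str, bool]) -> Set[str]:
    """Category names present in the request that the policy does not define."""
    return set(choices) - set(CATEGORIES)


@dataclass(frozen=True)
class ConsentRecord:
    consent_id: str          # opaque and random, derived from neither visitor nor booking
    recorded_at: str         # ISO 8601, UTC
    document_version: str    # which Cookie Policy text the visitor was shown
    choices: Dict[str, bool]
    ip_truncated: str


def record_consent(choices: Dict[str, bool], ip: str, document_version: str,
                   now: Optional[datetime] = None) -> ConsentRecord:
    """Build the audit-log row for one banner decision.

    Rejects unknown category names so a buggy front end cannot log a
    decision the policy never described, and forces Necessary to True.
    """
    unknown = unknown_categories(choices)
    if unknown:
        raise ValueError(f"unknown cookie categories: {sorted(unknown)}")
    normalised = {cat: bool(choices.get(cat, False)) for cat in CATEGORIES}
    normalised["Necessary"] = True
    stamp = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return ConsentRecord(
        consent_id=secrets.token_urlsafe(16),   # 128 random bits, 22 URL-safe chars
        recorded_at=stamp.isoformat(timespec="seconds"),
        document_version=document_version,
        choices=normalised,
        ip_truncated=truncate_ip(ip),
    )


if __name__ == "__main__":
    # Constructed sample input: a visitor on a documentation-range IPv4 address
    # accepting Analytics only.
    print(record_consent({"Analytics": True}, "203.0.113.77", "cookie-policy-2026-06-10"))
```

Storing the row through a function like this, rather than writing whatever the banner posts, is what makes the log usable as evidence under Article 7(1): every row has the same shape, the same document version field, and no full IP to leak later.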
8.1 Other tracking technologies
- Local storage and session storage — used in the browser for the same purposes as cookies (preferences, cart state). Treated the same way for consent purposes.
- Server-side logs — every request is logged with IP, user-agent, URL, and response code, for 90 days, for security and abuse prevention.
- Anti-fraud signals — Stripe runs its own device-fingerprinting on the payment page (Radar), as part of Stripe's processing under its privacy policy.
9. Email and message tracking
9.1 Email open and click tracking
Our transactional emails are delivered by Resend and contain a small tracking pixel and link-rewriting that let us see whether an email was opened and which links were clicked. We use this only to detect delivery failures (so we can resend by SMS/WhatsApp) and to diagnose support issues ("I never got the email"). We do not aggregate this into marketing profiles. Viewing emails in plain-text mode or blocking remote images stops the open tracking; click tracking still applies whenever you follow a rewritten link in the email.
Marketing emails (where offered) carry the same pixel; the unsubscribe link in every marketing email removes you from the list with one click.
Review-request emails. After your Tour we send one email inviting you to review it. We treat this as part of delivering the service (see §4). If you would rather not receive review invitations, the opt-out link in the email stops them; reviews you do submit are published under your first name and may also appear in our own marketing materials, as explained at the moment you submit.
9.2 SMS messages
SMS notifications are sent from our alphanumeric sender ID "GreeceGuide" through Twilio — typically a confirmation, a 24-hour reminder, and notices of changes or cancellation. Carrier charges may apply depending on your network and roaming status. To opt out of further SMS messages, reply STOP or email us. We will continue to send time-critical operational notices (cancellation, change) by another channel for the duration of an active Booking.
9.3 WhatsApp messages
We may send WhatsApp messages through Twilio's WhatsApp Business API where you have given us your number. The first message in a conversation is a pre-approved template; the WhatsApp client lets you block or report at any time. Opt out the same way as for SMS — reply STOP, block the number, or email us. WhatsApp itself processes message metadata under its own privacy policy.
9.4 Abandoned-booking reminder emails
If you enter your email address and start a booking on the Site but do not complete it, we may send you up to three reminder emails over the following week to give you a chance to finish. We only remind you about that specific booking — we do not use your email for general marketing without your separate consent. A notice next to the email field on the booking form tells you this at the moment we collect the address.
Legal basis: the ePrivacy "soft opt-in" for messages about a sale you began (Article 13(2) of Directive 2002/58/EC, as transposed into Cyprus law), combined with our legitimate interest under Article 6(1)(f) GDPR in completing a sale negotiation you started. You can opt out at any time using the unsubscribe link in every reminder email; we keep your address on a suppression list (§7) so the opt-out sticks.
10. Security
We protect personal data with measures appropriate to the risk, including:
At the application layer — TLS 1.2+ for all traffic, HTTPS strictly enforced; session cookies marked Secure, HttpOnly, and SameSite=Lax by default; CSRF protection on state-changing actions; protection against common web vulnerabilities (XSS, SQL injection, SSRF).
At the data layer — encryption at rest for the production Postgres database (Neon, EU region); encrypted daily backups; payment-card data never received by our servers; tokenisation of cancel-links, supplier-action links, and rebook links so URLs do not leak primary keys.
At the operations layer — role-based access control with least privilege; multi-factor authentication on admin Accounts and third-party dashboards; audit logging of sensitive operations (refunds, account changes, supplier changes, data exports); secrets stored in encrypted environment variables; regular dependency updates; regular review of access lists.
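The data-layer item above says cancel, supplier-action and rebook links are tokenised so URLs do not leak primary keys. As an added example, not the Site's own implementation, here is the shape of such a token store in Python: the link carries only a random token, the server keeps the token-to-booking mapping, and only a keyed hash of the token is stored so a leaked table cannot be turned into working links. The in-memory dictionary, the purpose names and the pepper length are this example's assumptions; a real deployment would back this with a database table.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class _TokenRow:
    booking_id: int
    purpose: str        # e.g. "cancel", "rebook", "supplier-action" (assumed names)
    expires_at: float   # Unix time
    used: bool = False


class ActionLinkStore:
    """Opaque, purpose-bound, expiring tokens for action links in emails.

    The URL never contains the booking's primary key. The table stores only
    HMAC(pepper, token): without the pepper, nobody who copies the table can
    reconstruct a link, and nobody who lacks the pepper can insert a row that
    will ever match a token. In-memory dict here (assumption); the real site
    would persist rows.
    """

    def __init__(self, pepper: bytes):
        if len(pepper) < 32:
            raise ValueError("pepper must be at least 32 bytes")
        self._pepper = pepper
        self._rows: Dict[str, _TokenRow] = {}

    def _key(self, token: str) -> str:
        return hmac.new(self._pepper, token.encode("ascii", "replace"), hashlib.sha256).hexdigest()

    def issue(self, booking_id: int, purpose: str, ttl_seconds: int,
              now: Optional[float] = None) -> str:
        """Mint a token for one booking and one purpose; return it for the link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 random bits, URL-safe
        self._rows[self._key(token)] = _TokenRow(booking_id, purpose, now + ttl_seconds)
        return token

    def redeem(self, token: str, purpose: str, now: Optional[float] = None,
               single_use: bool = True) -> Optional[int]:
        """Return the booking id if the token is valid for this purpose, else None.

        A cancel token presented on the rebook endpoint fails, an expired
        token fails, and a single-use token cannot be replayed.
        """
        now = time.time() if now is None else now
        row = self._rows.get(self._key(token))
        if row is None or row.purpose != purpose or row.used or row.expires_at <= now:
            return None
        if single_use:
            row.used = True
        return row.booking_id


def action_link(base_url: str, purpose: str, token: str) -> str:
    """Build the URL that goes into the email; only the token is visible."""
    return f"{base_url}/{purpose}/{token}"


if __name__ == "__main__":
    # Constructed demo: mint a 7-day cancel link for booking 4711 and redeem it once.
    store = ActionLinkStore(secrets.token_bytes(32))
    tok = store.issue(4711, "cancel", 7 * 86400)
    print(action_link("https://example.invalid", "cancel", tok))
    print(store.redeem(tok, "cancel"), store.redeem(tok, "cancel"))
```

Two properties matter for this control: the token is long enough that guessing is hopeless, and it is bound to a purpose and a lifetime, so a cancel link from a forwarded email cannot be reused on the supplier-action endpoint or months later.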
No system is perfectly secure. If we discover a personal-data breach likely to result in a risk to your rights, we will notify the supervisory authority within 72 hours of becoming aware, and where the breach is high-risk to you, notify you directly without undue delay.
If you discover a security issue with the Site, please report it to support@greeceactivityguide.com before disclosing it publicly. We will not pursue claims against good-faith security researchers who follow this responsible-disclosure approach.
11. Your rights
Under the GDPR you have the right to:
- Access — a copy of the personal data we hold about you.
- Rectification — correction of inaccurate or incomplete data.
- Erasure — deletion of your data where a GDPR ground applies. We cannot delete records we are legally required to keep (for example financial records during the 8-year retention window).
- Restriction — to ask us to suspend processing while a dispute is resolved.
- Portability — a copy of the data you provided, in a structured, machine-readable format.
- Objection — to object to processing based on legitimate interests, including direct marketing (we will stop processing for direct marketing in all cases).
- Withdraw consent — to withdraw any consent at any time, without affecting processing already carried out.
- Lodge a complaint with a supervisory authority. Our lead authority is the Office of the Commissioner for Personal Data Protection (Επίτροπος Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), Iasonos 1, 1082 Nicosia, Cyprus — dataprotection.gov.cy. You may also complain to the data-protection authority in your own country of residence.
11.1 Right to object — direct marketing
Article 21(2) GDPR gives you an absolute right to object to processing of your data for direct-marketing purposes. Where you exercise it, we will stop processing your data for direct marketing immediately and indefinitely, with no need to give a reason. The unsubscribe link in every marketing email is one way to exercise it; emailing us is another.
11.2 How to make a request
Email support@greeceactivityguide.com with enough detail for us to locate your data (your email address, booking reference, or Account email). We may need to verify your identity before responding. We respond within one month; complex or numerous requests may take up to three months in total, in which case we will tell you within the first month. There is no charge, except where requests are manifestly unfounded or excessive (Article 12(5) GDPR).
The data you submit when exercising a right (your message, proof of identity) is itself processed so we can fulfil the request and evidence our compliance — legal basis Article 6(1)(c) GDPR.
11.3 Automated processing in our fraud and payment checks
Some checks in our payment and fraud-prevention process are automated. Our payment processor, Stripe (including Stripe Radar), screens transactions for fraud, and a transaction assessed as high-risk may be automatically declined — which means a Booking may not complete.
If an automated decline affects you, you can ask us to review it, give us your point of view, and contest the outcome, by emailing support@greeceactivityguide.com. Apart from this fraud-screening, we do not make decisions that produce legal or similarly significant effects on you based solely on automated processing.
12. Third-party links and embedded content
Pages on the Site may link to, or embed content from, third-party services — for example map tiles, embedded videos, or links to Operator social-media profiles. Where third-party content is embedded, the third party may set its own cookies and collect technical data as soon as the content loads. We disclose this in the cookie banner and, where consent is required, load the embed only after you consent.
Following an external link takes you outside the Site. We are not responsible for the privacy practices of third-party sites — please read their own policies.
13. Children
The Service is intended for adults. We do not knowingly collect personal data of children except as part of a booking made by an accompanying adult (for example children's names — or, for manifest Tours, dates of birth and passport details — on a family Tour). We collect a child's data only where it is provided by and with the consent of a parent or guardian as part of their own booking. Children cannot create Accounts. If we discover we hold a child's data collected outside this case, or without valid parental consent, we will delete it — and if you believe that has happened, contact us.
14. Changes to this Policy
We may update this Policy from time to time. The current version is always at greeceactivityguide.com/privacy with the effective date at the top. Material changes will be notified to registered Account holders by email at least 14 days before they take effect.
This Policy is drafted in English. Any translation (including the Greek version) is provided for convenience only; if the versions diverge, the English version prevails.
15. Contact
Privacy questions or requests: support@greeceactivityguide.com
Postal: Vavyla 3, Block A, Flat/Office 204, Pera Chorio, 2572 Nicosia, Cyprus
We aim to acknowledge within 3 working days and resolve within the GDPR's one-month window (see §11.2). For reporting illegal content on the Site, see Terms of Service §16.