Last updated: [DD Month YYYY]
Company: [Company Legal Name] (“we”, “us”, “our”)
Trading as: [Brand/Trading Name – e.g., tftales]
Registered address: [Address, City, Country]
VAT/Tax ID: [Number] • Tourism License: [No]
Email: [privacy@yourdomain] • Phone: [number]
We respect your privacy. This Policy explains how we collect, use, share, secure, and store your personal data in line with GDPR (EU/EEA) and Greek law.
1) Who is the Data Controller?
[Company Legal Name], [Address].
Contact for privacy matters: [privacy@yourdomain].
If you appoint a Data Protection Officer (DPO), add: DPO: [Name], [Email].
2) What data we collect
We only collect what’s necessary for bookings, payments, and running our services.
a) You provide directly
- Identity & contact: name, email, phone, country, billing details, passport/ID names for ticketing.
- Booking & preferences: dates, participants, dietary needs, allergies, mobility needs, rooming, age ranges.
- Communications: emails, forms, chat messages, reviews, support requests.
- Marketing choices: newsletter opt-ins, consent preferences.
b) Collected automatically
- Device/usage data: IP address, device type, browser, pages visited, timestamps, referral URLs.
- Cookies & similar tech (see §8).
c) From third parties (when needed)
- Payment providers (payment status, last 4 digits/brand—no full card data).
- Travel partners (ticketing confirmations, pickup details).
- Analytics/ads tools (aggregated performance/attribution).
3) Purposes & Legal Bases
We process data only when lawful:
| Purpose | Examples | Legal Basis |
|---|---|---|
| Booking & service delivery | create/manage bookings, issue vouchers/tickets, customer support | Contract (GDPR Art. 6(1)(b)) |
| Payments & invoicing | process payments, refunds, anti-fraud checks | Contract; Legal obligation |
| Personalisation & safety | dietary/allergy/mobility arrangements; age checks for alcohol | Vital interests; Legitimate interests; Consent (for sensitive details) |
| Communication | pre-trip info, changes, cancellations | Contract; Legitimate interests |
| Marketing | newsletters, offers | Consent (opt-in) |
| Analytics & site security | performance, error logs, DDoS/abuse prevention | Legitimate interests |
| Legal & compliance | accounting, tax, regulator requests | Legal obligation |
Special categories (e.g., allergies): we process only if you voluntarily provide them and only to deliver the service, based on your explicit consent (you may withdraw any time—see §11).
4) Do we share your data?
Only when necessary, with:
- Service providers / processors: hosting, CRM, email/SMS tools, analytics, payment gateways, IT support.
- Travel suppliers / partners: hotels, guides, restaurants, transport, activity providers—to fulfil your booking.
- Authorities/insurers: where required by law or for claims.
- Business transfers: if we reorganize, merge, or sell parts of our business.
We require processors to protect your data under GDPR-compliant contracts.
5) International transfers
Some providers may process data outside the EEA. When they do, we use adequate safeguards (e.g., EU Commission Adequacy Decisions or Standard Contractual Clauses) and assess risk where relevant. Ask us for a copy of applicable safeguards.
6) How long we keep data (Retention)
We keep data only as long as needed:
- Booking/financial records: up to 10 years (tax/accounting rules).
- Support emails & forms: typically 2–3 years.
- Marketing data: until you unsubscribe or withdraw consent.
- Cookies: see §8.
We will securely delete/anonymize data once retention ends.
7) Children
Our services are for adults. If a booking includes minors, a parent/guardian must provide any necessary data and consents. Contact us if you believe a child’s data was provided without consent.
8) Cookies & similar technologies
We use cookies to run the site, remember choices, improve performance, and measure marketing.
Types of cookies
- Strictly necessary (essential; cannot be turned off).
- Performance/analytics (e.g., page usage).
- Functional (preferences).
- Advertising/retargeting (only with consent).
You can manage cookies via our Cookie Banner and your browser settings. For analytics/ads, we respect your consent choices.
Example tools you might use (edit to match your setup):
Google Analytics, Google reCAPTCHA, Meta Pixel, WP Travel / WooCommerce cookies, Stripe/PayPal checkout cookies, WPForms/Contact Form 7.
9) Payments
We do not store full card details. Payments are processed by [Stripe/PayPal/Bank] acting as an independent controller/processor under their own privacy terms. We receive a token/confirmation and partial card info for receipts and fraud prevention.
10) Your rights (EU/EEA)
You have the right to:
- Access your data and get a copy.
- Rectify inaccurate or incomplete data.
- Erase data (“right to be forgotten”) where applicable.
- Restrict processing in certain cases.
- Object to processing based on legitimate interests or direct marketing.
- Receive your data in a portable form (structured, commonly used, machine-readable format).
- Withdraw consent at any time (doesn’t affect past lawful processing).
- Lodge a complaint with a Supervisory Authority.
How to exercise these rights: email [privacy@yourdomain]. We may need to verify your identity.
Greek Supervisory Authority:
Hellenic Data Protection Authority (HDPA) – Kifisias 1-3, 115 23 Athens, Greece – www.dpa.gr – contact@dpa.gr – Tel. +30 210 6475600.
11) Marketing communications
We send marketing only with your consent or as allowed by law. You can unsubscribe anytime via the email footer or by contacting us. We do not sell your personal data.
12) Profiling & automated decisions
We do not make decisions producing legal or similarly significant effects solely by automated means. We may segment audiences for marketing (e.g., “food tours in Athens”) based on your interactions, only with consent where required.
13) Security
We use appropriate technical and organizational measures (TLS encryption, access controls, least-privilege accounts, backups, staff training). No method is 100% secure; we monitor and improve continuously.
14) Third-party links
Our site may link to third-party websites. Their privacy practices are their own; please review their policies.
15) Changes to this Policy
We may update this Policy to reflect changes in our services or the law. We’ll post the new version with a new “Last updated” date and, where appropriate, notify you.
16) Contact us
Questions or requests about privacy: [privacy@yourdomain]
Postal: [Company Legal Name], [Address, City, Country]