Privacy Notice

Data controller

The data controller is:

Contact details

Email: info@rhodesholidays.gr
Telephone: +30 2241 032055

For privacy-related requests, please contact us using the email above and include “Privacy Request” in the subject line.

Our website and the WebHotelier booking engine

Our website provides information about villas, services, offers, and ways to contact us.

When you browse our website, submit an enquiry, subscribe to our newsletter, contact us by email or WhatsApp, or interact with our analytics and cookie tools, we process that data as the data controller.

Bookings and payments are completed through the WebHotelier booking engine. WebHotelier operates the booking engine and related booking/payment infrastructure. When WebHotelier processes personal data on our behalf for reservations and booking management, it acts as our data processor.

When you proceed to the WebHotelier booking engine, additional privacy, payment, cookie, and technical terms from WebHotelier or its payment partners may also apply.

WebHotelier’s Data Protection Officer contact, where applicable, is: dpo@webhotelier.net.

Personal data we collect

We collect and process different categories of personal data depending on how you interact with us.

Website browsing and analytics data

When you visit our website, we may process:

• IP address;
• device type;
• browser type;
• operating system;
• pages viewed;
• referral source;
• approximate location based on device or IP data;
• cookie consent choices;
• analytics events, where analytics cookies are accepted.

Enquiry and contact data

When you contact us or submit an enquiry, we may process:

• full name;
• email address;
• telephone number;
• country of residence;
• message content;
• preferred travel dates;
• villa preferences;
• number of guests;
• special requests;
• communication history.

Newsletter and marketing data

When you subscribe to our newsletter or marketing updates, we may process:

• email address;
• subscription status;
• marketing consent;
• unsubscribe status;
• campaign interaction data, such as email opens or clicks, where available.

Booking and reservation data

When you make or manage a booking through the WebHotelier booking engine, we may process:

• full name;
• guest names;
• email address;
• telephone number;
• postal address;
• arrival and departure dates;
• villa or accommodation selected;
• number of guests;
• guest preferences;
• special requests;
• booking reference;
• booking status;
• cancellation or amendment history.

Payment and transaction data

Where payments are required, we may process:

• payment status;
• deposit and balance information;
• transaction references;
• invoicing details;
• refund details.

We do not normally store full card details. Card payments are processed through secure payment providers connected to the booking/payment process.

Communication data

We may process:

• emails;
• contact form messages;
• WhatsApp messages;
• telephone enquiry notes;
• guest support requests;
• concierge requests;
• complaints and feedback.

Third-party guest data

If you provide personal data about another guest, family member, friend, or traveller, you confirm that you have authority to provide that data and that you have made them aware of this Privacy Notice.

Sensitive personal data

We do not normally ask for sensitive personal data.

You should not send us sensitive personal data unless it is necessary for your stay or request.

Sensitive personal data includes information about health, disability, dietary requirements linked to religion or health, race or ethnic origin, political opinions, religious beliefs, biometric data, genetic data, trade union membership, or criminal records.

Where you voluntarily provide sensitive information, for example accessibility needs, health-related accommodation requests, or dietary requirements, we process it only where necessary to respond to your request, protect your wellbeing, or provide the requested service.

Children

Our website and booking services are not directed at children.

Bookings must be made by adults. If you provide personal data about children travelling with you, we process that data only as needed to manage the booking, provide the accommodation, meet guest safety needs, or comply with legal obligations.

How we collect personal data

We collect personal data when:

• you browse our website;
• you accept or reject analytics cookies;
• you submit an enquiry form;
• you contact us by email, telephone, WhatsApp, form, or social media;
• you subscribe to our newsletter;
• you make, amend, or cancel a booking through the booking engine;
• you make a payment;
• you request concierge or additional services;
• you leave feedback or a review.

We may also receive personal data from:

• WebHotelier;
• payment providers;
• booking platforms;
• travel agents;
• property owners;
• service providers;
• analytics providers;
• guests who book on behalf of others.

Why we process personal data

We process personal data for the following purposes.

Website operation

• to operate and secure our website;
• to display villa information, availability links, offers, and service information;
• to manage website forms;
• to maintain website performance;
• to record cookie choices.

Enquiries and guest communications

• to respond to enquiries;
• to provide availability information;
• to answer questions;
• to send requested information;
• to manage guest communications.

Newsletter and marketing

• to send newsletters, offers, promotions, and property updates where we have a lawful basis;
• to manage subscription preferences;
• to record unsubscribe requests;
• to measure campaign performance.

Analytics and website improvement

• to understand how visitors find and use our website;
• to measure page performance;
• to improve the website and booking journey;
• to assess which villas, services, and pages receive attention.

Analytics cookies are used only where consent is required and has been given.

Booking and reservation management

• to process bookings;
• to confirm availability;
• to manage reservations;
• to amend or cancel reservations;
• to send booking confirmations;
• to provide check-in and arrival information.

Guest service and accommodation delivery

• to prepare the accommodation;
• to manage guest requests;
• to arrange guest support;
• to provide concierge services;
• to coordinate transfers, car hire, private chef, grocery delivery, yacht cruises, or other guest services where requested.

Payments and financial administration

• to process deposits, balances, refunds, and payments;
• to issue invoices or receipts;
• to keep accounting records;
• to prevent payment fraud.

Legal and regulatory compliance

• to comply with Greek tax, accounting, tourism, hospitality, consumer protection, and data protection laws;
• to respond to lawful requests from public authorities;
• to maintain legally required records.

Security and fraud prevention

• to protect our website, systems, guests, staff, owners, and business;
• to detect misuse, fraud, or unauthorised access;
• to manage complaints, disputes, and legal claims.

Legal basis for processing

We process personal data under the following legal bases.

Contract

We process personal data where necessary to take steps before entering into a booking contract, manage your reservation, provide accommodation, process payments, handle amendments, and deliver requested services.

Legal obligation

We process personal data where required by Greek, EU, tax, accounting, hospitality, tourism, consumer protection, anti-fraud, and data protection laws.

Legitimate interests

We process personal data where necessary for our legitimate business interests, provided your rights and freedoms do not override those interests.

Our legitimate interests include:

• running and improving our website;
• responding to enquiries;
• managing guest relationships;
• securing our systems;
• preventing fraud;
• maintaining business records;
• dealing with complaints and claims;
• measuring non-consent-based operational performance.

Consent

We rely on consent where required, including for:

• newsletter and direct marketing emails where consent is required;
• analytics cookies;
• optional tracking technologies;
• processing sensitive personal data where explicit consent is required;
• optional guest services where consent is the appropriate basis.

You may withdraw consent at any time. Withdrawal does not affect processing already carried out before consent was withdrawn.

Marketing communications

We send marketing communications only where we have a lawful basis to do so.

If you subscribe to our newsletter, we use your email address to send occasional updates, offers, and property news.

You may unsubscribe at any time by:

• clicking the unsubscribe link in our emails;
• contacting us at info@rhodesholidays.gr.

After you unsubscribe, we keep limited data to ensure we respect your marketing preferences.

Cookies and analytics

Our website uses cookies and similar technologies.

Some cookies are strictly necessary for the website or internal staff features to work. These cookies do not require consent.

We use Google Analytics to understand how visitors find and use the website. Google Analytics cookies are only set where you accept analytics cookies through our cookie consent tool.

According to our current Cookies page, our website does not use advertising, marketing, or social media tracking cookies. We do not build advertising profiles about you, and we do not share your browsing data with third parties for their own marketing.

Bookings are completed through the WebHotelier booking engine. When you proceed to the booking engine, WebHotelier and its partners may use their own cookies and similar technologies under their own cookie rules.

For more information, please read our Cookies page.

Sharing personal data

We may share personal data with:

• WebHotelier, for booking engine, reservation, and booking/payment processing;
• payment providers;
• website hosting providers;
• IT and security providers;
• email and communication platforms;
• newsletter and marketing platforms;
• analytics providers;
• accounting and tax advisers;
• legal advisers;
• property owners, where needed for booking or accommodation management;
• cleaning, maintenance, transfer, concierge, and guest service partners;
• public authorities, where legally required;
• courts, regulators, or law enforcement bodies, where required or permitted by law.

We require service providers acting as processors to protect personal data and process it only under our instructions.

International transfers of personal data

Some of our service providers and sub-processors process or store personal data outside the European Economic Area.

Where personal data is transferred outside the EEA, we ensure that the transfer is made only where permitted under Chapter V of the GDPR.

This includes, where applicable:

• transfers to countries covered by a European Commission adequacy decision;
• transfers to US organisations certified under the EU-US Data Privacy Framework;
• the use of the European Commission’s Standard Contractual Clauses;
• additional contractual, technical, and organisational safeguards where required.

Our service providers may include cloud hosting, booking, payment, analytics, email, and communication providers. Where US-based providers process personal data, we rely on the appropriate transfer safeguards available at the time of transfer, including the EU-US Data Privacy Framework where applicable, Standard Contractual Clauses, and provider data processing terms.

We do not rely on the invalidated EU-US Privacy Shield framework.

Data security

We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, disclosure, or destruction.

These measures include, where appropriate:

• secure hosting;
• access controls;
• encryption;
• restricted staff access;
• processor contracts;
• payment security controls;
• monitoring and system protection;
• internal policies and procedures.

No online system is completely risk-free, but we take reasonable steps to protect personal data.

Data retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Notice.

Retention periods depend on:

• the nature of the data;
• the purpose of processing;
• legal, accounting, and tax obligations;
• whether a booking or guest relationship is ongoing;
• whether there is a complaint, dispute, or legal claim;
• whether consent has been withdrawn.

Examples:

• enquiry records are kept for a reasonable period after the enquiry is resolved;
• newsletter records are kept until you unsubscribe or withdraw consent, plus a limited suppression record;
• booking records are kept for as long as needed to manage the booking and meet legal, tax, accounting, and dispute-related requirements;
• payment and invoice records are kept for the period required by applicable law;
• analytics data is kept according to the settings of the relevant analytics tools and your cookie choices;
• cookie consent records are kept for a reasonable period to evidence your preferences.

Your rights

Subject to the GDPR and applicable law, you have the right to:

• request access to your personal data;
• request correction of inaccurate or incomplete data;
• request deletion of your personal data;
• object to processing based on legitimate interests;
• request restriction of processing;
• request data portability;
• withdraw consent at any time where processing is based on consent;
• object to direct marketing;
• lodge a complaint with a supervisory authority.

To exercise your rights, contact us at info@rhodesholidays.gr. Please include “Privacy Request” in the subject line.

We may need to verify your identity before responding.

Complaints

You should contact us first if you have a concern about how we process your personal data.

You also have the right to lodge a complaint with the Hellenic Data Protection Authority.

Telephone: +30 210 6475600
Email: contact@dpa.gr
Website: www.dpa.gr

Third-party websites and booking platforms

Our website may link to third-party websites, including the WebHotelier booking engine, payment pages, social media pages, maps, review platforms, and partner services.

We are not responsible for the privacy practices of third-party websites or platforms where they act as separate controllers. You should read their privacy notices before submitting personal data to them.

Changes to this Privacy Notice

We update this Privacy Notice from time to time.

When we make material changes, we update the “Last updated” date and, where appropriate, notify users through the website or other suitable means.

Contact

For questions about this Privacy Notice or your personal data, contact:

Email: info@rhodesholidays.gr
Telephone: +30 2241 032055