Privacy Policy

Last updated: September 2, 2025

1) Who we are (Controller)
– Website: https://rastoniskiathos.gr/
– Controller: Rastoni Apartments (“we”, “us”, “our”)
– Address: Skiathos, Troulos, Greece
– Email: rastoniskiathos@gmail.com
– Phone: +30 698 7034573
– Data Protection Officer (DPO): Not applicable
– EU/UK Representative: Not applicable (established in the EU)

2) Scope
This Policy explains how we process personal data when you use our website, submit the contact form, or otherwise interact with us online. It does not cover third‑party websites or services we link to (e.g., external booking platforms). Their privacy policies apply to their services.

3) What data we collect
– Data you provide (contact form)
  – Name, email, and message content
  – Optional: phone number, booking dates, party size, preferences (only if you choose to include them)
  – Please avoid sharing sensitive data (e.g., health, religion, political opinions).

– Usability/analytics and technical data
  – Usage: pages viewed, clicks, scroll depth, time on page, referring URL
  – Technical: browser, OS, screen size, approximate location derived from IP
  – Server logs (security/diagnostics): IP address and user agent, kept in transient logs to maintain security and troubleshoot problems
  – Analytics solution: configured for privacy (see Section 6). We do not use advertising, behavioral profiling, or cross‑site tracking.

– Data we do NOT collect on this website
  – Payment/financial data (no payments are taken on the site)
  – Special category data (we do not intentionally collect it; please do not include it in your message)

4) Why we process data and legal bases (GDPR)
– Respond to inquiries and manage pre‑booking communications
  – Data: name, email, message, optional phone/booking details
  – Legal basis: Contract (Art. 6(1)(b)), to take steps at your request before entering into a booking; and/or Legitimate interests (Art. 6(1)(f)) in handling inquiries; or Consent (Art. 6(1)(a)) where you have explicitly consented.

– Provide and secure the website (hosting, security, fraud prevention, diagnostics)
  – Data: server logs (IP, user agent), technical diagnostics
  – Legal basis: Legitimate interests (Art. 6(1)(f)) in ensuring security and service integrity; Legal obligation (Art. 6(1)(c)) where applicable.

– Usability analytics to improve the site (no ads, no cross‑site tracking)
  – Data: usage and technical metrics, with privacy safeguards (see Section 6)
  – Legal basis: Legitimate interests (Art. 6(1)(f)) while analytics is cookieless and used strictly for audience measurement; or Consent (Art. 6(1)(a)) if any non‑essential cookies or similar technologies are used, as required by ePrivacy rules. We default to a cookieless configuration.

– Search performance insights (Google Search Console)
  – Data: aggregated search and site performance reports provided by Google; Search Console does not place cookies on visitors to our site
  – Legal basis: Legitimate interests (Art. 6(1)(f)) in optimizing search visibility and fixing issues

5) Recipients (who we share data with)
We do not sell your personal data. We share data only with:
– Service providers (processors) acting under contract and confidentiality obligations, solely on our instructions:
  – Hosting/CDN: [Your hosting provider]
  – Email delivery/SMTP or contact‑form mailer: [Provider, if used]
  – Privacy‑friendly analytics: AnalyticsWP (see Section 6)
– Authorities or other legal recipients, where required by law or to protect legal rights.
– Successors in a business transfer (e.g., reorganization or merger), subject to confidentiality and appropriate safeguards.

6) Cookies, analytics, and measurement
– Our default analytics configuration is privacy‑preserving and cookieless:
  – Analytics provider: AnalyticsWP (configured per its GDPR guidance)
  – Measurement is for aggregated audience insights only: no advertising features, no cross‑site tracking, no fingerprinting, and IP addresses are anonymized/truncated or not retained in identifiable form.
  – Result: no non‑essential analytics cookies are set, so we do not ask for consent via a banner for this measurement.
– Strictly necessary cookies (if any) are used only to operate the site and do not require consent.
– If we ever introduce non‑essential cookies or similar technologies, we will:
  – Present a consent banner to visitors in the EEA/UK before activating them
  – Provide “Cookie Settings” so you can change or withdraw consent at any time
  – Update this Policy with cookie names, purposes, and durations

7) Google Search Console
– We use Google Search Console to monitor search performance, indexing status, and site errors. It does not place cookies on visitors to our site and provides aggregated reports.
– Google acts as an independent controller for data processed within its services. For details, please refer to Google’s privacy documentation and terms. You may also manage your Google account privacy settings directly with Google.

8) International transfers
If personal data is transferred outside the EEA/UK, we implement appropriate safeguards:
– Adequacy decisions where available; and/or
– Standard Contractual Clauses (SCCs) plus supplementary measures as needed.
You can request information on the applicable safeguards via our contact details.

9) Retention periods
– Contact form inquiries: up to 12 months after last interaction, unless needed longer for ongoing communications, disputes, or legal obligations.
– Analytics metrics: stored in aggregated or pseudonymized form per our configuration (e.g., 14–26 months or less).
– Server logs (security/diagnostics): typically 30–180 days unless required longer for investigations.
After these periods, we delete or irreversibly anonymize data.

10) Your rights (EEA/UK)
Subject to conditions and local law, you have the right to:
– Access your personal data (Art. 15)
– Rectify inaccurate data (Art. 16)
– Erase data (“right to be forgotten”) (Art. 17)
– Restrict processing (Art. 18)
– Data portability (Art. 20)
– Object to processing based on legitimate interests (Art. 21), including measurement analytics
– Withdraw consent at any time where processing is based on consent (Art. 7(3)); withdrawal does not affect prior lawful processing

How to exercise your rights
– Email: rastoniskiathos@gmail.com
– We respond within one month (extendable by two months for complex requests, with notice). We may need to verify your identity.

Supervisory authority
– You have the right to lodge a complaint with a supervisory authority. In Greece: Hellenic Data Protection Authority (HDPA) – www.dpa.gr.

11) Is data provision required?
– Contact form: providing your name and email is necessary for us to respond. Without them, we cannot process your inquiry.
– Analytics: entirely optional; our default configuration is cookieless and privacy‑preserving. You can also block any cookies via your browser.

12) Security
We implement appropriate technical and organizational measures, including:
– TLS/HTTPS encryption in transit
– Access controls and least‑privilege
– Patching and vulnerability management
– Processor due diligence and confidentiality commitments
– Encrypted backups (where applicable)
No method is 100% secure; we regularly review and improve safeguards.

13) Automated decision‑making and profiling
We do not perform automated decision‑making producing legal or similarly significant effects, and we do not profile individuals.

14) Sources of data
– Directly from you (through the contact form)
– Automatically from your device during site use (technical and usage telemetry)
– From our service providers operating on our behalf (aggregated analytics metrics)
– From Google (aggregated Search Console reports as an independent service)

15) Third‑party links
Our site may include links to third‑party websites or booking services. Their privacy practices are governed by their own policies. We encourage you to review those before providing personal data.

16) Changes to this Policy
We may update this Policy. The “Last updated” date shows the latest version. Material changes will be highlighted on this page, and where required, we will seek your consent again (e.g., for new cookies).

17) Contact
– Controller: Rastoni Apartments
– Address: Skiathos, Troulos, Greece
– Email: rastoniskiathos@gmail.com
– Phone: +30 698 7034573

Purpose–basis–retention summary (quick view)
– Respond to inquiries: Contract/Legitimate interests; data = name, email, message (+ optional phone/booking details); retention up to 12 months after last interaction
– Provide and secure website: Legitimate interests/Legal obligation; data = server logs (IP, user agent), diagnostics; retention 30–180 days
– Usability analytics: Legitimate interests (cookieless) or Consent if cookies are introduced; data = aggregated usage/technical metrics; retention 14–26 months (or less)
– Search performance (Google Search Console): Legitimate interests; data = aggregated search performance reports; retention per Google’s systems

Summary
– We collect only contact form details and privacy‑friendly, cookieless analytics; no payments are processed on the site.
– This Policy sets out our legal bases, recipients, international transfers, retention periods, your rights, and our security measures, as required by GDPR transparency rules.
– Should we add non‑essential cookies in future, we will show a consent banner first and update Section 6 with the cookie names, purposes, and durations.