
Privacy Policy

Compliant with the EU General Data Protection Regulation (EU) 2016/679, Greek Law 4624/2019, the ePrivacy Directive (2002/58/EC), Greek Law 3471/2006, and all applicable EU and Greek data protection legislation.

Effective Date: 14 March 2026 · Last Updated: 14 March 2026 · Version: 1.0

1. Introduction and Data Controller

This Privacy Policy explains how Aurea Mare (the "Property," "we," "us," or "our") collects, uses, stores, protects, and shares personal data when you visit our website at www.aureamaresuites.gr (the "Website"), communicate with us, or make a reservation to stay at our suites in Chrysi Ammoudia (Golden Beach), Thassos 640 04, Greece.

We are committed to protecting your privacy and processing your personal data in full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Greek implementing legislation under Law 4624/2019, the ePrivacy Directive as transposed by Greek Law 3471/2006, and all other applicable European Union and Greek data protection laws and regulations.

1.1 Data Controller Identity

Controller: Aurea Mare

Address: Chrysi Ammoudia (Golden Beach), Thassos 640 04, Greece

Email: aureamaresuites@gmail.com

Telephone: +30 697 351 8908

Website: www.aureamaresuites.gr

For any data protection inquiries, including requests to exercise your rights under this policy, please contact us using the details above. We will respond to all privacy-related communications within the timeframes required by applicable law.

2. Scope of This Policy

This Privacy Policy applies to all personal data processing activities carried out through or in connection with:

  • Your visits to and use of our Website, including all pages and subdomains
  • Submission of reservation requests via our online forms
  • Communications via email, telephone, or WhatsApp
  • Your stay at any Aurea Mare suite, including check-in and on-site interactions
  • Any other interaction with Aurea Mare in which personal data is provided to us

3. Categories of Personal Data We Collect

We collect and process the following categories of personal data. We adhere strictly to the data minimisation principle under Article 5(1)(c) GDPR and collect only what is necessary for the specific purposes outlined in Section 4.

3.1 Data You Provide Directly

| Category | Specific Data Elements | Source |
|---|---|---|
| Identity Data | Full name | Reservation form, email, WhatsApp, phone |
| Contact Data | Email address, phone number (including WhatsApp number) | Reservation form, direct communication |
| Reservation Data | Suite preference, arrival and departure dates, number of adults and children, special requests or notes | Reservation form on the Website |
| Communication Data | Content of messages, emails, and WhatsApp conversations with us | Email, WhatsApp, phone calls |
| Payment Data | Bank transfer details or other payment information (collected only during booking confirmation, not via the Website) | Direct communication (email or WhatsApp) |
| Guest Registration Data | Passport or ID details, nationality, date of birth (collected at check-in as required by Greek law) | Check-in process |

3.2 Data Collected Automatically

| Category | Specific Data Elements | Collection Method |
|---|---|---|
| Technical Data | IP address, browser type and version, operating system, device type, screen resolution | Server logs, Webflow hosting |
| Usage Data | Pages visited, time spent on pages, click patterns, referring URL, exit pages | Webflow analytics, cookies |
| Cookie Data | Session identifiers, preferences, consent choices | Cookies and similar technologies (see Section 8) |

3.3 Children's Data

Our Website and services are not directed at children under the age of 15 (the minimum age for independent consent to information society services in Greece under Law 4624/2019, Article 21). We do not knowingly collect personal data from children under 15 without verifiable parental or guardian consent. The "Children" field in our reservation form refers to the number of minor guests accompanying an adult, and we do not collect names or personal data of children through this field. If we learn that we have inadvertently collected personal data from a child under 15 without proper consent, we will promptly delete it.

4. Purposes and Legal Bases for Processing

Under Article 6 GDPR, we process personal data only when we have a valid legal basis. The following table details each processing purpose, the data involved, and the legal basis relied upon.

| Purpose | Data Used | Legal Basis (Article 6 GDPR) |
|---|---|---|
| Processing and managing reservation requests | Identity, Contact, Reservation Data | Article 6(1)(b): Performance of a contract or pre-contractual steps at your request |
| Confirming bookings and coordinating your stay (including pre-arrival information) | Identity, Contact, Reservation, Communication Data | Article 6(1)(b): Performance of a contract |
| Processing payments and issuing invoices or receipts | Identity, Contact, Payment Data | Article 6(1)(b): Performance of a contract; Article 6(1)(c): Legal obligation (Greek tax law) |
| Fulfilling guest registration requirements under Greek hospitality law | Identity, Guest Registration Data (ID/passport, nationality, date of birth) | Article 6(1)(c): Legal obligation (Greek Law 4179/2013; Police Decree 8/2012) |
| Responding to inquiries via email, phone, or WhatsApp | Identity, Contact, Communication Data | Article 6(1)(f): Legitimate interest in providing customer service |
| Maintaining and improving our Website, ensuring security, and preventing fraud | Technical Data, Usage Data | Article 6(1)(f): Legitimate interest in website security and improvement |
| Complying with legal obligations (tax records, accounting, regulatory requirements) | Identity, Contact, Payment, Reservation Data | Article 6(1)(c): Legal obligation under Greek and EU law |
| Establishing, exercising, or defending legal claims | All categories as relevant | Article 6(1)(f): Legitimate interest in legal protection |
| Sending marketing communications (only with your prior explicit consent) | Identity, Contact Data | Article 6(1)(a): Consent (which may be withdrawn at any time) |

Where we rely on legitimate interests (Article 6(1)(f)), we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may contact us at any time to request details of these assessments.

5. Data Sharing and Recipients

We do not sell, rent, or trade your personal data. We share personal data only with the following categories of recipients, and only to the extent necessary for the purposes described in this policy.

| Recipient | Purpose | Safeguards |
|---|---|---|
| Webflow, Inc. (USA), Website Hosting Platform | Website hosting, content delivery, form submission processing | EU Standard Contractual Clauses (SCCs) per Commission Implementing Decision (EU) 2021/914; Webflow's Data Processing Agreement |
| Meta Platforms Ireland Ltd (WhatsApp), Communication Platform | Processing WhatsApp messages for reservations and guest communication | WhatsApp's Terms of Service and Privacy Policy; end-to-end encryption; EU-US Data Privacy Framework |
| Google LLC / Google Ireland Ltd, Maps and Navigation | Providing Google Maps link for directions to the property | Google's Privacy Policy and Terms; EU-US Data Privacy Framework; data processing only upon user click-through |
| Apple Inc., Maps and Navigation | Providing Apple Maps link for directions to the property | Apple's Privacy Policy; data processing only upon user click-through |
| Greek Police Authorities | Mandatory guest registration and reporting under Greek hospitality legislation | Legal obligation; data shared strictly as required by law |
| Greek Tax Authorities (AADE) | Tax compliance, invoice reporting, myDATA platform obligations | Legal obligation under Greek tax legislation |
| Payment service providers (bank) | Processing bank transfers for booking payments | Banking secrecy obligations; contractual safeguards |
| Professional advisors | Legal, accounting, or audit services as needed | Professional confidentiality obligations; Data Processing Agreements where applicable |

6. International Data Transfers

Some of our service providers (specifically Webflow, Inc. and, where applicable, Meta Platforms, Inc. and Google LLC) are established in the United States. When your personal data is transferred outside the European Economic Area (EEA), we ensure that adequate safeguards are in place as required by Chapter V of the GDPR, including:

  • EU Standard Contractual Clauses (SCCs) adopted by the European Commission under Implementing Decision (EU) 2021/914, supplemented by additional technical and organisational measures where necessary following a Transfer Impact Assessment
  • Adequacy decisions, including the EU-US Data Privacy Framework (DPF) as validated by the General Court of the EU on 3 September 2025, for recipients certified under the DPF
  • Binding Corporate Rules where applicable

You may request a copy of the relevant safeguards by contacting us using the details in Section 1.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The specific retention periods are:

| Data Category | Retention Period | Basis |
|---|---|---|
| Reservation and booking data | 5 years from the end of your stay | Greek tax and accounting obligations (Greek Tax Code, Article 13) |
| Guest registration data (ID/passport details) | Duration required by Greek police authorities; typically submitted and not retained beyond check-out unless required by law | Greek Law 4179/2013; Police Decree 8/2012 |
| Payment and invoice records | 10 years from the fiscal year of the transaction | Greek tax legislation (Presidential Decree 186/1992 as amended) |
| Communication records (emails, WhatsApp messages) | 3 years from the last communication, unless related to an active booking or legal dispute | Legitimate interest in service quality and legal protection |
| Website technical and usage data | 12 months from collection | Legitimate interest in website security and improvement |
| Cookie consent records | 3 years from the date consent was given or modified | Accountability obligation under Article 5(2) GDPR |
| Marketing consent records | Duration of consent plus 3 years after withdrawal | Accountability obligation under Article 5(2) GDPR |

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised. Where data must be retained for legal proceedings, the retention period is extended until the resolution of the matter plus any applicable limitation period.

8. Cookies and Similar Technologies

Our Website uses cookies and similar technologies. This section provides an overview; for full details please also refer to our separate Cookie Policy.

8.1 What Are Cookies

Cookies are small text files placed on your device when you visit a website. They serve various functions such as enabling the website to work correctly, remembering your preferences, and collecting analytical data.

8.2 Categories of Cookies We Use

| Category | Purpose | Legal Basis | Consent Required |
|---|---|---|---|
| Strictly Necessary | Essential for the Website to function (e.g., security, form submissions, load balancing) | Article 6(1)(f) GDPR; exempt under ePrivacy Directive Article 5(3) | No |
| Analytical / Performance | Help us understand how visitors use the Website (e.g., pages visited, bounce rate) | Article 6(1)(a) GDPR: Consent | Yes |
| Functional | Remember your preferences (e.g., language, region) | Article 6(1)(a) GDPR: Consent | Yes |

8.3 Webflow Hosting Cookies

Our Website is hosted on Webflow. Webflow may set cookies that are strictly necessary for the delivery and security of the Website. These cookies do not track you across other websites and are essential for the functioning of the platform.

8.4 Managing Cookies

When you first visit our Website, a cookie consent banner will be presented, allowing you to accept or reject non-essential cookies before they are placed on your device. You may change your preferences at any time through the cookie settings accessible in the Website footer. You may also control cookies through your browser settings. Please note that disabling strictly necessary cookies may affect the functionality of the Website.

We do not use "dark patterns" in our cookie consent interfaces. The option to reject non-essential cookies is presented with equal prominence to the option to accept them, in compliance with GDPR enforcement guidance and EDPB recommendations.

9. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR and Greek Law 4624/2019. These rights apply to all personal data we hold about you and can be exercised free of charge.

| Right | Description |
|---|---|
| Right of Access (Article 15) | You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data together with information about the processing. |
| Right to Rectification (Article 16) | You have the right to request correction of inaccurate personal data or completion of incomplete data without undue delay. |
| Right to Erasure (Article 17) | You have the right to request deletion of your personal data where it is no longer necessary for its original purpose, where you withdraw consent, or where there is no overriding legitimate ground for processing. This right does not apply where retention is required by law. |
| Right to Restriction of Processing (Article 18) | You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of data or object to processing pending verification. |
| Right to Data Portability (Article 20) | You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract and carried out by automated means. |
| Right to Object (Article 21) | You have the right to object to processing based on legitimate interests (including profiling). We will cease processing unless we demonstrate compelling legitimate grounds. You have an absolute right to object to direct marketing at any time. |
| Right to Withdraw Consent (Article 7(3)) | Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. |
| Right Not to Be Subject to Automated Decision-Making (Article 22) | You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant effects. We do not currently engage in such automated decision-making. |
| Right to Lodge a Complaint | You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) or any other competent EU supervisory authority. |

9.1 How to Exercise Your Rights

To exercise any of the above rights, please contact us at aureamaresuites@gmail.com or by post at our registered address. We will verify your identity before processing your request. We will respond within one (1) month of receiving your request. If the request is complex or we receive a high volume of requests, this period may be extended by a further two (2) months, in which case we will inform you of the extension and the reasons for it within the initial one-month period.

9.2 Hellenic Data Protection Authority

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):

Authority: Hellenic Data Protection Authority (HDPA)

Address: Kifissias 1-3, 115 23 Athens, Greece

Telephone: +30 210 647 5600

Email: contact@dpa.gr

Website: www.dpa.gr

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Article 32 GDPR. These measures include, but are not limited to:

  • SSL/TLS encryption (HTTPS) for all data transmitted between your browser and our Website
  • Access controls limiting data access to authorised personnel only, on a need-to-know basis
  • Secure hosting through Webflow's infrastructure, which includes DDoS protection, automated backups, and SOC 2 Type II compliance
  • Regular review and assessment of security measures to ensure ongoing effectiveness
  • End-to-end encryption for WhatsApp communications
  • Confidentiality agreements with all staff and third-party service providers who handle personal data

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Hellenic Data Protection Authority within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34 GDPR.

11. Third-Party Links and Services

Our Website contains links to third-party websites and services, including but not limited to WhatsApp (wa.me), Google Maps, and Apple Maps. When you click on these links, you leave our Website, and the third party's privacy policy governs the processing of your data from that point. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party service before providing personal data.

12. WhatsApp Communication

We offer WhatsApp as a communication channel for reservations and guest support. By initiating a WhatsApp conversation with us at +30 697 351 8908, you share your WhatsApp phone number and profile information with us and with Meta Platforms Ireland Limited (the provider of WhatsApp in the EEA). WhatsApp messages are end-to-end encrypted.

Please note that Meta Platforms processes certain metadata (such as timestamps, frequency of communication, and phone numbers) in accordance with its own privacy policy. We encourage you to review WhatsApp's Privacy Policy for full details on how Meta processes your data.

If you prefer not to use WhatsApp, you may always contact us by email at aureamaresuites@gmail.com or by phone at +30 697 351 8908.

13. Automated Decision-Making and Profiling

We do not engage in any automated decision-making or profiling that produces legal effects or similarly significant effects concerning you, as described in Article 22 GDPR. All reservation decisions and guest communications are handled by our staff.

14. Data Protection by Design and by Default

In compliance with Article 25 GDPR, we implement data protection by design and by default in all our processing activities. This means:

  • We collect only the minimum personal data necessary for each specific purpose
  • Our reservation form marks only essential fields as mandatory; optional fields are clearly indicated
  • Non-essential cookies are not loaded until you provide explicit consent
  • We regularly review our data processing activities and update our practices as regulations evolve

15. Limitations on Processor Liability

The Agency responsible for the design and technical maintenance of this Website acts strictly as a data processor under a Data Processing Agreement compliant with Article 28 GDPR. The Agency:

  1. processes personal data exclusively under the documented instructions of Aurea Mare as Data Controller;
  2. does not determine the purposes or means of personal data processing;
  3. has no independent access to, use of, or responsibility for personal data submitted by visitors or guests, except as necessary to fulfil its contractual maintenance and support obligations;
  4. is bound by confidentiality obligations covering all personal data encountered in the course of its services;
  5. will delete or return all personal data upon termination of the service agreement, as instructed by the Data Controller.

The Data Controller (Aurea Mare) retains sole responsibility for all decisions regarding the collection, purposes, and means of processing personal data through the Website and in connection with the accommodation services.

16. Greek Hospitality Legal Obligations

As an accommodation provider operating in Greece, Aurea Mare is required by law to collect certain personal data from guests. Specifically:

  • Greek Law 4179/2013 and the relevant Police Decrees require us to collect and report guest identification data (passport or ID card details, nationality, date of birth) to the Hellenic Police
  • Greek tax legislation requires us to issue invoices and maintain financial records, which may include your name, contact details, and tax identification number where applicable
  • The myDATA platform (electronic invoicing system operated by AADE) requires digital reporting of transaction data

These legal obligations constitute the legal basis under Article 6(1)(c) GDPR for the processing of data collected to comply with them.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or regulatory guidance. Any material changes will be communicated by publishing the revised policy on this page with an updated "Last Updated" date. Where changes are significant, we may also notify you directly (for example, by email if you have an active booking). We encourage you to review this policy periodically. The current version always supersedes all previous versions.

18. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of the Hellenic Republic (Greece), including the GDPR as directly applicable EU law and Greek Law 4624/2019. Any disputes arising under or in connection with this policy shall be subject to the exclusive jurisdiction of the competent courts of Kavala, Greece, without prejudice to your right to lodge a complaint with the Hellenic Data Protection Authority or to seek judicial remedy in the courts of your habitual residence as provided by Article 79 GDPR.

19. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a concern about how we process your personal data, please contact us:

Controller: Aurea Mare

Address: Chrysi Ammoudia (Golden Beach), Thassos 640 04, Greece

Email: aureamaresuites@gmail.com

Phone / WhatsApp: +30 697 351 8908

Website: www.aureamaresuites.gr

We aim to resolve all data protection queries promptly. If you are not satisfied with our response, you have the right to escalate your complaint to the Hellenic Data Protection Authority (see Section 9.2).
