← Back to ChalKi Dream
ChalKiDream
Last updated: June 2026 · GDPR Compliant

Privacy Policy

Contents

  1. Data Controller
  2. Data We Collect
  3. Purposes & Legal Bases
  4. Data Retention
  5. Data Sharing
  6. International Transfers
  7. Your Rights (GDPR)
  8. Cookies
  9. Security
  10. Children's Privacy
  11. Changes to this Policy
  12. Contact & Complaints

1. Data Controller

The data controller responsible for your personal data is:

ChalKi Dream
Chalki Island, Dodecanese, Greece 851 10
Email: info@chalkidream.gr
Phone: +30 694 246 9401
Website: https://chalkidream.gr

ChalKi Dream is a licensed tourist accommodation operating in Greece and processes personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and applicable Greek legislation.

2. Data We Collect

2.1 Data you provide directly

  • Booking data: First name, last name, email address, phone number, country of residence, check-in/out dates, number and ages of guests, special requests.
  • Payment data: Processed exclusively by Stripe (PCI-DSS Level 1). We do not store your card number, CVV, or expiry date.
  • Contact messages: Name, email address, message content, subject.
  • Reviews: Name, country, star rating, review text (after moderation and with your explicit consent). Only information that you have consented to publish will be displayed publicly.

2.2 Data collected automatically

  • Server logs: Server logs are retained only for as long as necessary for security and operational purposes and are then deleted or anonymised in accordance with hosting-provider policies.
  • Cookies: See Section 8.

3. Purposes & Legal Bases

PurposeLegal Basis (GDPR Art.)
Processing and managing your bookingArt. 6(1)(b) – Contract performance
Processing payment via StripeArt. 6(1)(b) – Contract performance
Sending booking confirmations & communicationsArt. 6(1)(b) – Contract performance
Responding to contact/enquiry messagesArt. 6(1)(b) – Taking steps at the request of the data subject prior to entering into a contract, or Art. 6(1)(f) – Legitimate interest where no booking relationship exists.
Publishing guest reviews (with consent)Art. 6(1)(a) – Consent
Security monitoring & fraud preventionArt. 6(1)(f) – Legitimate interest
Compliance with legal obligations (e.g. tax records)Art. 6(1)(c) – Legal obligation

4. Data Retention

  • Booking and invoicing records: Retained for as long as required by applicable tax, accounting, tourism and other legal obligations, and thereafter securely deleted or anonymised.
  • Contact messages: Retained for up to 12 months after the last communication unless a booking relationship is established or a longer retention period is required by law.
  • Server logs: Anonymised after 30 days and deleted after 90 days unless required for security investigations.
  • Published reviews: Retained until consent is withdrawn or removal is requested.
  • Cookie preferences: Stored for up to 12 months.

5. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:

  • Stripe, Inc. – payment processing. Privacy Policy: stripe.com/privacy
  • Top.Host – web hosting (server located in Greece/EU). Privacy Policy: top.host
  • Booking platforms (where applicable) – such as Booking.com, Airbnb or similar reservation platforms when you choose to make a reservation through those services. Their processing of personal data is governed by their own privacy policies.
  • Greek tax authorities – when required by law.
  • Law enforcement – when required by a valid legal order.

All third-party processors are bound by Data Processing Agreements (DPAs) as required by GDPR Art. 28.

6. International Transfers

Some of our service providers may process personal data outside the European Economic Area (EEA). In particular, payment transactions are processed by Stripe, which may transfer and process personal data in countries outside the EEA.

Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with the General Data Protection Regulation (GDPR), including adequacy decisions adopted by the European Commission or the use of Standard Contractual Clauses (SCCs) and other legally recognised transfer mechanisms where required.

Further information regarding Stripe's privacy practices is available at stripe.com/privacy.

This website also uses Google Fonts, which may involve the transfer of technical information such as your IP address to Google when the fonts are loaded from Google's servers.

7. Your Rights (GDPR)

Under GDPR, you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data.
  • Right to rectification (Art. 16): Correct inaccurate data.
  • Right to erasure (Art. 17): Request deletion ("right to be forgotten"), subject to legal retention obligations.
  • Right to restriction (Art. 18): Restrict processing while a dispute is resolved.
  • Right to portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time for consent-based processing (e.g. reviews).

To exercise any right, email info@chalkidream.gr. We will respond without undue delay and in any event within one month, in accordance with Article 12 GDPR.

Right to complain

You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):
www.dpa.gr | Kifissias 1-3, 11523 Athens | Tel: +30 210 6475600

8. Cookies

We use the following cookies:

CookieTypePurposeDuration
cookieConsentEssentialStores your cookie consent preference12 months
Stripe cookiesFunctionalSecure payment processingSession
flatpickrFunctionalDate picker stateSession

We do not use advertising, tracking, or analytics cookies. We do not use Google Analytics or Facebook Pixel.

You can manage cookies in your browser settings. Blocking essential cookies may prevent the booking system from functioning correctly.

Full details: Cookie Policy.

9. Security

We implement appropriate technical and organisational measures including:

  • TLS 1.2/1.3 encryption for all data in transit (HTTPS).
  • PCI-DSS Level 1 compliant payment processing via Stripe (no card data stored on our servers).
  • HTTP security headers (HSTS, CSP, X-Frame-Options).
  • IP-based rate limiting on all form submissions.
  • Honeypot fields and input sanitisation to prevent spam and injection attacks.
  • Regular software updates and security patches via Top.Host.
  • Access to guest data limited to authorised personnel only.

In the event of a personal data breach that poses a risk to your rights, we will notify you and the HDPA within 72 hours as required by GDPR Art. 33–34.

10. Children's Privacy

Our website is not directed at children under 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe a child has provided us with personal data, please contact us for immediate deletion.

11. Changes to this Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. We will post the updated version with a revised "Last updated" date. For significant changes affecting your rights, we will notify you by email (for existing guests) or prominent notice on the website.

12. Contact & Complaints

For any privacy-related enquiries or to exercise your rights:

ChalKi Dream – Data Privacy
Email: info@chalkidream.gr
Phone: +30 694 246 9401
Response time: without undue delay and in any event within one month

© ChalKi Dream | Terms | Cookies | Cancellation | Inclusion