Privacy Policy
1. Data Controller
The data controller responsible for your personal data is:
ChalKi Dream
Chalki Island, Dodecanese, Greece 851 10
Email: info@chalkidream.gr
Phone: +30 694 246 9401
Website: https://chalkidream.gr
ChalKi Dream is a licensed tourist accommodation operating in Greece and processes personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and applicable Greek legislation.
2. Data We Collect
2.1 Data you provide directly
- Booking data: First name, last name, email address, phone number, country of residence, check-in/out dates, number and ages of guests, special requests.
- Payment data: Processed exclusively by Stripe (PCI-DSS Level 1). We do not store your card number, CVV, or expiry date.
- Contact messages: Name, email address, message content, subject.
- Reviews: Name, country, star rating, review text (after moderation and with your explicit consent). Only information that you have consented to publish will be displayed publicly.
2.2 Data collected automatically
- Server logs: Server logs are retained only for as long as necessary for security and operational purposes and are then deleted or anonymised in accordance with hosting-provider policies.
- Cookies: See Section 8.
3. Purposes & Legal Bases
| Purpose | Legal Basis (GDPR Art.) |
|---|---|
| Processing and managing your booking | Art. 6(1)(b) – Contract performance |
| Processing payment via Stripe | Art. 6(1)(b) – Contract performance |
| Sending booking confirmations & communications | Art. 6(1)(b) – Contract performance |
| Responding to contact/enquiry messages | Art. 6(1)(b) – Taking steps at the request of the data subject prior to entering into a contract, or Art. 6(1)(f) – Legitimate interest where no booking relationship exists. |
| Publishing guest reviews (with consent) | Art. 6(1)(a) – Consent |
| Security monitoring & fraud prevention | Art. 6(1)(f) – Legitimate interest |
| Compliance with legal obligations (e.g. tax records) | Art. 6(1)(c) – Legal obligation |
4. Data Retention
- Booking and invoicing records: Retained for as long as required by applicable tax, accounting, tourism and other legal obligations, and thereafter securely deleted or anonymised.
- Contact messages: Retained for up to 12 months after the last communication unless a booking relationship is established or a longer retention period is required by law.
- Server logs: Anonymised after 30 days and deleted after 90 days unless required for security investigations.
- Published reviews: Retained until consent is withdrawn or removal is requested.
- Cookie preferences: Stored for up to 12 months.
6. International Transfers
Some of our service providers may process personal data outside the European Economic Area (EEA). In particular, payment transactions are processed by Stripe, which may transfer and process personal data in countries outside the EEA.
Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with the General Data Protection Regulation (GDPR), including adequacy decisions adopted by the European Commission or the use of Standard Contractual Clauses (SCCs) and other legally recognised transfer mechanisms where required.
Further information regarding Stripe's privacy practices is available at stripe.com/privacy.
This website also uses Google Fonts, which may involve the transfer of technical information such as your IP address to Google when the fonts are loaded from Google's servers.
7. Your Rights (GDPR)
Under GDPR, you have the following rights:
- Right of access (Art. 15): Request a copy of your personal data.
- Right to rectification (Art. 16): Correct inaccurate data.
- Right to erasure (Art. 17): Request deletion ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction (Art. 18): Restrict processing while a dispute is resolved.
- Right to portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)): Withdraw consent at any time for consent-based processing (e.g. reviews).
To exercise any right, email info@chalkidream.gr. We will respond without undue delay and in any event within one month, in accordance with Article 12 GDPR.
Right to complain
You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):
www.dpa.gr | Kifissias 1-3, 11523 Athens | Tel: +30 210 6475600
9. Security
We implement appropriate technical and organisational measures including:
- TLS 1.2/1.3 encryption for all data in transit (HTTPS).
- PCI-DSS Level 1 compliant payment processing via Stripe (no card data stored on our servers).
- HTTP security headers (HSTS, CSP, X-Frame-Options).
- IP-based rate limiting on all form submissions.
- Honeypot fields and input sanitisation to prevent spam and injection attacks.
- Regular software updates and security patches via Top.Host.
- Access to guest data limited to authorised personnel only.
In the event of a personal data breach that poses a risk to your rights, we will notify you and the HDPA within 72 hours as required by GDPR Art. 33–34.
10. Children's Privacy
Our website is not directed at children under 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe a child has provided us with personal data, please contact us for immediate deletion.
11. Changes to this Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. We will post the updated version with a revised "Last updated" date. For significant changes affecting your rights, we will notify you by email (for existing guests) or prominent notice on the website.
12. Contact & Complaints
For any privacy-related enquiries or to exercise your rights:
ChalKi Dream – Data Privacy
Email: info@chalkidream.gr
Phone: +30 694 246 9401
Response time: without undue delay and in any event within one month