This Policy establishes the fundamental principles for the effective management and protection of personal data within the company “THE LUXURIANS” (hereinafter referred to as the “Company”), as well as the preservation of the confidentiality of such data. It outlines the Company’s directions and objectives regarding the organizational and technical measures adopted in the context of implementing the General Data Protection Regulation of the European Union (Regulation [EU] 2016/679) and other applicable legislation.

What purpose does this policy serve?

This Policy applies to the Company and may extend to third parties, partners, and others who receive, transmit, collect, access, or otherwise process personal data on behalf of the Company, either as joint controllers or as processors.

This Policy covers all forms of data, systems, processes, and procedures relating to the collection, storage, use, or transfer of personal data managed by the Company in the course of its business activities.

Definitions

The Company is committed to respect and protect the personal data it collects and processes in the context of its operations, in full compliance with European and national data protection laws. To that end, it provides the following key definitions under the applicable legislation:

«Data Subject»: Any natural person whose personal data can be identified, directly or indirectly, especially through identifiers such as name, ID number or characteristics related to their physical, psychological, economic or social identity.

«Personal Data»: Any information relating to a data subject, sufficient to identify that individual.

«Special Categories of Data»: Sensitive data including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sexual life or orientation, genetic or biometric data used for identification, and data on criminal convictions or offenses.

«Data Controller»: The entity (in this case, the Company) that determines the purposes and means of processing personal data.

«Data Processor»: A person or organization that processes personal data on behalf of the Data Controller (The Company).

«Recipient»: Any person, authority, or organization to whom personal data is disclosed.

«Processing of personal data»: Any operation performed on personal data, such as collection, recording, organization, retention or storage, alteration, retrieval, use, transmission, dissemination, correlation or combination, linking, restriction, erasure, or destruction.

Why do we collect your personal data?

The Company processes personal data for the following purposes:

  • To provide its services to customers.
  • To ensure its proper and efficient business operation.
  • For billing purposes and fulfillment of financial obligations with business partners.
  • To manage communications and reservations made electronically via its website.
  • To communicate and send informational material regarding its services, including for promotional and marketing purposes.
  • To assess and collect data for communication purposes and to improve the quality and effectiveness of the Company’s services, websites, programs, and applications.
  • To comply with legal obligations, including court decisions or orders issued by judicial or other authorities.
  • For the conclusion and execution of agreements with external partners.

What data we collect?

The Company may collect and process the following categories of personal data:

  • Identification Data: full name, ID card number/passport number, date of birth
  • Contact Data: mobile number, email address, postal address
  • Accommodation-related Data: check-in and check-out dates, purchases and consumption of goods during stay
  • Payment Data: bank account number, credit/debit card numbers
  • Tax and Social Security Data: Tax Identification Number (TIN), Tax Office (DOY)
  • Health Data (Article 9(1) GDPR): processed for customer service purposes during their stay (e.g., allergies), when necessary.

 Data Subjects’ Rights

Data subjects are entitled to exercise the following rights regarding their personal data (Articles 12–22 GDPR):

  • Right of information: The Company must provide clear and transparent information about the identity of the data controller, the purposes and legal bases for processing, recipients, and other relevant details (Articles 13 & 14 GDPR). The Company informs its customers about the processing of their personal data through its website, prior to making a reservation.
  • Right of access: Individuals have the right to know whether their personal data is being processed and, if so, to access that data (Article 15 GDPR).
  • Right to rectification: The Company must correct inaccurate or incomplete personal data upon request (Article 16 GDPR).
  • Right to erasure (“right to be forgotten”): Personal data must be deleted under certain conditions, such as when it is no longer necessary, consent is withdrawn, or processing is unlawful (Article 17 GDPR).
  • Right to restriction of processing: Individuals may request the restriction of processing, for example, when data accuracy is contested or processing is unlawful but deletion is not desired (Article 18 GDPR).
  • Right to object: Individuals can object to the processing of their personal data. The Company must cease processing unless it demonstrates compelling legitimate grounds (Article 21 GDPR).
  • Right to withdraw consent: Where processing is based on consent, individuals have the right to withdraw it at any time, without affecting the lawfulness of prior processing (Articles 6(1)(a) & 9(2)(a) GDPR).
  • Right to lodge a complaint: Data subjects have the right to file a complaint with the Hellenic Data Protection Authority (dpa.gr).

The Company is obligated to respond to and facilitate the exercise of these rights in accordance with applicable legal requirements and within the timeframes prescribed by law.

To exercise your data protection rights, you may submit your request to the Company “THE LUXURIANS” by contacting:

  • In writing at the postal address: 31B Makrygianni Street, Marousi, Attica – 15126, Greece
  • By phone at: +30 2106109676
  • By email at: [email protected]

Use and sharing of your Information – Recipients

  • When making a booking or inquiry, we will handle your personal data based on the necessity, for fulfilling your contract with us or to facilitate any pre-contractual steps at your request. We might also need to do so to adhere to a legal obligation or to safeguard your vital interests.
  • When you make a reservation, we will share only necessary personal data with the suppliers involved in your arrangements (such as but not limited to: villa owners, experienced providers, chefs, car hire companies, aviation companies, yacht companies, private transfer companies, restaurants etc.) to ensure your holiday is arranged smoothly.
  • The information may also be shared with public authorities (such as customs, immigration or TAX authorities etc.) if requested or as mandated by law.

Third Parties – Data Processors – Joint Data Controllers

The processing of personal data by any means is permitted solely by authorized personnel, including employees and partners of the Company, and only for the aforementioned purposes. Such individuals operate under a written contractual agreement and are explicitly bound by confidentiality obligations and the duty to protect personal data.

The Company engages data processors (such as but not limited to: Google Inc, Dropbox, Vision Solutions, Mozaik, Mailchimp etc.) who provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures, in accordance with the requirements set out by the General Data Protection Regulation (GDPR). The processing by such processors is governed by a written contract between the processor and the Company, in line with Article 28 GDPR.

Where the Company jointly determines the purposes and means of processing with another controller, a joint controller agreement is concluded, which clearly defines the respective roles and responsibilities of each controller.

Security and Data Protection Measures

The Company has implemented all necessary and appropriate organizational and technical measures to ensure the security and protection of your personal data against any form of accidental or unlawful processing, both at the physical and logical security level. These measures include, but are not limited to, physical security procedures, protection of IT systems, software and network infrastructure etc.

Enhanced safeguards are specifically applied in cases involving the processing of special categories of personal data (e.g., access restricted to specially authorized personnel).

These measures are subject to periodic review and adjustment, either at the Company’s discretion or in order to ensure compliance with updated legal and regulatory requirements.

For how long are we allowed to keep and handle your personal data?

The Company retains personal data only for the strictly necessary period required to fulfill the aforementioned processing purposes, to comply with applicable legal obligations, or in accordance with the terms of this Policy.

In the event that the data subject withdraws their consent to the collection and processing of their personal data, the Company proceeds with the deletion of such data from both its electronic and physical records, unless their continued retention is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims or legitimate interests before judicial authorities.

Where processing is required by provisions of applicable legislation, personal data is retained for the period mandated by the relevant legal framework.

Where processing is based on a contractual obligation, personal data is retained for as long as is necessary to perform the contract and to establish, exercise, or defend legal claims arising from it.

Data Controller

The Data Controller is the company “THE LUXURIANS”, with registered address at 31B Makrigianni Street, Marousi, Attica, 15126, Greece.

Telephone: +30 210 6109676

Email: [email protected]

Entry into Force and Amendments

This Privacy Policy entered into force upon its approval by the Company.

The Company reserves the right to amend this Policy at its discretion whenever it deems it necessary