Privacy Policy

Welcome to Kidoni Cottage. Your privacy is important to us. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website or make a booking with us.

1. Who We Are

Kidoni Cottage is a holiday rental accommodation located in Doukades, Corfu, Greece. For the purposes of the General Data Protection Regulation (GDPR), we are the Data Controller of your personal information.

2. What Personal Data We Collect

We may collect the following categories of personal data:

• Identity Data: Full name, passport/ID number (required by Greek law for guest registration)
• Contact Data: Email address, phone number, address
• Booking Data: Arrival/departure dates, number of guests, special requests, preferences
• Payment Data: Payment method information (processed securely through our payment provider - we do not store credit card details)
• Technical Data: IP address, browser type, device information, cookies (see our Cookie Policy)
• Communication Data: Any correspondence with us via email, phone, or contact forms

3. Legal Basis for Processing (GDPR Article 6)

Under GDPR, we process your personal data based on the following legal grounds:

• Contract (Article 6.1.b): To process your booking, manage your reservation, and provide accommodation services.
• Legal Obligation (Article 6.1.c): To comply with Greek law requiring guest registration and tax reporting.
• Legitimate Interests (Article 6.1.f): To improve our services, prevent fraud, and maintain security.
• Consent (Article 6.1.a): For marketing communications and non-essential cookies.

4. How We Use Your Personal Data

We use your information for the following purposes:

• ✅ Process and confirm your booking
• ✅ Register guests as required by Greek law (Article 1 of Presidential Decree 9/2018)
• ✅ Communicate with you about your reservation
• ✅ Send booking confirmations, reminders, and post-stay follow-ups
• ✅ Process payments and issue invoices
• ✅ Respond to your inquiries and requests
• ✅ Improve our website and services (using analytics with your consent)
• ✅ Send marketing communications ONLY with your explicit consent
• ✅ Comply with legal and regulatory obligations

5. Guest Registration (Greek Legal Requirement)

Under Greek law (Law 3448/2006 and implementing regulations), all accommodation providers must register guests with the Greek National Tourism Organization (GNTO). This requires collecting and retaining for a period of 5 years:

• Full name
• Passport or ID card number
• Nationality
• Dates of stay

This is a legal obligation. Failure to provide this information means we cannot host you.

6. Data Retention Period

We retain your personal data only for as long as necessary:

• Booking records: 5 years (required by Greek tax law and guest registration requirements)
• Invoices and payment records: 7 years (Greek tax law)
• Marketing consent records: Until you withdraw consent
• Cookies preferences: 12 months
• Inquiry form data: 12 months

7. Who We Share Your Data With

We never sell your personal data. We may share your data with:

• Service Providers: Payment processors (e.g., Stripe, PayPal), booking system providers, email service providers
• Legal Authorities: When required by Greek law (e.g., tax authorities, police, GNTO)
• Professional Advisors: Accountants, lawyers, auditors (under confidentiality agreements)

All third-party service providers are contractually obligated to protect your data and comply with GDPR.

8. International Data Transfers

Your data is stored within the European Economic Area (EEA). If any data is transferred outside the EEA (e.g., using US-based services like Google Analytics with your consent), we ensure adequate safeguards such as Standard Contractual Clauses (SCCs) are in place.

9. Your Rights Under GDPR

As a data subject in the EU, you have the following rights:

• Right to Access (Article 15): Request a copy of your personal data
• Right to Rectification (Article 16): Correct inaccurate or incomplete data
• Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten") — subject to legal retention requirements
• Right to Restrict Processing (Article 18): Limit how we use your data
• Right to Data Portability (Article 20): Receive your data in a machine-readable format
• Right to Object (Article 21): Object to processing based on legitimate interests or direct marketing
• Right to Withdraw Consent (Article 7): Withdraw consent at any time (for marketing or non-essential cookies)
• Right to Lodge a Complaint (Article 77): File a complaint with the Hellenic Data Protection Authority

How to Exercise Your Rights

To exercise any of these rights, contact us at kidonicottagecorfu@gmail.com. We will respond within 30 days as required by GDPR.

10. Cookies

Our website uses cookies to enhance your browsing experience. You can manage your cookie preferences through our cookie banner. For detailed information about the cookies we use, please see our Cookie Policy.

11. Data Security

We implement appropriate technical and organizational security measures to protect your personal data, including:

• 🔒 SSL/TLS encryption for all website communications
• 🔒 Secure servers with firewalls
• 🔒 Limited access to personal data on a need-to-know basis
• 🔒 Regular security reviews and updates

12. Children's Privacy

Our website and services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The latest version will always be posted on this page with the "Last updated" date. We encourage you to review this policy periodically.

14. Right to Complain to Supervisory Authority

If you believe we have violated your data protection rights, you have the right to lodge a complaint with the:

← Back to Home