Privacy Policy

Last updated 20 May 2026

Rhodes Holidays Property Management

This Privacy Policy explains how STEFANAKIS S. SINGLE-MEMBER REAL ESTATE MANAGEMENT S.A., trading as Rhodes Holidays Property Management, collects, uses, stores, discloses and protects personal data in connection with its business operations, communications with customers and partners, booking management, and the provision of hospitality and property management services.

This Policy applies when you: visit our website; contact us through a form, email, phone, WhatsApp or another channel; submit an availability or interest enquiry; make, amend or cancel a booking; use the WebHotelier booking engine; complete online check-in; make a booking through third-party platforms such as Airbnb or Booking.com; receive hospitality or additional services; subscribe to our newsletter; or interact with cookies, analytics and advertising tools on our website.

This Policy should be read together with our Cookie Policy, which describes in more detail the cookies and similar technologies used on our website. In this Policy, “we”, “us”, “the company”, “Rhodes Holidays” or “Rhodes Holidays Property Management” refer to the controller identified below.

1. Data Controller

STEFANAKIS S. SINGLE-MEMBER REAL ESTATE MANAGEMENT S.A. Trading name: RHODES HOLIDAYS PROPERTY MANAGEMENT Registered office: M. Konstantinou & Karaiskaki 36, Rhodes, Greece General Commercial Registry (G.E.MI.) No.: 145718620000 Tax Identification Number (VAT/AFM): 800956720

Email: info@rhodesholidays.gr · Telephone: +30 2241 032055

The company has formally appointed a Data Protection Officer (DPO). For any personal data matter, please contact us at the above email address, with the subject line “Privacy Request”.

2. Platforms, booking engine and third-party systems

2.1 Rhodes Holidays website

When you browse, submit an enquiry, subscribe to our newsletter, or contact us, Rhodes Holidays acts as data controller for the data collected for these purposes.

2.2 WebHotelier, Hotelizer and Loggia — one provider, different functions

These three systems belong to the same provider group, Revplus Hellas S.A., also known as webhotelier | primalres (5th km Rhodes-Lindos Ave., 851 00 Rhodes, Greece). They are not three independent third parties, but a single processor supplying us with different tools for different purposes:

  • WebHotelier — the booking engine used for direct bookings through our website (availability search, booking, payment, confirmation).
  • Hotelizer — the same provider’s cloud PMS, designed for hotel-type accommodation.
  • Loggia — the same provider’s cloud PMS / channel manager / guest communication / online check-in tool, designed specifically for short-term rentals, which we use for booking management, pricing, availability, guest communication, invoicing and online check-in.

All three tools act as processors on our behalf, in accordance with our instructions, in the context of booking management and guest communication. The provider (Revplus Hellas S.A.) is established in Greece (EU), so processing through these systems does not, in itself, involve a transfer of data outside the European Economic Area (EEA).

2.3 Online check-in

We use an online check-in feature (via Loggia) that allows guests to complete arrival details in advance. This involves: guest names, contact details, estimated arrival time, number of guests, vehicle details (if provided), and acceptance of house rules/terms. We do not collect passport numbers, national ID numbers, or other travel document data through the online check-in process or any other channel. Accuracy note: Greek legislation on tourist/hotel guest registration may, depending on the type of accommodation, require the recording of identity document data. If this applies to your properties, this section should be updated to reflect actual practice.

2.4 Airbnb, Booking.com and other booking platforms

These platforms generally act as separate, independent data controllers for the processing they carry out through their own websites, apps, accounts and payment systems.

  • Booking.com B.V. (Netherlands, EU) is the controller for data it collects through its own platform, and in certain cases acts as a joint controller with strategic partners; where transfers outside the EEA occur to such partners, Booking.com applies Standard Contractual Clauses (SCCs).
  • Airbnb Ireland UC (Ireland, EU) is the “data exporter” for hosts outside Japan/Brazil. When it transfers guest data to us (names, contact details, dates, property location, unique Airbnb ID), controller-to-controller Standard Contractual Clauses apply (Module 1, EU Commission Implementing Decision (EU) 2021/914), meaning we receive the data as an independent controller, not as a processor for Airbnb. The competent supervisory authority under this clause is the Irish Data Protection Commission.

Rhodes Holidays acts as controller for guest data it receives in the context of booking management, provision of accommodation, communication, invoicing, guest services, and legal compliance. We recommend reviewing the privacy policies of the relevant platforms as well.

3. Categories of personal data we collect

3.1 Browsing data: IP address, device/browser/OS type, pages visited, time on site, referral source, approximate location, cookie preferences, analytics/advertising events (with consent).

3.2 Enquiry and communication data: full name, email, phone number, country of residence, message content, preferred travel dates, accommodation preferences, number of guests, special requests, communication history.

3.3 Newsletter/marketing data: email, name (if provided), consent status, subscription date, communication preferences, unsubscribe status, basic campaign interaction data (opens/clicks).

3.4 Booking, hospitality and online check-in data: lead guest and co-traveller names, email, phone, postal address, country, arrival/departure dates, property selected, number of guests/children, preferences, arrival time, vehicle details (if provided), booking reference, booking status, amendments/cancellations. We do not collect passport, ID card, or other travel document numbers.

3.5 Payment and transaction data: payment status, deposit/balance amounts, payment dates, transaction references, invoicing details, refund details. We do not, as a rule, store full card details — card payments are processed through secure payment providers or booking platforms.

3.6 Email, phone and WhatsApp communications: messages, call notes, concierge requests, complaints, feedback.

3.7 Additional services: data required for transfers, car rental, private chef, cleaning services, grocery delivery, yacht cruises, excursions, restaurant bookings, accessibility support.

3.8 Third-party data: if you provide us with data about other guests, family members or travel companions, you confirm you are entitled to do so and that you have informed them of this Privacy Policy.

4. Special categories of data

We do not, as a rule, request special categories of personal data (health, disability, dietary information linked to health or religion, racial or ethnic origin, biometric or genetic data, criminal convictions, etc.). If you voluntarily provide such data (e.g. accessibility needs, allergies), we process it only to the extent necessary to respond to your request, protect your health or safety, or provide the requested service, based on your explicit consent (Article 9(2)(a) GDPR) or, where applicable, vital interest grounds.

5. Children

Our website and booking services are not directed at children. Bookings must be made by adults. Where you provide data about children travelling with you, we process it only to the extent necessary for booking management, provision of accommodation, guest safety, appropriate hospitality services, and legal compliance.

6. Sources of data collection

Directly from you (website, forms, email, phone, WhatsApp, newsletter, WebHotelier, online check-in via Loggia, amendments/cancellations, payments, reviews, complaints) and from third parties (WebHotelier / Hotelizer / Loggia, Airbnb, Booking.com, other booking platforms, payment providers, travel agencies, property owners, hospitality service providers, Google Analytics, Meta Pixel, Google Ads, persons booking on your behalf).

7. Purposes of processing, legal bases, recipients and retention periods

  • 1Website operation & security
    Data categories
    IP, device/browser data, strictly necessary cookies
    Legal basis (GDPR)
    Article 6(1)(f) — legitimate interest
    Recipients / processors
    Hosting/IT provider
    Retention period
    Session duration or up to 13 months (log files)
  • 2Website analytics (Google Analytics 4)
    Data categories
    Browsing data, analytics events, pseudonymised IDs
    Legal basis (GDPR)
    Article 6(1)(a) — consent via cookie banner
    Recipients / processors
    Google LLC (certified under the EU-US Data Privacy Framework since 10 July 2023)
    Retention period
    Until consent is withdrawn / GA4 retention setting (typically 2-14 months)
  • 3Advertising / remarketing (Meta Pixel, Google Ads)
    Data categories
    Browsing data, cookies, advertising IDs, ad interaction data
    Legal basis (GDPR)
    Article 6(1)(a) — consent via cookie banner
    Recipients / processors
    Meta Platforms Ireland Ltd. / Meta Platforms Inc., Google LLC (both certified under the EU-US Data Privacy Framework)
    Retention period
    Until consent is withdrawn / tool retention setting (typically up to 180 days for Meta Pixel)
  • 4Responding to enquiries/communications
    Data categories
    Full name, email, phone, message content
    Legal basis (GDPR)
    Article 6(1)(b) — pre-contractual steps at the data subject's request
    Recipients / processors
    Internal staff, email provider
    Retention period
    12-24 months after the communication ends, if no booking results
  • 5Booking (creation, confirmation, amendment, cancellation) & online check-in
    Data categories
    Contact details, booking data, dates, booking reference, check-in details
    Legal basis (GDPR)
    Article 6(1)(b) — performance of a contract
    Recipients / processors
    WebHotelier / Hotelizer / Loggia (Revplus Hellas S.A. — EU), Airbnb/Booking.com where applicable
    Retention period
    Duration of booking + statute of limitations for claims (up to 5 years)
  • 6Additional services (transfers, chef, cleaning, etc.)
    Data categories
    Contact details, preferences, special requests
    Legal basis (GDPR)
    Article 6(1)(b) — performance of a contract
    Recipients / processors
    Partners/providers of the relevant service
    Retention period
    Duration of service provision + reasonable period
  • 7Payments, invoicing, refunds
    Data categories
    Payment status (no full card data), transaction references
    Legal basis (GDPR)
    Article 6(1)(b) performance of a contract; Article 6(1)(c) legal obligation (tax/accounting)
    Recipients / processors
    WebHotelier, payment providers, accountants
    Retention period
    Generally 5 years under the Greek Tax Procedure Code (may be extended in case of audit)
  • 8Newsletter / direct marketing
    Data categories
    Email, name, consent status
    Legal basis (GDPR)
    Article 6(1)(a) — consent (or soft opt-in under Article 11, Law 3471/2006, for existing customers)
    Recipients / processors
    Newsletter/marketing platform provider
    Retention period
    Until consent is withdrawn; indefinite suppression list after unsubscribing
  • 9System security & fraud prevention
    Data categories
    Log files, suspicious communications, transaction data
    Legal basis (GDPR)
    Article 6(1)(f) — legitimate interest
    Recipients / processors
    IT/security providers, payment providers
    Retention period
    Up to 12 months, or until an incident investigation is concluded
  • 10Handling complaints / legal claims
    Data categories
    Contact details, complaint content, supporting evidence
    Legal basis (GDPR)
    Article 6(1)(f) legitimate interest; possibly 6(1)(c)
    Recipients / processors
    Legal advisors, insurers
    Retention period
    Until the statute of limitations for the claim expires (5-20 years depending on the claim)
  • 11Communication with property owners for booking management
    Data categories
    Booking data, guest data (to the extent necessary)
    Legal basis (GDPR)
    Article 6(1)(b)/(f)
    Recipients / processors
    Property owners
    Retention period
    Duration of the property management agreement
  • 12Voluntarily provided health/accessibility/allergy data
    Data categories
    Special categories of data (Article 9)
    Legal basis (GDPR)
    Article 9(2)(a) explicit consent, or 9(2)(c) vital interest
    Recipients / processors
    Front desk staff, provider of the relevant service
    Retention period
    Duration of stay + reasonable period, then deletion/anonymisation
  • 13Responding to lawful requests from authorities
    Data categories
    Any data lawfully requested
    Legal basis (GDPR)
    Article 6(1)(c) — legal obligation
    Recipients / processors
    Courts, prosecutors, police, Hellenic DPA
    Retention period
    As determined by the request/applicable law

You may withdraw your consent for analytics/advertising cookies at any time through the website’s cookie settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

8. Marketing communications

If you subscribe to our newsletter, we use your email to send updates, offers and information based on consent (or, for existing customers regarding similar products/services, on the soft opt-in basis under Article 11, Law 3471/2006, with the ability to object in every message). You may unsubscribe at any time via the unsubscribe link in our emails, or by contacting info@rhodesholidays.gr. After unsubscribing, we retain a limited suppression record.

9. Cookies, analytics and advertising

Strictly necessary cookies operate without consent. Our website uses Google Analytics 4 for statistical analysis of website traffic, as well as Meta Pixel and Google Ads / remarketing for advertising purposes and retargeting of users who have visited our website. All of the above are placed only with your explicit consent via the cookie banner, and you may disable or change your choices at any time through the cookie settings.

Google LLC and Meta Platforms are certified under the EU-US Data Privacy Framework, which the European Commission has recognised (adequacy decision of 10 July 2023) as providing an adequate basis for transferring data to the United States. Please note that this framework is currently subject to ongoing legal challenges before EU courts, and we will monitor any developments that could affect the legal basis for these transfers.

When you navigate to WebHotelier, Airbnb or Booking.com, their own cookies and policies apply. For details, see our website’s Cookie Policy.

10. Disclosure of personal data

WebHotelier / Hotelizer / Loggia (Revplus Hellas S.A. — single provider, EU), Airbnb/Booking.com/other platforms, payment providers, website hosting, IT/security providers, email/communication providers, newsletter/marketing platform, Google LLC (analytics/advertising), Meta Platforms (advertising), accountants, legal advisors, property owners, cleaning/maintenance/transfer/concierge partners, public authorities where required by law, courts/regulatory authorities. Where third parties act as processors, we require them to process data only on our instructions and to apply appropriate technical and organisational measures (Article 28 GDPR, under a written data processing agreement).

11. Payments

Through WebHotelier, payment providers, bank transfer, secure payment links, or Airbnb/Booking.com where the booking is made through them. You should not make payments through unverified links or messages that do not come from our official channels or the official booking platform. The company never asks for passwords, full card details, or other sensitive information through unverified email, SMS or WhatsApp links. If you receive a suspicious message requesting payment or data entry, please contact us immediately through our official contact details.

12. International data transfers (by provider)

  • WebHotelier / Hotelizer / Loggia (Revplus Hellas S.A.): provider established in Greece (EU) — does not, in itself, involve a transfer outside the EEA.
  • Google Analytics 4 / Google Ads (Google LLC, USA): transfer based on the EU-US Data Privacy Framework (Google LLC certified since 10 July 2023, European Commission adequacy decision).
  • Meta Pixel (Meta Platforms Ireland Ltd. / Meta Platforms Inc., USA): transfer based on the EU-US Data Privacy Framework (certified company).
  • Airbnb Ireland UC → Airbnb Inc. (USA): transfer based on controller-to-controller Standard Contractual Clauses (Module 1, EU Commission Implementing Decision (EU) 2021/914); governing law: Ireland; competent supervisory authority: Irish Data Protection Commission.
  • Booking.com B.V. (Netherlands, EU): generally does not, in itself, involve a transfer outside the EEA; where strategic partners outside the EEA are involved, Booking.com applies Standard Contractual Clauses.

We do not rely on the invalidated EU-US Privacy Shield. Where the EU-US Data Privacy Framework applies, we monitor legal developments that could affect it and will update this Policy accordingly.

13. Data security and incidents

Technical and organisational measures may include: secure hosting, access controls, restricted staff access, password management, MFA where supported, encryption/secure transmission protocols, contracts with providers, endpoint protection tools, security policies, incident management procedures. In the event of a personal data breach, we assess the incident under Articles 33-34 GDPR, notifying the Hellenic DPA within 72 hours where required, and informing affected individuals where the risk is high.

14. Data retention periods

See the table in Section 7 for purpose-specific retention periods. General rules: booking/invoicing data is retained for the statute of limitations period under tax/accounting obligations (generally 5 years under the Greek Tax Procedure Code, with possible extension in case of audit); newsletter records until consent is withdrawn; analytics/advertising consent records according to tool settings; incident/complaint/claim data for as long as required by the statute of limitations for civil claims (generally 5-20 years depending on the basis of the claim).

15. Your rights

Right of access (Article 15), rectification (16), erasure (17), restriction (18), objection (21), data portability (20), withdrawal of consent, and the right to lodge a complaint with a supervisory authority. Contact: info@rhodesholidays.gr, subject line “Privacy Request”. We may need to verify your identity before responding to your request.

16. Complaints

Please contact us first so we can review and respond to your concern. You also have the right to lodge a complaint with the competent supervisory authority:

Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα) Kifisias Ave. 1-3, 115 23 Athens, Greece

Telephone: +30 210 6475600
Email (complaints): complaints@dpa.gr
Website: www.dpa.gr

If you reside in another EU/EEA member state, you may also contact the supervisory authority of your country of residence.

17. Third-party websites/platforms

Our website may contain links to WebHotelier, Airbnb, Booking.com, payment platforms, maps, social media, and review platforms. We are not responsible for the privacy practices of third-party websites or platforms when they act as independent data controllers.

18. Updates to this Policy

We may update this Privacy Policy from time to time. Where material changes are made, we will update the “Last updated” date and, where appropriate, provide notice via the website or another suitable means.

19. Contact

STEFANAKIS S. SINGLE-MEMBER REAL ESTATE MANAGEMENT S.A. (Rhodes Holidays Property Management) M. Konstantinou & Karaiskaki 36, Rhodes, Greece · G.E.MI. No.: 145718620000 · VAT/AFM: 800956720

Email: info@rhodesholidays.gr · Telephone: +30 2241 032055

Sources

Deals and new properties, once a month

No spam. Unsubscribe anytime. Join 4,000+ travellers planning their Rhodes escape.


© 2026 Rhodes Holidays Property Management · ΓΕΜΗ: 145718620000 · ΑΦΜ: 800956720