Privacy Policy
Last updated 20 May 2026
Rhodes Holidays Property Management
This Privacy Policy explains how STEFANAKIS S. SINGLE-MEMBER REAL ESTATE MANAGEMENT S.A., trading as Rhodes Holidays Property Management, collects, uses, stores, discloses and protects personal data in connection with its business operations, communications with customers and partners, booking management, and the provision of hospitality and property management services.
This Policy applies when you: visit our website; contact us through a form, email, phone, WhatsApp or another channel; submit an availability or interest enquiry; make, amend or cancel a booking; use the WebHotelier booking engine; complete online check-in; make a booking through third-party platforms such as Airbnb or Booking.com; receive hospitality or additional services; subscribe to our newsletter; or interact with cookies, analytics and advertising tools on our website.
This Policy should be read together with our Cookie Policy, which describes in more detail the cookies and similar technologies used on our website. In this Policy, “we”, “us”, “the company”, “Rhodes Holidays” or “Rhodes Holidays Property Management” refer to the controller identified below.
1. Data Controller
STEFANAKIS S. SINGLE-MEMBER REAL ESTATE MANAGEMENT S.A. Trading name: RHODES HOLIDAYS PROPERTY MANAGEMENT Registered office: M. Konstantinou & Karaiskaki 36, Rhodes, Greece General Commercial Registry (G.E.MI.) No.: 145718620000 Tax Identification Number (VAT/AFM): 800956720Email: info@rhodesholidays.gr · Telephone: +30 2241 032055
The company has formally appointed a Data Protection Officer (DPO). For any personal data matter, please contact us at the above email address, with the subject line “Privacy Request”.
2. Platforms, booking engine and third-party systems
2.1 Rhodes Holidays website
When you browse, submit an enquiry, subscribe to our newsletter, or contact us, Rhodes Holidays acts as data controller for the data collected for these purposes.
2.2 WebHotelier, Hotelizer and Loggia — one provider, different functions
These three systems belong to the same provider group, Revplus Hellas S.A., also known as webhotelier | primalres (5th km Rhodes-Lindos Ave., 851 00 Rhodes, Greece). They are not three independent third parties, but a single processor supplying us with different tools for different purposes:
- WebHotelier — the booking engine used for direct bookings through our website (availability search, booking, payment, confirmation).
- Hotelizer — the same provider’s cloud PMS, designed for hotel-type accommodation.
- Loggia — the same provider’s cloud PMS / channel manager / guest communication / online check-in tool, designed specifically for short-term rentals, which we use for booking management, pricing, availability, guest communication, invoicing and online check-in.
All three tools act as processors on our behalf, in accordance with our instructions, in the context of booking management and guest communication. The provider (Revplus Hellas S.A.) is established in Greece (EU), so processing through these systems does not, in itself, involve a transfer of data outside the European Economic Area (EEA).
2.3 Online check-in
We use an online check-in feature (via Loggia) that allows guests to complete arrival details in advance. This involves: guest names, contact details, estimated arrival time, number of guests, vehicle details (if provided), and acceptance of house rules/terms. We do not collect passport numbers, national ID numbers, or other travel document data through the online check-in process or any other channel. Accuracy note: Greek legislation on tourist/hotel guest registration may, depending on the type of accommodation, require the recording of identity document data. If this applies to your properties, this section should be updated to reflect actual practice.
2.4 Airbnb, Booking.com and other booking platforms
These platforms generally act as separate, independent data controllers for the processing they carry out through their own websites, apps, accounts and payment systems.
- Booking.com B.V. (Netherlands, EU) is the controller for data it collects through its own platform, and in certain cases acts as a joint controller with strategic partners; where transfers outside the EEA occur to such partners, Booking.com applies Standard Contractual Clauses (SCCs).
- Airbnb Ireland UC (Ireland, EU) is the “data exporter” for hosts outside Japan/Brazil. When it transfers guest data to us (names, contact details, dates, property location, unique Airbnb ID), controller-to-controller Standard Contractual Clauses apply (Module 1, EU Commission Implementing Decision (EU) 2021/914), meaning we receive the data as an independent controller, not as a processor for Airbnb. The competent supervisory authority under this clause is the Irish Data Protection Commission.
Rhodes Holidays acts as controller for guest data it receives in the context of booking management, provision of accommodation, communication, invoicing, guest services, and legal compliance. We recommend reviewing the privacy policies of the relevant platforms as well.
3. Categories of personal data we collect
3.1 Browsing data: IP address, device/browser/OS type, pages visited, time on site, referral source, approximate location, cookie preferences, analytics/advertising events (with consent).
3.2 Enquiry and communication data: full name, email, phone number, country of residence, message content, preferred travel dates, accommodation preferences, number of guests, special requests, communication history.
3.3 Newsletter/marketing data: email, name (if provided), consent status, subscription date, communication preferences, unsubscribe status, basic campaign interaction data (opens/clicks).
3.4 Booking, hospitality and online check-in data: lead guest and co-traveller names, email, phone, postal address, country, arrival/departure dates, property selected, number of guests/children, preferences, arrival time, vehicle details (if provided), booking reference, booking status, amendments/cancellations. We do not collect passport, ID card, or other travel document numbers.
3.5 Payment and transaction data: payment status, deposit/balance amounts, payment dates, transaction references, invoicing details, refund details. We do not, as a rule, store full card details — card payments are processed through secure payment providers or booking platforms.
3.6 Email, phone and WhatsApp communications: messages, call notes, concierge requests, complaints, feedback.
3.7 Additional services: data required for transfers, car rental, private chef, cleaning services, grocery delivery, yacht cruises, excursions, restaurant bookings, accessibility support.
3.8 Third-party data: if you provide us with data about other guests, family members or travel companions, you confirm you are entitled to do so and that you have informed them of this Privacy Policy.
4. Special categories of data
We do not, as a rule, request special categories of personal data (health, disability, dietary information linked to health or religion, racial or ethnic origin, biometric or genetic data, criminal convictions, etc.). If you voluntarily provide such data (e.g. accessibility needs, allergies), we process it only to the extent necessary to respond to your request, protect your health or safety, or provide the requested service, based on your explicit consent (Article 9(2)(a) GDPR) or, where applicable, vital interest grounds.
5. Children
Our website and booking services are not directed at children. Bookings must be made by adults. Where you provide data about children travelling with you, we process it only to the extent necessary for booking management, provision of accommodation, guest safety, appropriate hospitality services, and legal compliance.
6. Sources of data collection
Directly from you (website, forms, email, phone, WhatsApp, newsletter, WebHotelier, online check-in via Loggia, amendments/cancellations, payments, reviews, complaints) and from third parties (WebHotelier / Hotelizer / Loggia, Airbnb, Booking.com, other booking platforms, payment providers, travel agencies, property owners, hospitality service providers, Google Analytics, Meta Pixel, Google Ads, persons booking on your behalf).
7. Purposes of processing, legal bases, recipients and retention periods
| # | Purpose of processing | Data categories | Legal basis (GDPR) | Recipients / processors | Retention period |
|---|---|---|---|---|---|
| 1 | Website operation & security | IP, device/browser data, strictly necessary cookies | Article 6(1)(f) — legitimate interest | Hosting/IT provider | Session duration or up to 13 months (log files) |
| 2 | Website analytics (Google Analytics 4) | Browsing data, analytics events, pseudonymised IDs | Article 6(1)(a) — consent via cookie banner | Google LLC (certified under the EU-US Data Privacy Framework since 10 July 2023) | Until consent is withdrawn / GA4 retention setting (typically 2-14 months) |
| 3 | Advertising / remarketing (Meta Pixel, Google Ads) | Browsing data, cookies, advertising IDs, ad interaction data | Article 6(1)(a) — consent via cookie banner | Meta Platforms Ireland Ltd. / Meta Platforms Inc., Google LLC (both certified under the EU-US Data Privacy Framework) | Until consent is withdrawn / tool retention setting (typically up to 180 days for Meta Pixel) |
| 4 | Responding to enquiries/communications | Full name, email, phone, message content | Article 6(1)(b) — pre-contractual steps at the data subject's request | Internal staff, email provider | 12-24 months after the communication ends, if no booking results |
| 5 | Booking (creation, confirmation, amendment, cancellation) & online check-in | Contact details, booking data, dates, booking reference, check-in details | Article 6(1)(b) — performance of a contract | WebHotelier / Hotelizer / Loggia (Revplus Hellas S.A. — EU), Airbnb/Booking.com where applicable | Duration of booking + statute of limitations for claims (up to 5 years) |
| 6 | Additional services (transfers, chef, cleaning, etc.) | Contact details, preferences, special requests | Article 6(1)(b) — performance of a contract | Partners/providers of the relevant service | Duration of service provision + reasonable period |
| 7 | Payments, invoicing, refunds | Payment status (no full card data), transaction references | Article 6(1)(b) performance of a contract; Article 6(1)(c) legal obligation (tax/accounting) | WebHotelier, payment providers, accountants | Generally 5 years under the Greek Tax Procedure Code (may be extended in case of audit) |
| 8 | Newsletter / direct marketing | Email, name, consent status | Article 6(1)(a) — consent (or soft opt-in under Article 11, Law 3471/2006, for existing customers) | Newsletter/marketing platform provider | Until consent is withdrawn; indefinite suppression list after unsubscribing |
| 9 | System security & fraud prevention | Log files, suspicious communications, transaction data | Article 6(1)(f) — legitimate interest | IT/security providers, payment providers | Up to 12 months, or until an incident investigation is concluded |
| 10 | Handling complaints / legal claims | Contact details, complaint content, supporting evidence | Article 6(1)(f) legitimate interest; possibly 6(1)(c) | Legal advisors, insurers | Until the statute of limitations for the claim expires (5-20 years depending on the claim) |
| 11 | Communication with property owners for booking management | Booking data, guest data (to the extent necessary) | Article 6(1)(b)/(f) | Property owners | Duration of the property management agreement |
| 12 | Voluntarily provided health/accessibility/allergy data | Special categories of data (Article 9) | Article 9(2)(a) explicit consent, or 9(2)(c) vital interest | Front desk staff, provider of the relevant service | Duration of stay + reasonable period, then deletion/anonymisation |
| 13 | Responding to lawful requests from authorities | Any data lawfully requested | Article 6(1)(c) — legal obligation | Courts, prosecutors, police, Hellenic DPA | As determined by the request/applicable law |
- 1Website operation & security
- Data categories
- IP, device/browser data, strictly necessary cookies
- Legal basis (GDPR)
- Article 6(1)(f) — legitimate interest
- Recipients / processors
- Hosting/IT provider
- Retention period
- Session duration or up to 13 months (log files)
- 2Website analytics (Google Analytics 4)
- Data categories
- Browsing data, analytics events, pseudonymised IDs
- Legal basis (GDPR)
- Article 6(1)(a) — consent via cookie banner
- Recipients / processors
- Google LLC (certified under the EU-US Data Privacy Framework since 10 July 2023)
- Retention period
- Until consent is withdrawn / GA4 retention setting (typically 2-14 months)
- 3Advertising / remarketing (Meta Pixel, Google Ads)
- Data categories
- Browsing data, cookies, advertising IDs, ad interaction data
- Legal basis (GDPR)
- Article 6(1)(a) — consent via cookie banner
- Recipients / processors
- Meta Platforms Ireland Ltd. / Meta Platforms Inc., Google LLC (both certified under the EU-US Data Privacy Framework)
- Retention period
- Until consent is withdrawn / tool retention setting (typically up to 180 days for Meta Pixel)
- 4Responding to enquiries/communications
- Data categories
- Full name, email, phone, message content
- Legal basis (GDPR)
- Article 6(1)(b) — pre-contractual steps at the data subject's request
- Recipients / processors
- Internal staff, email provider
- Retention period
- 12-24 months after the communication ends, if no booking results
- 5Booking (creation, confirmation, amendment, cancellation) & online check-in
- Data categories
- Contact details, booking data, dates, booking reference, check-in details
- Legal basis (GDPR)
- Article 6(1)(b) — performance of a contract
- Recipients / processors
- WebHotelier / Hotelizer / Loggia (Revplus Hellas S.A. — EU), Airbnb/Booking.com where applicable
- Retention period
- Duration of booking + statute of limitations for claims (up to 5 years)
- 6Additional services (transfers, chef, cleaning, etc.)
- Data categories
- Contact details, preferences, special requests
- Legal basis (GDPR)
- Article 6(1)(b) — performance of a contract
- Recipients / processors
- Partners/providers of the relevant service
- Retention period
- Duration of service provision + reasonable period
- 7Payments, invoicing, refunds
- Data categories
- Payment status (no full card data), transaction references
- Legal basis (GDPR)
- Article 6(1)(b) performance of a contract; Article 6(1)(c) legal obligation (tax/accounting)
- Recipients / processors
- WebHotelier, payment providers, accountants
- Retention period
- Generally 5 years under the Greek Tax Procedure Code (may be extended in case of audit)
- 8Newsletter / direct marketing
- Data categories
- Email, name, consent status
- Legal basis (GDPR)
- Article 6(1)(a) — consent (or soft opt-in under Article 11, Law 3471/2006, for existing customers)
- Recipients / processors
- Newsletter/marketing platform provider
- Retention period
- Until consent is withdrawn; indefinite suppression list after unsubscribing
- 9System security & fraud prevention
- Data categories
- Log files, suspicious communications, transaction data
- Legal basis (GDPR)
- Article 6(1)(f) — legitimate interest
- Recipients / processors
- IT/security providers, payment providers
- Retention period
- Up to 12 months, or until an incident investigation is concluded
- 10Handling complaints / legal claims
- Data categories
- Contact details, complaint content, supporting evidence
- Legal basis (GDPR)
- Article 6(1)(f) legitimate interest; possibly 6(1)(c)
- Recipients / processors
- Legal advisors, insurers
- Retention period
- Until the statute of limitations for the claim expires (5-20 years depending on the claim)
- 11Communication with property owners for booking management
- Data categories
- Booking data, guest data (to the extent necessary)
- Legal basis (GDPR)
- Article 6(1)(b)/(f)
- Recipients / processors
- Property owners
- Retention period
- Duration of the property management agreement
- 12Voluntarily provided health/accessibility/allergy data
- Data categories
- Special categories of data (Article 9)
- Legal basis (GDPR)
- Article 9(2)(a) explicit consent, or 9(2)(c) vital interest
- Recipients / processors
- Front desk staff, provider of the relevant service
- Retention period
- Duration of stay + reasonable period, then deletion/anonymisation
- 13Responding to lawful requests from authorities
- Data categories
- Any data lawfully requested
- Legal basis (GDPR)
- Article 6(1)(c) — legal obligation
- Recipients / processors
- Courts, prosecutors, police, Hellenic DPA
- Retention period
- As determined by the request/applicable law
You may withdraw your consent for analytics/advertising cookies at any time through the website’s cookie settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
8. Marketing communications
If you subscribe to our newsletter, we use your email to send updates, offers and information based on consent (or, for existing customers regarding similar products/services, on the soft opt-in basis under Article 11, Law 3471/2006, with the ability to object in every message). You may unsubscribe at any time via the unsubscribe link in our emails, or by contacting info@rhodesholidays.gr. After unsubscribing, we retain a limited suppression record.
10. Disclosure of personal data
WebHotelier / Hotelizer / Loggia (Revplus Hellas S.A. — single provider, EU), Airbnb/Booking.com/other platforms, payment providers, website hosting, IT/security providers, email/communication providers, newsletter/marketing platform, Google LLC (analytics/advertising), Meta Platforms (advertising), accountants, legal advisors, property owners, cleaning/maintenance/transfer/concierge partners, public authorities where required by law, courts/regulatory authorities. Where third parties act as processors, we require them to process data only on our instructions and to apply appropriate technical and organisational measures (Article 28 GDPR, under a written data processing agreement).
11. Payments
Through WebHotelier, payment providers, bank transfer, secure payment links, or Airbnb/Booking.com where the booking is made through them. You should not make payments through unverified links or messages that do not come from our official channels or the official booking platform. The company never asks for passwords, full card details, or other sensitive information through unverified email, SMS or WhatsApp links. If you receive a suspicious message requesting payment or data entry, please contact us immediately through our official contact details.
12. International data transfers (by provider)
- WebHotelier / Hotelizer / Loggia (Revplus Hellas S.A.): provider established in Greece (EU) — does not, in itself, involve a transfer outside the EEA.
- Google Analytics 4 / Google Ads (Google LLC, USA): transfer based on the EU-US Data Privacy Framework (Google LLC certified since 10 July 2023, European Commission adequacy decision).
- Meta Pixel (Meta Platforms Ireland Ltd. / Meta Platforms Inc., USA): transfer based on the EU-US Data Privacy Framework (certified company).
- Airbnb Ireland UC → Airbnb Inc. (USA): transfer based on controller-to-controller Standard Contractual Clauses (Module 1, EU Commission Implementing Decision (EU) 2021/914); governing law: Ireland; competent supervisory authority: Irish Data Protection Commission.
- Booking.com B.V. (Netherlands, EU): generally does not, in itself, involve a transfer outside the EEA; where strategic partners outside the EEA are involved, Booking.com applies Standard Contractual Clauses.
We do not rely on the invalidated EU-US Privacy Shield. Where the EU-US Data Privacy Framework applies, we monitor legal developments that could affect it and will update this Policy accordingly.
13. Data security and incidents
Technical and organisational measures may include: secure hosting, access controls, restricted staff access, password management, MFA where supported, encryption/secure transmission protocols, contracts with providers, endpoint protection tools, security policies, incident management procedures. In the event of a personal data breach, we assess the incident under Articles 33-34 GDPR, notifying the Hellenic DPA within 72 hours where required, and informing affected individuals where the risk is high.
14. Data retention periods
See the table in Section 7 for purpose-specific retention periods. General rules: booking/invoicing data is retained for the statute of limitations period under tax/accounting obligations (generally 5 years under the Greek Tax Procedure Code, with possible extension in case of audit); newsletter records until consent is withdrawn; analytics/advertising consent records according to tool settings; incident/complaint/claim data for as long as required by the statute of limitations for civil claims (generally 5-20 years depending on the basis of the claim).
15. Your rights
Right of access (Article 15), rectification (16), erasure (17), restriction (18), objection (21), data portability (20), withdrawal of consent, and the right to lodge a complaint with a supervisory authority. Contact: info@rhodesholidays.gr, subject line “Privacy Request”. We may need to verify your identity before responding to your request.
16. Complaints
Please contact us first so we can review and respond to your concern. You also have the right to lodge a complaint with the competent supervisory authority:
Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα) Kifisias Ave. 1-3, 115 23 Athens, GreeceTelephone: +30 210 6475600
Email (complaints): complaints@dpa.gr
Website: www.dpa.gr
If you reside in another EU/EEA member state, you may also contact the supervisory authority of your country of residence.
17. Third-party websites/platforms
Our website may contain links to WebHotelier, Airbnb, Booking.com, payment platforms, maps, social media, and review platforms. We are not responsible for the privacy practices of third-party websites or platforms when they act as independent data controllers.
18. Updates to this Policy
We may update this Privacy Policy from time to time. Where material changes are made, we will update the “Last updated” date and, where appropriate, provide notice via the website or another suitable means.
19. Contact
STEFANAKIS S. SINGLE-MEMBER REAL ESTATE MANAGEMENT S.A. (Rhodes Holidays Property Management) M. Konstantinou & Karaiskaki 36, Rhodes, Greece · G.E.MI. No.: 145718620000 · VAT/AFM: 800956720Email: info@rhodesholidays.gr · Telephone: +30 2241 032055
Sources
- Hellenic DPA — contact details
- Hellenic DPA — submitting a complaint (complaints@dpa.gr)
- webhotelier | primalres — company profile
- WebHotelier Privacy Policy
- Loggia — cloud PMS for short-term rentals
- Google — Data transfer frameworks
- Google — Advertising & analytics products: international data transfers
- Booking.com Privacy Notice
- Booking.com — Standard Contractual Clauses for international data transfers
- Airbnb Privacy Policy
- Airbnb Host Privacy Standards