Privacy Policy | North Santorini

1. Introduction

Experience North Santorini ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our website at experience-northsantorini.com (the "Site") and related services.

We are the data controller for purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). Our contact details are provided in the Contact Us section below.

2. Data We Collect

Category	Specific Data	Purpose	Lawful Basis
Account Information	Email, name, phone number	Create and manage your account	Contract performance
Booking Data	Dates, guest count, preferences, special requests	Process and fulfil your reservations	Contract performance
Contact Form	Name, email, phone, message	Respond to your enquiries	Legitimate interest
Payment Data	Card details (processed by Viva, never stored by us)	Process payments securely	Contract performance
Technical Data	IP address, browser type, device info, pages visited	Security, performance monitoring, abuse prevention	Legitimate interest
Error Monitoring	JavaScript errors, stack traces, anonymised session replays	Identify and fix technical issues	Legitimate interest
Analytics	Page views, referrer, anonymous visitor metrics, anonymised IP (Google Analytics)	Understand site usage and improve our services	Consent

3. How We Use Your Data

We process your personal data for the following purposes:

Fulfilling bookings — processing your experience, dining, spa, cruise, and transfer reservations.
Processing payments — securely handling transactions through Viva. We never store your card details on our servers.
Transactional emails — sending booking confirmations, reminders, and cancellation notices via Resend.
Site security — protecting against abuse, bot attacks, and fraudulent activity using Cloudflare and Cloudflare Turnstile.
Error monitoring — identifying and fixing bugs through Sentry (with all text masked and no PII collected).
Analytics — understanding how visitors use our site through Google Analytics 4 (with IP anonymisation) and Vercel Analytics (only with your consent).
Media delivery — serving optimised images and videos through Cloudflare R2 and Mux.

4. Cookies & Tracking

We use cookies and similar technologies to operate our site. You can manage your preferences at any time by clicking "Cookie Settings" in the footer or .

Strictly Necessary Cookies

These cookies are essential for the site to function and cannot be disabled. They include authentication tokens (Supabase), cart and trip planner storage (localStorage), and your cookie consent preference.

Analytics Cookies

With your consent, we use Google Analytics 4 and Vercel Analytics to understand how visitors use our site. Google Analytics collects anonymised data (IP addresses are anonymised) and sets cookies such as _ga and _ga_* to distinguish unique visitors. Vercel Analytics collects anonymous page-view data without cookies. No personal information is shared with third parties. You can opt out at any time through your cookie preferences.

Functional Cookies

With your consent, Sentry may record anonymised session replays to help us diagnose technical issues. All text content and media are masked before any data is captured.

5. Third-Party Services

We share data with the following third-party service providers, each acting as a data processor under GDPR:

Service	Data Shared	Purpose	Location
Supabase	Account data, bookings, profiles	Database and authentication	EU (Frankfurt)
Viva	Payment card details, billing info	Payment processing	EU / US
Vercel	Anonymous page views (with consent)	Hosting and analytics	Global edge network
Google Analytics	Anonymised IP, page views, referrer, device info (with consent)	Website analytics	US (EU DPF certified)
Sentry	Error logs, masked session replays (with consent)	Error monitoring	US (EU DPF certified)
Resend	Email address, name	Transactional emails	US (EU DPF certified)
Cloudflare	IP address, request metadata	CDN, DDoS protection, bot management	Global edge network
Cloudflare R2	Uploaded files (admin only)	Image storage and delivery	Global edge network
Upstash	IP-based identifiers (hashed)	Rate limiting to prevent abuse	EU (Frankfurt)
Mux	IP address, playback metrics	Video streaming and delivery	US (EU DPF certified)

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

Data Type	Retention Period
Account data	While your account is active, plus 30 days after deletion request
Booking records	7 years (Greek tax and accounting requirements)
Contact form submissions	12 months
IP addresses (rate limiting)	24 hours (auto-expire in Upstash)
Error logs (Sentry)	90 days
Analytics data	12 months (aggregated and anonymised)
Payment records	As required by Viva; we do not store card details

7. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data:

Right of access — request a copy of the personal data we hold about you.
Right to rectification — request correction of inaccurate or incomplete data.
Right to erasure — request deletion of your personal data (subject to legal retention obligations).
Right to restriction — request that we limit how we process your data.
Right to data portability — receive your data in a structured, machine-readable format.
Right to object — object to processing based on legitimate interest.
Right to withdraw consent — withdraw consent at any time for consent-based processing (e.g. analytics cookies) without affecting the lawfulness of processing before withdrawal.
Right to lodge a complaint — you may file a complaint with the Hellenic Data Protection Authority (HDPA) at www.dpa.gr or your local EU supervisory authority.

To exercise any of these rights, please contact us at infonorthsantorini.com. We will respond within 30 days.

8. International Data Transfers

Some of our service providers process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place:

EU-US Data Privacy Framework — Google, Sentry, Resend, Mux, and Vercel are certified under the EU-US Data Privacy Framework.
Standard Contractual Clauses (SCCs) — where the DPF does not apply, we rely on EU-approved Standard Contractual Clauses.
EU-based processing — our primary database (Supabase) and rate limiting infrastructure (Upstash) are hosted in the EU (Frankfurt).

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data:

Encryption in transit — all connections use HTTPS/TLS, enforced by Cloudflare.
Password security — passwords are hashed using bcrypt via Supabase Auth.
Row Level Security — database access is restricted so users can only access their own data.
Rate limiting — API endpoints are rate-limited to prevent brute-force and abuse attacks.
Bot protection — Cloudflare Turnstile verifies human users on sensitive forms.
Error monitoring — Sentry provides real-time alerting with all PII masked.

10. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we may also notify you via email or a prominent notice on our website.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Experience North Santorini
Pyrgos, Santorini 847 00
Cyclades, Greece

Email: infonorthsantorini.com
Phone: +30 22860 71234