Privacy Policy

Last updated: 15 May 2026

Eclipse Retreats O.E. ("Eclipse Retreats", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have under the EU General Data Protection Regulation (GDPR — Regulation 2016/679) and Greek Law 4624/2019.

1. Data controller

Eclipse Retreats O.E.

  • Registered address: Vernis 13, 85132, Rhodes, Greece
  • Tax ID (ΑΦΜ): EL802567420
  • GEMI: 178736120000
  • Contact for privacy matters: [email protected]

For the purposes of GDPR, Eclipse Retreats O.E. is the data controller of your personal data.

2. What data we collect

2.1 Information you provide to us

  • Identification data: full name, date of birth, passport or national ID number, nationality (required by Greek law for guest registration)
  • Contact data: email address, phone number, postal address
  • Booking data: dates of stay, property booked, number and identity of guests, special requests
  • Payment data: card details are processed directly by Stripe; we receive only a payment confirmation token and the last four digits of the card
  • Communication data: emails, messages, and any other correspondence between you and us

2.2 Information collected automatically

  • Technical data: IP address, browser type, device type, operating system, referring URL
  • Usage data: pages viewed on our website, time spent, clicks, search terms
  • Cookies and similar technologies: see Section 8

2.3 Information from third parties

  • Booking and channel partners (Airbnb, Booking.com) where the booking is later transferred to us
  • Stripe (payment confirmation and fraud-screening data)
  • Public sources where necessary to verify identity in cases of suspected fraud

3. Why we collect it and our legal basis

Purpose Legal basis (GDPR Article 6)
Processing your booking and providing accommodation Contract performance — Art. 6(1)(b)
Taking payment and refunds Contract performance — Art. 6(1)(b)
Guest registration with Greek authorities Legal obligation — Art. 6(1)(c)
Issuing invoices and tax compliance Legal obligation — Art. 6(1)(c)
Pre-arrival communications and check-in instructions Contract performance — Art. 6(1)(b)
Responding to enquiries and complaints Legitimate interest — Art. 6(1)(f)
Marketing emails (newsletters, offers) Consent — Art. 6(1)(a) — opt-in only
Website analytics and performance Legitimate interest — Art. 6(1)(f) or consent for non-essential cookies
Fraud prevention and security Legitimate interest — Art. 6(1)(f)
Defending legal claims Legitimate interest — Art. 6(1)(f)

4. Who we share your data with

We do not sell your personal data. We share it only with the following categories of recipients:

  • Stripe Payments Europe Ltd. — payment processing (Ireland / EU)
  • RentalWise — our property management system (data processor)
  • Email service providers (e.g. for transactional emails)
  • Cloud hosting providers — for website and database hosting
  • Greek authorities — AADE, tourism authorities, and law enforcement where required by Greek law
  • Channel partners — Airbnb, Booking.com — only for bookings originating from those platforms
  • Professional advisors — accountants, lawyers, auditors, under confidentiality obligations
  • Insurers — in the event of a claim

All third parties acting as data processors are bound by written data processing agreements requiring them to protect your data in line with GDPR.

5. International transfers

Most of our processors are based in the EU/EEA. Where data is transferred outside the EEA (for example, certain cloud or email providers), we ensure transfers are protected by:

  • an EU Commission adequacy decision, or
  • Standard Contractual Clauses approved by the EU Commission, or
  • another lawful transfer mechanism under GDPR Chapter V.

6. How long we keep your data

Data type Retention period
Booking and guest registration data 10 years (Greek tax and accounting law)
Invoices and payment records 10 years (Greek tax law)
Marketing data Until consent is withdrawn
Website analytics Up to 26 months
Correspondence 3 years after last contact, unless needed longer for legal claims
Security and fraud data Up to 7 years

After these periods, data is securely deleted or anonymised.

7. Your rights

Under GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate or incomplete data (Art. 16)
  • Erase your data, subject to legal retention obligations (Art. 17)
  • Restrict processing in certain circumstances (Art. 18)
  • Data portability — receive your data in a portable format (Art. 20)
  • Object to processing based on legitimate interest, including direct marketing (Art. 21)
  • Withdraw consent at any time, where processing is based on consent (Art. 7)
  • Not be subject to solely automated decision-making with legal effects (Art. 22) — we do not carry out such decision-making
  • Lodge a complaint with the Greek Data Protection Authority (Hellenic DPA / Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα) at www.dpa.gr

To exercise any of these rights, contact us at [email protected]. We will respond within one month, as required by GDPR.

8. Cookies

Our website uses cookies and similar technologies:

  • Strictly necessary cookies — required for the site to function (e.g. session, security, booking cart). These do not require consent.
  • Analytics cookies — to understand how visitors use the site. Set only with your consent.
  • Marketing cookies — to measure ad performance and personalise content. Set only with your consent.

You can manage cookie preferences at any time via the cookie banner or your browser settings. Disabling strictly necessary cookies may prevent the site from working correctly.

9. Security

We implement technical and organisational measures to protect your data, including:

  • HTTPS encryption for all data in transit
  • access controls and authentication on all systems holding personal data
  • PCI-DSS-compliant payment processing through Stripe
  • staff training on data protection
  • regular review of our security practices

No system is 100% secure. In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify the Hellenic DPA within 72 hours and, where required, inform you directly.

10. Children

We do not knowingly collect personal data from children under 16 except as part of a family booking made by a parent or guardian. Parents are responsible for the data of minors included in their booking.

11. Changes to this Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top indicates the current version. Material changes will be notified by email to recent guests and by a prominent notice on our website.

12. Contact

For any privacy-related question, request, or complaint:

Email: [email protected] Phone: +30 694 301 0268 Post: Eclipse Retreats O.E., Vernis 13, 85132, Rhodes, Greece

You may also contact the Hellenic Data Protection Authority directly:

  • Website: www.dpa.gr
  • Address: Kifissias 1-3, 11523 Athens, Greece
This site uses cookies to enhance your booking experience and help us understand how you discover us. By continuing, you agree to our use of cookies.
whatsapp