Privacy Policy
How we collect, use, and protect your personal information
Last updated: 2026-01-27
Introduction
Tati's Rooms ('we', 'our', or 'us') is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or communicate with us.
Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the site. By using our website, you consent to the data practices described in this privacy policy.
Information We Collect
We may collect information about you in a variety of ways. The information we may collect via the website includes:
- Account Registration Data: When you create an account, we collect your name, email address, phone number (with country code), and a securely hashed password. We also collect your preferred language/locale setting for personalized communications.
- Authentication Data: We use secure session management and may store authentication tokens for your login sessions. We collect OTP (One-Time Password) verification codes sent to your email for account verification and email changes. These codes are temporary and automatically deleted after use or expiration (10 minutes).
- Booking Data: When you make a reservation (either through your account or as a guest without an account), we collect check-in and check-out dates, number of guests, room preferences, special requests, and any additional information you provide during the booking process. For guest bookings (bookings made without an account), we collect your name, email, and phone number to process the reservation.
- Payment Data: We use Stripe, a third-party payment processor, to handle all payment transactions. We do not store your full credit card details. Stripe processes and stores payment information securely according to PCI DSS standards. We only store payment transaction IDs, amounts, payment status, and booking references for accounting and customer service purposes.
- Derivative Data: Information our servers automatically collect when you access the website, such as your IP address, browser type, operating system, access times, and the pages you have viewed directly before and after accessing the website.
- Mobile Device Data: Device information, such as your mobile device ID, model, and manufacturer, and information about the location of your device, if you access the website from a mobile device.
- Communication Data: We collect and store email communications sent to you, including booking confirmations, check-in instructions, invoice notifications, OTP verification codes, and account-related messages. We maintain email logs for customer service and legal compliance purposes.
- Contact Form Data: When you submit a contact form inquiry, we collect your name, email address, phone number (if provided), subject/topic, and message content. This information is used to respond to your inquiry and is shared with our administrative team.
How We Use Your Information
We may use the information we collect from you in the following ways:
- Account Management: To create and manage your user account, authenticate your identity, verify your email address through OTP codes (for both registration and email changes), enable password changes, allow profile updates (name, phone, language preferences), and enable you to access your booking history and account settings.
- Booking Processing: To process your room reservations, calculate pricing, manage availability, send booking confirmations, and provide check-in instructions.
- Payment Processing: To process payments through Stripe, generate invoices according to Greek tax regulations, and maintain financial records for accounting and legal compliance.
- Communication: To send you transactional emails including booking confirmations, check-in instructions (sent 1 day before arrival), invoice notifications, OTP verification codes, account updates, and customer service communications. All emails are sent in your preferred language.
- Customer Service: To respond to your inquiries (including contact form submissions), handle booking modifications or cancellations, process refunds according to our cancellation policy, and provide support.
- Legal Compliance: To comply with Greek tax regulations, maintain booking and payment records for accounting purposes, and fulfill legal obligations.
- Website Improvement: To analyze website usage, improve our services, enhance user experience, and develop new features.
Cookies and Tracking Technologies
We may use cookies, web beacons, tracking pixels, and other tracking technologies on the website to help customize the website and improve your experience. By using the website, you agree to be bound by our Cookie Policy.
Most browsers are set to accept cookies by default. You can remove or reject cookies, but be aware that such action could affect the availability and functionality of the website.
Types of Cookies We Use
- Essential Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms.
- Performance Cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.
- Functional Cookies: These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages.
Data Sharing and Third Parties
We may share information we have collected about you in certain situations. Your information may be disclosed as follows:
- Payment Processing (Stripe): We share payment information with Stripe, a PCI DSS compliant payment processor, to securely process your credit card payments. Stripe handles all payment data according to their privacy policy and security standards. We do not have access to your full credit card numbers.
- Email Service Providers: We use Brevo to send transactional emails. Your email address and name are shared with this service provider solely for the purpose of delivering emails to you.
- Hosting and Infrastructure: Our website and database are hosted on secure cloud infrastructure. Your data is stored in databases that comply with data protection regulations.
- By Law or to Protect Rights: If we believe the release of information about you is necessary to respond to legal process, to investigate or remedy potential violations of our policies, or to protect the rights, property, and safety of others, we may share your information as permitted or required by any applicable law, rule, or regulation, including Greek tax authorities for invoice and booking records.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to the same privacy protections.
Your Rights
Under GDPR and Greek data protection laws, you have the following rights regarding your personal data:
- Right to Access: You can access your personal data through your account dashboard, including your profile information, booking history, and invoices.
- Right to Rectification: You can update your personal information (name, email, phone) directly through your account settings. You can also change your password at any time.
- Right to Erasure (Account Deletion): You have the right to request deletion of your account. When you delete your account: (a) Your user account data (name, email, phone, password) is permanently deleted; (b) Your bookings are anonymized (the link to your account is removed, but booking records are retained for legal and accounting compliance); (c) Payment and invoice records are retained as required by Greek tax law; (d) OTP verification records are deleted. Note: You cannot delete your account if you have active (PENDING or CONFIRMED) bookings.
- Right to Data Portability: You can request a copy of your personal data in a structured, machine-readable format.
- Right to Object: You can object to processing of your personal data for certain purposes, though this may affect our ability to provide services to you.
- Right to Withdraw Consent: You can withdraw consent for data processing at any time, though this may affect our ability to provide services.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the Greek Data Protection Authority if you believe your data protection rights have been violated.
Data Retention and Deletion
We retain your personal data for the following periods:
- Account Data: Your account information is retained while your account is active. When you delete your account, personal data is immediately deleted, except as noted below.
- Booking Records: Booking records (including dates, guests, amounts) are retained indefinitely for legal and accounting compliance, as required by Greek tax regulations. When you delete your account, these records are anonymized (the link to your account is removed).
- Payment Records: Payment transaction records are retained for 10 years as required by Greek tax law, even after account deletion.
- Invoice Records: Invoice records are retained for 10 years as required by Greek tax law, even after account deletion.
- OTP Verification Codes: OTP codes are automatically deleted after 10 minutes (expiration) or immediately after successful verification.
- Email Logs: Email communication logs are retained for customer service and legal compliance purposes for up to 2 years.
- Session Data: Authentication session data is stored temporarily and automatically expires after 30 days of inactivity or when you log out.
Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Password Security: All passwords are hashed using bcrypt before storage. We never store passwords in plain text.
- Encryption: Data is transmitted over HTTPS/TLS encrypted connections. Sensitive data is encrypted at rest.
- Access Controls: Access to personal data is restricted to authorized personnel only, on a need-to-know basis.
- Payment Security: All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. We do not store credit card numbers.
- OTP Security: OTP codes are single-use, expire after 10 minutes, and are automatically deleted after use.
- Regular Updates: We regularly update our security measures and monitor for potential vulnerabilities.
Contact Information
If you have questions or comments about this Privacy Policy, please contact us at:
- Email: contact@tatisrooms.com
- Address: Vathy, Meganisi 31083, Lefkada, Greece