Privacy Policy

 Introduction

Parea is committed to protecting the privacy and security of personal data of website visitors, individuals making reservations, Guests staying with us, our marketing recipients, and other interacting parties. This Privacy Policy describes how we collect, use, store, disclose and protect your personal data (“Personal Data”), what rights you have, and how you may exercise them.

We operate furnished tourist accommodation under an MHTE licence in Greece. We use various web tools, booking engines, direct and OTA channels, email marketing platforms, and engage service providers both in the EU and potentially outside the EU/EEA.

This Policy applies to:

• Visitors to our website or mobile platforms;
• Guests who book or stay with us;
• Individuals who engage with our marketing or website communications;
• Third-party partners, service providers, travel agents, and related parties.

Your Personal Data will be processed in accordance with this Privacy Policy, based on the applicable legal bases under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Greek law.

2. Data Controller and Contact Information

The Data Controller for your Personal Data is:

PAREA OPERATIONS ΜΟΝΟΠΡΟΣΩΠΗ ΑΝΩΝΥΜΗ ΕΤΑΙΡΕΙΑ, a company duly incorporated and existing under the laws of  Greece, with Registered seat at Aischylou 36, Greece, and email address info-parea-paros@parealife.com

If you have any questions about this Privacy Policy or about how we process your Personal Data, you may contact us using the above details.

Where applicable, we may share Personal Data with entities within the same group (if any). Where required, you will be informed of the identity of such entities at the time your Personal Data is collected.

For any data protection queries, please contact us at: info-parea-paros@parealife.com

3. Categories of Personal Data Collected

We collect and process various categories of Personal Data depending on your interaction with us. These include:

3.1 Booking and Stay-Related Data

• Name, surname
• Nationality
• Passport and/or ID card details, date of birth (where required for guest registration)
• Contact details (email, phone number, postal address)
• Booking details (dates, unit type, number of guests, duration)
• Payment details/transaction references (card details are typically processed via payment providers and not stored by us)
• Guest preferences and special requests
• Arrival/departure times, check-in/check-out records
• Security deposit authorisation, damage deposit details (where applicable)

3.2 Website / Online Data

• IP address
• Browser type and version
• Operating system and device identifiers
• Referring website, pages visited, time on site
• Cookies, tracking identifiers, pixels, marketing tags
• Location data (country/region), where legally permitted

3.3 Marketing and Communication Data

• Consent or opt-in records for marketing communications
• Email open and click records
• Preferences for offers, newsletters, and re-engagement campaigns
• Interaction history with our marketing tools and third-party platforms

3.4 Third-Party Data / Security Data

• Data received from OTAs, travel agents, booking engines
• Aggregated or derived data from analytics and measurement tools
• CCTV or security footage (where the property is equipped), for safety and legal compliance
• Data on visitors or third-party individuals associated with a Guest booking

3.5 Special Category Data

In limited cases, you may voluntarily provide information that may qualify as special category data under the GDPR (e.g., health-related information such as allergies or dietary needs). If you choose to provide such information, we will process it only to the extent necessary to accommodate your request and will not use it for unrelated purposes.

4. Legal Bases for Processing

We rely on the following legal bases under the GDPR to process Personal Data:

(a) Performance of a Contract (Article 6(1)(b))

Processing necessary to manage your reservation, payment, stay, check-in/check-out, property access, and the provision of accommodation services.

(b) Legal Obligation (Article 6(1)(c))

Processing required under applicable Greek law (including tourist accommodation obligations, tax and accounting requirements, guest registration, and lawful reporting obligations).

(c) Legitimate Interest (Article 6(1)(f))

Processing necessary for our legitimate business interests, including:

• improving our services and guest experience,
• ensuring property security and preventing fraud,
• analytics and website performance monitoring,
• limited marketing to past Guests, where permitted by law.

Where we rely on legitimate interest, we ensure we consider your interests, rights and freedoms, and you always retain the right to object.

(d) Consent (Article 6(1)(a))

Where required, we will request your consent, including for:

• non-essential cookies and tracking technologies,
• direct marketing communications (where required),
• certain optional services or communications.

You may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.

5. Purposes of Processing

We process your Personal Data for the following purposes:

• enabling and managing reservations, payments, and accommodation services;
• managing guest check-in/check-out and guest identification requirements;
• fulfilling guest registration obligations with authorities where required by applicable Greek law;
• communicating booking information, changes, service updates and Guest correspondence;
• operating our website, analysing usage and improving performance and security;
• sending marketing and promotional communications, subject to lawful basis and your preferences;
• ensuring safety, access control and security, including CCTV (where applicable);
• detecting, preventing and investigating fraud or misuse;
• complying with applicable legal and regulatory obligations;
• transferring Personal Data to service providers, OTAs, partners, or group entities as necessary to deliver services;
• retaining records for accounting, auditing, claims management and legal defence.

6. Sharing and Disclosure of Personal Data

We may share your Personal Data with the following categories of recipients:

6.1 Service Providers (Processors)

We may engage service providers acting as processors on our behalf, such as:

• IT hosting and infrastructure providers,
• booking engine providers,
• email marketing providers,
• analytics providers,
• CRM systems,
• security, cleaning and maintenance providers.

Where such parties act as processors, we ensure appropriate contractual arrangements are in place (including GDPR-compliant data processing terms).

6.2 Booking Platforms / OTAs / Travel Agents

Where you book through a third party (e.g., OTAs or travel agents), such parties may act as independent controllersunder their own privacy policies. We recommend reviewing their privacy policies separately.

6.3 Payment Providers

Payments may be processed by secure third-party payment providers. Depending on the service, such providers may act as independent controllers or processors. We do not intentionally store full payment card details unless strictly necessary and legally permitted.

6.4 Public Authorities

We may disclose Personal Data to competent authorities where required by law, including for:

• guest registration obligations,
• tax and accounting compliance,
• emergency or safety reasons.

6.5 Corporate Transactions

In the event of a merger, acquisition, restructuring or sale of assets, Personal Data may be transferred as part of the transaction, subject to applicable privacy safeguards.

We do not sell Personal Data in the sense of uncontrolled disclosure. Any sharing for advertising or marketing purposes will be carried out only where lawful and with appropriate transparency and choices.

6.6 Third Parties Associated with a Booking

Guests acknowledge that Personal Data of third parties provided during a booking (e.g., family members, companions, occupants, visitors) may be collected and processed for booking management, safety and legal compliance. Guests should ensure that such individuals are informed accordingly.

7. International Transfers of Data

As a business operating in Greece with global service providers, we may transfer Personal Data to countries outside the European Economic Area (EEA), including countries with different data protection laws.

Where this occurs, we ensure appropriate safeguards, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• transfers to countries with an adequacy decision;
• contractual and organisational measures ensuring GDPR-level protection.

Where required, we also assess the recipient country and implement supplementary measures in line with applicable EU data protection requirements.

You may contact us for details of international transfers and safeguards.

8. Data Retention and Deletion

We retain Personal Data only for as long as necessary for the purposes set out in this Privacy Policy and in accordance with applicable legal obligations.

Retention criteria may include:

• Tax / accounting records and invoices: retained for up to 10 years, in line with applicable Greek obligations (as applicable).
• Guest registration / identification details (where required): retained for the legally required period under applicable tourist accommodation regulations.
• Guest communications and service requests: retained for a reasonable period after your stay, unless longer retention is required (e.g., for complaints, disputes, legal claims).
• Marketing data: retained until you unsubscribe, withdraw consent, or object; thereafter we may keep minimal suppression records to ensure compliance with opt-out preferences.
• Technical logs and analytics: typically retained for a limited duration (e.g., 12–24 months) unless needed for security investigations or legal defence.
• CCTV footage (if applicable): retained for the minimum period permitted/required (often 5–30 days), unless an incident requires longer retention.

When data is no longer needed, we securely delete, anonymise, or aggregate it.

9. Data Subject Rights

Under the GDPR and applicable Greek law, you may exercise the following rights:

• Right of access
• Right of rectification
• Right of erasure (“right to be forgotten”)
• Right to restriction of processing
• Right to object, particularly where processing is based on legitimate interest or for direct marketing
• Right to data portability
• Right to withdraw consent, where processing is based on consent
• Right to lodge a complaint with the competent supervisory authority

Requests can be submitted to: info-parea-paros@parealife.com

We may request additional information to verify your identity prior to responding.

We will respond within the timeframe required by law (typically within 1 month, or up to 3 months for complex cases, where legally permitted).

Supervisory Authority

You may lodge a complaint with the Hellenic Data Protection Authority (HDPA) if you consider that your rights have been infringed.

10. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to provide functionality and deliver analytics and marketing services.

10.1 Types of Cookies

• Strictly Necessary Cookies: required for basic website and booking engine functionality and security.
• Functional Cookies: remember preferences such as language settings.
• Analytics Cookies: help us understand usage and improve performance.
• Marketing / Retargeting Cookies: used to deliver customised advertising and measure campaign effectiveness.

10.2 Consent

Except for strictly necessary cookies, we will obtain your prior consent before placing non-essential cookies or trackers.

You may change your cookie preferences at any time via the “Cookie Settings” link or through your browser settings.

10.3 Cookie Banner and Preference Tool

Upon first visit, you will see a cookie banner offering options such as: “Accept All”, “Reject Non-Essential”, and “Manage Settings”. Your choices are stored and timestamped, and can be revisited at any time. We document and manage consent choices through our cookie management platform.

11. Marketing Communications

When you provide your email address to us (for example, during a reservation, enquiry, digital check-in, newsletter signup, or through forms on our website), you may be asked whether you wish to receive promotional emails, newsletters, and special offers.

• Where required, marketing communications will be sent only if you have provided consent (opt-in).
• We may send communications relating to accommodation services based on our legitimate interest, provided that you were given the opportunity to opt out at the time your contact details were collected and in every subsequent communication.

In all cases, you may opt out at any time by:

• clicking the unsubscribe link in any marketing email, or
• contacting us at: info-parea-paros@parealife.com

You also have the right to object at any time to direct marketing.

We may retain certain Personal Data for longer periods where necessary to establish, exercise, or defend legal claims.

12. Security and Data Protection

We implement appropriate technical and organisational measures to protect Personal Data, including:

• encryption of data in transit (HTTPS) and where applicable at rest;
• access controls and restricted internal access;
• data minimisation and pseudonymisation where possible;
• security audits and vulnerability assessments;
• staff training and confidentiality obligations;
• an incident response plan for data breaches.

Despite our efforts, no system can be guaranteed fully secure. You should take appropriate precautions when using digital services.

Personal Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected individuals and/or the competent authority as required by applicable law.

13. Profiling and Automated Decision-Making

We may carry out limited profiling based on Personal Data (e.g., identifying repeat Guests, offering personalised offers, analysing booking patterns).

We do not engage in automated decision-making that produces legal or similarly significant effects without an appropriate lawful basis and, where required, your explicit consent.

14. Children’s Data

Our services are not intentionally designed for children under 18. We do not knowingly collect Personal Data of minors without parental or guardian consent. If you believe we have collected Personal Data relating to a child without proper consent, please contact us so that we can take appropriate steps.

15. Third-Party Links

Our website may contain links to third-party websites (such as OTAs, social media platforms, or external service providers). We are not responsible for the privacy practices of third parties. We encourage you to review their privacy policies before providing Personal Data.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our operations, legal obligations, or technology.

We will publish the updated version on our website with an updated “Last Updated” date. Continued use of our website and services means that you have been informed of the updated Policy.

17. Contact Information and Complaints

If you have questions or requests regarding this Privacy Policy or our data practices, please contact:

info-parea-paros@parealife.com