Home / Privacy Policy

Your data

Privacy Policy

Last updated: 9 July 2026

This Privacy Policy explains how RPS16 P.C. collects and uses personal data when you visit this website or book a stay at our apartments in Kolonaki, Athens. In short: we collect what we need to host your stay, we never sell your data, and analytics tools run only if you consent.

Who we are (data controller)

The data controller is RPS16 P.C. (Greek: RPS16 Ι.Κ.Ε.), a company registered in Greece (VAT EL801295252, GEMI 153756501000) with its registered office at Syngrou 106, Athens, Greece. We operate this website for direct online bookings of two licensed furnished tourist apartments in Kolonaki, Athens. For anything related to your personal data, contact us at [email protected].

What data we collect

We collect only what we need to take and fulfil your booking and to run this website:

  • Booking details: your name, stay dates, number of guests, the apartment booked, and the amounts you pay.
  • Contact details: your email address and phone number, used to confirm your booking and communicate about your stay.
  • Payment metadata: the status, amount and reference of your payment. Card details are entered directly in Revolut's secure card field and are processed by Revolut. We never see or store your full card number.
  • Technical data: server logs (IP address, browser type, pages requested), kept briefly for security and troubleshooting.
  • Analytics and advertising data: collected by Google tools only after you give consent in the cookie banner (see 'Cookies and analytics' below).

Purposes and legal bases

We process personal data for the following purposes:

  • To take, confirm and manage your booking. Necessary for the performance of our contract with you (GDPR Art. 6(1)(b)).
  • To issue invoices and meet tax, accounting and guest-registration obligations under Greek law. Compliance with a legal obligation (Art. 6(1)(c)).
  • To keep the website and booking system secure and prevent fraud. Our legitimate interest (Art. 6(1)(f)).
  • To measure website use and run advertising. Only with your consent (Art. 6(1)(a)), which you can withdraw at any time.

Who receives your data

We share personal data with a small number of service providers, each of which receives only what it needs:

  • Revolut Processes your card payment (Revolut Merchant services). Your card data is entered in Revolut's payment field and handled entirely by Revolut. We receive only the payment status, amount and reference.
  • Smoobu Our channel manager, where your reservation is registered so availability stays in sync across platforms. We do not share your real email address with Smoobu. The system uses an internal proxy address, and all guest communication is handled by our own system.
  • Google Tag Manager, Google Analytics 4 and advertising pixels, which load only after you consent in the cookie banner.
  • Cloudflare Hosts our website and infrastructure (Pages, Workers, D1 database, R2 storage). Booking data (name, contact details, stay dates, amounts) is stored in our database on Cloudflare's platform.
  • Greek authorities Where the law requires it, for example tax authorities and the guest-registration obligations that apply to licensed tourist accommodation.

We do not sell personal data, and we do not share it with anyone else.

International transfers

Booking data lives in our own database hosted on Cloudflare. Google and Cloudflare are international providers and may process some data outside the European Economic Area. Where that happens, transfers rely on recognised safeguards such as the European Commission's Standard Contractual Clauses or an adequacy decision (including the EU-US Data Privacy Framework, where applicable).

How long we keep your data

Booking and invoicing records are kept for as long as Greek tax law requires, typically at least five years after the end of the relevant tax year. Marketing and analytics data based on consent is kept until you withdraw that consent. Technical logs are kept for a short period and then deleted.

Cookies and analytics

When you first visit, a cookie banner asks for your consent. Strictly necessary cookies do not require consent and are always active. These include the session and CSRF cookies used by our admin area, and the browser storage entry that records your consent choice. Google Tag Manager, Google Analytics 4 and advertising pixels load only after you accept them in the banner. You can change or withdraw your consent at any time via the 'Cookie settings' link in the footer of every page.

Your rights

Under the GDPR (EU 2016/679) and Greek Law 4624/2019 you have the right to access the personal data we hold about you, to have it rectified or erased, to restrict or object to its processing, and to receive it in a portable format. Where processing is based on consent, you may withdraw that consent at any time. To exercise any of these rights, email us at [email protected]. You also have the right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr).

Contact and changes

For any question about this policy or your personal data, contact RPS16 P.C. at [email protected] or by post at Syngrou 106, Athens, Greece.

We may update this policy from time to time; the 'Last updated' date at the top shows the current version.