Privacy Policy

We respect your privacy and process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Greek law. This policy applies to visitors, guests, and hosts using our website and related services.

1. Data controller

The data controller for the Greece2Stay platform is the operator of the service. For privacy requests contact: legal@greece2stay.com.

2. What we collect

Account data

• Email address and authentication credentials (passwords are stored hashed; we never store plain-text passwords).
• Account identifiers from our authentication provider (e.g. Supabase Auth), including sign-in timestamps.
• If you sign in with Google OAuth, we receive basic profile information permitted by that provider (such as email and name).

Listing and host data

• Property descriptions, photos, pricing, location, amenities, and availability information you submit.
• Optional contact details displayed to guests (e.g. phone number for WhatsApp or Viber).
• Host plan, billing interval, and listing activation status.

Guest and messaging data

• In-platform messages between guests and hosts, conversation metadata, and read receipts.
• Reports you submit about listings (reason and optional reporter email).

Technical data

• Essential cookies and similar technologies for session management, security, and remembering your legal consent.
• Server logs (IP address, browser type, pages viewed, timestamps) for security and troubleshooting.

3. Why we use your data

We process personal data on the following legal bases:

• Contract: to provide the platform, accounts, listings, and messaging you request.
• Legitimate interests: to secure the service, prevent fraud and abuse, improve features, and enforce our terms—balanced against your rights.
• Legal obligation: where we must comply with law or valid authority requests.
• Consent: where required (e.g. non-essential marketing cookies, if we introduce them in future).

4. How we share data

• Other users: listing content and contact details you choose to publish are visible to guests; messages are visible to conversation participants.
• Service providers: hosting, database, authentication, and infrastructure partners (e.g. Supabase) that process data on our instructions under appropriate safeguards.
• Legal and safety: when required by law or to protect rights, safety, and integrity of users and the platform.

We do not sell your personal data.

5. International transfers

Our providers may process data in the European Economic Area and other countries. Where data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions, as applicable.

6. Retention

• Account data is kept while your account is active and for a reasonable period after deletion for backups and legal compliance.
• If you register with email but do not confirm within 7 days, the unverified account and related profile data are automatically deleted so you can register again with the same address.
• Messages and listings may be retained according to operational needs and legal obligations.
• Security logs are retained for a limited period unless needed for investigations.
• Legal consent records are stored locally in your browser and in a cookie to remember your choice.

7. Cookies

We use the following types of cookies:

• Strictly necessary: authentication session cookies, security, and consent storage—the site cannot function properly without these.
• Functional: preferences you set while using the platform, where applicable.

When you first use the site, we ask you to accept our Terms and this Privacy Policy before continuing. You can read legal pages without accepting; other features require acceptance. You may clear cookies in your browser, but you will be prompted to accept again.

8. Your rights

Under GDPR you may have the right to:

• Access, rectify, or erase your personal data.
• Restrict or object to certain processing.
• Data portability, where applicable.
• Withdraw consent at any time (without affecting prior lawful processing).
• Lodge a complaint with the Hellenic Data Protection Authority (DPA) or your local supervisory authority.

To exercise rights, email legal@greece2stay.com. We may need to verify your identity before responding.

9. Security

We use technical and organisational measures appropriate to the risk, including encryption in transit (HTTPS), access controls, and reputable infrastructure providers. No method of transmission or storage is 100% secure.

10. Children

The platform is not directed at children under 16. We do not knowingly collect data from children.

11. Changes

We may update this policy. The "Last updated" date will change when we do. Material changes may require renewed consent where legally necessary.

12. Contact

Privacy enquiries: legal@greece2stay.com