Privacy Policy

Last Updated: February 21, 2026

KefaloniaTransfers.com (powered by KCG Travel) is committed to protecting your privacy and ensuring the security of your personal data.

This Privacy Policy explains how we collect, use, store, and protect your information when you use our website and services, in compliance with the General Data Protection Regulation (GDPR) and Greek data protection laws.

By using our website and booking our services, you agree to the collection and use of information in accordance with this Privacy Policy.

1. WHO WE ARE

Data Controller:

[COMPANY_NAME_PLACEHOLDER]
[VAT_NUMBER_PLACEHOLDER]
[ADDRESS_PLACEHOLDER]
[GEMI_NUMBER_PLACEHOLDER]

Contact Information:

Data Protection Contact:

For all data protection inquiries, please contact us at: [email protected]

2. WHAT PERSONAL DATA WE COLLECT

We collect and process the following categories of personal data:

2.1 Information You Provide Directly

Data Category | Examples
Contact Information | Full name, email address, phone number
Travel Details | Flight/ferry number, arrival/departure times, pickup and drop-off addresses
Passenger Information | Number of passengers, names of all passengers (for group bookings)
Children's Information | Age and name (only for child seat requests)
Payment Information | Credit/debit card details (processed securely by Stripe - we do not store full card details)
Special Requests | Wheelchair access, special equipment, dietary requirements (for tours)
Communications | Content of emails, phone calls, or messages you send us

2.2 Information We Collect Automatically

Data Category | Examples
Technical Data | IP address, browser type and version, device type, operating system
Usage Data | Pages visited, time spent on pages, links clicked, referral source
Location Data | General location based on IP address (not precise GPS location)
Cookie Data | Session cookies, analytics cookies (see Section 9)

Important Notes:
  • We do NOT collect sensitive personal data (racial/ethnic origin, political opinions, religious beliefs, health data) unless strictly necessary for service provision (e.g., wheelchair access request).
  • We do NOT use automated decision-making or profiling.

3. HOW WE COLLECT YOUR DATA

We collect your personal data through the following methods:

3.1 Direct Interactions

  • Online Booking Form: When you complete a booking on our website
  • Phone/Email/WhatsApp: When you contact us to make a reservation or inquiry
  • Contact Form: When you submit a request for tours, group bookings, or special services
  • Customer Support: When you contact us for assistance or complaints

3.2 Automated Technologies

  • Cookies: Session cookies and analytics cookies (see Section 9)
  • Website Analytics: Manus Analytics tracks how visitors use our website
  • Server Logs: Our web server automatically records technical data (IP address, browser, etc.)

3.3 Third Parties

  • Payment Processors: Stripe provides payment confirmation and transaction data
  • Email Service: Resend/Google Workspace handles email delivery confirmations

4. WHY WE COLLECT YOUR DATA (LEGAL BASIS)

Under GDPR, we must have a lawful basis to process your personal data. Here are the legal bases we rely on:

Purpose | Legal Basis (GDPR Article 6)
Processing bookings and providing transfer services | Contractual Necessity - necessary to perform our contract with you
Processing payments | Contractual Necessity + Legal Obligation (tax/accounting laws)
Storing financial records for 11 years | Legal Obligation - Greek accounting and tax law
Sending booking confirmations, reminders, and service-related emails | Contractual Necessity - essential to provide the service
Customer support and complaint handling | Legitimate Interest - to provide customer service and resolve issues
Website analytics (Manus Analytics) | Legitimate Interest - to improve our website and services
Preventing fraud and ensuring security | Legitimate Interest - to protect our business and customers

Your Rights:

If we process your data based on Legitimate Interest, you have the right to object to this processing. See Section 10 for details on how to exercise your rights.

5. HOW WE USE YOUR DATA

We use your personal data for the following purposes:

5.1 Service Delivery

  • Processing and confirming your booking
  • Assigning drivers and vehicles
  • Coordinating pickup and drop-off logistics
  • Monitoring flight/ferry arrivals to adjust pickup times
  • Providing Meet & Greet service at the airport
  • Communicating with you about your transfer (confirmations, reminders, driver details)

5.2 Payment Processing

  • Processing payments via Stripe
  • Issuing invoices and receipts
  • Processing refunds and chargebacks
  • Maintaining financial records for accounting and tax purposes

5.3 Customer Support

  • Responding to your inquiries and requests
  • Handling changes and cancellations
  • Resolving complaints and disputes
  • Investigating driver/passenger no-show incidents

5.4 Service Improvement

  • Analyzing website usage via Manus Analytics to improve user experience
  • Gathering feedback through post-service quality review emails
  • Identifying and fixing technical issues

5.5 Legal Compliance

  • Complying with Greek and EU laws (tax, accounting, data protection)
  • Responding to lawful requests from authorities
  • Preventing fraud and ensuring transaction security

What We DON'T Do:
  • We do NOT send marketing or promotional emails (newsletters, offers, ads)
  • We do NOT sell, rent, or trade your personal data to third parties
  • We do NOT use your data for automated decision-making or profiling
  • We do NOT track you across other websites (no remarketing/retargeting)

6. WHO WE SHARE YOUR DATA WITH

We may share your personal data with the following trusted third parties:

6.1 Service Providers (Data Processors)

Provider | Purpose | Data Shared
Stripe | Payment processing | Name, email, payment card details, transaction amount
Resend | Email delivery (confirmations, reminders) | Name, email address, booking details
Google Workspace | Email communications (customer support) | Name, email address, message content
Manus Analytics | Website analytics and hosting | IP address, browser type, pages visited, session data

Data Processing Agreements:

All third-party service providers act as Data Processors under our instructions and are bound by GDPR-compliant Data Processing Agreements (DPAs). They are contractually obligated to protect your data and use it only for the specified purposes.

6.2 Legal Obligations

We may disclose your personal data if required by law or in response to valid requests from public authorities, including:

  • Greek tax authorities (for accounting and tax compliance)
  • Law enforcement agencies (for criminal investigations)
  • Courts and regulatory bodies (in legal proceedings)
  • Hellenic Data Protection Authority (HDPA) (for data protection audits)

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the new owner, subject to the same privacy protections outlined in this Privacy Policy.

We Do NOT Share Your Data With:
  • Advertising networks or marketing platforms
  • Social media companies (for ad targeting)
  • Data brokers or list rental companies
  • Any third party for their own marketing purposes

7. INTERNATIONAL DATA TRANSFERS

Your personal data is primarily stored and processed within the European Union (EU) and the European Economic Area (EEA).

7.1 EU-Based Infrastructure

  • Hosting: Manus (EU-based servers)
  • Email Services: Resend, Google Workspace (EU data centers)
  • Payment Processing: Stripe (processes payments in EU, GDPR-compliant)

GDPR Compliance:

All data transfers within the EU/EEA benefit from GDPR protections. We do not transfer your personal data outside the EU/EEA.

7.2 Safeguards for Third-Party Services

In the rare event that data is transferred outside the EU/EEA (e.g., for technical support or system maintenance), we ensure that such transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy Decisions (for countries deemed to have adequate data protection by the EU)
  • Data Processing Agreements (DPAs) with GDPR-compliant safeguards

8. HOW LONG WE KEEP YOUR DATA

We retain your personal data only as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law.

Data Category | Retention Period | Reason
Booking & Passenger Data | 11 years from date of service | Greek accounting and tax law
Payment Records | 11 years from transaction date | Greek accounting and tax law
Email Communications | 11 years from last communication | Legal compliance and dispute resolution
Analytics Data (Manus) | 14 months | Standard analytics retention period
Session Cookies | Until browser is closed | Technical necessity
Customer Support Tickets | 11 years from resolution | Legal compliance and service improvement

After the Retention Period:

Once the retention period expires, we will securely delete or anonymize your personal data, unless we are legally required to retain it for longer (e.g., for ongoing legal proceedings).

8.1 Early Deletion Requests

You have the right to request deletion of your data before the retention period ends (see Section 10 - Right to Erasure). However, we may be unable to delete data that we are legally required to retain (e.g., for tax purposes).

9. COOKIES & TRACKING TECHNOLOGIES

9.1 What Are Cookies?

Cookies are small text files stored on your device (computer, tablet, smartphone) when you visit our website. They help us provide you with a better experience and allow us to analyze how our website is used.

9.2 Types of Cookies We Use

Cookie Type | Purpose | Consent Required?
Essential Cookies (Session Cookies) | Enable core website functionality (booking form, secure connections). Without these cookies, the website cannot function properly. | No - These are strictly necessary
Analytics Cookies (Manus Analytics) | Help us understand how visitors use our website (pages visited, time spent, user behavior) so we can improve the user experience. | Yes - These require your consent

9.3 How to Manage Cookies

You can control and manage cookies in several ways:

Browser Settings:

Most web browsers allow you to:

  • View and delete cookies
  • Block third-party cookies
  • Block all cookies
  • Delete cookies when you close your browser

Here are links to cookie management guides for popular browsers:

⚠️ Important:

If you block or delete essential cookies, some parts of our website (especially the booking form) may not work properly.

9.4 Analytics Cookies - Details

Manus Analytics helps us understand:

  • Which pages are most visited
  • How long visitors stay on each page
  • What devices and browsers visitors use
  • Where visitors come from (referral sources)

Legal Basis: Legitimate Interest (website optimization and improvement)

Retention Period: 14 months

Your Choice: You can opt out of analytics tracking by disabling analytics cookies in your browser settings or by using browser privacy extensions.

9.5 We Do NOT Use:

  • Marketing/Advertising Cookies: We do not track you for ad targeting or remarketing
  • Social Media Cookies: We do not use Facebook Pixel, LinkedIn Insight Tag, or similar tracking tools
  • Third-Party Advertising Networks: We do not share your data with ad networks

10. YOUR RIGHTS UNDER GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

10.1 Right of Access (Article 15)

What it means: You have the right to request a copy of the personal data we hold about you.

How to exercise: Email us at [email protected] with the subject line "Data Access Request".

Response time: We will respond within 30 days.

10.2 Right to Rectification (Article 16)

What it means: You have the right to request correction of inaccurate or incomplete personal data.

How to exercise: Email us at [email protected] with the corrected information.

Response time: We will update your data within 30 days.

10.3 Right to Erasure / "Right to Be Forgotten" (Article 17)

What it means: You have the right to request deletion of your personal data in certain circumstances.

When we can delete:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw your consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed

When we CANNOT delete:

  • We are legally required to retain the data (e.g., 11 years for tax/accounting purposes)
  • The data is necessary to establish, exercise, or defend legal claims

How to exercise: Email us at [email protected] with the subject line "Data Deletion Request".

Response time: We will respond within 30 days and delete your data (subject to legal retention requirements) within 30 days of approval.

10.4 Right to Restriction of Processing (Article 18)

What it means: You have the right to request that we limit how we use your data in certain circumstances.

When you can restrict:

  • You contest the accuracy of the data (while we verify)
  • Processing is unlawful but you don't want the data deleted
  • We no longer need the data, but you need it for legal claims
  • You have objected to processing (pending verification of our legitimate grounds)

10.5 Right to Data Portability (Article 20)

What it means: You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV, JSON).

Scope: Applies only to data you provided to us and that we process based on consent or contract.

How to exercise: Email us at [email protected] with the subject line "Data Portability Request".

10.6 Right to Object (Article 21)

What it means: You have the right to object to processing of your data based on Legitimate Interest.

Examples:

  • Object to analytics cookies (Manus Analytics)
  • Object to use of your data for service improvement

How to exercise: Email us at [email protected] with the subject line "Objection to Processing".

10.7 Right to Withdraw Consent (Article 7)

What it means: Where we process your data based on consent, you have the right to withdraw that consent at any time.

Note: Withdrawing consent does not affect the lawfulness of processing before withdrawal.

10.8 Right to Lodge a Complaint

What it means: You have the right to file a complaint with the Hellenic Data Protection Authority (HDPA) if you believe we have violated your data protection rights.

See Section 17 for HDPA contact details.

How to Exercise Your Rights

To exercise any of these rights, please contact us:

Email: [email protected]

Subject Line: Include the specific right you wish to exercise (e.g., "Data Access Request")

Identity Verification: We may ask you to verify your identity before processing your request (to protect your privacy).

Response Time: We will respond to all requests within 30 days. In complex cases, we may extend this by an additional 60 days and will notify you of the delay.

No Fee: Exercising your rights is free of charge, unless your request is manifestly unfounded or excessive.

11. CHILDREN'S PRIVACY

11.1 Age Restriction

Our services are not intended for children under 18 years of age. To book a transfer, you must be at least 18 years old.

We do NOT knowingly collect personal data from children under 18, except for:

  • Age and name of child passengers (for child seat requests)
  • This information is provided by the parent or guardian (the Lead Passenger) who is responsible for the booking

11.2 Parental Consent

By booking a transfer that includes child passengers, the Lead Passenger (parent/guardian) confirms that:

  • They have the legal authority to provide the child's information
  • They consent to the processing of the child's data as described in this Privacy Policy

11.3 Limited Data Collection

We only collect the minimum necessary information about children:

  • Age: To determine the appropriate child seat type
  • Name: For booking records and service coordination

We do NOT collect or process any other data about children (photos, health data, etc.) unless explicitly requested by the parent/guardian for special requirements (e.g., medical conditions affecting travel).

If We Become Aware of Unauthorized Child Data:

If we discover that we have inadvertently collected personal data from a child under 18 without proper parental consent, we will delete that data immediately. If you believe we have collected data from a child improperly, please contact us at [email protected].

12. DATA SECURITY

We take the security of your personal data very seriously and have implemented appropriate technical and organizational measures to protect it from unauthorized access, loss, misuse, alteration, or destruction.

12.1 Technical Security Measures

Security Measure | Description
SSL/TLS Encryption | All data transmitted between your browser and our website is encrypted using industry-standard SSL/TLS protocols (HTTPS).
Secure Payment Processing | All payment transactions are processed by Stripe, a PCI-DSS Level 1 certified payment processor. We do NOT store full credit card details on our servers.
Data Encryption at Rest | Sensitive data stored on our servers is encrypted using strong encryption algorithms.
Firewall & DDoS Protection | Our website is protected by advanced firewall systems and DDoS mitigation through our hosting provider (Manus).
Regular Security Audits | We conduct regular security assessments and vulnerability scans to identify and address potential threats.
Secure Backups | Regular encrypted backups are performed to ensure data can be restored in case of system failure.

12.2 Organizational Security Measures

  • Access Controls: Only authorized personnel have access to your personal data, on a strict need-to-know basis.
  • Two-Factor Authentication (2FA): All administrative accounts require 2FA for added security.
  • Employee Training: Our staff receive regular training on data protection and security best practices.
  • Data Processing Agreements: All third-party service providers are contractually bound to protect your data in accordance with GDPR.
  • Confidentiality Agreements: All employees and contractors sign confidentiality agreements.

12.3 Your Role in Data Security

While we implement robust security measures, you also play a role in protecting your data:

  • Keep your login credentials secure (if you create an account in the future)
  • Use strong, unique passwords
  • Do not share your booking confirmation details publicly
  • Report any suspicious activity to us immediately at [email protected]

⚠️ No System is 100% Secure

Despite our best efforts, no data transmission over the Internet or electronic storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately.

13. DATA BREACH NOTIFICATION

13.1 What is a Data Breach?

A data breach occurs when personal data is accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed without authorization.

13.2 Our Obligations

In the event of a data breach that poses a risk to your rights and freedoms, we are legally required under GDPR to:

Notify the Supervisory Authority:

  • Report the breach to the Hellenic Data Protection Authority (HDPA) within 72 hours of becoming aware of it
  • Provide details of the nature of the breach, affected individuals, potential consequences, and measures taken to address it

Notify Affected Individuals:

  • If the breach poses a high risk to your rights and freedoms (e.g., risk of identity theft, financial loss), we will notify you without undue delay
  • The notification will include:
    • Nature of the breach and data affected
    • Potential consequences
    • Measures we are taking to address the breach
    • Recommended actions you can take to protect yourself

13.3 How We Will Contact You

In the event of a data breach requiring notification, we will contact you via:

  • Email (to the email address you provided in your booking)
  • Website Notice (prominently displayed on our homepage)
  • Direct Communication (phone call if the breach is severe and immediate action is required)

13.4 Our Commitment

We are committed to:

  • Responding to data breaches swiftly and transparently
  • Taking immediate action to contain and remediate the breach
  • Cooperating fully with the HDPA and other authorities
  • Learning from incidents to strengthen our security measures

Reporting Suspected Breaches:

If you suspect that your personal data has been compromised or you notice any suspicious activity related to your booking, please contact us immediately at:

Email: [email protected]

Phone: +30 697 651 4295

14. THIRD-PARTY LINKS & SOCIAL MEDIA

14.1 Third-Party Websites

Our website may contain links to third-party websites, plugins, or applications (e.g., payment gateways, review platforms, social media).

⚠️ Important Disclaimer:

We are NOT responsible for the privacy practices or content of third-party websites. Once you leave our website, this Privacy Policy no longer applies. We encourage you to read the privacy policies of any third-party websites you visit.

14.2 Social Media Presence

We maintain official pages on the following social media platforms:

  • Facebook: [FACEBOOK_URL_PLACEHOLDER]
  • Instagram: [INSTAGRAM_URL_PLACEHOLDER]
  • LinkedIn: [LINKEDIN_URL_PLACEHOLDER]
  • YouTube: [YOUTUBE_URL_PLACEHOLDER]

What Data Social Media Platforms Collect:

When you interact with us on social media (like, comment, share, message), the social media platform may collect data about you according to their own privacy policies, including:

  • Your name, profile picture, and public profile information
  • Your interactions with our posts (likes, comments, shares)
  • Messages you send to our page
  • Analytics data (demographics, interests, behavior)

We do NOT control how social media platforms use your data. Please review their privacy policies:

14.3 Social Media Plugins

We do NOT use social media plugins (e.g., Facebook Like button, Twitter share button) on our website. We do not embed third-party content that tracks your browsing behavior.

14.4 Review Platforms

We may display or link to reviews from third-party platforms (e.g., Google Reviews, TripAdvisor). These platforms have their own privacy policies governing how they collect and use reviewer data.

15. CHANGES TO THIS PRIVACY POLICY

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, legal requirements, or for other operational reasons.

15.1 How We Notify You of Changes

  • Website Notification: The updated Privacy Policy will be posted on this page with a new "Last Updated" date at the top.
  • Email Notification (for material changes): If we make significant changes that materially affect your rights, we may notify you by email (at our discretion).

15.2 Your Responsibility

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of our website and services after any changes indicates your acceptance of the updated Privacy Policy.

15.3 Material Changes

Material changes may include:

  • Changes to the types of data we collect
  • Changes to how we use your data
  • Changes to data retention periods
  • Introduction of new third-party service providers
  • Changes to international data transfers

Questions About Changes?

If you have any questions or concerns about changes to this Privacy Policy, please contact us at [email protected].

16. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

KefaloniaTransfers.com

Powered by KCG Travel

Data Protection Contact:

Email: [email protected]

Phone: +30 697 651 4295

WhatsApp/Viber: +30 697 651 4295

Company Details:

[COMPANY_NAME_PLACEHOLDER]
[VAT_NUMBER_PLACEHOLDER]
[ADDRESS_PLACEHOLDER]
[GEMI_NUMBER_PLACEHOLDER]

Customer Support Hours:

Winter Season (November - May): 09:00 - 17:00

Summer Season (May - October): 09:00 - 21:00

Response Time

We aim to respond to all privacy-related inquiries within 30 days. For urgent matters (e.g., suspected data breach, security concerns), please call us directly at +30 697 651 4295.

17. SUPERVISORY AUTHORITY

Under GDPR, you have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.

Hellenic Data Protection Authority (HDPA)

Official Name: Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (ΑΠΔΠΧ)

English Name: Hellenic Data Protection Authority

Address:
Kifisias Ave. 1-3
115 23 Athens
Greece

Website: www.dpa.gr

Email: [email protected]

Phone: +30 210 6475 600

Fax: +30 210 6475 628

When to Contact the HDPA:
  • You believe we have violated your data protection rights
  • We have not responded to your request within 30 days
  • You are dissatisfied with our response to your complaint
  • You wish to file an official complaint against our data processing practices

Our Commitment to Cooperation

We are committed to working constructively with the HDPA and will cooperate fully with any investigations or audits. However, we encourage you to contact us directly first so we can try to resolve any concerns informally before escalating to the supervisory authority.