Legal · Privacy
Privacy Policy
How we handle the small amount of personal data this site collects, your rights under the EU General Data Protection Regulation (GDPR), and how to reach us.
1. Who we are (Data Controller)
This site (the “Site”) is a personal, non-commercial guest companion website for the short-stay apartment Travelers’ Dream / Acropolis Steps, located in Koukaki, Athens, Greece. The apartment is rented out via Booking.com; this Site neither sells nor processes any service.
The data controller for the personal data processed through this Site is the apartment’s host, acting in a private capacity. You can contact the host at hello@acropolis-steps.com or via the contact form. The host’s full legal identification is disclosed where it is legally required — on the Booking.com listing for the apartment.
2. What personal data we collect, and why
a) Guest tips submissions
When you submit a guest tip we collect: your first name, the country you’re from (optional), your Booking.com confirmation number, the date of your stay, and the text of your tip. We also store a one-way SHA-256 hash of your IP address and a timestamp.
- Lawful basis: Art. 6(1)(b) GDPR — performance of a service you actively request (publishing your tip), combined with Art. 6(1)(f) — our legitimate interest in preventing spam and abuse.
- Booking number is used only to verify that a real reservation exists. It is never published.
- Retention: approved tips are kept as long as the Site is online. Rejected tips are deleted within 90 days. IP hashes used for rate-limiting are kept for 30 days.
b) Contact form messages
When you write to us via the contact form, we store your name, email address, the message you sent, and a hash of your IP.
- Lawful basis: Art. 6(1)(b) GDPR — taking steps at your request prior to entering a possible arrangement.
- Retention: messages are kept for 24 months for reference, then deleted.
c) Photo uploads
If you upload a photo (subject to host approval), we strip EXIF metadata before storing it. We keep an IP hash and the upload timestamp solely for moderation and abuse prevention.
d) Self-hosted analytics
If — and only if — you grant analytics consent on the cookie banner, we record one row per page view: the URL, an anonymous session ID, a hashed IP, your country (looked up via ipwho.is), device type, browser and OS family, and whether you appear to be a bot. We never store raw IP addresses. See the Cookie Policy for full detail.
- Lawful basis: Art. 6(1)(a) GDPR — your consent, which you can withdraw at any time from the cookie chip in the bottom-left of any page.
3. Who we share your data with
We do not sell your data and do not share it with advertisers. Limited disclosures occur only with:
- Namecheap, Inc. — the hosting provider, based in the United States. Hosting necessarily means that any personal data you submit, as well as standard server logs (including your IP address), reside on servers operated by Namecheap. See the “Transfers” section below.
- Google LLC — the Site loads the “Fraunces” and “Inter” web fonts from
fonts.googleapis.comandfonts.gstatic.com. Google may receive your IP address when serving the font files. - ipwho.is — only the IP address is sent for country lookup when you have given analytics consent. The lookup is one-off and ipwho.is is operated from outside the EEA. You can disable it by rejecting analytics cookies.
- Viator (Tripadvisor LLC) — the Excursions page embeds a Viator partner widget that loads tour listings from viator.com. The widget is only loaded after you grant marketing-cookie consent. Once loaded, your browser sends your IP and user-agent to viator.com and Viator may set affiliate-attribution cookies on the viator.com domain under Viator’s own privacy policy. If you do not grant marketing consent, no request is made to viator.com from this Site.
- Greek authorities where we are legally required to do so (e.g. a valid request from the Hellenic Data Protection Authority or law-enforcement order).
Booking-related personal data (name, dates, payment) is processed by Booking.com under their own privacy policy; we never see your credit-card information. The same applies to bookings you make on Viator.
4. Transfers outside the EEA
The Site is hosted in the United States by Namecheap, Inc. This means that any personal data you submit through the Site (contact-form messages, guest tips, photo uploads), together with technical data such as your IP address in server logs, is transferred to and stored in the United States. The same applies, to a lesser extent, to the optional analytics country-lookup call to ipwho.is, to font requests served by Google LLC, and — only when you choose to click an affiliate link on the Excursions page — to the referral request sent to Viator (Tripadvisor LLC).
Under Chapter V of the GDPR, such transfers require an appropriate legal basis. We rely on:
- The EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023), where the relevant US recipient is self-certified under the Framework; and/or
- Standard Contractual Clauses approved by the European Commission under Art. 46(2)(c) GDPR, as incorporated in the recipient’s terms of service, where Framework certification does not apply.
You should be aware that, despite these safeguards, US public authorities may in principle access personal data held by US-based providers under US surveillance laws (e.g. FISA 702), and the protections available to EU residents in that context differ from those available within the EEA. If you do not wish your data to be transferred to the United States, please do not submit personal data through the contact form, tips form, or photo upload, and reject analytics cookies on the consent banner.
5. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data (“right to be forgotten”, Art. 17) — e.g. removal of a published tip.
- Restrict processing (Art. 18).
- Data portability — receive your data in a machine-readable format (Art. 20).
- Object to processing based on our legitimate interests (Art. 21).
- Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3)).
To exercise any of these rights, write to hello@acropolis-steps.com. We will reply within 30 days as required by GDPR.
6. Complaints
7. Security
We use HTTPS (when deployed publicly), CSRF tokens on all forms, hashed IPs, and stripped EXIF on uploads. The database is stored on the server with restricted file permissions. Despite reasonable precautions, no online service can guarantee absolute security; we ask you not to send sensitive personal information through public forms.
8. Children
This Site is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has submitted data, please contact us and we will delete it.
9. Changes to this policy
We may update this policy when the Site changes. The “Last updated” date at the top reflects the most recent revision. Material changes will be highlighted on the cookie banner when relevant.