Easy Crete Transfer

Privacy Policy

Last updated: June 2026. This is a template; have it reviewed by a lawyer before launch.

1. Who we are

Easy Crete Transfer is the data controller for personal data processed through this website. Our company details and contact information are on the company information page. This policy explains what data we collect, why, who receives it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR).

2. Data we collect and why

We only collect data we need to run the booking service. The main categories are:

  • Booking data: name, email address, phone number, pickup and drop-off locations, dates and times, passenger and luggage counts, requested extras such as child seats, and any notes you add. Purpose: to arrange and perform your transfer and to send you booking confirmations, driver details, trip reminders and service messages. Legal basis: performance of a contract.
  • Flight numbers: for airport pickups we use your flight number to monitor your flight and adjust the pickup time for delays. Legal basis: performance of a contract.
  • Account data: if you choose to create an optional customer account, we store your login email and a hashed password, plus your booking history. Legal basis: performance of a contract (the account service you requested).
  • Payment data: card payments are processed by Stripe. Your card details go directly to Stripe; we never see or store full card numbers. We keep payment status, amounts and Stripe transaction references. Legal basis: performance of a contract and legal obligations (accounting).
  • Driver location data: during an active transfer, the assigned driver's device may send position updates so that you can follow the vehicle on a live tracking map. This is the driver's location, not yours; we do not track customers. Positions are sent over secured, time-limited links. Legal basis: legitimate interest in providing reliable pickup coordination, and the operator agreement with the driver.
  • Communications: emails, and where used SMS, WhatsApp or Viber messages, sent in connection with your booking, plus messages you send to our support. Legal basis: performance of a contract and legitimate interest in keeping records of support requests.
  • Reviews: if you leave a review, we store your rating and text and publish your first name with the review after moderation. Legal basis: consent, which you can withdraw by asking us to remove the review.
  • Deal alert subscriptions: if you subscribe, we store your email address and chosen routes to send you offer alerts. Legal basis: consent. Every alert contains an unsubscribe link and unsubscribing takes effect immediately.
  • Partner attribution: if you arrive via a referral partner's link or widget, a cookie stores the partner code for up to 30 days so that a resulting booking can be credited to that partner. Legal basis: legitimate interest in operating the partner programme. This does not affect your price and involves no advertising profile.
  • Technical data: IP addresses, request logs and error reports, used for security, abuse prevention and fixing faults. Legal basis: legitimate interest in keeping the service secure and working.

3. Who receives your data

We share data only where needed to deliver the service, with the following recipients:

  • Your assigned operator and driver: receive your name, phone number, pickup details, flight number, passenger and luggage counts and any notes, so they can perform the transfer.
  • Stripe (payment processing): receives your card details and billing data when you pay online, and processes refunds.
  • Twilio (SMS and WhatsApp) and Yuboto (Viber): receive phone numbers and message content when notifications are sent through these channels, primarily for operator alerts.
  • AeroDataBox (flight data): receives your flight number and date so we can monitor the flight. No other personal data is sent.
  • Google (Places address autocomplete): when you search for an address, your search text is sent to Google through our server, which limits the personal data Google receives directly from your browser.
  • OpenStreetMap tile servers: your browser loads map images directly, so the tile provider receives your IP address.
  • Cloudflare Turnstile (anti-bot protection): receives technical signals from your browser on protected forms to distinguish humans from bots, without advertising tracking.
  • Sentry (error monitoring): receives technical error reports, which may include your IP address and the request that triggered the error.
  • Hosting and infrastructure providers: store and process data on our behalf under data processing agreements.

All processors act on our documented instructions under GDPR Article 28 agreements. We do not sell personal data, and we do not share it with advertising networks.

4. International transfers

We aim to keep data in the EU/EEA. Some of the providers listed above, such as Stripe, Twilio, Google, Cloudflare and Sentry, are US companies or use infrastructure outside the EEA. Where data leaves the EEA, the transfer is protected by an adequacy decision such as the EU-US Data Privacy Framework, or by the European Commission's Standard Contractual Clauses, together with additional safeguards where appropriate.

5. Cookies

We use only functional cookies. We do not use advertising, analytics profiling, or cross-site tracking cookies, which is why our cookie banner has no marketing toggles.

  • Session cookie: keeps you logged in and preserves your booking in progress. Expires when the session ends.
  • Locale cookie: remembers your chosen language. Kept for up to 1 year.
  • Consent cookie: remembers that you have seen the cookie notice. Kept for up to 1 year.
  • partner_ref cookie: stores a referral partner code if you arrived via a partner link or widget. Kept for 30 days.

A currency display preference may also be stored so prices are shown in your chosen currency; charges are always made in euro.

6. How long we keep your data

  • Bookings, payments and invoices: kept for as long as Greek tax and accounting law requires, currently in the range of 5 to 10 years from the relevant tax year.
  • Customer accounts: kept until you delete your account, subject to the booking retention above.
  • Deal alert subscriptions: kept until you unsubscribe, then removed from the mailing list.
  • Driver location data: kept only as long as needed for the active transfer and short-term quality checks, then deleted.
  • Reviews: published until you ask us to remove them.
  • Technical and security logs: kept briefly, typically for a few weeks.
  • Backups: we make daily encrypted database backups for disaster recovery. Backups are rotated and overwritten on a fixed schedule, so deleted data also disappears from backups after the rotation period.

7. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you and receive a copy;
  • correct inaccurate or incomplete data;
  • request deletion, where no legal retention duty applies;
  • restrict or object to processing based on legitimate interest;
  • receive your data in a portable, machine-readable format;
  • withdraw consent at any time, for example for reviews or deal alerts, without affecting processing already carried out.

To exercise any right, contact us using the details on the company information page. We respond within one month. You also have the right to lodge a complaint with the Hellenic Data Protection Authority (dpa.gr) or the supervisory authority of your country of residence.

8. Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects for you. Anti-bot checks (Cloudflare Turnstile) and payment fraud screening by Stripe are technical safeguards; if a payment is declined you can always contact us to complete your booking another way.

9. Children

Our service is intended for adults making travel bookings. We do not knowingly collect personal data from children. Passenger counts may include children for capacity and child seat purposes, but we do not collect children's names or other identifying details.

10. How we protect your data

  • All traffic to and from the website is encrypted in transit (HTTPS/TLS).
  • Card data is handled exclusively by Stripe, a PCI DSS certified payment processor.
  • Manage-booking, tracking and unsubscribe links use unique, hard-to-guess tokens or cryptographically signed URLs.
  • Staff and operator access is role-based, and staff accounts are protected with two-factor authentication.
  • Administrative actions are recorded in an audit log.
  • Daily backups protect against data loss, and access to backups is restricted.

No system is perfectly secure, but we review and improve these measures on an ongoing basis.

11. Data you provide about others

If you book on behalf of other passengers, you confirm that you are entitled to share their details with us and that you have informed them of this policy.

12. Operators as recipients

Operators receive your data as independent recipients in order to perform the carriage contract they conclude with you. They must process it only for the transfer and in line with data protection law, and they are contractually required to do so under our operator agreements.

13. Sources of your data

We collect data directly from you when you book, subscribe or contact us. We receive flight status information about your flight number from AeroDataBox, and payment outcome information from Stripe. If you arrive via a referral partner, we receive only the partner code, not any personal data from the partner.

14. Changes to this policy

We may update this policy when the service or the law changes. The date at the top shows the latest revision. For significant changes that affect you, we will provide more prominent notice, for example by email to account holders.
