PRIVACY POLICY AND GDPR COMPLIANCE

Kastellakia Bay Villas and its respective sites keavillarent.com and kastellakiabayvillas.gr are operated by INTRAFAC LTD Cyprus.

INTRAFAC LTD (herein after The Company, or we/ us) is the leading real estate developer, manager and short-term villa rental specialist in Cyprus, based in Pavlou Anagnostou Court office 1, Vassili Krokou 31a, Larnaca 6532 ,Tel: +357 99 727243, operating, advertising and promoting though its own platforms numerous quality villas and houses in Greece and Cyprus.

This Privacy Policy outlines the Company’s general policy and practices for complying - among others - with the applicable EU General Data Protection Regulation 2016/679 (GDPR), including the types of personal data we process, the purpose and the legal basis for that processing, the technical and security measures that we apply and the rights that individuals have under GDPR. This Privacy Policy applies to all personal information (as these are defined under the GDPR) of natural persons received by our company, whether in electronic, paper or verbal format.

Notice

The Company shall inform individuals of the purpose for which it collects and uses their personal data and the types of third parties to which it may disclose that information. The Company shall provide individuals with the choice and means for limiting the use and disclosure of their personal information, where applicable. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to The Company , or as soon as practicable thereafter, and in any event before The Company or discloses the information for a purpose other than that for which it was originally collected.

1. What is personal data?
1.1 Personal data means any information relating to you which allows us to identify you, such as your name, contact details, booking reference number, id or passport numbers, payment details and information about your access to our website.
1.2 We may collect personal data from you when you do a reservation with us (either directly or indirectly through our trusted third party partners), use our website and other websites accessible through our website, or when you contact us.
1.3 By Law we have to collect such data as your ID or passport number
2. What Types of Personal Data does The Company Process and How do we Use your Personal Data?
2.1 We will only use your personal data in ways that are compatible with the purposes for which it was collected or authorized by you. Unless required or authorized by Law, we will not process sensitive personal information about individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the individual. In case we need to process such data, we shall implement high security standards, according to relevant Law.
2.2 Personal details about your physical or mental health, alleged commission or conviction of criminal offences, or photographs of you in electronic version are considered special categories of personal data under applicable data protection law. We do not collect or store such data.
2.3 We will only process your information, where:
• you have given your consent to such processing (which you may withdraw at any time, as detailed below);
• the processing is necessary to provide our contractual services to you;
• the processing is necessary for compliance with our legal obligations (e.g. for tax reasons or to prevent a threat to life, health or safety of a customer); and/or
• the processing is necessary for our legitimate interests (e.g. safety internet connection) or those of any third party recipients/partner of ours that receive your personal information.
2.4 More specifically, we may process your personal data for specific purposes, as follows:

a) Provision of our booking services

Following your request for a reservation, either if you act as an individual client, a villa owner, or a villa management company, we shall collect and process your personal data in order to provide you the services that you require from us.

We may collect:

i) Your name, age, address, telephone number, email, ID or passport number, nationality and country of residence, necessary for the provision of our services to you.
ii) Information for the payment of our services, such as bank account number, including associated billing address(es), according to your explicit consent, as provided by you at a specific authorization form and as described below.
iii) Other information necessary to facilitate your travel or other services, including travel companion(s) names/ passport numbers/age, any dietary or other restrictions
- Use of products and services such as self-service devices, flight status notification and web check-in, necessary for the services required by us.



b) Payment Information

When you use our Payment Services, such as when booking accommodation or a travel-related experience through us or establishing a supplier relationship via us, we require certain financial information (like your bank account or credit card information) in order to process payments and comply with applicable Law. If you are a Supplier/Owner, we may require additional information such as your ID or tax ID (where required by applicable Law), and other proof of identification or verification in order to verify your identity, provide the Payment Services to you, and comply with applicable Law. If you are a Guest, we may retain your financial information to assist you with booking travel-related experiences with third parties. We only process such data according to your explicit consent and written authorization.
The above information is kept in safe place for yup to 60 days after your departure as Law dictates.

c) Advertising and Marketing Related Purposes

Following your explicit consent we may process information such as your email address or your IP address, in order to:

i) Send you promotional messages, marketing, advertising, and other information that may be of interest to you, based on your communication preferences (including information about The Company or our partners’ campaigns and services).
ii) Administer referral programs, rewards, surveys, sweepstakes, contests, or other promotional activities or events sponsored or managed by us or our third party business partners.
iii) Carry out profiling on your characteristics and preferences (based on the information you provide to us, your interactions with our services, and your search and booking history) in order to send you promotional messages, marketing, advertising and other information that we think may be of interest to you.



d) Employee and Human Resource Related Purposes

i) The Company collects personal information from applicants to open positions within the Company, including private contact details, CVs, professional qualifications and previous employment history, necessary to reach to employment decisions. Once employed, The Company collects information on staff for human resource, performance, payroll and tax purposes. The Company may process similar information relating to consultants contracted on a freelance basis.



e) Web visitors- IP addresses - Cookies

i) The Company collects named information about visitors to our websites keavillarent.com or kastellakiabayvillas.gr where this is provided by them by filing our online contact form, for example where a client requests information The Company . Through the use of cookie-based technologies, The Company may collect various data linked to virtual identities (IP addresses) allocated to visitors when they access our website. This data is used for various purposes, including site analytics and first party or third party marketing. In certain cases, these virtual identities are linked to the real world identities of visitors only when they choose to provide their named information at the contact form, as described.
ii) Automatically Generated Data
In the course of using the pages on our website personal data may be automatically processed. Typically, this relates to the name of your internet provider, your IP address, your location, the time and date of access, the browser you are using, your operating system, the web pages you visited on our website and the website from which you accessed our website. This information is used to analyse trends, administer the Site, track user's movement, and gather broad demographic information for aggregate use.


iii) Cookies Policy
More specifically, our websites, greekvillas4rent.com, rentgreek.villas, mykonos-santorini.villas, tinavillas4rent.com, keavillarent.com, use cookies to improve and optimize your experience as a user. Cookies are small text files that are placed on your computer, smartphone or other device when you access the internet. A cookie cannot read data from your hard disk or read cookie files created by other sites.
- We use cookies to:
a) Ensure that our web page can function properly, b) Know your experience navigation and c) Collect anonymous statistical information, such as which sections you have visited, and how long you have been in our environment. You may modify and / or block the installation of cookies sent by our website; however, the quality of the operation of the services may be affected.
- Moreover, we use Google Analytics cookies to monitor and understand more about how our websites and services are used and accessed, which in turn lets us optimise the user experience and build a website that suits the needs of our users and drive the direction of our business. You may refuse to treat data or information by refusing to use Cookies by selecting the appropriate settings from your browser.
- In addition to using cookies and related technologies as described above, we also may permit certain third party companies to help us tailor advertising that we think may be of interest to users and to collect and use other data about user activities on our Sites and/or Services (e.g., to allow them to tailor ads on third party services). These companies may deliver ads that might also place cookies and otherwise track user behaviour.
- Our websites may use Google AdWords re-marketing service to advertise on third party websites (including Google) to previous visitors to our site. With re-marketing, you may see ads for our products you have previously looked at. For this to happen, Google, or other remarketing providers will read a cookie that is already in your browser, or they place a cookie in your browser when you visit our site (This can only happen if your browser is set to let it happen). You can set preferences for how Google advertises to you using the Google Ad Preferences page, and opt out of interest-based advertising entirely by cookie settingsor by using the Google Analytics Opt-Out Browser add on.
3. Is personal information disclosed to third parties?
3.1 We do not and will not sell, rent out or trade your personal information. We will only disclose (transfer, share, send, or otherwise make available or accessible) your personal information to third parties in the ways set out in this Policy.
3.2 The Company may disclose your personal information to a third party or use it for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual, only if you consent to such further processing, or if it required by Law.
3.3 We may also share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above.
3.4 In case we need to transfer your information to our affiliate companies, or to other service providers (e.g. in the course of sending goods or promotional material, or in the case of competitions), we will ensure that they adhere to our contract and to the relevant legal data protection regulations and obligations thereof.
3.5 We may share individuals’ personal information with our agents, contractors or partners in connection to services that they perform for, or with, The Company, such as tour operators, airlines, hotels, car rental companies, transfer handlers and other related service providers. We shall ensure that any third party to which personal information may be disclosed subscribes to the principles set hereby and is subject to applicable legal framework (including GDPR), providing the same level of privacy protection as is required by these principles and agree in writing to provide an adequate level of privacy protection. Also, our employees’ information may be transferred to travel agencies in order to facilitate the arrangement of business travels and bookings and to arrange travel related services and/or products.
3.6 We may transfer your data to our external business advisers (such as lawyers, accountants, auditors and recruitment consultants), and our contractors, suppliers including suppliers of IT based solutions that assist us in providing products and services to you (such as any external data hosting providers we may use);
3.7 In some cases, The Company may disclose personal information if required to do so by Law, if disclosure is required to be made to law enforcement authorities, if we believe disclosure is necessary or appropriate to prevent vital individual’s interests (e.g. from physical harm) or in connection with an investigation of suspected or actual illegal activity.
3.8 We may also transfer personal information in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, The Company will direct the transferee to use personal information in a manner that is consistent with this Policy.
3.9 We may disclose your personal information to certain overseas recipients. We will ensure that any such international transfers, which are lawfully enforced or are necessary for the performance of our contract, are made subject to appropriate contractual and technical safeguards, as required by GDPR and any other applicable law. We will provide you with copies of the relevant safeguard documents upon request.
3.10 For example, we may transfer your information to Google, mainly for the provision of Google Analytics, Google AdWords or Yandex International, as described above and in accordance to their Privacy Policy.
4. Security measures
4.1 The Company employs reasonable physical, electronic, managerial and technical procedures to safeguard and secure any personal information from loss, misuse, un-authorized access or disclosure, alteration or destruction. Applied information security management helps us not only to grow, innovate and expand our services, as well as identify the risks related to these information, and to put in place appropriate controls to mitigate and manage the risk thereof. We destroy or de-identify personal information once we no longer require it for our business purposes, or as otherwise required by law.
4.2 Moreover, we train all personnel meticulously and we expect them to follow the principle of compliance with all relevant legal requirements.
4.3 We have a privacy incident response policy designed to promptly respond to and escalate all privacy-related questions, complaints, concerns, including any potential privacy or security breach incident.
4.4 Furthermore:
a) General Controls: Controls are implemented on workstations (automatic computer locking, regular updates, physical security, etc.) to reduce the possibility to exploit software properties (operating systems, business applications etc.) to adversely affect personal data. Our offices are supplied with shredders, in order to eliminate the possibility of unauthorized access to files containing personal data. Regular back-up procedures to our CRM server are implemented. Also, data saved to our server are encrypted.
b) Paper format files storage and protection: The Company to store and process some necessary files (such as contracts, consent forms, invoices etc) containing personal information in hard-copy versions. All such paper-formatted files are archived and stored in specially designed storage areas within our company. These areas are locked and access is only granted to personnel at a need-to-know basis.
c) Electronic Filing and Storage:Some of your personal information will be stored in the database of this site or of our company’s system (CRM). Each of our personnel accesses this database with his/her personal log-in passwοrds and have access to files saved at our network containing personal data, and especially personal data of special categories only on a need-to-know basis. Also, restrictions to the number of unsuccessful log-in attempts are provided. Also, we have applied strong anti-virus protection to all our computers.
5. Data Integrity
The Company shall only process personal information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes The Company shall take reasonable steps to ensure that personal information is accurate, complete, current and reliable for its intended use. 

6. Access – Individuals’ rights
6.1 Upon request, and as required by Law, The Company will provide the individuals access to their personal information, transmit their personal data in a common digital format (e.g., pdf) to themselves or another organization, allow them to correct, amend or delete inaccurate information, except where the rights of other persons would be violated, legal provisions prohibit it and in any case in accordance to the relevant provisions of GDPR.
6.2 The Company reserves the right to charge in some cases a reasonable fee to cover costs for providing copies of Personal Information requested by Individuals. 

7. Data retention
7.1 We will not retain data longer than necessary to fulfil the purposes for which it was collected or as required by applicable laws and regulations.
7.2 The information you provide to us may be archived or stored periodically by us, according to backup processes and will only be retained for as long as is it required for the purposes for which it was collected, unless the law requires us to hold your personal information for a longer period, or delete it sooner, or unless you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law.
7.3 We will delete your personal data when the associated business purpose ceases to apply or as required by the relevant legal data protection framework. For instance, we will delete the CVs that individuals have sent us after 6 months upon the vacancy is filled, unless if the individuals have consented to their data being collected, processed and used for any relevant future purpose. In cases we process your data based on your consent, we will delete your data following the retraction of your approval or the discontinuation of the purpose of your consent.
8. Our commitment to children's privacy
8.1 Protecting the privacy of children is especially important for us. For that reason, we do not intend to collect or maintain information at our Website from those we know are under 16 years of age, and no part of our Website is structured to attract anyone under 16.
8.2 Also, in cases we need to collect and process personal data of children under 18 years old, we only do that after obtaining explicit consent from their parents or legal guardians.


9. Changes to this privacy policy
The Company has the discretion to update this privacy policy at any time. When we do, we will revise the updated date at the bottom of this page. We encourage you to frequently check this page for any changes to stay informed about how we are helping to protect the personal information we collect. You acknowledge and agree that it is your responsibility to review this privacy policy periodically and become aware of modifications.
10. Contact Information
10.1 The Company assesses their compliance to the GDPR, to assure compliance with this privacy policy and periodically verifies that the policy is accurate and comprehensive for the information intended to be covered. We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of personal information in accordance with this policy and GDPR. Questions, comments or complaints regarding The Company Privacy Policy or data collection and processing practices can be sent by email to: This email address is being protected from spambots. You need JavaScript enabled to view it., telephone: +357 99727248 or mail: INTRAFAC LTD, 31A Vassili Krokou street, Larnaca 6532 Cyprus
10.2 Moreover, we inform individuals within the EU, that they the right in law to complain about how their information is handled to a supervisory authority that is responsible for regulating compliance with the Regulation. A list of all EU supervisory authorities is available on the European Commission website: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.