Privacy Policy
This website sets no tracking cookies, runs no analytics, and embeds no third-party trackers. There is no consent banner because nothing here requires consent. This page explains the little data that is unavoidably processed when you visit, and what your rights are.
1. Who we are
This policy is issued under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Greek Law 4624/2019 which supplements it in national law, and Greek Law 3471/2006 on privacy in electronic communications. The controller of the personal data described here, within the meaning of Article 4(7) GDPR, is:
- Trading name
- Any Destination
- Registered legal name
- TODO — full legal entity name as registered
- Registered address
- TODO — street, number, postcode, Athens, Greece
- Tax number (ΑΦΜ / VAT)
- TODO — ΑΦΜ
- Companies registry (ΓΕΜΗ)
- TODO — ΓΕΜΗ number
- Tourism registry (ΜΗ.Τ.Ε. / GNTO licence)
- TODO — ΜΗ.Τ.Ε. number
- bookings@any-destination.com
- Telephone
- +30 698 076 4013
We have not appointed a Data Protection Officer. Article 37 GDPR does not require one for an operation of this size and nature. Use the email address above for any question or request about your data.
2. Cookies and similar technologies
We use none for tracking, measurement or advertising. Concretely, this website:
- sets no analytics, advertising, profiling or preference cookies;
- writes nothing to
localStorage,sessionStorage, or IndexedDB; - loads no analytics, no advertising and no tag manager;
- loads no third-party fonts, scripts, iframes, videos, maps or social widgets;
- serves every image, stylesheet and script from its own domain.
Article 4(5) of Greek Law 3471/2006, which implements the ePrivacy Directive 2002/58/EC, requires consent before storing information on, or gaining access to information already stored in, a visitor's device, unless the storage is strictly necessary to provide the service the visitor has asked for. We store nothing that falls outside that exception, so no consent is sought and no banner is shown.
2.1 Strictly necessary security cookies
Our hosting provider, Cloudflare, may set a cookie on your device when its network
defends the site against automated abuse — typically __cf_bm, which
expires after 30 minutes, or cf_clearance if you are asked to complete a
security challenge. These cookies distinguish human visitors from bots. They contain no
identifiers we can read, carry no advertising or profiling function, and are not used to
track you across sites. They fall within the “strictly necessary” exception in
Article 4(5) of Law 3471/2006, so they are set without consent. If Cloudflare's bot
protection is not triggered during your visit, no cookie is set at all.
3. What is processed when you visit
3.1 Server and network logs
The site is hosted on Cloudflare Pages. Like every web server, the hosting infrastructure records technical connection data in order to deliver the page and to defend against attack and abuse. This typically includes your IP address, the date and time of the request, the page or file requested, the HTTP status code, your browser's user-agent string and, where sent by your browser, the referring page.
An IP address is personal data. We do not use these logs to identify you, we do not combine them with anything else, and we do not build profiles from them.
- Legal basis: Article 6(1)(f) GDPR — our legitimate interest in operating a functioning, available and secure website.
- Retention: logs are held by our hosting provider for a short period under its own retention schedule and are then deleted or aggregated. We do not keep separate copies.
3.2 If you email or call us
The email and phone links on this site open your own mail client or dialler. Nothing is transmitted to us until you choose to send a message or place a call. When you do, we process the data you supply — your name, contact details, and whatever you write in your message — for the sole purpose of answering you and, where relevant, arranging the trip or experience you are asking about.
- Legal basis: Article 6(1)(b) GDPR where the exchange concerns steps taken at your request before entering into a contract, or performance of that contract; otherwise Article 6(1)(f) GDPR, our legitimate interest in responding to enquiries addressed to us.
- Retention: correspondence that leads nowhere is deleted at the latest twelve months after the exchange ends. Where an enquiry results in a booking, the related accounting and transaction records are kept for five years from the end of the financial year in which the transaction took place, as Article 13 of the Greek Code of Tax Procedure (Law 4987/2022) requires.
- Provision of data: you are under no statutory or contractual obligation to give us any of it. Nothing on this site obliges you to write to us. If you do not, we simply cannot answer you or arrange a booking (Article 13(2)(e) GDPR).
3.3 Booking through TripAdvisor
The Book Now button is an ordinary hyperlink to our profile on TripAdvisor. It loads no TripAdvisor code into this page and passes no data about you before you click it. Once you follow the link you are on TripAdvisor's website, under TripAdvisor's own privacy policy, and TripAdvisor acts as an independent controller for anything it collects there. The same applies to any other external site we link to.
4. What we never do
We do not sell, rent or trade personal data. We do not use it for advertising. We do not profile you and we take no decisions about you by automated means within the meaning of Article 22 GDPR. This site is not directed at children.
5. Who else sees the data
Access to the technical data described in section 3.1 is limited to the providers that run the infrastructure on our behalf. They act as processors under Article 28 GDPR and are bound to process the data only on our instructions:
- Cloudflare, Inc. — website hosting and content delivery.
- TODO — email provider — hosting of
the
bookings@any-destination.commailbox.
We may also disclose data where the law obliges us to, for instance to a competent authority acting within its powers.
6. Transfers outside the EEA
Cloudflare, Inc. is established in the United States and operates a global network, so technical connection data may be processed outside the European Economic Area. Such transfers are covered by the safeguards permitted under Chapter V GDPR — the European Commission's Standard Contractual Clauses and, where the recipient is certified, the EU–U.S. Data Privacy Framework adequacy decision of 10 July 2023. You may request a copy of the safeguards we rely on by writing to the address in section 1.
7. Security
The site is served exclusively over HTTPS and applies a strict Content Security Policy, HTTP Strict Transport Security and related hardening headers, as required by Article 32 GDPR. Because the site collects nothing, stores nothing in your browser and contains no forms, its exposure is by design very small.
8. Your rights
Under Articles 15 to 22 GDPR you have the right to request access to your personal data, its rectification or erasure, the restriction of its processing, and its portability, and you have the right to object to processing based on legitimate interest. Where processing rests on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out beforehand.
Write to bookings@any-destination.com to exercise any of these rights. We answer within one month, as Article 12(3) GDPR requires. Note that for server logs we hold no means of linking an IP address to you, so we may be unable to identify your data and may have to ask you for information that makes identification possible, per Article 11 GDPR.
9. Complaints
If you believe we have handled your data unlawfully you may lodge a complaint with the Greek supervisory authority, without prejudice to any other remedy:
- Authority
- Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα)
- Address
- 1–3 Kifissias Avenue, 115 23 Athens, Greece
- Telephone
- +30 210 6475600
- Website
- www.dpa.gr
10. Changes to this policy
If the site ever starts to use analytics, embeds or any other technology that reads from or writes to your device, this policy will be updated before that technology goes live, and consent will be sought where the law requires it. The date at the top of this page records the last revision.