Privacy Policy
Last updated: 27 June 2026
This Privacy Policy explains how ΓΕΩΡΓΙΟΣ ΚΑΙ ΕΜΜΑΝΟΥΗΛ ΠΟΛΙΤΗΣ Ο.Ε. ("we", "us", "our", the "Company") collects and processes personal data when you visit and use our website and when you submit booking requests for transfers.
This policy is intended to explain our handling of personal data under the General Data Protection Regulation (EU) 2016/679 (GDPR), Greek Law 4624/2019 and applicable Greek legislation on privacy and electronic communications, including Law 3471/2006 as amended.
1. Data Controller
ΓΕΩΡΓΙΟΣ ΚΑΙ ΕΜΜΑΝΟΥΗΛ ΠΟΛΙΤΗΣ Ο.Ε.
Registered seat: Andrea Nathena 22, 71500 Heraklion, Crete, Greece
VAT: 800784210
Activity: Non-scheduled passenger road transport
Tax Authority: Δ.Ο.Υ. Γ' Ηρακλείου
Tel.: +30 6970 225 992
Email: info@kretarides.com
2. Categories of Personal Data We Process
Depending on how you use the website, we may process the following categories of personal data:
2.1. Booking and contact data
When you submit a booking request or contact form, we process:
- Name and surname
- Email address
- Phone number, including WhatsApp or Viber if provided
- Pick-up and drop-off location, date and time
- Flight number if you choose to provide it
- Selected vehicle, number of passengers, luggage and child seats
- Route estimate, booking reference, booking status, total price, custom or proposed price and your accept/decline decision where applicable
- Additional notes or requests you write in free-text fields
These data are necessary to handle your booking request and to provide our transfer services.
When a route is custom or a price changes, we may send you a secure email link to accept or decline the proposed price. Until you decide, the booking may remain pending. We also keep limited email delivery and status logs so staff can see which operational messages were sent.
2.2. Technical and usage data
When you browse our website, certain data are collected automatically, such as:
- IP address and approximate location
- Device type, browser type and version, operating system
- Date and time of visit, pages visited, link clicks, referrer URL
- Booking attribution data such as landing page, conversion page, UTM parameters, ad click IDs, general country/region from Cloudflare, browser, device type and timezone
- Route-search or geocoding queries you type into the booking form, such as hotel or place names in Crete
- Cookies, local storage, session storage and similar technologies
This information is collected through web server logs, third-party analytics and webmaster tools such as Google Analytics, Microsoft Clarity, Google Search Console and Bing Webmaster Tools, and map/routing providers used to suggest places and estimate transfer routes.
3. Purposes and Legal Bases of Processing
We process personal data only when there is a lawful basis under the GDPR.
3.1. Booking and performance of contract
- Handling your booking request
- Communicating with you regarding your transfer
- Providing the transfer service and related customer support
- Sending operational emails such as booking confirmations, price proposal links, cancellation notices, 24-hour pickup reminders and optional calendar invite links or files
Legal basis: Article 6(1)(b) GDPR, performance of a contract or taking steps at your request before entering into a contract.
These operational emails are part of the booking service and are not marketing emails.
3.2. Legal obligations
- Compliance with tax, accounting and other legal obligations
- Responding to requests from public authorities or courts where required by law
Legal basis: Article 6(1)(c) GDPR, compliance with a legal obligation.
3.3. Analytics
We use Google Analytics to understand how visitors use the website and to measure booking-funnel events such as booking button clicks, route searches, price-page clicks, contact clicks, order lookups, contact form submissions and completed booking requests.
We use Microsoft Clarity to understand how visitors interact with the website through aggregated heatmaps and session-recording style diagnostics, such as clicks, scrolling and layout issues. Clarity is loaded only after analytics consent. For more information about how Microsoft collects and uses data, visit the Microsoft Privacy Statement: https://privacy.microsoft.com/privacystatement.
We also use webmaster and search-performance tools such as Google Search Console and Bing Webmaster Tools to verify site ownership, submit sitemaps, understand search queries, monitor indexing/crawl issues and improve organic search visibility. These tools report search and page-performance data and are not used to manage individual bookings.
For analytics and advertising measurement, the app may send page path, page title, language, route identifiers, vehicle identifier, route type, booking value, currency and link-click data. We do not intentionally send your name, email, phone number, hotel name, booking reference or free-text notes to Google Analytics, Microsoft Clarity or Google Ads.
Where your cookie choices allow analytics or advertising measurement, when a booking request is submitted we store a booking attribution snapshot in Supabase so staff can understand which landing page, campaign, referrer, general country, device/browser and conversion page produced the request. We do not store raw IP addresses in this attribution snapshot.
Legal basis: Article 6(1)(a) GDPR, your consent for analytics cookies.
3.4. Advertising and remarketing
We may use Google Ads and related advertising cookies to run remarketing campaigns, measure advertising performance and attribute booking requests, accepted bookings, phone clicks, WhatsApp clicks, email clicks and contact form submissions to campaigns. Google Ads conversions are currently measured by importing Google Analytics conversion events into Google Ads, including website_booking_request as the primary booking-request conversion and website_booking_confirmed as the secondary accepted-booking conversion.
Enhanced conversions are not currently enabled. If we enable them later, first-party contact data such as email or phone may be normalized and hashed before being sent to Google, and this policy will be updated if required.
Legal basis: Article 6(1)(a) GDPR, your consent for advertising cookies.
3.5. Legitimate interests
In limited cases, we may process data based on our legitimate interest, such as ensuring the security and proper functioning of the website.
After a transfer is marked completed, we may manually send you a review invitation by email, including a Google review request, a Trustpilot service-review invitation or a Tripadvisor/Viator review request. We use your name, email address, booking reference, review-provider choice and email delivery status only to ask for honest feedback about the service you received, improve service quality and maintain our business reputation. Review requests are optional, are not automatic marketing emails, and we do not offer incentives or rewards for reviews. Staff may choose to skip a request, and you may reply to ask us not to send further review requests.
Legal basis: Article 6(1)(f) GDPR, provided that our interests are not overridden by your rights and freedoms.
4. Data Storage Location and Retention
4.1. Cloud hosting
Our website is delivered through cloud infrastructure such as Cloudflare, and booking data are processed and stored in Supabase. Email messages are sent through email service providers such as ZeptoMail/Zoho. These providers may process data within the European Union or in countries offering an adequate level of data protection, or with appropriate safeguards such as Standard Contractual Clauses.
4.2. Retention periods
- Booking and customer data: kept for the contractual relationship and for the period required by Greek tax and accounting law, usually up to 10 years.
- Contact and communication data: kept as long as needed to respond to your request and up to 12-24 months for follow-up, unless longer retention is required by law.
- Price proposal tokens, booking status history, review-request provider/status records and email delivery logs: kept as part of the booking record so the Company can verify the booking flow and customer communications.
- Analytics and advertising data: retained according to the settings of the tools used and your cookie preferences.
When the retention period expires, personal data are deleted or anonymized.
5. Recipients of Personal Data
- Drivers and cooperating transfer providers strictly for the execution of your booking.
- Cloud, database and security providers such as Cloudflare and Supabase.
- Email providers such as ZeptoMail/Zoho for confirmations, reminders, price proposal links, review invitations and admin notifications.
- Review platforms: Trustpilot may receive limited invite data if staff sends a Trustpilot invitation; Google and Tripadvisor/Viator receive data only if you choose to open their review link or submit a review on their platform. Those platforms process your activity under their own terms and privacy notices.
- Analytics, advertising and search-performance providers such as Google Analytics, Microsoft Clarity, Google Ads, Google Search Console and Bing Webmaster Tools, only according to your cookie choices and each tool's function.
- Map, geocoding and routing providers such as OpenStreetMap/Nominatim, OSRM or OpenRouteService when needed to search locations or estimate routes.
- Communication apps or services such as WhatsApp, Viber, phone or email apps when you choose to contact us through them.
- Public authorities where required by applicable law.
We use service providers for the purposes described above. Where required, provider processing should be governed by appropriate data-processing terms or agreements.
6. International Data Transfers
Some providers, such as Google, may process data on servers located outside the European Economic Area. In such cases, we rely on available transfer mechanisms under Articles 44-49 GDPR, such as adequacy decisions or Standard Contractual Clauses, where applicable.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access
- Right to rectification
- Right to erasure in certain circumstances
- Right to restriction of processing
- Right to data portability
- Right to object, especially when processing is based on legitimate interests or direct marketing
- Right to withdraw consent at any time
To exercise your rights, contact us at info@kretarides.com.
You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA), www.dpa.gr, 1-3 Kifisias Ave., 115 23 Athens, Greece, Tel.: +30 210 6475600.
8. Cookies and Similar Technologies
Our website uses cookies and similar technologies in accordance with Law 3471/2006 as amended and the GDPR.
You can review or change your cookie preferences at any time via the Cookie settings link in the footer.
8.1. Types of cookies
- Strictly necessary cookies and local storage required for the basic functioning of the website, booking form, language preference, cookie preference, admin access/session and security.
- Analytics cookies and similar technologies such as Google Analytics and Microsoft Clarity, used only with your prior consent.
- Advertising cookies such as Google Ads, used only with your prior consent.
8.2. Cookie consent mechanism
Our cookie banner informs you about the cookies we use, allows you to accept or reject non-essential cookies with equal ease, and lets you change or withdraw consent at any time. We also send Google Consent Mode signals for analytics storage, advertising storage, advertising user data and ad personalization so Google tags receive your choices.
Your cookie preferences are stored locally in your browser and are renewed after about six months.
9. Security
We take appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including secure servers, encryption where appropriate, access restrictions and regular monitoring. However, no method of transmission or storage is completely secure.
10. Updates to this Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be posted on this page with a new last updated date.
See also our Legal Notice (Imprint).