Privacy Policy
Last updated: January 2026
Vlatos.gr (“we”, “us”, or “our”) operates the website www.vlatos.gr (the “Site”), a community and tourism information platform for the village of Vlatos, Western Crete, Greece, including promotion of the Vlatos Jazz Festival, event ticketing, accommodation reservations (such as the Hermitage Luxury Private Villa), and related cultural activities. We are committed to protecting your privacy and handling your personal data responsibly in accordance with the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) and applicable Greek data protection laws.
1. Who is the Data Controller? The data controller is the Exoraistikos kai Ekpolitistikos Syllogos Vlatou “Neoi Orizontes” (Cultural Association of Vlatos “New Horizons”), a non-profit association based in Vlatos, Kissamos, Chania, Crete, Greece.
For data protection inquiries: Contact us via the site’s social media channels (e.g., admin@vlatos.gr, @JazzonCrete on X, Vlatos Jazz on Facebook/Instagram) or through the relevant reservation/event form.
2. Personal Data We Collect We collect only the personal data necessary for the purposes described below, including:
- Reservation and booking requests (e.g., Hermitage villa stays, event tickets): name, email address, phone number (optional), dates of stay/event, number of persons, any special requests or messages you provide.
- Event ticket purchases / merchandise orders: billing name, email, and payment-related data processed securely by PayPal (we do not store full payment card details).
- Automatically collected data: IP address, browser type, device information, pages visited, time/date of access, and referral sources (via server logs and possible analytics tools).
- Cookies and similar technologies: We may use essential cookies for site functionality and, if applicable, analytics cookies (e.g., Google Analytics) or marketing cookies. A cookie consent banner will be implemented where required.
We do not collect special categories of personal data (sensitive data) unless you voluntarily provide it in a message/request.
3. Purposes and Legal Basis for Processing We process your personal data for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR) | Data Retention Period |
|---|---|---|
| Handling reservation/ticket requests and communicating costs/confirmation | Performance of a contract / pre-contractual steps (Art. 6(1)(b)) | Up to 12 months after last interaction (or longer if required by tax/accounting law) |
| Processing event ticket / merchandise payments via PayPal | Performance of a contract (Art. 6(1)(b)) | Transaction data retained per PayPal’s policy; we keep minimal records for 5–10 years for tax purposes |
| Operating and improving the Site (analytics, security) | Legitimate interests (Art. 6(1)(f)) – site functionality & abuse prevention | Logs: up to 12–24 months; analytics data: up to 26 months (or per tool settings) |
| Sending direct information about Vlatos Jazz events (only if you expressly opt-in) | Consent (Art. 6(1)(a)) | Until you withdraw consent |
| Complying with legal obligations (e.g., tax, accounting) | Legal obligation (Art. 6(1)(c)) | As required by Greek law (typically 5–10 years) |
4. Sharing of Personal DataWe share your data only when necessary:
- With PayPal for payment processing (subject to PayPal’s privacy policy).
- With hosting/server providers and IT service providers under strict data-processing agreements.
- With competent authorities if required by law.
- We do not sell your personal data or share it for marketing purposes with third parties.
5. International Transfers
Some recipients (e.g., PayPal, analytics providers) may be located outside the EEA. Where applicable, we rely on adequacy decisions, standard contractual clauses, or other appropriate safeguards under GDPR Chapter V.
6. Your Rights Under GDPR you have the right to:
- Access, rectify, or erase your personal data
- Restrict or object to processing
- Data portability
- Withdraw consent (where processing is based on consent)
- Lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr) (www.dpa.gr)
To exercise your rights, contact us via the site or social channels.
7. Security We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or misuse (e.g., secure forms, limited access).
8. Changes to This Policy We may update this policy from time to time. Changes will be posted here with an updated effective date.By using the Site or submitting a reservation/event request, you acknowledge this Privacy Policy.