Privacy Policy

Last updated: May 202

  1. Who We Are

SantoMax Tours & Transfer (‘SantoMax’, ‘we’, ‘us’, ‘our’) is a licensed tour operator based in Santorini, Greece. We provide private tours, wine experiences, cruises, gastronomy experiences, transfers and related travel services.

  • Website: https://santomax.com
  • Email: info@santomax.com
  • Phone: +30 694 395 9262
  • Address: Kamari, Santorini 84700, Greece
  • GNTO Licence: 1167E60001068801

SantoMax is the data controller for the personal data collected through this website and through our booking process. This means we are responsible for deciding how and why your personal data is used.

  2. What Personal Data We Collect and Why

2.1 Booking & Enquiry Data

When you make a booking, submit an enquiry or contact us via our website contact form, we collect the following personal data:

  • Full name
  • Email address
  • Phone number
  • Number of guests and any special requirements you provide
  • Date and details of the service you are booking
  • Payment information (processed securely via PayPal or our card payment processor — we do not store full card details)

We use this data to: confirm and manage your booking, communicate with you before and after your tour, process your payment, send your booking voucher and provide the service you have booked. The legal basis for processing this data is the performance of a contract — without it, we cannot fulfil your booking.

2.2 Website Usage Data (Analytics)

We use Google Analytics to understand how visitors use our website. Google Analytics collects anonymised data including: pages visited, time spent on each page, your approximate geographic location (country/city level), the device and browser you use, and how you arrived at our website (e.g. from a search engine or social media). This data does not identify you personally. We use it to improve our website and understand which content is most useful to our visitors.

You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on, available at: tools.google.com/dlpage/gaoptout

2.3 Contact Form Data

When you submit a message through our contact form, we collect your name, email address and the content of your message. We use this data solely to respond to your enquiry. We do not add contact form submissions to any marketing list without your explicit consent.

2.4 Comments

If you leave a comment on our blog, we collect your name, email address, website (optional) and the content of your comment, along with your IP address and browser information for spam detection purposes. An anonymised version of your email address may be sent to Gravatar to check for a profile picture.

2.5 Cookies

Our website uses cookies — small text files stored on your device. We use the following types of cookies:

  • Essential cookies: Required for the website to function correctly (e.g. session cookies, security cookies).
  • Analytics cookies: Google Analytics cookies that help us understand website usage (see section 2.2 above).
  • Preference cookies: Remember your settings and preferences on the site.

When you first visit our website, you will be asked to consent to non-essential cookies. You can withdraw this consent at any time by clearing your browser cookies or adjusting your browser settings. Note that disabling cookies may affect some website functionality.

2.6 Embedded Content

Pages on this website may include embedded content from third-party services such as YouTube, Google Maps and social media platforms. These third-party services may collect data about you, use their own cookies and track your interaction with the embedded content, in accordance with their own privacy policies.

  3. How Long We Retain Your Data

We retain your personal data only for as long as necessary for the purposes for which it was collected:

  • Booking data: Retained for 5 years after the date of your tour or cruise, to comply with Greek tax and accounting requirements.
  • Enquiry and contact form data: Retained for 2 years if no booking results, or deleted sooner upon your request.
  • Analytics data: Retained by Google Analytics for 26 months (anonymised).
  • Blog comment data: Retained indefinitely unless you request deletion.
  • Marketing data (if you have opted in): Retained until you unsubscribe or request deletion.

  4. Who We Share Your Data With

We do not sell your personal data to any third party. However, we share data with the following categories of third-party service providers who process data on our behalf:

  • Payment processors: PayPal and our credit/debit card payment provider process payment data securely. We do not store full card details. These processors are bound by their own privacy policies and security standards.
  • Google LLC: For Google Analytics (website usage data) and Google Workspace (email). Google may process data outside the EU under Standard Contractual Clauses.
  • Booking platforms: If your booking was made through Viator, GetYourGuide or TripAdvisor Experiences, your data is also processed by those platforms under their respective privacy policies.
  • Email service providers: We may use a third-party email platform to send booking confirmations and communications.
  • Legal and regulatory authorities: We may disclose your data if required to do so by Greek law, court order or regulatory authority.

All third-party processors we work with are required to handle your data securely and in accordance with GDPR.

  5. Your Rights Under GDPR

As a resident of the European Union (or where EU law applies), you have the following rights regarding your personal data:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can ask us to correct inaccurate or incomplete data.
  • Right to erasure (‘right to be forgotten’): You can ask us to delete your personal data, subject to certain legal retention requirements.
  • Right to restriction: You can ask us to limit how we use your data in certain circumstances.
  • Right to data portability: You can request your data in a machine-readable format.
  • Right to object: You can object to our processing of your data for marketing purposes at any time.
  • Right to withdraw consent: Where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at info@santomax.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) at www.dpa.gr.

  6. How We Protect Your Data

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction or alteration. These measures include:

  • Our website uses HTTPS (TLS) encryption to protect data in transit between your browser and our server.
  • Access to personal data is restricted to authorised SantoMax staff who need it to perform their job.
  • Payment data is processed by PCI DSS-compliant payment processors. We do not store card numbers or CVV codes.
  • Our email systems use standard security protocols to protect communications.

While we take all reasonable steps to protect your data, no system is completely secure. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the Hellenic Data Protection Authority within 72 hours and inform affected individuals without undue delay, as required by GDPR.

  7. Data Breach Procedures

In the event of a personal data breach, SantoMax will:

  • Contain the breach and assess the risk to individuals as quickly as possible.
  • Notify the Hellenic Data Protection Authority (HDPA) within 72 hours of becoming aware of the breach, if it poses a risk to individuals’ rights and freedoms.
  • Notify affected individuals directly without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
  • Document all breaches, including those that do not require notification, as required by GDPR Article 33.

  8. Marketing Communication

We will only send you marketing emails or newsletters if you have explicitly opted in to receive them. You can unsubscribe from marketing communications at any time by clicking the ‘unsubscribe’ link in any email or by contacting us at info@santomax.com. We do not add customers to marketing lists automatically based on a booking. Receiving a booking confirmation is not the same as opting in to marketing.

  9. Data We Receive From Third Parties

When bookings are made through third-party platforms such as Viator, GetYourGuide or TripAdvisor Experiences, we receive your name, contact details and booking information from those platforms in order to fulfil your booking. We process this data solely for the purpose of delivering the service you have booked.

  10. International Data Transfer

Some of the third-party services we use (such as Google Analytics) may transfer and process your data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, to protect your data to EU standards.

  11. Children’s Privacy

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at info@santomax.com and we will delete it promptly.

  12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. When we make significant changes, we will update the ‘Last updated’ date at the top of this page. We encourage you to review this page periodically. Your continued use of our website after any changes constitutes your acceptance of the updated policy.

  13. Contact Us & Data Protection Queries

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your personal data, please contact us:

  • Email: info@santomax.com
  • Phone: +30 694 395 9262
  • Address: Kamari, Santorini 84700, Greece

If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority:

  • Hellenic Data Protection Authority (HDPA)
  • Website: www.dpa.gr
  • Address: Kifisias 1-3, 115 23 Athens, Greece
  • Phone: +30 210 6475 600