Privacy Policy

2. Data We Collect

We collect different categories of personal data depending on your relationship with Roomzy.

2.1 Property owners & managers (subscribers)

• Account data: Full name, email address, phone number, company name, and billing address collected at registration and during account management.
• Payment data: Billing information and payment card details processed securely by our payment processor (Stripe). We never store full card numbers.
• Property data: Hotel or property details, room configurations, rate plans, policies, and operational content entered into the platform.
• Usage & log data: IP address, browser type, session identifiers, pages visited, and feature usage statistics collected automatically during platform use.

2.2 Hotel guests (processed on behalf of subscribers)

When property owners use Roomzy to manage reservations, we process guest data as a data processor on their behalf under GDPR. This may include:

• Guest name, email address, phone number, and nationality
• Check-in / check-out dates, room preferences, and special requests
• Identification document details (passport or national ID) where required by local law
• Payment method and booking source (OTA channel or direct booking)

The property owner is the data controller for guest data. Our Data Processing Agreement (DPA) governs this relationship and is available on request.

2.3 Website visitors

• Contact form data: Name, email address, and message when you submit an enquiry.
• Analytics data: Aggregated, anonymised data about website visits and interactions.
• Cookie data: See Section 6 for full details.

3. Purposes & Legal Basis

We process your personal data for the purposes below, relying on the indicated legal grounds under GDPR Article 6:

4. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by applicable law.

• Account data: Retained for the duration of your active subscription, plus 3 years after account closure for legal and dispute resolution purposes.
• Billing & invoice data: Retained for 10 years in accordance with Greek and EU tax regulations.
• Guest reservation data: As directed by the property owner (data controller). Our default retention is 5 years unless we receive instructions to the contrary.
• Website contact enquiries: Retained for 2 years from the date of last contact.
• Log & analytics data: Raw server logs are retained for 90 days for security purposes and anonymised thereafter; aggregated analytics are kept indefinitely.

When personal data is no longer required, it is securely deleted or irreversibly anonymised.

5. Your Rights

Under the General Data Protection Regulation (GDPR), you have the following rights with respect to your personal data:

To exercise any of these rights, email us at info@roomzy.gr. We will respond within 30 days. You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) at www.dpa.gr.

6. Cookies

We use cookies and similar tracking technologies on the Roomzy website and platform. Cookies are small text files stored on your device that help us provide, secure, and improve our services.

You can manage or withdraw cookie consent at any time through your browser settings. Note that disabling essential cookies may affect platform functionality.

7. Third-Party Services & Processors

We share personal data with trusted third-party service providers (data processors) who act on our behalf under GDPR-compliant Data Processing Agreements. We do not sell your personal data to any third party.

When guest data is shared with OTA partners as part of a booking, it is subject to those platforms' privacy policies. Property owners are responsible for informing guests of this data sharing as part of the reservation process.

8. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• TLS/SSL encryption for all data in transit between your device and our servers
• Encryption of sensitive data at rest
• Role-based access controls limiting data access to authorised personnel only
• Regular security audits and vulnerability assessments
• Secure, geo-redundant backups hosted within the European Union
• Payment data handled exclusively by PCI-DSS certified processor (Stripe)

In the event of a personal data breach likely to affect your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

9. International Data Transfers

Our primary infrastructure is hosted within the European Union, meaning your data generally remains within the EEA. In certain cases, data may be transferred to countries outside the EEA — for example, when OTA partners or service providers operate globally.

Any such transfers are conducted in accordance with GDPR Chapter V, using appropriate safeguards such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission for the recipient country
• Binding Corporate Rules (BCRs) where applicable

10. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify active subscribers by email or via an in-platform notification
• Where required by law, seek fresh consent for any new processing activities

We encourage you to review this policy periodically. Continued use of Roomzy after changes take effect constitutes acceptance of the revised policy.

11. Contact Us

For any questions, requests, or concerns regarding this Privacy Policy or the way we handle your personal data, please contact us:

You also have the right to lodge a complaint directly with the supervisory authority. In Greece, this is: