Privacy Policy
Privacy Policy
Last updated: 10/07/2026
1. Introduction
This Privacy Policy applies to Sunset Hotel Corfu, operated by POLITIS S.A. (hereinafter referred to as “we”, “us”, or “our”).
We are committed to protecting and respecting your privacy and to processing your personal data in a lawful, fair, and transparent manner, in accordance with Greek and European data protection laws, including the General Data Protection Regulation (GDPR) (EU) 2016/679 (“GDPR”).
This Policy explains how we collect, use, process, disclose, and safeguard personal data that we collect from you or that you provide to us when using our website and booking system.
By accessing or using our services, you acknowledge that you have read and understood this Privacy Policy.
2. Scope of Application
This Privacy Policy applies to all services provided through the website: sunsethotelcorfu.gr
References to “booking system”, “booking engine”, “platform”, “website”, or “services” refer to all pages and functionalities available through this domain, unless otherwise specified.
3. Data Controller
The Data Controller responsible for the processing of your personal data is:
POLITIS S.A.
Sunset Hotel Corfu
Alikes Potamou, Corfu, Greece
Email:
4. Data Protection Officer / Privacy Contact
Sunset Hotel Corfu has not appointed a Data Protection Officer, as this is not mandatory for its current processing activities. For any privacy-related matter or request concerning your personal data, you may contact us at:
Email:
5. Sources of Personal Data
We may collect personal data directly from you, as well as from third parties where lawful and necessary, including booking platforms, online travel agencies, travel agents, corporate clients, accompanying guests, or persons making a booking on your behalf.
6. Personal Data We Collect
When you make a booking, contact us, use our website, or use our services, we may collect and process the following categories of personal data:
• Identification data, such as full name
• Contact details, such as email address, telephone number, and postal address
• Guest information, including details of accompanying guests where provided
• Booking and reservation details
• Arrival and departure dates
• Accommodation preferences and special requests
• Payment-related information, processed through secure third-party payment providers
• Communication data, including messages, enquiries, complaints, and feedback
• Technical data, such as IP address, browser type, device information, operating system, and website usage data
• Transaction and service usage data
• Marketing preferences, where applicable
• Identification and check-in data, such as identity card or passport number, nationality, date of birth, country of residence, and arrival/departure information, where required or lawfully collected.
Providing certain personal data may be necessary in order to complete a booking, provide accommodation services, comply with legal obligations, or respond to your requests. Failure to provide required information may prevent us from providing certain services.
We may request to view an identity document or passport for identification and check-in purposes. We do not retain copies of identity cards or passports unless this is specifically required by applicable law or strictly necessary for a documented legal purpose.
7. Sensitive Personal Data and Special Requests
If you voluntarily include information in a special request that may reveal health data, accessibility needs, dietary restrictions, allergies, or other special categories of personal data, we will process such information only to the extent necessary to assess and respond to your request, provide appropriate accommodation services, protect health and safety, or establish, exercise, or defend legal claims, where applicable.
Where processing involves special categories of personal data under Article 9 GDPR, we will rely on an applicable condition under Article 9 GDPR, such as your explicit consent where required, or another lawful condition permitted by applicable law. We ask you not to provide sensitive information unless it is necessary for your stay or request.
8. Personal Data Relating to Other Guests
If you provide personal data relating to other individuals, such as accompanying guests, you confirm that:
• You are authorised to provide such personal data to us
• You have informed those individuals that their personal data may be processed in accordance with this Policy
• The information provided is accurate, complete, and lawfully provided
You are responsible for ensuring that any third-party personal data you provide to us has been lawfully obtained and disclosed.
9. Purposes of Processing
We process your personal data for the following purposes:
• To manage bookings and reservations
• To process booking requests and confirmations
• To provide accommodation and related hotel services
• To process payments and complete transactions
• To communicate with you regarding your booking or enquiry
• To respond to customer service requests, complaints, and disputes
• To manage chargeback procedures and payment-related issues
• To improve our website, services, and user experience
• To conduct surveys and request feedback following your stay
• To send marketing communications where you have provided consent or where otherwise permitted by law
• To measure website performance and advertising effectiveness, subject to cookie consent where required
• To comply with legal, tax, accounting, and regulatory obligations
• To protect our rights, property, business, guests, and systems
10. Legal Basis for Processing
We process personal data only where there is a valid legal basis under applicable data protection law.
Depending on the nature of the data and the purpose of processing, we may rely on one or more of the following legal bases under the GDPR:
• Performance of a contract: where processing is necessary to manage your booking, provide accommodation services, process payments, communicate with you about your reservation, or take steps at your request before entering into a contract.
• Legal obligation: where processing is necessary for compliance with legal, tax, accounting, regulatory, public authority, or other statutory obligations applicable to the Hotel.
• Legitimate interests: where processing is necessary for the Hotel’s legitimate interests or those of a third party, provided that such interests are not overridden by your interests, rights, and freedoms. This may include fraud prevention, security, service improvement, dispute handling, chargeback management, record keeping, network security, protection of guests, staff, property and systems, and the establishment, exercise, or defence of legal claims.
• Consent: where you have provided consent for specific processing activities, such as newsletter subscription, certain marketing communications, analytics cookies, advertising cookies, remarketing technologies, or other optional technologies.
• Special categories of personal data: where processing involves special categories of personal data, such as health-related information, accessibility needs, allergies, or other sensitive information that you voluntarily provide, we will process such data only where an applicable condition under Article 9 GDPR applies, such as your explicit consent where required, or another lawful condition permitted by applicable law.
Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Where we rely on legitimate interests, we assess whether the processing is necessary, proportionate, and balanced against your rights and freedoms. You may object to processing based on legitimate interests in accordance with your rights under the GDPR.
The following table provides an indicative overview of the main purposes of processing and the corresponding legal bases:
| Purpose of processing | Legal basis under the GDPR and applicable law |
|---|---|
| Managing bookings, confirming reservations, and providing accommodation services | Article 6(1)(b) of the GDPR — performance of a contract or steps taken before entering into a contract |
| Communicating with you regarding your booking, enquiry, stay, or service request | Article 6(1)(b) of the GDPR — performance of a contract; and/or Article 6(1)(f) of the GDPR — legitimate interest in responding to enquiries and managing guest relations |
| Processing payments, pre-authorisations, refunds, charges, transaction records, and chargebacks | Article 6(1)(b) of the GDPR — performance of a contract; Article 6(1)(c) of the GDPR — legal obligations; and Article 6(1)(f) of the GDPR — legitimate interest in fraud prevention, payment security, dispute handling, and protection of legal rights |
| Keeping tax, accounting, invoicing, and regulatory records | Article 6(1)(c) of the GDPR — compliance with legal obligations |
| Managing complaints, disputes, legal claims, insurance matters, and chargeback procedures | Article 6(1)(f) of the GDPR — legitimate interest in handling disputes and establishing, exercising, or defending legal claims; and, where applicable, Article 6(1)(c) of the GDPR — compliance with legal obligations |
| Protecting the safety and security of guests, visitors, staff, premises, facilities, property, and business operations, including CCTV where used | Article 6(1)(f) of the GDPR — legitimate interest in safety, security, protection of persons and property, and prevention or investigation of incidents |
| Operating and securing the Hotel’s guest Wi-Fi network, including technical logs where generated or retained | Article 6(1)(b) of the GDPR — provision of a requested service; Article 6(1)(f) of the GDPR — legitimate interest in network security, troubleshooting, abuse prevention, and protection of systems; and, where applicable, Article 6(1)(c) of the GDPR — compliance with legal obligations |
| Improving our website, services, internal operations, and guest experience, where the processing does not require cookie consent | Article 6(1)(f) of the GDPR — legitimate interest in service improvement, business administration, and operational efficiency |
| Sending newsletters or marketing communications where you have subscribed or provided consent | Article 6(1)(a) of the GDPR — consent |
| Sending marketing communications in the context of an existing customer relationship, where legally permitted | Article 6(1)(f) of the GDPR — legitimate interest in promoting our own similar services, subject to the conditions and safeguards required by applicable electronic communications law, including the right to object at the time of collection and in every subsequent communication |
| Using analytics cookies, advertising cookies, remarketing technologies, conversion tracking, or similar non-essential technologies | Article 6(1)(a) of the GDPR — consent, together with the applicable rules on cookies and electronic communications |
| Processing special requests that may reveal health data, allergies, accessibility needs, dietary restrictions, or other special categories of personal data | Article 6 of the GDPR, depending on the purpose, and Article 9 of the GDPR where special categories of personal data are involved, such as explicit consent where required or another lawful condition permitted by applicable law |
| Responding to data protection rights requests and maintaining records of such requests | Article 6(1)(c) of the GDPR — compliance with legal obligations; and Article 6(1)(f) of the GDPR — legitimate interest in demonstrating compliance |
| Maintaining records of cookie consent, marketing consent, withdrawal of consent, or opt-out requests | Article 6(1)(c) of the GDPR — compliance with legal obligations; and Article 6(1)(f) of the GDPR — legitimate interest in demonstrating compliance and respecting your preferences |
11. Payment Processing
Payments are processed through secure third-party payment providers that are required to comply with applicable security standards, including PCI DSS where applicable.
We do not store full payment card details on our own systems.
Payment-related data may be processed for the purposes of:
• Completing transactions
• Confirming payments
• Preventing fraud
• Handling disputes
• Managing refunds
• Handling chargeback procedures
• Complying with accounting, tax, and legal obligations
12. Booking System Provider / Data Processor
We use BookOnlineNow as our booking system provider.
BookOnlineNow
Address: 124 Ionias Ave, Alimos, 17456, Athens, Greece
BookOnlineNow may process personal data on our behalf for the purpose of managing reservations, booking requests, booking confirmations, and related services.
Where BookOnlineNow processes personal data on behalf of the Hotel, it acts as a data processor under a contractual arrangement in accordance with Article 28 of the GDPR.
For further information on how BookOnlineNow processes personal data, including details on data storage, security measures, and user rights, you are encouraged to review its official Privacy Policy:
https://www.bookonlinenow.net/privacy-policy
13. Data Sharing and Processors
We do not sell your personal data.
We may share your personal data with the following categories of recipients, where necessary and lawful:
• Booking system providers, including BookOnlineNow
• Payment service providers
• IT, hosting, technical support, and system maintenance providers
• Website, analytics, and marketing service providers, where applicable and subject to consent where required
• Professional advisors, including accountants, lawyers, auditors, and consultants
• Public authorities, courts, regulators, tax authorities, police, or other competent authorities where required by law
• Other service providers acting under contractual obligations
All third parties are required to process personal data in accordance with applicable data protection laws.
Where service providers process personal data on our behalf, they are required to process such data only in accordance with our documented instructions and under appropriate contractual safeguards.
Where personal data are processed on behalf of the Hotel by a data processor, such processing is governed by contractual arrangements in accordance with Article 28 of the GDPR.
These arrangements ensure that data processors:
• Process personal data only on documented instructions from the Hotel
• Implement appropriate technical and organisational security measures
• Ensure confidentiality of personal data
• Assist the Hotel in complying with data protection obligations
• Notify the Hotel without undue delay in the event of a personal data breach
• Engage sub-processors only under equivalent data protection obligations
• Delete or return personal data upon termination of services, unless retention is required by law
The Hotel remains responsible for ensuring that processors provide sufficient guarantees for the protection of personal data.
14. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including where we use service providers such as Google or other technology providers.
Where personal data are transferred outside the EEA, we rely on an appropriate transfer mechanism under Chapter V of the GDPR, such as an adequacy decision of the European Commission, the EU-US Data Privacy Framework for certified US recipients where applicable, Standard Contractual Clauses approved by the European Commission, or another lawful transfer mechanism. Where required, we also assess whether supplementary safeguards are necessary.
15. Guest Wi-Fi
When guests use the Hotel’s Wi-Fi network, limited technical data may be processed for the operation of the network, security, technical support, abuse prevention, protection of the Hotel’s systems, and compliance with legal obligations.
Such data may include connection data, device identifiers, IP address, date and time of connection, duration of connection, and technical logs, where such data are generated or retained by the Hotel or its service providers.
The legal basis for this processing may include the provision of services requested by the guest, the Hotel’s legitimate interest in maintaining secure and reliable network services, and compliance with legal obligations, where applicable.
We do not use the guest Wi-Fi network to monitor the content of guests’ communications. Technical logs, where generated or retained, are used only for network operation, security, troubleshooting, abuse prevention, and legal compliance. Guest Wi-Fi technical logs, where retained, are normally kept for up to seven (7) days, unless a security incident, legal request, dispute, or legal obligation requires longer retention.
16. Video Surveillance / CCTV
For security and safety purposes, Sunset Hotel Corfu may operate a closed-circuit television system (CCTV) in selected areas of the Hotel.
The CCTV system is used for the protection of guests, visitors, staff, property, facilities, and the Hotel’s legitimate business interests, as well as for the prevention, investigation, and handling of unlawful acts, security incidents, accidents, damages, disputes, or threats to persons or property.
The CCTV system does not record audio. Cameras are positioned so as to avoid, as far as reasonably possible, unnecessary monitoring of areas where individuals have a reasonable expectation of privacy and are not used for systematic monitoring of employees’ performance.
CCTV cameras may be installed in common areas, entrances, exits, reception areas, corridors, outdoor areas, parking areas, pool/common external areas, and other areas where surveillance is necessary and proportionate for security purposes.
CCTV cameras are not positioned to focus unnecessarily on guests’ room doors, sunbeds, dining tables, or other areas where continuous monitoring would be disproportionate.
CCTV cameras are not installed in guest rooms, bathrooms, changing areas, or other areas where guests or visitors have a reasonable expectation of privacy.
The legal basis for this processing is the Hotel’s legitimate interest in ensuring the safety and security of persons, property, facilities, and business operations, in accordance with Article 6(1)(f) of the GDPR. Where CCTV footage is required for the establishment, exercise, or defence of legal claims, processing may also be based on the protection of the Hotel’s legal rights.
Access to CCTV footage is strictly limited to authorised personnel and, where necessary, authorised technical service providers acting under confidentiality and data protection obligations.
CCTV footage may be disclosed to competent public authorities, police authorities, courts, legal advisors, insurance companies, or other authorised recipients, where required or permitted by law, or where necessary for the investigation of an incident, the protection of rights, or the handling of legal claims.
CCTV footage is retained only for the period strictly necessary for the purposes for which it was collected and, in principle, for no longer than fifteen (15) days, unless a specific incident, legal obligation, investigation, dispute, or legal claim requires longer retention. In such cases, only the relevant footage will be retained for as long as necessary and lawfully permitted.
Appropriate signs are displayed in areas where CCTV is in operation, in order to inform guests, visitors, and staff before entering monitored areas.
17. Data Retention
Personal data are retained only for the period necessary to fulfil the purposes for which they were collected, including:
• Managing reservations and providing accommodation services
• Processing payments and completing transactions
• Complying with legal, tax, accounting, and regulatory obligations
• Handling complaints, disputes, and chargeback procedures
• Maintaining records for administrative and operational purposes
• Protecting the Hotel’s legal rights and legitimate business interests
Retention periods are determined based on:
• The duration of the contractual relationship with the guest
• Applicable legal obligations under Greek and EU law
• Tax, accounting, and regulatory retention requirements
• Legitimate business needs, including dispute resolution and fraud prevention
• The establishment, exercise, or defence of legal claims
Indicative Retention Periods
The following table provides indicative retention periods for the main categories of personal data processed by the Hotel. The actual retention period may vary depending on the nature of the data, the purpose of processing, applicable legal obligations, operational requirements, and the need to establish, exercise, or defend legal claims.
| Category of Personal Data | Indicative Retention Period |
|---|---|
| Booking and reservation data | For as long as necessary to manage the booking, provide accommodation services, handle post-stay matters, and thereafter for the period required for legal, accounting, tax, administrative, or dispute-resolution purposes |
| Guest identification and check-in data | For as long as required for accommodation, administrative, legal, regulatory, public authority, or security purposes, and thereafter only where retention is required or permitted by law |
| Payment and transaction-related data | For as long as necessary to complete the transaction, manage refunds, disputes, fraud prevention, chargebacks, accounting, tax, and legal obligations |
| Accounting and tax records | At least five (5) years from the end of the relevant period, or for any longer period required by applicable law |
| Communication data, enquiries, complaints, and disputes | For as long as necessary to handle the communication, request, complaint, or dispute, and thereafter for the establishment, exercise, or defence of legal claims |
| Marketing communications and newsletter data | Until you withdraw your consent, unsubscribe, or request deletion, unless limited retention is necessary to keep a record of your consent or opt-out for compliance purposes |
| Cookie consent records | For as long as necessary to demonstrate consent or withdrawal of consent, in accordance with our Cookie Policy and applicable law |
| Cookies and similar technologies | As specified in our separate Cookie Policy, depending on the category, purpose, provider, and duration of each cookie or similar technology |
| Analytics, advertising, and remarketing data | For the period specified by the relevant provider and our Cookie Policy, subject to your consent where required by law |
| CCTV footage | In principle, for no longer than fifteen (15) days, unless a specific incident, investigation, legal obligation, dispute, insurance matter, or legal claim requires longer retention |
| Guest Wi-Fi technical logs, where retained | Guest Wi-Fi technical logs, where retained, are normally kept for up to seven (7) days for network operation, security, troubleshooting, abuse prevention, and legal compliance, unless a security incident, legal request, dispute, or legal obligation requires longer retention |
| Data relating to legal claims or disputes | For as long as necessary for the establishment, exercise, or defence of legal claims, and in accordance with applicable limitation periods |
Where personal data are no longer required for the purposes for which they were collected, they will be securely deleted, anonymised, or otherwise disposed of in accordance with applicable law and internal procedures.
18. Data Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
These measures are intended to protect personal data against:
• Unauthorised access
• Accidental or unlawful destruction
• Loss
• Misuse
• Alteration
• Unauthorised disclosure
• Unauthorised processing
Access to personal data is restricted to authorised personnel and service providers on a need-to-know basis.
Although we take appropriate measures to protect personal data, no method of transmission over the internet or electronic storage is completely secure. Therefore, we cannot guarantee absolute security.
19. Personal Data Breaches
In the event of a personal data breach, we will assess the incident and take appropriate technical, organisational, and legal measures in accordance with applicable data protection laws.
Where required by law, we will notify the competent supervisory authority without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where required by law, we will also notify the affected individuals without undue delay.
20. Reviews, Feedback, and Surveys
Following your stay, we may contact you to request feedback about your experience, invite you to complete a survey, or ask you to leave a review, where this is permitted by applicable law and based on our legitimate interest in improving our services and guest experience.
Any feedback, survey response, or review you provide may be used internally by the Hotel for quality control, service improvement, staff training, complaint handling, and operational purposes.
Reviews may also be submitted or displayed through third-party review platforms, in accordance with the terms and privacy policies of those platforms.
We will not publish your name, image, contact details, room number, booking details, or other identifiable information in connection with a review on our own website or marketing materials without your consent, unless you have already made such information public on a third-party review platform.
Where a review or comment is published by you on a third-party platform, that platform is responsible for the processing of personal data carried out through its own services, in accordance with its own privacy policy.
21. Marketing Communications and Newsletter
We may process your personal data to send you marketing communications, promotional offers, updates, and information about our services.
We will send marketing communications only where:
• You have provided your explicit prior consent; or
• We are otherwise permitted to do so under applicable law, such as in the context of an existing customer relationship, where legally allowed
If you subscribe to our newsletter:
• We will use your email address to send updates, offers, and promotional content related to our services
• Subscription is voluntary and based on your consent
• You may unsubscribe at any time by clicking the “unsubscribe” link in any email or by contacting us directly
• We may maintain a record of your consent, including date and time, for compliance purposes
Where we rely on an existing customer relationship to send marketing communications, we will do so only for our own similar services, only where we obtained your contact details in the context of a booking or service, and only where you were given a clear opportunity to object at the time of collection and in every subsequent communication.
You may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
22. Analytics, Advertising and Remarketing Technologies
We may use analytics, advertising, and remarketing technologies provided by third parties, including Google, to measure website performance, understand user behaviour, measure the effectiveness of advertising campaigns, track conversions such as completed bookings, and improve our marketing activities.
These technologies may involve the processing of information such as IP address, device information, browser information, pages visited, website interactions, referring URLs, and booking-related conversion actions.
Where these technologies involve the use of cookies or similar technologies, they are used in accordance with our Cookie Policy and, where required by applicable law, only after obtaining your prior consent.
Google may process certain data in accordance with its own Privacy Policy: https://policies.google.com/privacy
23. Cookies and Similar Technologies
Our website may use cookies and similar technologies to ensure the proper operation of the website and booking system, improve user experience, analyse website performance, and, where you have provided consent, support advertising, remarketing, and conversion tracking activities.
Certain cookies are strictly necessary for the operation of the website and the provision of services requested by the user. These cookies do not require prior consent.
Non-essential cookies are not activated unless and until you provide the relevant consent through our cookie banner or cookie settings.
Non-essential cookies and similar technologies, including analytics, advertising, marketing, remarketing, and third-party tracking technologies, are used only where you have provided prior consent, where required by applicable law.
You may manage or withdraw your cookie consent at any time through the cookie settings available on our website.
For detailed information about the cookies and similar technologies we use, including their categories, purposes, duration, providers, and whether consent is required, please refer to our separate Cookie Policy.
24. Automated Decision-Making and Profiling
We do not use your personal data for automated decision-making that produces legal effects concerning you or similarly significantly affects you.
Where advertising or analytics tools involve audience segmentation, remarketing, or similar profiling activities, such processing is carried out only where permitted by law and, where required, based on your prior consent.
25. Children’s Data
Our website and booking services are not directed to individuals under the age of 16. However, where minors stay at the Hotel as accompanying guests, we may process limited personal data relating to them where necessary for the provision of accommodation services, legal compliance, safety, or where provided by a parent or legal guardian.
We do not knowingly collect personal data from children without appropriate consent or legal basis.
If we become aware that we have collected personal data from a child unlawfully, we will take appropriate steps to delete such data.
26. Your Rights
Subject to applicable law, you have the following rights in relation to your personal data:
• Right of access to your personal data
• Right to rectification of inaccurate or incomplete personal data
• Right to erasure of your personal data
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent at any time where processing is based on consent
• Right to lodge a complaint with a competent data protection authority
To exercise your rights, please contact us using the contact details provided in this Policy or on our website.
We may need to verify your identity before responding to certain requests.
We will respond to your request without undue delay and, in any case, within one month of receiving the request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.
27. Right to Lodge a Complaint
You have the right to lodge a complaint with a competent data protection supervisory authority if you believe that the processing of your personal data infringes applicable data protection law.
In Greece, the competent supervisory authority is the Hellenic Data Protection Authority. Further information is available through the Authority’s official website.
28. No Sale of Personal Data
We do not sell your personal data. Your personal data is used only for the purposes described in this Policy and in accordance with applicable law.
29. Updates to this Policy
We reserve the right to update this Privacy Policy from time to time to reflect changes in legal, technical, operational, or business developments.
Any updated version of this Privacy Policy will be published on our website and will apply from the date of publication, unless otherwise stated. Where changes are material or where required by law, we may provide additional notice or request your consent before carrying out processing that requires consent.
30. Contact
For any questions regarding this Privacy Policy, or to exercise your data protection rights, you may contact us at:
POLITIS S.A.
SUNSET HOTEL CORFU
Alikes Potamou, Corfu, Greece
Email:
Site: https://www.sunsethotelcorfu.gr/

