Privacy Policy

1. Who We Are

Naxos Quads Guides is a guided quad tour operator based on Naxos Island, Greece. We are the data controller for the personal data you provide to us through our website, booking engine, or direct communications.

If you have any questions about this policy or how we handle your data, please contact us at info@naxosquadsguides.com or +30 698 4825 798.

2. What Data We Collect

We may collect the following categories of personal data:

• Contact information: your name, email address, phone number
• Booking data: tour selection, session date and time, number of riders and passengers
• Payment data: processed securely through Stripe. We do not see or store your card details.
• Identification data: a copy of your driving licence, collected for verification purposes and permanently deleted after your reservation is fulfilled
• Communication data: messages sent to us via email, WhatsApp, Viber, or Instagram, including any personal information you voluntarily share
• Technical data: anonymised usage data collected via our self-hosted Umami analytics instance (see section 9)

3. How We Collect Your Data

We collect your data when you:

• Book a tour through our website or the CaptainBook booking engine
• Submit an enquiry via our contact form (powered by Web3Forms)
• Contact us by phone, email, WhatsApp, Viber, or Instagram
• Visit our website (anonymised analytics only)

4. Why We Process Your Data

We process your personal data for the following purposes:

• To process and confirm your booking
• To send you booking confirmations and pre-tour reminder emails
• To verify your driving licence as required by law
• To communicate with you about your booking via the channel you prefer (email, phone, WhatsApp, Viber, or Instagram)
• To improve our website and services using anonymised analytics
• To comply with legal and regulatory obligations

5. Lawful Basis for Processing

We process your personal data under the following lawful bases as defined by the GDPR:

• Contract performance: processing your booking, sending confirmations and reminders
• Legal obligation: verifying your driving licence and retaining records as required by Greek law
• Consent: analytics (via our cookie-free Umami setup) and any optional communications you opt into
• Legitimate interest: improving our services, responding to enquiries, and protecting our legal rights

6. Driving Licence Data — Retention & Deletion

If we request a copy of your driving licence for verification purposes, we collect it solely to confirm your eligibility to operate a quad. Your licence data is stored securely and permanently deleted immediately after your reservation has been fulfilled. We do not retain copies of your driving licence for any other purpose.

7. Payment Data

All payments are processed through Stripe, a PCI-DSS compliant payment processor. We do not collect, store, or have access to your credit or debit card details. Stripe's privacy policy governs the handling of your payment data.

8. Third-Party Services

We use the following third-party services that may process your data:

• CaptainBook: our booking engine, which stores your booking and contact data
• Stripe: payment processing (we do not store your card details)
• Web3Forms: contact form submission handling
• Umami: self-hosted, privacy-friendly analytics (no cookies, no personal data sent to third parties)

9. Analytics — Umami (Self-Hosted)

We use our own self-hosted Umami analytics instance to understand how visitors use our website. Umami is cookie-free and does not track personal data. It collects only anonymised, aggregated information such as page views, referrer sources, browser type, and device type. No data is shared with third parties. No personal identifiers (IP addresses, user IDs, cookies) are stored.

10. Data Sharing & Transfers

We do not sell, rent, or trade your personal data. We may share your data with the third-party service providers listed in section 8, who act as data processors and are contractually bound to protect your data. Some of these providers may be located outside the European Economic Area (EEA); in such cases we ensure appropriate safeguards (Standard Contractual Clauses) are in place.

11. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Booking and contact data: retained for the duration of your booking plus 12 months for accounting and legal purposes
• Driving licence data: deleted immediately after your reservation is fulfilled
• Analytics data: retained indefinitely in anonymised, aggregated form only
• Communication data: retained for the duration of the enquiry plus 6 months

12. Your Rights Under GDPR

As a data subject in the European Economic Area, you have the following rights:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: correct inaccurate or incomplete data
• Right to erasure: request deletion of your personal data, subject to legal retention obligations
• Right to restriction: limit how we process your data
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to processing based on legitimate interest
• Right to withdraw consent: withdraw your consent at any time, without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, please contact us at info@naxosquadsguides.com. We will respond within 30 days.

13. Cookies

Our website does not use cookies. Our self-hosted Umami analytics solution is completely cookie-free and does not require a cookie consent banner.

14. Changes to This Policy

We may update this privacy policy from time to time. Changes take effect immediately upon posting on this page. We encourage you to review this page periodically.

15. Contact & Complaints

If you have any concerns about how we handle your data, please contact us first:

• Email: info@naxosquadsguides.com
• Phone / WhatsApp / Viber: +30 698 4825 798

You also have the right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr).