Data Privacy Policy

1. Introduction and Scope

This Data Privacy Policy applies to all personal information processed by CheapCarRentalsCrete.com ("we", "us", "our") in connection with vehicle rental services offered on the island of Crete, Greece. This includes bookings made for pickup at Heraklion Airport (HER), Chania Airport (CHQ), Heraklion Port, and any hotel or villa delivery location across the island.

We are committed to protecting the privacy and security of every customer. This policy explains what data we collect, how we use it, who we share it with, and what rights you have under applicable Greek and European Union law - primarily Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and the Greek Law 4624/2019 implementing the GDPR at national level.

By using our website, submitting a booking enquiry, or completing a reservation, you acknowledge that you have read and understood this policy. If you do not agree, please do not submit personal data through our platform.

2. Data Controller

The data controller responsible for your personal information is:

CheapCarRentalsCrete.com
Crete, Region of Crete, Greece
Email: [email protected]
Phone: +1 (412) 538-6595

All data processing activities described in this policy are carried out by or under the direction of this entity. For any privacy-related questions, concerns, or requests, please contact us using the details above.

3. Information We Collect

3.1 Personal Identification Details

When you make a booking or contact us, we may collect your full name, email address, phone number, home address, nationality, and date of birth. For vehicle rental purposes we also collect driver licence number, licence issuing country, and licence expiry date. Passport or national identity document details may be collected at the point of vehicle handover in accordance with Greek rental regulations.

3.2 Booking and Transaction Data

We collect details related to your rental: pickup and return locations (e.g., Heraklion Airport, Chania, Rethymnon port area), rental start and end dates, selected vehicle category, optional extras such as child seats or GPS, and any special instructions you provide. This forms the core record of your contract with us.

3.3 Payment Information

We do not store full payment card details on our servers. Payment transactions are processed by PCI-DSS compliant third-party payment processors. We receive confirmation of successful payment and a transaction reference, but sensitive card data is handled entirely by the processor. Where a booking is made with no deposit, the confirmation and any applicable payment processing still takes place through our secure third-party gateway.

3.4 Browsing and Device Data

When you visit our website, we automatically collect certain technical information including your IP address, browser type and version, operating system, referring URL, pages viewed, and time spent on site. This data is collected via server logs and, where applicable, analytics cookies. It helps us maintain site security and improve user experience.

3.5 Location Data

If you use location features on our website (for example, finding the nearest pickup point in Crete), your device may share approximate location data with us. This is only processed with your explicit browser-level permission and is not stored beyond the immediate session.

4. How We Use Your Data

4.1 Processing Bookings and Fulfilling Contracts

The primary reason we collect personal data is to process your vehicle rental booking and fulfill the rental contract. This includes confirming your reservation, sending booking vouchers, coordinating airport pickup logistics, arranging child seat or other extras, and managing any changes or cancellations. The legal basis is the performance of a contract (GDPR Article 6(1)(b)).

4.2 Customer Support

We use your contact and booking details to respond to support queries, resolve disputes, manage complaints, and assist you during your rental period anywhere on the island - from the Samaria Gorge trailhead in the south to the coastal road east of Agios Nikolaos. The legal basis is our legitimate interest in providing quality service (GDPR Article 6(1)(f)).

4.3 Service Improvement

Aggregated and anonymised browsing and booking data helps us understand how customers find and use our service, which vehicle categories are most in demand by season, and how our website can be improved. No individually identifiable data is used for this purpose without appropriate safeguards.

4.4 Marketing Communications

We may send you promotional emails, seasonal offers, or information about our rental fleet if you have given explicit consent during booking. You can withdraw consent at any time by clicking the unsubscribe link in any email or by contacting us directly. We will not send marketing communications based solely on a legitimate interest where you have not opted in.

4.5 Legal Compliance

We process and retain certain data as required by applicable Greek and EU law, including tax and accounting obligations, anti-fraud measures, and obligations imposed by Greek transport or tourism authorities. The legal basis is compliance with a legal obligation (GDPR Article 6(1)(c)).

5. Data Sharing with Third Parties

We do not sell your personal data. We may share necessary data with the following categories of trusted partners:

• Payment processors - to authorise and confirm transactions securely. These providers operate under strict PCI-DSS standards and their own privacy frameworks.
• Insurance providers - where our rental includes or offers optional coverage, relevant customer and booking details may be shared with the insurer for policy issuance and claims handling.
• Booking technology integrators - we may use third-party reservation platforms or widget providers that receive booking data to generate confirmations and manage availability.
• Legal and regulatory authorities - where we are required by Greek law, court order, or regulatory instruction to disclose information.
• Analytics providers - anonymised or pseudonymised data may be shared with analytics services to help us measure website performance. These providers are bound by data processing agreements.

All third-party processors are required to handle your data only for the specified purpose and in accordance with GDPR requirements. Where data is transferred outside the European Economic Area, we ensure adequate safeguards are in place as required by Chapter V of the GDPR.

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

• Booking and rental records - retained for a minimum of 5 years following the rental period to comply with Greek accounting and tax obligations (Law 4308/2014).
• Customer support communications - retained for up to 2 years from the date of the last interaction unless a dispute requires longer retention.
• Marketing consent records - retained until you withdraw consent, plus an additional period of 1 year for audit purposes.
• Website log data - typically retained for up to 12 months and then deleted or anonymised.
• Payment transaction references - retained for the period required by applicable financial regulations, generally 5-7 years.

Once a retention period expires, data is securely deleted or anonymised so it can no longer be linked to an individual.

7. Your Rights Under GDPR

As a data subject under the GDPR and Greek Law 4624/2019, you have the following rights with respect to your personal data:

• Right of access - you may request a copy of the personal data we hold about you, free of charge, within 30 days of your request.
• Right to rectification - if any data we hold is inaccurate or incomplete, you may ask us to correct it without undue delay.
• Right to erasure ("right to be forgotten") - you may request that we delete your personal data where it is no longer necessary for the purpose it was collected, or where you withdraw consent, subject to our legal retention obligations.
• Right to data portability - where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
• Right to restrict processing - you may ask us to temporarily suspend processing of your data while a dispute or correction request is being resolved.
• Right to object - you may object at any time to processing based on legitimate interests, including direct marketing. We will cease processing unless we can demonstrate compelling legitimate grounds.
• Right to withdraw consent - where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. If you are dissatisfied with our response, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) at www.dpa.gr.

8. Data Security Measures

We take reasonable and appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These measures include:

• Encrypted data transmission using TLS/SSL protocols across all website interactions.
• Access controls limiting personal data access to authorised staff on a need-to-know basis.
• Use of PCI-DSS compliant third parties for all payment data handling - we never store raw card numbers.
• Regular security assessments and updates to our website and hosting infrastructure.
• Staff training on data handling procedures and confidentiality obligations.

No method of transmission over the internet is completely secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the HDPA as required by GDPR Article 33 and 34.

9. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies. A cookie is a small text file placed on your device. We use cookies to keep our website functioning correctly, remember your preferences, analyse site traffic, and in some cases to support third-party booking integrations. You can manage cookie preferences via your browser settings or through our cookie consent tool, which is presented when you first visit the site. For full details please see our Cookies Policy.

10. Changes to This Policy

We may update this Data Privacy Policy from time to time to reflect changes in law, technology, or our business practices. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email or a prominent notice on our website. We encourage you to review this policy periodically. Continued use of our services after any update constitutes acceptance of the revised policy.

This policy was last reviewed in 2024.

11. Contact Us About Privacy

If you have any questions, concerns, or requests relating to this Data Privacy Policy or how we handle your personal data, please contact us:

CheapCarRentalsCrete.com
Crete, Region of Crete, Greece
Email: [email protected]
Phone: +1 (412) 538-6595

We aim to respond to all privacy-related enquiries within 5 business days and to fulfil any formal data subject request within 30 calendar days as required under the GDPR.