Company Logo

Menu

Navigate to different sections of the page.

Tinos Beyond Privacy Policy

Last Updated: June 2025

Your privacy is a priority for us. This Privacy Policy (hereinafter: the “Privacy Policy”) explains clearly and transparently what personal data we process at Tinos Beyond, for what purpose, what rights you have and how you can exercise them, as well as any other important information you need to know about how your data is processed. This is to ensure that you are fully informed in a clear, concise and transparent manner before you fill out the request form and potentially enter into an agreement with us for the provision of third-party services or services provided directly by us.

This Policy applies to our processing of personal data of any individual interacting with us, either by submitting a request through the website www.tinosbeyond.com (hereinafter: the “Website”), or in the context of entering into a contract with us regarding the arrangement/booking of third-party services or the direct provision of services by us.

We invite you to read this Privacy Policy carefully and in its entirety to ensure you fully understand it.

You may copy, print, and download the Policy by clicking here.

Contents

  1. The essentials you need to know
    1.1. Who is the Data Controller of your data?
    1.2. What categories of your data do we process?
    1.3. For what purposes may we process your data?
    1.4. What rights do you have regarding the processing of your data?
    1.5. How can you exercise your data protection rights?
    1.6. How will we facilitate the exercise of your rights?
    1.7. What else is important to consider?
  2. Where do we collect your data from?
  3. On what legal basis do we process your data?
    3.1. To make a service proposal, conclude and perform a contract between us
    3.2. Because we have a legitimate interest
    3.3. Because we are legally obligated
    3.4. Because you provide your explicit consent
  4. Who do we share or transfer your data with?
    4.1. With us and our staff
    4.2. With specific categories of recipients
  5. Where is your data stored, in which countries, how securely, and for how long?
    5.1. Data storage
    5.2. Data security and processing
    5.3. Data retention period
  6. Other matters concerning your privacy and this Policy
    6.1. Changes to this Privacy Policy
    6.2. Third-party privacy policies
    6.3. Statement of information, understanding, and acceptance

1. The essentials you need to know

1.1. Who is the Data Controller of your data?

The sole proprietorship under the name “MARIA NIKOLAOU VELALOPOULOU” with the trade name “Tinos Beyond” (hereinafter: “Tinos Beyond”), registered in Greece under GEMI number 184823538000, VAT number EL 302570689, and based in Tinos, ZANNACHI ALAVANOU Street, no. 34, Postal Code: 84200, Greece.

You can contact the data controller for any issue related to your data and this Policy:

1.2. What categories of your data do we process?

We may process the following personal data you provide:

  • First name
  • Last name
  • Phone number (mobile)
  • Email
  • Preferred dates for services (by third parties or us) and type/characteristics or other information related to desired services and travel that may identify you as a natural person
  • Any other personal data (including potentially special categories of data such as ethnic/racial origin, religious belief, or health status) that you choose to disclose when submitting a request through the Website or communicating with us regarding that request
  • Billing details for invoice issuance to a natural person (sole proprietorship), if requested

1.3. For what purposes may we process your data?

For the following specified, explicit, and lawful purposes:

a. To process and handle your request submitted through the Website and potentially enter into a service agreement with us.

Specifically, we collect, record, retrieve, transmit, use, and store all categories of data you submit via the request form on the Website, in order to:

  • Propose selected services provided by third-party partners based on your request, and offer our mediation service for ordering/booking these on your behalf (concierge services)
  • Conclude a service agreement with you for our mediation in booking/ordering services from third parties on your behalf
  • Propose services directly provided by us
  • Enter into a direct service agreement between us

b. To send electronic communications for marketing purposes.

We may collect, retrieve, store, transfer and use your data to lawfully send you marketing communications containing updates, news, and offers related to Tinos Beyond services.

c. To establish, exercise, or defend legal claims.

We may collect, retrieve, store, transfer, disclose, and use your data in the context of legal or extrajudicial proceedings to enforce terms of any agreement between us, including the Website’s Terms and Conditions.

d. In the event of a change in legal structure.

We may transfer your personal data to any lawful universal successor of our sole proprietorship in the context of a change of legal form, acquisition, or merger.

e. To comply with legal obligations.

We may collect, retrieve, transfer, disclose, and use your data to meet tax or other legal obligations.

Please note that the above purposes do not necessarily apply to you, as it is not certain that your personal data will be processed for all of the above.

1.4. What rights do you have regarding the processing of your data?

a. Right of access to your data

You have the right to request and obtain access to your personal data, which allows you to:

  • confirm whether we process your personal data, and

  • if so, receive all relevant information in an appropriate format, including:

    • the purposes and legal basis of the processing

    • the categories of data we process

    • the categories of recipients to whom your data may be disclosed

    • the storage period

    • the existence of your right to request access, correction, deletion of your data, or to request restriction or object to its processing

    • the right to lodge a complaint with the competent supervisory authority (Hellenic Data Protection Authority)

    • whether providing data is a contractual requirement and the consequences of not providing it

    • whether your data is transferred outside the EU

b. Right to receive a copy of your data

You have the right, upon request, to receive a free copy of your personal data undergoing processing, at reasonable intervals, in printed or digital format.

c. Right to rectify your data

You have the right, upon request, to ask us to correct or update any inaccurate personal data or complete any incomplete data concerning you, possibly through a supplementary statement. We will act on such requests without undue delay.

d. Right to erasure of your data

You have the right, upon request, to request the deletion of your data and the cessation of its processing, even before the end of the intended storage period. Deletion will take place without undue delay if one of the following grounds applies:

  • deletion is required due to a legal obligation we are subject to
  • your data is no longer necessary for the purposes for which it was collected
  • you have withdrawn your consent, and the processing was based solely on that consent
  • you have lawfully objected to the processing unless the processing is necessary:
  • for the establishment, exercise, or defense of legal claims
  • for compelling and legitimate grounds we can prove that override your interests and rights
  • for our compliance with a legal obligation (e.g. tax obligations)

e. Right to restrict processing of your data

You have the right, upon request, to request the restriction of processing of your personal data when:

  • you contest the accuracy of your data
  • you prefer storage rather than deletion because you need the data for the establishment, exercise, or defense of legal claims
  • you have objected to processing and we are still verifying whether our legitimate grounds override yours

f. Right to object to the processing of your data

You have the right, upon request, to object at any time to the processing of your data based on reasons related to your particular situation. In such cases, we will stop processing your data unless it is necessary:

  • for compelling and legitimate reasons which override your interests, rights and freedoms, or
  • for the establishment, exercise, or defense of legal claims. If processing is restricted, your data will only be stored by us and further processing will only occur for legal claim purposes or to protect third-party rights.

g. Right to object to direct marketing communications

With regard to the processing of your data for the purpose of sending electronic communications for direct marketing of Tinos Beyond services, it is explicitly noted—separately from the general right to object above—that you have the right, at any time and without justification, to object to such processing. You will no longer receive marketing communications from us, even if we had the legal right to send them without your prior consent.

h. Right to data portability

You have the right, upon request, to receive the data you have provided to us and request that it be transferred directly to another data controller, where technically feasible. You may also request the deletion of that data.

i. Right to lodge a complaint with the supervisory authority

As a data subject, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data by us violates applicable data protection legislation.

You may file the complaint with the authority of the EU country in which you reside, work, or where the alleged violation occurred.

If that country is Greece, the relevant authority is the Hellenic Data Protection Authority:

For details on the authority’s competence and the complaint submission process, please visit their site: Submit a complaint.

j. Right to withdraw your consent

If the processing of your personal data is based on your previously given consent, you have the right to withdraw it at any time by submitting a request as described in section 1.5 below.

1.5. How can you exercise your rights regarding the processing of your personal data?

You may submit a relevant request:

  • Electronically: We recommend submitting your request electronically by sending an email to: info@tinosbeyond.com.
  • Orally: Alternatively, you can make your request in person at our headquarters or by phone at: +30 6975623286.
  • By post: You may also send your request by mail to the address: Zannaki Alavanou 34, 84200 Tinos, Greece
  • By clicking a button: Specifically for exercising your right to object to our lawful sending of electronic communications for direct marketing purposes of our services, you may click the unsubscribe link/button located at the bottom of every message we send you. By doing so, you will automatically be removed from the mailing list for such communications.

1.6. How will we facilitate the exercise of your rights?

We are committed to making it easy for you to exercise all your rights under the applicable legal framework, provided we confirm that the requester is the individual to whom the data relates.

  • Prompt response: We commit to responding to your request without undue delay, taking all necessary actions free of charge and at the latest within one month from receipt of the request.
  • Provision of information: In response to your request, we will inform you of the action taken (e.g., data deletion, correction, etc.), free of charge, and in a concise, transparent, and understandable manner. If you requested a copy of your data, we will provide it in a commonly used electronic format (e.g., email), unless you request another format. In the case of data portability requests, we will transmit the data in a structured, machine-readable format.
  • Informing data recipients: We will notify all recipients to whom your data may have been disclosed, as per this Policy, of any correction, deletion, or restriction of processing you have requested. Upon your request, we can also provide additional information about these recipients.
  • Immediate cessation of direct marketing communications: Every electronic marketing communication we lawfully send includes a clear and prominent unsubscribe link/button, allowing you to easily and freely object to the use of your data for direct marketing. If you choose to unsubscribe, you will not receive any further such communications from us, with no negative consequences.

1.7. What else should you take into account?

Transfer of Data to Other Countries:

The processing of your data may require certain processing operations to be outsourced or the storage of data to be handled by recipients we collaborate with for the operation of our business, located outside of Greece, particularly in other EU countries as well as third countries (e.g., the United States). This may involve the transfer of your data to those locations (see Section 5 for more details).

Electronic communications after a contract is concluded:

We generally retain your data only for as long as necessary for the purposes described above. Please note that if you provide your email during a service request or agreement for mediation or direct service provision, we may store and use it to send you electronic communications for the direct marketing of Tinos Beyond services—but only if a service agreement is concluded between us. In that case, your email will be retained and used for five years from the date the agreement is signed.

2. Where do we collect your data from?

We collect your data directly from you, via the contact form available on our Website.

We process the personal data described above, which you voluntarily disclose and provide to us when you choose to submit a request in order to receive a proposal from us—either for our intermediation in the provision of third-party services to you, or for the direct provision of services by us—by completing the relevant form on the Website.

Therefore:

  • The collection and processing of data requires the voluntary submission of a request by you via the Website.
  • We do not collect any data from users who are merely browsing the Website.
  • We do not monitor your device while you navigate our Website.
  • We do not intentionally seek or collect personal data of children under the age of 18 or special categories of personal data unless such information is voluntarily provided by you in your request and is absolutely necessary for processing the request in relation to the services you are seeking. If we discover that we have inadvertently collected such data, we will delete it as soon as reasonably possible.
  • We never collect your personal data related to payment methods (e.g., your credit card information, PayPal account details, or other similar payment data).

3. Why are we allowed to process your data?

3.1. For the purpose of submitting a proposal, and for the conclusion and execution of a contract between us

The processing of all the data we collect through the submission form is necessary for the purpose of taking steps at your request prior to entering into a contract, and/or for the conclusion and performance of any contract between us (whether for the mediation in the provision of services by third parties or for the direct provision of services by us to you) (Article 6(1)(b) GDPR).

Specifically, your email address and/or mobile phone number are required to communicate with you—so we can submit, discuss, finalize, and send you a service proposal either from our third-party partners (through our mediation) or directly from us, and to enter into the corresponding agreement.

If you do not provide us with your data, and we are unable to process it, we will not be able to receive and handle your request for a proposal or enter into and execute a contract with you.

3.2. Because we have a legitimate interest

The collection and/or processing of your data for the purposes of:

  • sending electronic communications for direct marketing,
  • establishing, exercising, or defending legal claims,
  • company restructuring (e.g., transition to a new legal entity),
  • or for statistical purposes,

is necessary for the purposes of our legitimate interests, which we have carefully balanced against your interests, fundamental rights, and freedoms. We concluded that our interests do not override yours, given the context of the data collection, the relationship between us, and your reasonable expectations regarding the processing of the data for these specific purposes (Article 6(1)(f) GDPR).

  • In the case of direct marketing communications via emails that include updates, news, and offers related to Tinos Beyond services (sent manually), our legitimate interest is to promote our services to former clients who may still be interested. We consider this interest to remain valid for up to five years after the conclusion of a contract between us. Under Article 11(3) and (4) of Law 3471/2006, we are allowed to send such emails lawfully if your contact details were obtained in the context of our previous transaction, and are used for the direct promotion of similar services—provided that you are clearly and easily given the opportunity to object, freely and without charge, to the use of your data for marketing. This is ensured through a clearly visible unsubscribe link at the bottom of every marketing message, where our identity and contact information are also clearly indicated.
  • In the case of processing for legal claims, our legitimate interest lies in the pursuit and support of such claims.
  • In the case of corporate restructuring, our legitimate interest is to ensure the uninterrupted continuation of our business operations.

3.3. Because we are legally obligated

The processing of certain personal data we collect (e.g. your full name) is necessary for us to fulfill our obligations under applicable legal frameworks. This includes, among other things, compliance with legal obligations imposed on us (e.g. tax obligations) (Article 6(1)(c) GDPR).

3.4. Because you have provided your explicit consent through a specific declaration

We may:

  • Process special categories of data, such as racial or ethnic origin, religious beliefs, or health conditions (e.g. mobility issues, allergies) that you voluntarily disclose to us—without us requesting them—during the submission of your request or in communication regarding the discussion, finalization, and proposal of a service agreement. We will only process such data if they are strictly necessary and relevant to the requested services, and where the characteristics of those services might be affected by such data. This processing will take place only if you provide your explicit, informed, and freely given consent, by selecting the appropriate checkbox when submitting your request (Article 6(1)(a) GDPR). If you do not wish to give your consent, you should refrain from disclosing such data.

You may withdraw your consent at any time without any impact on our provision of mediation services, as your consent is not a prerequisite for receiving mediation services, but only for processing data that you voluntarily disclosed and which may affect the content of our proposed services.

4. Who do we share or transfer your data with?

4.1. With us and our personnel

Your data may be processed by the owner of the sole proprietorship, Ms. Maria Velalopoulou, and possibly by individuals directly supervised by her under employment contracts or freelance collaboration agreements. These individuals are authorized to process data, bound to comply with applicable legislation and this Privacy Policy, and have received appropriate training to lawfully process your personal data.

4.2. With specific categories of recipients

In addition to our internal processing, we may disclose or transfer your data only to the following recipients or categories of recipients, strictly for the purposes outlined above. When these recipients process data on our behalf, they may only access and use your data as necessary to perform the tasks assigned to them.

These recipients may include:

a. Service providers with whom we mediate on your behalf

We may transfer your data to our partners—independent third-party providers of the services you wish to book in your travel destination—only after entering into a mediation contract with you. That contract authorizes us to arrange/book services in your name.

The processing of your data by these third-party providers is done entirely and independently by them, based on their own privacy policies (which we will provide to you with our service proposal). You are responsible for reading and accepting those policies.

b. Web and IT service providers

We may disclose the data you submit via our Website’s contact form to:

  • Vercel Inc (www.vercel.com), based in California, USA – provides web hosting services.
  • Google Ireland Limited, based in Ireland – hosts our email server.
  • Freelance web developers and IT technicians based in Greece, who may support and develop our Website. In this context, they may access the data we’ve collected from the Website or from emails exchanged while finalizing a service proposal.

c. Payment intermediaries

We may share order-related data (e.g., order ID, payable amount) with our payment partners (such as Worldline Greece, https://worldline.com/el-gr/home) to complete payment transactions.

Note that we never receive, collect, or store your payment method details (e.g., card numbers, PayPal account, or other sensitive payment data).

d. Accountants, legal advisors, and similar professionals

We may disclose necessary data to external partners who support us in accounting or legal matters, for instance, to fulfill tax or other legal obligations (e.g., maintaining accounting records, or for the establishment, exercise, or defense of legal claims). Where necessary, your data may also be disclosed to public authorities (e.g., a court).

e. Universal successors

In the event our sole proprietorship is transferred to another entity (e.g., through acquisition, merger, or a change in legal form), we may transfer the entire data record to the legitimate universal successor, provided you are notified accordingly in advance.

Other than the recipients listed above, your data is not shared with third parties, and we do not rent or sell your personal data to any third parties for their own commercial purposes or marketing campaigns.

5. Where are your data stored, in which countries, how securely, and for how long?

5.1. Data Storage

  • In a physical, non-automated filing system located at our headquarters.
  • On the servers of the providers who offer hosting services for our website, email server, and payment processing systems.

The data collected from you when submitting a request or entering into a contract with us is stored on the servers of Vercel Inc., which utilizes data centers located in the USA.

The transfer of data to the U.S. is covered under Article 45 of the General Data Protection Regulation (GDPR), as the European Commission has issued an adequacy decision recognizing that data is sufficiently protected under the Data Privacy Framework.

More information can be found here:

EU-US Data Transfers

Vercel’s privacy policy is available at:

https://vercel.com/legal/privacy-policy

In addition, your email and other information contained in our communications (e.g. order details) may be stored on servers operated by Google Ireland Limited, which may be located outside the EU (e.g. the USA, Japan, etc.) in jurisdictions covered by an adequacy decision under Article 45 GDPR.

You can learn more here:

For data transfers to third countries without an adequacy decision (e.g. Singapore, Taiwan), such transfers are based on appropriate safeguards, such as the Standard Contractual Clauses under Article 46 GDPR.

More details:

Additionally, information shared with our payment service provider may be stored on the servers of the Worldline Group S.A., which are located in various countries outside the EU. Transfers to countries with an adequacy decision are covered under Article 45 GDPR. In the absence of such decisions, transfers rely on Standard Contractual Clauses or other suitable mechanisms approved by the European Commission.

More info:

https://worldline.com/el-gr/compliancy/privacy

5.2. Security of your data and processing

We take and implement appropriate technical and organizational measures to safeguard the confidentiality and integrity of your data and ensure secure processing. We choose partners who uphold a high standard of data protection and security. Specifically:

  • The physical archiving space is secured and accessible only to specifically authorized personnel employed by our business.
  • Your data are stored in encrypted form on our partners’ servers, within highly secure, certified environments, protected from public access. These environments comply with industry-standard data protection practices, with strict access control mechanisms ensuring that only authorized and trained personnel can access the data.
  • Our website is equipped with an SSL security certificate.
  • We never collect, access, or store your payment method information (such as card details or PayPal account data). All payments are processed through Worldline Greece’s Payment Link service, using their own secure transaction systems, protected by their security protocols for which they are responsible.

5.3. Data Retention Period

We retain all data you provide through the Website’s form and during our communications for the discussion, finalization, and submission of a contract proposal, until the signing of a contract between us.

  • If no contract is signed after our proposal, the data is immediately deleted, and no later than ten (10) days from the end of our communication.
  • If a contract is signed, we retain only the necessary data (e.g. name, surname, email, mobile phone) for the fulfillment of legal obligations, or for the establishment, exercise, or defense of legal claims related to our contract. These data are retained for as long as the relevant legal retention or limitation period lasts, plus two additional months, or longer if required depending on the progress of any legal claims.
  • Your email address is retained and used for sending direct marketing communications, governed by our Privacy Policy, for up to five (5) years from the date our contract was signed.

After the applicable retention period ends, your data will be permanently deleted — both through the destruction of physical files and the complete erasure of digital records from all storage locations.

Ακολουθεί η αγγλική μετάφραση της ενότητας 6 (“Other matters concerning your privacy and this Policy”):

6. Other Matters Concerning Your Privacy and This Policy

6.1. Changes to this Privacy Policy

We reserve the right to revise, amend, update, or modify this Privacy Policy at any time.

If we make any material changes regarding how we process your data—particularly if the purposes of processing change, the data controller changes, new recipients are added, or if your data is transferred to a different third country—we will provide you with prior, timely, and appropriate notice so you are informed and can exercise your rights.

6.2. Third-Party Privacy Policies

If you leave our Website or are redirected to a third-party website or application, you are no longer governed by our Privacy Policy.

This may occur, for example, when you click on external hyperlinks placed on our Website that direct you outside our domain.

We are not responsible for the privacy practices of those third-party websites. We strongly encourage you to regularly read their privacy policies and terms of use.

Similarly, we are not liable for the purposes, practices, or general data processing policies of third-party partners who ultimately provide you with the services for which we act as intermediaries.

6.3. Acknowledgement of Notice, Understanding, and Acceptance

By using our Website, submitting a request through it, participating in communications for the discussion, finalization, and submission of a service proposal, and/or entering into and executing a contract with us, you acknowledge that you have read, understood, and expressly accepted to be legally bound by this Privacy Policy and all its parts, including any documents explicitly referenced herein (whether by hyperlink or otherwise).

You agree to the collection and processing of your data by us in accordance with the General Data Protection Regulation (GDPR) and as described herein, and you give your consent where required.

You also declare and warrant that all personal data you submit is true and accurate.

If you do not agree with this Policy, you must refrain from submitting any personal information or data to us and not submit any request through the Website.