Privacy Policy
Last updated: 05/04/2026
1. Introduction
Coastbook (hereinafter "we", "us" or "Platform") is committed to protecting your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Greek Law 4624/2019, and any other applicable data protection legislation.
This Privacy Policy explains in detail what data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what your rights are. It applies to all users of the platform, including business owners (beach bars), customers making bookings, and website visitors.
By using the Coastbook platform, you acknowledge that you have read and understood this policy. If you do not agree with how we process your data, please do not use our services.
2. Data Controller
The data controller of your data is Coastbook, based in Greece. For any matter regarding your personal data, you can contact us:
- Email: privacy@coastbook.gr
- Data Protection Officer (DPO): dpo@coastbook.gr
Our Data Protection Officer is available to answer any questions about how we process your personal data and to assist you in exercising your rights.
3. Data We Collect
We collect various categories of personal data depending on how you interact with our platform:
A. Customer Data (Bookings)
- Full name — for booking identification
- Email address — for sending confirmation, reminders, and updates
- Phone number (optional) — for communication in case of changes
- Booking date and time, selected beachbeds and zone
- Payment amount and payment method (online or on-site)
B. Payment Data
- Card payments are processed exclusively by Stripe, Inc.
- Coastbook does not store card numbers, CVV, or full payment details
- We only store: transaction amount, payment status, Stripe identifier
C. Business Account Data
- Owner name, email, and password (stored only as a bcrypt hash, never in plaintext; see section 8)
- Business name, description, address, phone, website, social media
- Logo and cover photo
- Stripe Connect details for receiving payments
- Geographic coordinates (latitude/longitude) of location
D. Technical Data
- IP address
- Browser type and operating system
- Pages visited and time spent
- Referrer URL
- Cookies and similar technologies (see Cookie Policy)
4. Purpose of Processing
We use your data for the following specific purposes:
- Booking processing: Creating, confirming, modifying, and cancelling beachbed bookings
- Payment processing: Charging via Stripe, issuing receipts, managing refunds
- Communication: Sending booking confirmation emails, pre-date reminders, daily reports to owners, cancellation notifications
- Account management: Creating and maintaining business accounts, authentication, subscription management
- Platform improvement: Usage analysis, bug detection, performance optimization, A/B testing
- Security: Fraud prevention, suspicious activity detection, protection against malicious use
- Legal compliance: Meeting tax obligations, responding to court orders or authority requests
5. Legal Basis for Processing
Each data processing activity is based on one of the following GDPR legal bases:
- Contract performance (Article 6(1)(b)): Processing is necessary to fulfill bookings, payments, and operate business accounts. Without this data, we cannot provide our services.
- Legitimate interest (Article 6(1)(f)): For platform improvement, usage analysis, fraud prevention, and security. We perform a balancing test to ensure our interests do not override your rights.
- Consent (Article 6(1)(a)): For analytics and marketing cookies. You can withdraw your consent at any time through cookie settings or by contacting us.
- Legal obligation (Article 6(1)(c)): For maintaining tax documents and accounting records in accordance with the Greek Tax Procedure Code (Law 4174/2013) and the Code of Books and Records.
6. Data Recipients
Your data may be shared with the following recipients, exclusively for the purposes described above:
- Beach businesses: Owners receive booking details (name, email, phone, booking details) to serve you. Businesses act as independent data controllers for the data they receive.
- Stripe, Inc.: For payment processing. Stripe is based in the USA and is certified under the EU-US Data Privacy Framework (see the Stripe Privacy Policy).
- Cloudflare, Inc.: For CDN (Content Delivery Network), DDoS protection, and object storage (R2) (see the Cloudflare Privacy Policy).
- Mapbox, Inc.: For providing maps and geospatial services (see the Mapbox Privacy Policy).
- Email providers: For sending transactional emails (confirmations, reminders, etc.).
- Google Analytics: For usage analysis, only with your consent (see the Google Privacy Policy).
We do not sell, rent, or exchange your personal data with third parties for their own commercial purposes.
7. Data Retention
We retain your data only for as long as necessary for the purpose for which it was collected:
- Customer booking data: 3 years after the booking date, to handle potential claims or disputes
- Tax documents and receipts: 5 years in accordance with the Greek Tax Procedure Code (Law 4174/2013)
- Business account data: Until account deletion by the user, plus a 30-day grace period
- Technical logs: 90 days
- Analytics data (aggregated): 26 months
After the retention period expires, data is permanently deleted or fully anonymized so it can no longer be associated with you.
8. Data Security
We implement appropriate technical and organizational measures (Article 32 GDPR) to protect your data from unauthorized access, loss, destruction, or alteration:
Technical measures:
- TLS encryption (TLS 1.2 or later) on all connections between your browser and the platform
- Passwords stored only as salted bcrypt hashes; plaintext passwords are never stored and cannot be recovered from the hash
- CSRF protection on all forms
- Automated database backups
- Web Application Firewall (WAF) via Cloudflare
- Card data is entered into and processed by Stripe's PCI DSS-compliant systems, so Coastbook never stores card numbers or CVV
Organizational measures:
- Principle of least privilege: access to personal data is restricted to personnel who need it for their role
- Regular security audits
- Incident response protocol for personal data breaches, including the notification obligations of Articles 33 and 34 GDPR
9. Your Rights
Under the GDPR (Articles 15-22), you have the following rights regarding your personal data:
- Right of access (Article 15): To know if we process your data, receive a copy of it, and information about the processing
- Right to rectification (Article 16): To request correction of inaccurate or completion of incomplete data
- Right to erasure (Article 17): To request deletion of your data under certain conditions
- Right to restriction (Article 18): To request restriction of processing while a dispute is being examined
- Right to data portability (Article 20): To receive your data in a machine-readable format (JSON/CSV)
- Right to object (Article 21): To object to processing based on legitimate interest or for direct marketing
- Right to withdraw consent: To withdraw your consent at any time, without affecting the lawfulness of prior processing
We will respond to your request within one month of receiving it, as required by Article 12(3) GDPR. In complex cases or where we receive many requests, this period may be extended by up to two further months; we will inform you of any such extension, and the reasons for it, within the first month.
For detailed information and instructions about each right, visit the GDPR Rights page.
10. International Data Transfers
Some of our service providers are based outside the European Economic Area (EEA), primarily in the USA. In these cases, we ensure your data is protected through:
- EU-US Data Privacy Framework (DPF): Stripe and Cloudflare are certified under the DPF
- Standard Contractual Clauses (SCCs): Where no adequacy decision exists, we use EU Commission-approved SCCs
You can request a copy of the appropriate safeguards by contacting privacy@coastbook.gr.
11. Cookies
We use cookies and similar technologies for the operation, analysis, and improvement of the platform. Cookies are categorized into necessary, analytics, and marketing. Non-essential cookies are activated only with your explicit consent.
For detailed information about the cookies we use, their purposes, and how to manage them, refer to our Cookie Policy.
12. Children's Privacy
The Coastbook platform is not directed at individuals under 18 years of age. We do not knowingly collect data from minors. Bookings must be made by adults (18+). If we discover that we have collected data from a minor, we will delete it immediately. If you believe a minor has provided us with personal data, please contact privacy@coastbook.gr.
13. Changes to this Policy
We may update this policy from time to time to reflect changes in our practices, legislation, or services. In case of material changes:
- We will publish the updated policy on our website
- We will update the "Last updated" date at the top
- For significant changes, we will notify you via email or a notification on the platform
We encourage you to periodically check this page. Continued use of the platform after publication of changes constitutes acceptance of the updated policy.