Privacy Policy
Introduction
Phi Aegina ("Phi", "we", "us", "our") operates the website at phiaegina.gr. This policy explains what we do — and, more often, what we deliberately do not do — with information when you visit.
We are the data controller for this website. You can reach us about anything in this policy by email at reservations@phiaegina.gr.
Phi Aegina, Agiou Mina, Agia Marina 180 10, Aegina, Greece.
What we collect
We have kept this list short on purpose. In plain terms:
- Server request logs. Our host, Vercel, keeps standard request logs — a truncated IP address, the browser's user agent, the page requested, and the response code. These exist for security and reliability, are retained for no more than 30 days, and are not used to build any profile of you.
- Cookieless analytics. We use Umami to count page views and referrers, and to see when someone clicks through to the booking engine. Umami is cookieless by design and stores no tracking identifier on your device — the numbers are aggregated, never tied to you as an individual.
- One functional cookie. We set a single first-party cookie, NEXT_LOCALE, which remembers whether you chose English or Greek. It is functional, not analytics, and it is described in full in our Cookies Policy.
- No marketing-form data. There is no contact form, no newsletter sign-up, no lead capture. When you book, you leave our site for a third-party booking engine — no booking details are posted back to us.
- AI prompts (v2, forward-looking). A future "Compose Your Stay" feature will let you type a free-text prompt. When it ships, those prompts will be treated as ephemeral: processed to answer you, then discarded — no storage, no logging of personal data, no reuse across visits. This is stated here so the policy is correct in advance.
What we do not collect
To be explicit, we do not:
- collect any data through a marketing-side form (there isn't one);
- track you across other websites;
- run third-party advertising networks or pixels;
- fingerprint your device.
Lawful basis
Under Article 6 of the GDPR:
- Legitimate interest covers our cookieless, aggregated site analytics — understanding which pages are useful, with no impact on you as an individual. Our analytics provider derives its counts from a short-lived server-side hash and discards the IP address used to compute it, so no profile of you is created or retained.
- Performance of a contract covers the booking handoff, which is carried out by a third-party reservation engine under its own privacy policy (linked from the booking listing).
- Consent is not required for cookieless Umami analytics together with a single functional cookie — because no non-essential information is stored on or read from your device for tracking, consistent with guidance from the Hellenic Data Protection Authority and the European Data Protection Board.
Your rights under the GDPR
You have the following rights. For most of them the practical answer in our case is small, because we hold so little:
- Access (Art. 15) — ask us what we hold about you. In almost every case the honest answer is "a truncated server log entry from your visit, due to be deleted within 30 days."
- Rectification (Art. 16) — ask us to correct anything inaccurate.
- Erasure / "right to be forgotten" (Art. 17) — ask us to delete what we hold.
- Restriction (Art. 18) — ask us to pause processing while a question is resolved.
- Portability (Art. 20) — ask for a copy of your data in a portable form.
- Object (Art. 21) — object to processing based on legitimate interest.
- Withdraw consent — wherever we rely on consent, you can withdraw it at any time.
- Lodge a complaint — you can complain to the Hellenic Data Protection Authority (HDPA) at https://www.dpa.gr.
How to exercise your rights
Email reservations@phiaegina.gr from the address you would like us to act on, and tell us what you want done. We respond within 30 days (GDPR Article 12(3)). If you are asking us to erase data, that is the channel — email gives both of us an auditable record.
Three things we will never do
No matter how much easier it would make the marketing:
- We will never publish a partner-operator phone number on this site. If you would like to reach a taverna or a guide we recommend, our reception introduces you on request — that is the only path.
- We will never set an analytics cookie. We use Umami, which is cookieless by design. The only cookie we set is the small one that remembers your language (NEXT_LOCALE). Umami may read one opt-out flag from your browser's storage so you can switch analytics off — that is not a cookie and not an identifier.
- We will never store the free-text prompts you give the v2 Compose Your Stay tool. Each one is processed and forgotten — no logs, no cross-visit memory.
International transfers
Vercel serves this site from EU regions by default, and our analytics run on Umami Cloud's EU region, which keeps the aggregated analytics data within the European Union. Umami is cookieless and stores no directly identifying data — IP addresses are turned into a short-lived hash and then discarded. Umami Cloud is operated by Umami Software, Inc., a United States company, so to the extent any analytics data is ever processed outside the EEA, that transfer is covered by the European Commission's Standard Contractual Clauses, incorporated through Umami's Data Processing Agreement. You can read Umami's privacy notice and its Data Processing Agreement.
Children
This site is not directed at children. We do not knowingly collect data from anyone under 16. If you believe a minor's data is in our logs, email reservations@phiaegina.gr and we will erase it.
Changes to this policy
We may update this policy. When we make a material change, we increase the version number and the effective date shown at the top of this page. The version you are reading is recorded above the body.
Contact
For any question about privacy or your data, email reservations@phiaegina.gr.