The restored neoclassical facade of Avlí & Phós at dusk in Thissio, Athens
Privacy

Privacy Policy

Last updated April 2026

Avlí & Phós (“we”, “us”, “our”) respects your privacy. This policy explains what personal information we collect when you visit avli-phos.com or stay with us, how we use it, who we share it with, and the rights you have under the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and Greek law (Law 4624/2019).

1. Who we are

Avlí & Phós operates a small boutique accommodation at Amfiktyonos 33, Thissio, 11851 Athens, Greece. For any privacy-related question or to exercise your rights, you can reach our data controller at info@avli-phos.com.

2. Information we collect

We only collect what we need:

  • Booking & stay data — name, email, phone, postal address, payment data, ID/passport details (where required by Greek law for guest registration), arrival/departure dates, party composition, room preferences, special requests.
  • Contact form data — anything you submit via the website contact form (name, email, phone, message). Delivered via the Brevo transactional email service.
  • Newsletter data — name and email if you opt in to our newsletter.
  • Browser data — IP address, device type, operating system, browser, pages visited, time spent. Collected via privacy-respecting analytics described below.
  • Cookies — see section 7.

3. Why we process your data

  • To fulfil your booking and stay (Art. 6(1)(b) GDPR — performance of contract).
  • To meet legal obligations, including guest registration with Greek authorities and tax/accounting records (Art. 6(1)(c) GDPR).
  • To answer your enquiries via the contact form (Art. 6(1)(b) GDPR — pre-contractual measures).
  • To send you our newsletter, only with your explicit opt-in consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time via the unsubscribe link.
  • To improve the website via aggregated, non-identifying analytics (Art. 6(1)(f) GDPR — legitimate interest).

4. Who we share data with

We do not sell your data. We share it only with carefully selected service providers, all bound by data-processing agreements:

  • Brevo (Sendinblue SAS, France) — sends transactional and marketing email on our behalf.
  • Google Maps (Google Ireland Ltd.) — renders the embedded map on the location and contact pages.
  • Google Fonts (Google Ireland Ltd.) — serves the typography. Loaded directly from Google’s servers; an IP address is shared.
  • Hosting provider — stores the website and database, located within the EU.
  • Greek authorities — guest registration data is shared as required by law.
  • Booking partners (e.g. Booking.com, where applicable) — only the data needed to fulfil reservations made through them.

5. International transfers

Some of our processors (notably Google) may transfer data outside the European Economic Area. In such cases the transfer is governed by Standard Contractual Clauses approved by the European Commission, supplemented by additional safeguards where needed.

6. How long we keep your data

Data Retention
Booking & stay records 10 years (Greek tax requirement)
Contact form messages 2 years from last contact, then deleted
Newsletter subscription Until you unsubscribe
Web analytics 14 months
Server / security logs 30 days

7. Cookies

This website uses a minimal set of cookies:

  • Strictly necessary cookies — for the site to function (session, language preference, WPML language switcher). No consent required.
  • Functional cookies — remember non-essential preferences (e.g. menu state). Set only with your consent.
  • Analytics cookies — measure aggregate visitor traffic. Set only with your consent. We do not use cookies for advertising.

You can change or withdraw consent at any time using the cookie preferences link in the footer. You can also block cookies entirely via your browser settings; some site features may then not work correctly.

8. Your rights

Under GDPR you can, free of charge:

  • Access — receive a copy of the data we hold about you.
  • Rectify — correct any inaccurate or incomplete data.
  • Erase — request deletion, where retention is no longer required by law.
  • Restrict or object to certain processing.
  • Portability — receive your data in a portable, machine-readable format.
  • Withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, write to info@avli-phos.com. We respond within 30 days. If you are not satisfied with our response, you can complain to the Hellenic Data Protection Authority — www.dpa.gr.

9. Security

We use HTTPS encryption across the site, secure password hashing, and access controls limited to staff who need the data to do their job. Payment data is handled by PCI-DSS-compliant payment processors; we never see or store your full card details on our servers.

10. Children

Our services are not directed at minors. We do not knowingly collect data from anyone under 16 without verifiable parental consent.

11. Updates to this policy

We may revise this policy from time to time. Material changes will be highlighted on this page and, where appropriate, communicated by email. The “Last updated” date at the top reflects the most recent revision.

12. Contact

For any privacy-related question, write to info@avli-phos.com.

This policy is provided as a starting template and should be reviewed by qualified legal counsel before publication on a live site.