Privacy Policy
Last updated: March 2026
1. Who We Are
Cruise2Greece ("we", "us", "our") operates the website cruise2greece.com. We act as an authorized booking agent for Celestyal Cruises, helping travelers discover and book Mediterranean cruise holidays departing from Greece.
We are committed to protecting your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Greek data protection law (Law 4624/2019).
2. Data We Collect
a) Data you provide directly:
- Booking data: Full name, title, gender, date of birth, nationality, passport number, email address, phone number — required to process your cruise booking with Celestyal Cruises
- Payment data: We do not store credit card details. Payments are processed securely by PayPal. We store only the transaction reference and amount.
- Booking lookup: Reservation ID and email address — used to retrieve your booking details
- Newsletter: Email address — to send you cruise deals and travel tips
- Contact form: Name, email, phone, message — to respond to your inquiry
b) Data collected automatically:
- IP address and approximate location
- Browser type, device type, and operating system
- Pages visited, time on site, and referring URL
- Cookie preferences (stored locally in your browser)
3. Why We Process Your Data
| Purpose | Legal Basis |
|---|---|
| Process your cruise booking | Contract performance |
| Process payments via PayPal | Contract performance |
| Send booking confirmations & invoices | Contract performance |
| Respond to contact inquiries | Legitimate interest |
| Send newsletter & promotional offers | Consent (opt-in) |
| Analytics & site improvement | Consent (cookie banner) |
| Fraud prevention & security | Legitimate interest |
| Comply with maritime passenger regulations | Legal obligation |
4. Who We Share Your Data With
- Celestyal Cruises: Passenger details to fulfill your cruise booking (name, DOB, nationality, passport). Celestyal's own privacy policy applies once data is transferred.
- PayPal: Payment processing. We never see or store your payment card details.
- Email service provider: To send booking confirmations and newsletters.
- Hosting infrastructure: Our servers process your data to operate the website.
We never sell, rent, or trade your personal data to third parties for marketing purposes.
5. Cookies
We use the following types of cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| c2g-cookie-consent | Essential | Stores your cookie preference | Persistent |
| _ga, _gid | Analytics | Google Analytics — site usage statistics | Up to 2 years |
Analytics cookies are only set if you click "Accept All" on our cookie banner. You can change your preference at any time via the "Cookie Settings" link in our footer.
6. Data Retention
- Booking data: 5 years after the voyage date (tax and legal requirements)
- Payment records: 7 years (Greek tax law)
- Newsletter subscribers: Until you unsubscribe
- Contact inquiries: 1 year after resolution
- Analytics data: 26 months (Google Analytics default)
- Cookie preferences: Until you clear your browser data
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access: Request a copy of all personal data we hold about you
- Right to rectification: Correct any inaccurate or incomplete information
- Right to erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention requirements
- Right to restrict processing: Limit how we use your data
- Right to data portability: Receive your data in a machine-readable format
- Right to object: Object to processing based on legitimate interest or direct marketing
- Right to withdraw consent: Withdraw consent at any time (e.g., newsletter, cookies)
To exercise any of these rights, email us at [email protected]. We will respond within 30 days as required by GDPR.
8. International Transfers
Your data is primarily processed within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., PayPal's US servers), it is protected by appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data transmitted via HTTPS (TLS encryption)
- Passwords hashed using bcrypt with salt
- Rate limiting to prevent brute-force attacks
- Role-based access controls for internal systems
- Security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
- Regular security reviews and dependency updates
10. Children's Privacy
Our booking service requires at least one guest to be 18 years or older. We collect children's data (name, date of birth, nationality, passport) only as required for cruise passenger registration, with the consent of a parent or legal guardian who completes the booking.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For significant changes, we will notify registered users by email.
12. Contact & Complaints
For any privacy-related questions or to exercise your rights:
If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):
Hellenic Data Protection Authority
Kifisias 1-3, 115 23 Athens, Greece
Phone: +30 210 6475 600
Website: www.dpa.gr
Email: [email protected]