Privacy Policy

The entity responsible for the processing of personal data ("Data Controller" under the General Data Protection Regulation — GDPR) is: ΠΑΠΑΚΩΝΣΤΑΝΤΙΝΟΥ ΝΙΚΟΛΑΟΣ ΚΑΙ ΣΙΑ ΕΕ VAT Number: 093598634 Registered office: Paralia Tinou (Tinos Port), Greece Email: info@islandpass.gr For any question regarding the processing of your personal data or to exercise your GDPR rights, please contact us using the details above.

We collect information that you provide directly when using our services: - Personal details: name, email address, phone number. - Booking information: travel dates, passenger details, vehicle information. - Account data: login credentials (Supabase Auth). - Payment information: ferry ticket payments are processed securely by our certified payment provider EveryPay (PCI-DSS compliant). We neither store nor have access to credit/debit card details. For accommodation and vehicle requests, no payment information is requested or stored.

Your information is used to: - Process bookings and requests. - Send confirmations and updates. - Marketing: Send newsletters, provided you have given your explicit consent. - Provide customer support and platform security.

We share your personal information only when necessary: - Ferry companies: for issuing your tickets. - Accommodation hosts & vehicle providers: Your name and contact details are forwarded to the provider to complete the booking entirely and directly with them. - EveryPay (payment processing): To complete ferry ticket payments, the necessary transaction data is forwarded to our payment provider EveryPay, which acts as an independent data controller under its own PCI-DSS standards. We have no access to card details. - Technical Providers: Resend (email), Supabase (database). Data may be transferred outside the EEA under Standard Contractual Clauses (SCCs).

We implement industry-standard security measures to protect your data: - All personal information (names, emails, phone numbers, dates of birth) is encrypted at rest using AES-256-GCM encryption - All data is transmitted over HTTPS/TLS - Access to personal data is restricted to authorized services only - We use rate limiting and CAPTCHA to prevent abuse - Regular security reviews and monitoring are performed

We use essential cookies for site functionality. With your explicit consent ("Accept All"), we also use: - Microsoft Clarity: for improving user experience. - Sentry: for error monitoring. Note: If you choose 'Essential Only', Microsoft Clarity is not activated and no session recording takes place.

We retain your data for the following periods: - Booking records: 5 years (legal requirement for travel agencies in Greece) - User accounts: until you request deletion - Audit logs: 2 years (for security and dispute resolution) - Analytics data: as governed by Microsoft Clarity and Sentry retention policies You can request earlier deletion of your account and personal data at any time.

Under the General Data Protection Regulation (GDPR), you have the right to: - Access: request a copy of your personal data - Rectification: correct inaccurate personal data - Erasure: request deletion of your personal data ("right to be forgotten") - Restriction: limit how we process your data - Portability: receive your data in a structured, machine-readable format - Objection: object to certain types of processing - Withdraw consent: revoke previously given consent at any time To exercise any of these rights, contact us at info@islandpass.gr. We will respond within 30 days.

Our services are not directed at children under 16. We do not knowingly collect personal information from children under 16 without parental consent. Passenger information for minors is collected only as part of a booking made by an adult guardian.

We may update this Privacy Policy from time to time. Changes become effective immediately upon posting. We recommend reviewing this page periodically. For significant changes, we will notify registered users via email.

For privacy-related inquiries, please contact us on our Contact page.