Last updated: 10/6/2026
1. Introduction
This Privacy and Cookie Policy explains how Chrysopigi Single Member SA with its registered office at Vouliagmenis Avenue 82, Glyfada 16675, Greece, VAT number 800981936, company registration number 146255101000 (the “Hotel,” “we,” “us,” or “our”), collects and processes personal data when you:
- visit our website at stayatnos.com (the “Site”);
- make a booking with us directly or through a third-party channel;
- stay at the Hotel or use our facilities;
- communicate with us by email, telephone, or via our social media accounts.
The Hotel is the data controller for the personal data described in this Policy, within the meaning of Regulation (EU) 2016/679 (“GDPR”) and Greek Law 4624/2019.
Contact for data protection matters:
- Email: legal@aeternal.com
- Postal address: Vouliagmenis Ave. 82, Glyfada, 16675, Athens, Greece.
2. What we mean by “personal data”
“Personal data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
3. Categories of personal data we collect
3.1 Booking and reservation data
When you make a reservation (directly with us, through our website booking engine, or via a third-party online travel agent), we receive:
- your full name, postal address, email address, and telephone number;
- nationality and country of residence;
- arrival and departure dates, room type, number and ages of guests, special requests (e.g. dietary preferences, accessibility needs);
- booking reference and the channel through which the booking was made;
- guest preferences and history of previous stays.
3.2 Identification data required by Greek law
Greek law (in particular Law 1652/1986, Presidential Decree 43/2002, and related police and tourism regulations) requires hotels to record identification details for every guest and to report certain data to the competent Greek authorities (Hellenic Police / Tourism authorities). On check-in we therefore record:
- full name, date of birth, nationality;
- type and number of ID document (national ID card or passport);
- date of arrival and departure.
3.3 Payment data
When you make a payment, our payment processor Room Pay collects your card or payment account details directly. We do not store full card numbers on our systems. We retain only a transaction reference and a masked card identifier (e.g. last four digits and card brand) for accounting and dispute-handling purposes.
3.4 On-site and stay-related data
- folio data (charges to your room, restaurant, spa, etc.);
- guest correspondence and feedback;
- records of incidents on the premises, where relevant.
3.5 CCTV footage
Closed-circuit television cameras operate in clearly signposted public and access areas of the Hotel (reception, bar and warehouse). Cameras are not installed in guest rooms, bathrooms, changing rooms, or staff rest areas. CCTV processing is carried out in line with the Hellenic Data Protection Authority’s guidance (in particular Directive 1/2011) — see Section 7 for details.
3.6 Technical and website-usage data
When you visit the Site we automatically collect, via cookies and similar technologies (see Section 9):
- IP address and approximate location derived from it;
- device identifier, browser type and version, operating system;
- referring URL, pages viewed, time on page, clicks, and exit URL;
- preferences expressed in our cookie banner.
3.7 Sources
Most personal data is collected directly from you. We also receive:
- booking and guest data from online travel agents (e.g. Booking.com, Expedia, Hotelbeds) when you book through them;
- booking-engine data from our channel manager / property management system (Webhotelier);
- analytics and advertising data from Google and Meta when you interact with our content on those platforms or visit the Site with the corresponding cookies enabled.
4. Purposes of processing and legal bases
We process your personal data only where we have a lawful basis under Article 6 GDPR (and, for special-category data, Article 9). Our purposes and bases are:
| Purpose | Categories of data | Legal basis |
| Taking and managing your reservation, communicating with you before, during, and after your stay | Booking data, contact data, ID data on check-in | Performance of a contract (Art. 6(1)(b)) |
| Recording and reporting guest identification to the Greek Police / Tourism authorities | ID data (3.2) | Legal obligation (Art. 6(1)(c)) under Greek hospitality and immigration law |
| Processing payments, handling chargebacks and refunds | Payment data, booking data | Performance of a contract (Art. 6(1)(b)); legal obligation for tax/accounting (Art. 6(1)(c)) |
| Issuing invoices and keeping accounting records | Booking, payment, identity data | Legal obligation (Art. 6(1)(c)) under Greek tax law (Law 4308/2014 and Code of Tax Procedure) |
| Operating CCTV for security of guests, staff, and property | CCTV images | Legitimate interests (Art. 6(1)(f)) — see Section 7 |
| Operating, securing, and improving the Site (essential cookies, fraud prevention) | Technical data | Legitimate interests (Art. 6(1)(f)) |
| Analytics and advertising via Google Analytics, Google Ads, and Meta Pixel | Online identifiers, browsing data | Your consent (Art. 6(1)(a) GDPR; Art. 4(5) Greek Law 3471/2006 implementing the ePrivacy Directive) |
| Responding to enquiries and complaints | Contact and correspondence data | Performance of a contract or pre-contractual steps (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) |
| Establishing, exercising, or defending legal claims | All categories as relevant | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have carried out a balancing test and concluded that those interests are not overridden by your rights. You may request information about that assessment using the contact details in Section 1.
We do not carry out automated decision-making producing legal or similarly significant effects within the meaning of Article 22 GDPR.
5. Special-category data
We do not actively seek special-category data (health, religious beliefs, etc.). However, you may voluntarily disclose information such as dietary requirements, accessibility needs, or allergies in order to receive an appropriate service. Where you do so, we process that data on the basis of your explicit consent (Art. 9(2)(a) GDPR), and only to meet the specific request. You may withdraw consent at any time.
6. Recipients of your personal data
We share personal data only where necessary, and only with categories of recipients listed below. Service providers act as processors under written agreements that comply with Article 28 GDPR.
- Property Management System / channel manager: Webhotelier — hosts booking and guest data on our behalf.
- Online travel agents (OTAs):com, Expedia, Hotel Beds— when you book through them, they share booking data with us under their own privacy policies, as independent controllers for their own platforms.
- Payment processor: Room Pay— independent controller / joint processor for payment authorisation and PCI-DSS compliance.
- Analytics and advertising providers: Google Ireland Limited (Google Analytics, Google Ads) and Meta Platforms Ireland Limited (Meta Pixel / Facebook & Instagram Ads), where you have consented (see Section 9).
- Email, IT, and hosting providers supporting our website, reservations system, and internal communications.
- Professional advisers: accountants, auditors, and lawyers, bound by confidentiality.
- Hellenic Police, Greek Tourism Organisation, and other public authorities, where required by law (Section 4 above).
- Acquirers, successors, or merger counterparties: in the event of a corporate restructuring, sale, or transfer of assets, subject to confidentiality.
We do not sell your personal data.
7. CCTV
- Controller: the Hotel.
- Purpose: to protect persons and property at the Hotel against theft, vandalism, and unlawful conduct.
- Legal basis: legitimate interests (Art. 6(1)(f) GDPR), in line with HDPA Directive 1/2011.
- Coverage: entrance, reception, bar, warehouse. Cameras are visibly signposted before entry to monitored areas. There are no cameras in private areas (rooms, bathrooms, changing rooms, staff rest areas).
- Recording: images are recorded; no audio is recorded.
- Access: footage is accessible only to authorised security personnel and management.
- Retention: footage is automatically overwritten after 15 days, unless retained longer to investigate a specific incident or to pursue or defend a legal claim, in which case it is retained only for as long as necessary for that purpose.
- Your rights: you may request access to footage in which you appear, or its erasure or restriction, by contacting us at gm@stayatnos.com. To help us locate the relevant footage, please provide the date, approximate time, and location, and a description of yourself or a photograph.
8. International transfers
Some of our service providers — in particular Google, Meta, and certain hosting and email providers — are based in, or transfer data to, countries outside the European Economic Area, including the United States.
Where we transfer personal data outside the EEA, we ensure an appropriate level of protection by relying on one or more of the following safeguards under Chapter V GDPR:
- the European Commission’s adequacy decisions (Art. 45), including the EU-US Data Privacy Framework for transfers to certified US recipients;
- Standard Contractual Clauses (Art. 46(2)(c)), together with any supplementary technical and organisational measures identified following a transfer impact assessment;
- the limited derogations in Article 49 where strictly applicable.
You may request a copy of the safeguards we use for a specific transfer by emailing us legal@aeternal.com.
9. Cookies and similar technologies
9.1 What cookies are
Cookies are small text files placed on your device when you visit a website. They may contain identifiers and information about your use of the Site. Cookie identifiers and similar online identifiers can constitute personal data under the GDPR.
9.2 Categories of cookies on the Site
- Strictly necessary cookies — required for the Site, the booking engine, and the cookie banner itself to function. These do not require your consent (Art. 4(5) Law 3471/2006).
- Performance / analytics cookies — Google Analytics, used to understand audience size and behaviour. Set only with your prior consent.
- Advertising / marketing cookies — Google Ads and Meta Pixel, used to measure campaign performance and to show you relevant ads on Google, Facebook, and Instagram. Set only with your prior consent. These cookies may involve creating audience segments and matching identifiers with Google and Meta; both companies act as independent or joint controllers for that processing under their own terms.
9.3 Cookie consent
When you first visit the Site, our consent banner allows you to accept, reject, or selectively allow non-essential cookies. No non-essential cookies are placed before you give consent. You can change your choices at any time using the cookie preferences control: https://consent.cookiebot.com/uc.js
9.4 Provider-specific information
- Google Analytics / Google Ads: provider Google Ireland Limited; transfers to the US under the EU-US Data Privacy Framework and Standard Contractual Clauses; user-level retention is set to 12 months in our GA configuration. Privacy policy: https://policies.google.com/privacy. Opt-out: decline analytics cookies in our banner, or install https://tools.google.com/dlpage/gaoptout.
- Meta Pixel: provider Meta Platforms Ireland Limited; transfers to the US under the EU-US Data Privacy Framework and Standard Contractual Clauses; Meta and the Hotel are joint controllers for the Pixel-based collection on the Site under Meta’s Controller Addendum. Privacy policy: https://www.facebook.com/privacy/policy. You can manage your Meta ad preferences at https://www.facebook.com/adpreferences.
You can also manage cookies through your browser settings; disabling strictly necessary cookies may prevent the Site (and the booking engine) from functioning.
10. How long we keep your personal data
We retain personal data only for as long as necessary for the purposes for which it was collected and to meet legal obligations.
| Category | Retention period |
| Reservation / booking records and correspondence | Duration of the booking + 5 years thereafter (limitation period for contractual claims under Greek law) |
| Identification data reported to the Hellenic Police | As required by the applicable Greek police/tourism regulations, and otherwise deleted promptly after the legal obligation is satisfied |
| Tax and accounting records (invoices, payment records) | As long as required by Greek tax law — currently a minimum of 5 years from the end of the fiscal year, extended where audits or disputes require |
| CCTV footage | 15 days, unless retained for a specific incident (Section 7) |
| Website analytics (Google Analytics) | Up to 24 months at user level; aggregated reports retained longer |
| Cookie consent records | 6–12 months, as required to demonstrate consent |
| Enquiries that do not result in a booking | 24 months from last contact |
| Data needed to establish, exercise, or defend legal claims | Until expiry of the relevant limitation period under Greek law |
After the applicable period, personal data is securely deleted or irreversibly anonymised.
11. Your rights
Subject to the conditions and exceptions in the GDPR, you have the right to:
- access the personal data we hold about you (Art. 15);
- request rectification of inaccurate or incomplete data (Art. 16);
- request erasure of your personal data (Art. 17);
- request restriction of processing (Art. 18);
- data portability — receive your data in a structured, commonly used, machine-readable format (Art. 20);
- object to processing based on our legitimate interests (Art. 21(1));
- withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing before withdrawal (Art. 7(3));
- not be subject to a decision based solely on automated processing producing legal or similarly significant effects (Art. 22).
To exercise any of these rights, contact us at legal@aeternal.com. We will respond within one month of receipt, extendable by a further two months for complex requests (Art. 12(3) GDPR). We may need to verify your identity before responding.
Right to lodge a complaint
You also have the right to lodge a complaint with a data protection supervisory authority — in particular in your country of residence, place of work, or place of the alleged infringement. The competent supervisory authority for the Hotel is the:
Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα)
- Kifissias 1-3, 11523 Athens, Greece
- Tel: +30 210 6475600
- Email: complaints@dpa.gr
- Website: www.dpa.gr
12. Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include access controls, encryption in transit, secure hosting, staff confidentiality obligations, and incident-response procedures. No system can be guaranteed completely secure; we will notify you and the HDPA of any personal-data breach where required by Articles 33–34 GDPR.
13. Children
The Site is not directed at children. Accommodation bookings for our adult-only hotel must be made by adults. Our restaurant is open to families and welcomes children. Where children are included in a booking or reservation, any personal data relating to them is provided to us by the adult making the booking or reservation.
14. Changes to this Policy
We may update this Policy from time to time. The “Last updated” date at the top will indicate when changes were made. Where the changes are material, we will provide a more prominent notice and, where required by law, obtain renewed consent.
15. How to contact us
- Hotel: Chrysopigi Single Member SA
- Address: Vouliagmenis Ave. 82, Glyfada 16675, Athens, Greece
- Email: welcome@stayatnos.com
- Telephone: +30 22840 28957, +30 2108944650

