Skip to main contentSkip to navigation
Skip to main content

Privacy Policy

Last updated: May 2026

Protecting your Personal Data is a priority for us. TRAVELnDO processes your Personal Data exclusively in accordance with the EU General Data Protection Regulation ("GDPR") and applicable Greek data protection legislation. This Privacy Policy explains how we collect, use, and safeguard your Personal Data when you use TRAVELnDO services, including our website, booking platform, and communication channels. It also informs you of your rights and how to exercise them.

This Privacy Policy is drafted in English. In the event of any inconsistency between an English and a translated version, the English version shall prevail.

I. Definitions

"Activity/Experience"

Experiences, tours, events, or other services offered by independent Activity Providers through the TRAVELnDO Platform.

"Activity Provider"

A third-party business offering Activities listed on the TRAVELnDO Platform.

"GDPR"

Regulation (EU) 2016/679 on the protection of natural persons regarding the processing of Personal Data.

"Personal Data"

Any information relating to an identified or identifiable natural person.

"TRAVELnDO Platform"

The website and booking platform operated by TRAVELnDO, accessible via www.travelndo.com and related domains.

II. Controller and Contact

The Controller responsible for processing Personal Data when you access or use TRAVELnDO services is:

TRAVELnDO G.P. (TRAVELnDO Ο.Ε.)

  • GEMI Number: 181487527000
  • EUID: ELGEMI.181487527000
  • Tax ID (ΑΦΜ): 802717844
  • Registered Office: Olympias 2, 71409 Heraklion, Crete, Greece
  • Phone: +30 6974097717
  • Email: [email protected]

Please note: Activity Providers act as independent data controllers when processing Personal Data necessary to deliver their Activities. Their own privacy policies apply.

III. Data Processing Activities

1. Automated Data Collection

When you visit the TRAVELnDO Platform, we automatically collect:

  • IP address
  • Date and time of access
  • Device information (browser, OS, device type)
  • Referrer URL
  • Pages visited and interactions
  • Error logs

This processing is necessary to ensure platform security, stability, and fraud prevention (Art. 6(1)(f) GDPR).

The TnD Platform is hosted by Vercel Inc. with application logic running on Vercel's European serverless infrastructure where possible. Application data (your account, bookings, reviews, messages, and uploaded files) is stored in Supabase's European Union database (AWS eu-west-1, Ireland). Uploaded media (photos and documents) is additionally distributed via Cloudflare R2 (global edge cache). See Section 7c for details.

2. Data Collected When You Make a Booking

When you book an Activity, we collect:

  • First name
  • Last name
  • Email address
  • Phone number
  • Booking details (activity, date, participants)

This processing is necessary to perform the contract (Art. 6(1)(b) GDPR).

We share only the necessary booking information with the relevant Activity Provider so they can deliver your Activity.

TRAVELnDO services are not intended for individuals under 16. We do not knowingly collect Personal Data from children.

3. Customer Accounts & Login

Creating an account is optional.

If you register via email, we collect:

  • Full name
  • Email address
  • Password

If you log in through Google, we receive:

  • Name
  • Email address
  • Profile photo (if provided by the third party)
  • Authentication token

Processing basis: Performance of contract (Art. 6(1)(b)).

4. Customer Service

Customer support tickets are stored in our own application database (Supabase, see Section 7c). We additionally use Brevo for the email delivery layer (notifications, confirmations) and as our customer-relationship-management (CRM) tool. Brevo processes:

  • Name
  • Email address
  • Booking information
  • Any data voluntarily shared in the conversation

Legal basis: TRAVELnDO's legitimate interest in assisting users (Art. 6(1)(f)).

5. Email Communication & Newsletters (Brevo)

If you subscribe to our newsletter, we process:

  • Email address
  • Interaction data (e.g., opens, clicks)

Legal basis: Consent (Art. 6(1)(a)).

If you have booked an Activity, we may send you service-related emails (confirmations, reminders, updates) based on contractual necessity (Art. 6(1)(b)).

Brevo may process Personal Data in the EU or other jurisdictions using approved GDPR safeguards.

You may withdraw consent at any time.

We may send marketing emails to customers only where permitted under the "soft opt-in" rule of Greek ePrivacy law, and only for similar products or services. You may opt out at any time.

6. Payments (Stripe & PayPal)

We offer payments via:

  • Stripe
  • PayPal

When processing payments, we do not receive or store full payment card details.

Stripe and PayPal act as independent controllers for payment processing. More information is available in their respective privacy policies.

We only receive confirmation of successful or failed payments and partial card details (masked).

Legal basis: Performance of contract (Art. 6(1)(b)).

Activity Providers act as independent controllers for all processing necessary to deliver their Activities. TRAVELnDO and payment providers (Stripe, PayPal) act as separate controllers for their respective processing activities.

7. Analytics (Google Analytics)

We use:

  • Google Analytics for aggregated traffic analytics

Depending on your consent preferences, these tools may process:

  • IP address
  • Device information
  • User interactions
  • Events on the platform

Legal basis: Consent (Art. 6(1)(a)) for non-essential analytics.

Users can manage preferences via our cookie consent banner (powered by CookieYes), which allows granular category-level consent.

7b. Error Tracking & Performance Monitoring (Sentry)

We use Sentry (Functional Software, Inc., U.S.-headquartered, with data hosted in the EU — Frankfurt, Germany) to capture application errors and monitor platform performance. When an error occurs in your browser or on our servers, Sentry processes:

  • Error message and stack trace
  • Browser, operating system, and device information
  • Page URL where the error occurred
  • IP address at the network layer (not displayed in error reports)
  • For authenticated users: account email address and user identifier (used by our team to triage issues and, where appropriate, contact you about a booking)
  • For up to 5% of page visits: anonymous performance timing data (page load, API latency)
  • For sessions where a browser error fires: a recording of the last ~30 seconds of activity (form fields are masked; only page text and clicks are visible). Recordings are limited to ~50 per month and only triggered by errors.

Legal basis: Legitimate interest in maintaining a stable, secure, and performant platform, and in resolving user-reported issues quickly (Art. 6(1)(f) GDPR).

Data residency: All Sentry processing occurs in the EU region (Frankfurt, Germany). Cross-border safeguards (Standard Contractual Clauses and the EU–U.S. Data Privacy Framework) apply where Sentry, Inc. accesses data outside the EEA, in accordance with Articles 44–49 GDPR.

Retention: Error events and session replays are retained by Sentry as configured in our organisation settings (currently up to 90 days for session replays; shorter for error events depending on plan). We do not extend Sentry's defaults.

Sentry's privacy policy is available at sentry.io/privacy; Sentry's Data Processing Addendum is available at sentry.io/legal/dpa.

7c. Hosting & Data Storage Infrastructure

To deliver the TnD Platform we use the following infrastructure providers:

  • Vercel Inc. — application hosting (web servers, serverless functions). Vercel processes every page request and may temporarily log request metadata (URL, response status, latency) for operational purposes. Cross-border safeguards: Standard Contractual Clauses and the EU–U.S. Data Privacy Framework.
  • Supabase Inc. — primary application database (PostgreSQL hosted in the EU on AWS eu-west-1, Ireland), authentication, and file storage. All account data, bookings, reviews, messages, and uploaded files are stored on Supabase. Cross-border safeguards: Standard Contractual Clauses and the EU–U.S. Data Privacy Framework.
  • Cloudflare, Inc. (R2 object storage and Stream video hosting) — distributes uploaded photos, host documents, and videos via Cloudflare's global edge network. Cross-border safeguards: Standard Contractual Clauses and the EU–U.S. Data Privacy Framework.

Legal basis: Performance of contract (Art. 6(1)(b) GDPR) for serving the platform you are using.

8. International Data Transfers

Some of our service providers may process Personal Data outside the European Economic Area (EEA). Where such transfers occur, TRAVELnDO ensures an adequate level of protection in accordance with Articles 44 - 49 GDPR, including the use of Standard Contractual Clauses (SCCs), the EU–U.S. Data Privacy Framework (where applicable), or other valid transfer mechanisms.

9. Cookies & Tracking Technologies

We use:

Strictly Necessary Cookies

Required for website functionality, including authentication and session management (Art. 6(1)(b)) — cannot be disabled.

Analytics Cookies

Google Analytics — only with consent.

Marketing Cookies

Meta Pixel, Google Analytics 4 (GA4) conversion tracking, Google remarketing. When you interact with the booking funnel, we send hashed (SHA256) versions of your email and phone number to these platforms for ad performance measurement (Google Enhanced Conversions, Meta Advanced Matching). GA4 and Meta Pixel tags fire only after you grant consent through our cookie banner — Google Consent Mode v2 enforces this gate.

Functional Cookies

Google Maps — used to display interactive maps for experience locations. Google may collect data as described in their privacy policy.

Marketing cookies allow us to measure campaign performance and deliver personalised ads. Recipients may include Meta Platforms Ireland and Google Ireland, which may act as joint controllers for certain processing activities. See their respective privacy notices for further details.

Users may withdraw consent at any time.

Your cookie preferences are managed through our cookie consent banner (powered by CookieYes), which appears when you first visit our website. You can accept or reject non-essential cookies by category, and your preference is saved. Non-essential cookies are only activated after consent is given. For more details, see our Cookie Policy.

10. Sharing of Data

We share Personal Data only when necessary:

  • With Activity Providers for delivering Activities
  • With secure service providers (processors), such as:
  • Vercel Inc. (application hosting)
  • Supabase Inc. (database, authentication, file storage — EU region)
  • Cloudflare, Inc. (file/image/video CDN — R2 and Stream)
  • Brevo (email & CRM)
  • Stripe & PayPal (payments)
  • Google Ireland Ltd. (Google Analytics 4, Google Tag Manager, Google Maps Platform, Google OAuth)
  • Meta Platforms Ireland Ltd. (Meta Pixel, Conversions API for marketing measurement)
  • Sentry (Functional Software, Inc.) — error tracking and performance monitoring (EU region; see Section 7b)
  • CookieYes Ltd. (cookie consent management)

We ensure all processors comply with GDPR (Art. 28 GDPR).

We may disclose data if legally required (Art. 6(1)(c)) or to establish/exercise legal claims (Art. 6(1)(f)).

We do not sell Personal Data.

Data Retention

We retain Personal Data only as long as necessary:

  • Booking data: kept for legal/financial compliance periods
  • Account data: until account deletion
  • Newsletter data: until you withdraw consent
  • Analytics data: as per tool retention settings (e.g., GA default periods)

Backup copies may be retained where required for legal claims.

  • Booking records: retained for 10 years in accordance with Greek tax legislation.
  • Customer support data: retained for 3 years after resolution.
  • User accounts: retained until deletion and anonymised within 30 days thereafter.
  • Newsletter data: retained until consent withdrawal.
  • Analytics data: retained according to tool settings (e.g., Google Analytics 14 months unless otherwise specified).

IV. Your Rights Under GDPR

You may exercise any of the following rights:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restrict processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right to withdraw consent (Art. 7(3))

Data Export (Art. 20)

If you have an account, you can download a copy of your personal data directly from your profile settings. The export includes your profile information, booking history, reviews, and messages in a portable JSON format.

Account Deletion (Art. 17)

You can delete your account from your profile settings. When you delete your account, your personal data is removed and any past bookings or reviews are anonymized to protect your privacy while maintaining necessary records for legal compliance.

To exercise other rights, contact us at: [email protected]

You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA).

V. Automated Decision-Making

TRAVELnDO does not use automated decision-making or profiling that produces legal or significant effects on users.

VI. Changes to this Privacy Policy

We may update this Privacy Policy to reflect legal, technical, or business developments. The most recent version will always be available on our website.

Security Measures

We implement appropriate technical and organisational measures such as encryption in transit, access controls, secure backups, and pseudonymisation where appropriate.