Booking Privacy

Privacy Notice (GDPR)

TDS Travel & Data Service GmbH Müllerstr. 47, 80469 München, Germany VAT/Tax No.: 129475583 Contact: info@tdsreisen.de

This Privacy Notice explains how we collect and use personal data when you make a booking, use our website, or communicate with us.

1. Controller

TDS Travel & Data Service GmbH Müllerstr. 47, 80469 München Email: info@tdsreisen.de

The company is responsible for the processing of personal data described in this notice.

2. Purposes and Legal Bases

Your data is processed only when necessary and only for clearly defined purposes:

a) Booking and Contract Management — Art. 6(1)(b) GDPR To register reservations, issue confirmations, update or cancel bookings, and manage vouchers.

b) Payments — Art. 6(1)(b) and 6(1)(f) GDPR Payments are handled through Stripe. We receive payment status information but do not store or access full credit card numbers, expiry dates, or CVV codes. Stripe ensures PCI DSS compliance.

Data is also processed to prevent fraud and manage chargebacks.

c) Legal Obligations — Art. 6(1)(c) GDPR Compliance with tax, accounting, and consumer protection requirements.

d) Legitimate Interests — Art. 6(1)(f) GDPR Maintaining IT security, server and error logs, fraud protection, and internal administrative records.

e) Marketing — Art. 6(1)(a) GDPR Used only with your explicit opt-in. Without consent, we send only operational or service-related messages.

3. Categories of Data We Process

  1. Identification and contact details: name, email, phone, address, country.
  2. Booking information: property, dates, number of guests, selected extras, rate plan, changes or cancellations.
  3. Payment-related information: payment status from Stripe; no full card data stored on our systems.
  4. Technical data: IP address, browser information, referrer, session identifiers, access logs for bookings and vouchers.

4. Data Sources

  1. Information you enter during booking or voucher access.
  2. Payment status details from Stripe.
  3. Booking data exchanged with WebHotelier (reserve-online.net / Hotelier.io) when required for availability or reservation delivery.

5. Recipients of Personal Data

Personal data may be shared with:

  1. Stripe Payments Europe Ltd. (payment processing)
  2. WebHotelier / Hotelier.io (availability and reservation connectivity)
  3. Accommodation partners (to fulfil your stay)
  4. Email and hosting providers (transactional messages and system operation)

All recipients process data strictly according to contractual instructions.

6. International Data Transfers

Some service providers (e.g., Stripe) may store or process data outside the EEA.

Such transfers are protected by EU Standard Contractual Clauses or comparable safeguards ensuring a GDPR-level of protection.

7. Retention

  1. Booking and financial records: 6–10 years under tax and accounting laws.
  2. Technical and audit logs: up to 12 months, longer when required for security or disputes.
  3. Communications: retained according to statutory obligations.

Data that is no longer needed is securely deleted or anonymized.

8. Your Rights

You have the right to:

  1. access your data
  2. request correction or deletion
  3. restrict or object to processing
  4. receive your data in a portable format
  5. withdraw consent at any time

You may lodge a complaint with your national Data Protection Authority.

Greek DPA: https://www.dpa.gr

To exercise your rights: info@followmetogreece.com

We may confirm your identity before processing your request.

9. Automated Decision-Making

We do not use automated processes that produce legal or comparable effects.

Fraud screening tools may be applied as part of payment security.

10. Cookies

We use cookies strictly required for:

  1. processing bookings
  2. maintaining secure sessions
  3. enabling payments and voucher access

Analytics or marketing cookies are used only if you approve them in the cookie banner.

11. Security Measures

  1. TLS encryption across all pages and services
  2. Restricted internal access based on role
  3. Use of PCI DSS–compliant payment processors (Stripe)
  4. Credit card numbers and CVV are never stored on our website or servers

12. Children

Services are intended for adults aged 18+.

If we learn that data relating to a minor has been collected unintentionally, we will remove it unless a legal obligation requires retention.

13. Updates to This Privacy Notice

We may update this notice to reflect legal or operational changes.

Important revisions will be highlighted on the website.