1. Who we are (the data controller)
The website estiagreekhome.online ("the Website") and the Estia service ("the Service") are operated by:
- Trading name: Estia
- Founder & data controller: Dimosthenis Chrysanthopoulos
- Registered address: [to be added — your registered business address in Greece]
- Greek Tax ID (ΑΦΜ): [to be added]
- Greek General Commercial Registry (ΓΕΜΗ): [to be added]
- Email: [email protected]
For all data-protection matters, contact us at the email address above with "Data Protection" in the subject line.
2. What data we collect
2.1 Data you provide directly
When you contact us, request information, or become a member, we collect:
- Identification data: full name, email address, phone number
- Property information: address of the Greek property concerned, ownership status, property characteristics
- Service preferences: service tier requested, special requirements
- Correspondence: the content of messages you send us by email, form, or chat
- For members specifically: billing information (handled by our payment processor — we never store full card numbers), preferred communication channels, emergency contact information
2.2 Data collected automatically
When you visit the Website:
- Technical data: IP address, browser type, device type, operating system, referrer URL
- Usage data: pages visited, time spent on each page, navigation paths
- Cookies and similar technologies: see our Cookie Policy for full details
2.3 Data we do NOT collect
We do not collect or process:
- Sensitive personal data (race, ethnicity, political opinions, religious beliefs, health data, sexual orientation) unless you voluntarily provide it as relevant to a service request
- Financial account numbers, credit card details, or other payment instrument data — these are handled exclusively by our payment processor
- Data from minors under 16 — the Service is not directed at minors
3. Why we collect your data (legal basis)
Under Article 6 of GDPR, we process your personal data on the following legal bases:
- Contract (Art. 6(1)(b)): to provide the Service to members; to respond to your enquiries about the Service
- Legitimate interests (Art. 6(1)(f)): to operate and improve the Website; to communicate with prospective customers; to protect against fraud and abuse
- Consent (Art. 6(1)(a)): for marketing communications (newsletter, marketing emails); for non-essential cookies
- Legal obligation (Art. 6(1)(c)): for accounting, tax, and other regulatory requirements under Greek law
4. Who we share data with (recipients)
We do not sell personal data. We share it only with:
- Service providers acting on our behalf ("processors" under GDPR):
  - Cloudflare, Inc. — website hosting and CDN (data may transit EU/US under Standard Contractual Clauses)
  - Google LLC — Google Fonts (loaded from Google's CDN when you view our pages)
  - Email provider — for transactional and customer communication (subject to Data Processing Agreement)
  - Payment processor — for member billing (subject to Data Processing Agreement; we never store card details)
  - Analytics provider — for understanding Website usage (only if you consent to analytics cookies)
- Greek professionals working on your behalf at your request — e.g. your Greek lawyer, accountant, building manager, contractors — only where you have authorised us to do so for the provision of the Service
- Competent authorities when required by law (court order, regulatory request)
All processors are contractually bound to process your data only on our documented instructions and to apply appropriate security measures.
5. International data transfers
Some of our processors are based outside the European Economic Area (EEA), primarily in the United States. Where this occurs, transfers are protected by:
- The European Commission's Standard Contractual Clauses (2021 version), and/or
- The processor's adherence to the EU-US Data Privacy Framework where applicable
6. How long we keep your data
We retain personal data only for as long as necessary for the purposes set out above:
- Prospective customer enquiries: 24 months from last contact, unless you become a member
- Member records: for the duration of membership plus 7 years (Greek accounting and tax requirements)
- Website analytics: aggregated data retained for up to 26 months
- Marketing consent records: until you withdraw consent or 3 years from last engagement
7. Your rights under GDPR
As a data subject under EU GDPR, you have the following rights:
- Right of access (Art. 15): request a copy of the personal data we hold about you
- Right to rectification (Art. 16): correct any inaccurate personal data
- Right to erasure (Art. 17): request deletion of your personal data, subject to legal retention obligations
- Right to restriction (Art. 18): request that we limit how we use your data
- Right to data portability (Art. 20): receive your data in a portable, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests, including direct marketing
- Right to withdraw consent at any time where processing is based on consent
- Right not to be subject to automated decision-making (Art. 22) — we do not engage in automated decision-making
To exercise any of these rights, contact us at [email protected]. We will respond within one month.
8. Complaints
You have the right to lodge a complaint with a supervisory authority. In Greece this is the Hellenic Data Protection Authority:
- Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (Hellenic Data Protection Authority)
- Address: Kifissias Av. 1-3, 11523 Athens, Greece
- Tel: +30 210 6475600
- Web: www.dpa.gr
If you reside outside Greece, you may also lodge a complaint with the supervisory authority in your country of residence.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- HTTPS / TLS encryption on all Website pages
- Access controls on all systems holding personal data
- Confidentiality obligations on all team members and processors
- Regular security review of our procedures and providers
- Incident response procedure with 72-hour notification to authorities and affected data subjects where required
10. Children
The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and become aware that your child has provided us with personal data, please contact us immediately and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The "last updated" date at the top of this page will reflect any revisions. Material changes will be communicated to members directly by email.
12. Contact
For any questions about this Privacy Policy or our data practices, please contact us at [email protected].
Last updated: 13 May 2026 · See also: Cookie Policy · Terms of Service