top of page

SCUBAKRETA PRIVACY POLICY

Privacy Policy of Scubakreta Diving Holidays

Effective Date: 1st of April 2025 (next scheduled review: 1st of April 2026; reviewed annually)

​

1. Who We Are
​

Business Name: G. Georgantas & SIA E.E. - Scubakreta Diving Holidays
Location: Inside Nana Golden Beach Resort, Crete 70014, Greece
Tax ID: 997109121
Email: scuba@scubakreta.gr

We act as the data controller for your personal data. While we are not currently required to appoint a Data Protection Officer under Article 37 GDPR, we have designated a Privacy Contact for questions and requests: Katerina Georganta, +306936893032, kati.geo@hotmail.com, PO BOX 67 Limenas Hersonissou, 70014.

We maintain a Record of Processing Activities (RoPA) as required under Article 30 GDPR, which is available upon request by the Hellenic Data Protection Authority or data subjects.

​

2. What Data We Collect
​

We may collect and process the following types of personal data:

a. Basic Contact and Identity Information:

  • Name, email address, phone number, home address, date of birth, level of diving certification, emergency contact

  • Father’s name (collected solely when conducting a training course, as required by the Greek Port Police)

  • Voluntary data via contact forms, social media, email, telephone, WhatsApp

b. Course and Activity Data:

  • Course start/completion dates, dive logs, instructor name, training location

c. Payment and Booking Data:

  • Payment details through VivaWallet.gr and Stripe (we do not store credit card data ourselves)

  • Booking information via GetYourGuide

d. Sensitive Health Data:

  • Medical history from pre‑dive medical questionnaires—only collected on physical paper forms, each dated and signed by the participant, with explicit consent under Article 9(2)(a) GDPR strictly for participant safety

e. Technical Data:

  • Website usage data collected via cookies and analytics tools (e.g., Google Analytics)

  • IP address, device/browser information, and page interaction data

​

3. How We Collect Data
​

Data is collected through:

  • Our website contact form (www.scubakreta.com) — includes a mandatory tickbox to accept our Terms of Service and displays a cookie consent banner upon entry, requiring opt‑in for any non‑essential cookies before they are placed.

  • Direct communication (phone, email, WhatsApp, social media)

  • SSI registration forms

  • Medical questionnaires and other paper forms (dated and signed)

​

4. Legal Basis for Processing
​

We process your personal data based on one or more of the following legal grounds:

  • Consent: Medical data, analytics cookies, Terms of Service acceptance (we record the date of signature for paper consents and the date of email or phone consent).

  • Performance of a Contract: Dive training, bookings, course delivery.

  • Legal Obligations: Safety regulations, accounting, insurance.

  • Legitimate Interests: Service improvement and operational communication. We conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms; details are available upon request.

We do not engage in automated decision‑making or profiling.

​

​

5. How We Use Your Data

​

  • Purpose: Communicate about bookings, courses, and services | Legal Basis: Performance of a contract

  • Purpose: Process diving certifications with SSI | Legal Basis: Performance of a contract

  • Purpose: Comply with safety and legal obligations | Legal Basis: Legal obligation

  • Purpose: Provide diving insurance through DAN or DiveAssure | Legal Basis: Legal obligation / Contract

  • Purpose: Manage our bookings and operations | Legal Basis: Performance of a contract

  • Purpose: Improve user experience through anonymized analytics | Legal Basis: Legitimate interest (balancing test available on request)

​​

6. Sharing of Data
​

We may share your data with the following third parties:

​

  • SSI (Scuba Schools International): Training registration.

  • DAN and DiveAssure: Insurance purposes.

  • Wix: Website hosting and performance.

  • Stripe and VivaWallet: Secure online payments.

  • Google (Analytics, G Suite, Maps): Communication, tracking, and map display—IP‑anonymization is enabled via Wix.

  • Apple Calendar: Booking organization (data may be stored outside the EU under Standard Contractual Clauses).

  • GetYourGuide: External booking platform.

  • Review Platforms (Google Reviews, TripAdvisor): Data hosted by them under their own policies.

  • Social Media (Facebook, Instagram): Data voluntarily provided via direct messaging.

​

Third‑Party Cookies: A detailed cookie table is available on our website showing which cookies fire by default. You may also review cookies via your browser’s developer tools or the consent banner’s cookie settings.

​

For international transfers, we rely on the European Commission’s Standard Contractual Clauses (SCCs) or other valid safeguards. Copies are available upon request.

​

7. Children and Minors
​

We process children’s data only with verified parental or guardian consent. Under Greek Law 4624/2019, the minimum age for valid consent is 15. For minors under 15, we collect:

​

  • Full name, date of birth, gender

  • Emergency contacts

  • Diving participation details

  • Medical declarations

​

All youth data collection forms require a parental or legal guardian’s signature at the bottom. We have conducted a Data Protection Impact Assessment (DPIA) for the processing of children’s and medical data (Art 35 GDPR).

​

8. Data Retention
​

  • Website inquiries: Retained for 1 year after the date of last contact (email or phone).

  • Medical Questionnaires: 3 years for certified divers, 10 years for training participants (per SSI regulations).

  • Course and Client Data: Retained for 10 years for SSI course participants.

​

Retention clocks start from the date on the signed form or the date of last electronic contact. Paper documents are stored securely: locked in our office for the first year, then in secure offsite storage. We review our retention schedule annually to ensure compliance with Art 5(1)(e) GDPR.

​

9. Communication With Users
​

We may contact you to:

  • Follow up on inquiries

  • Manage bookings

  • Resolve service‑related issues

  • Collect feedback or share relevant updates

​

We do not send marketing communications or promotional newsletters. Contact methods include email, phone, WhatsApp, SMS, or postal mail, depending on the information you provide.

​

10. Your Rights Under GDPR
​

You have the right to:

​

  • Access your personal data

  • Rectify inaccurate or incomplete data

  • Erase your data (under certain conditions)

  • Restrict or object to processing

  • Data portability

  • Withdraw consent at any time (without affecting prior processing)

​

To exercise these rights, or to object to processing based on legitimate interests, please contact us strictly via email at scuba@scubakreta.gr. Requests are free of charge; we may request proof of identity only if necessary. We will respond within one month, as required by Article 12(3) GDPR.

​

If you are not satisfied, you may lodge a complaint with the Hellenic Data Protection Authority (HDPA) via:

Website: www.dpa.gr
Postal address: Kifissias Avenue 1‑3, P.C. 11523, Athens, Greece
Telephone: +30 210 6475600

​

11. Data Security
​

We implement technical and organizational measures to protect your personal data, including:

​

  • Encryption in transit and at rest (Art 32(1)(a))

  • Password‑protected systems and restricted access controls

  • Secure handling and storage of paper documents (locked, limited access)

  • Regular penetration tests and security audits (Art 32(1)(d))

​

In the event of a data breach, we will notify affected individuals and the HDPA as required by Articles 33 and 34 GDPR.

​

12. Cookie Policy
​

Our website uses cookies to ensure site functionality, analyze traffic, personalize user experience, and manage third-party content.

​

  • Cookie Name: _ga_XFJB6CNCZQ | Provider: google.com | Controller: Google LLC | Purpose: Distinguishes users for Google Analytics | Category: Analytics | Duration: ~2 years

  • Cookie Name: _ga_9R1M4QJF1C | Provider: google.com | Controller: Google LLC | Purpose: Distinguishes users for Google Analytics | Category: Analytics | Duration: ~2 years

  • Cookie Name: _ga | Provider: google.com | Controller: Google LLC | Purpose: Distinguishes users for Google Analytics | Category: Analytics | Duration: ~2 years

  • Cookie Name: _gid | Provider: google.com | Controller: Google LLC | Purpose: Distinguishes users for Google Analytics | Category: Analytics | Duration: 24 hours

  • Cookie Name: _gat_gtag_UA_141030410_1 | Provider: google.com | Controller: Google LLC | Purpose: Throttles request rate to Google Analytics | Category: Analytics | Duration: ~1 minute

  • Cookie Name: _gcl_au | Provider: google.com | Controller: Google LLC | Purpose: Google AdSense experiment tracking | Category: Marketing | Duration: ~3 months

  • Cookie Name: bSession | Provider: wix.com | Controller: Wix.com | Purpose: Identifies a visitor’s business session | Category: Essential | Duration: Session

  • Cookie Name: consent-policy | Provider: wix.com | Controller: Wix.com | Purpose: Stores your cookie-consent preferences | Category: Functional | Duration: ~1 year

  • Cookie Name: hs | Provider: wix.com | Controller: Wix.com | Purpose: Session identifier for Wix/third-party widgets | Category: Functional | Duration: Session

  • Cookie Name: server-session-bind | Provider: wix.com | Controller: Wix.com | Purpose: Routes you to the same server instance | Category: Essential | Duration: Session

  • Cookie Name: ssr-caching | Provider: wix.com | Controller: Wix.com | Purpose: Improves page-load via server-side rendering cache | Category: Functional | Duration: Session

  • Cookie Name: svSession | Provider: wix.com | Controller: Wix.com | Purpose: Identifies your overall site session | Category: Essential | Duration: ~2 years

  • Cookie Name: XSRF-TOKEN | Provider: wix.com | Controller: Wix.com | Purpose: Protects against cross-site request forgery attacks | Category: Essential | Duration: Session

​

You can change your cookie preferences at any time via the cookie banner’s ‘Settings’ link or through your browser settings.

​

13. Non-Agency Disclaimer (SSI)

​

Scubakreta Diving Holidays operates independently from SSI (Scuba Schools International). While we follow SSI training standards, SSI has its own privacy policy and data protection practices. We are not responsible for SSI’s processing of your data and do not control their activities. You may request copies of your SSI data directly from SSI under their policies.

​

14. Contact Us
​

For any privacy questions, requests, or concerns, please contact:

Email: scuba@scubakreta.gr
Postal Address: Inside Nana Golden Beach Resort, Crete 70014, Greece

​

​

15. Policy Updates

​

We may update this Privacy Policy from time to time. The latest version, with an updated "Effective Date," will be posted on our website.

Last reviewed and approved on: 1st of April 2025.

​

Thank you for trusting Scubakreta Diving Holidays!

bottom of page