Privacy Policy

1. Data Controller

Your Cyprus Holiday (“we”, “us”, or “our”) is the data controller responsible for the processing of your personal data collected through the yourcyprusholiday.com platform (“Platform”).

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Cyprus Law on the Protection of Natural Persons with Regard to the Processing of Personal Data (Law 125(I)/2018).

For any data protection enquiries, please contact us at privacy@yourcyprusholiday.com.

2. Information We Collect

2.1 Information You Provide Directly

• Account information: name, email address, phone number, and password when you create an account.
• Booking information: guest names, contact details, number of guests, check-in and check-out dates, and any special requests.
• Payment information: payment card details, which are collected and processed directly by Stripe. We do not store your full card number.
• Host information: property details, descriptions, photographs, pricing, bank account details (via Stripe Connect), and identification documents required for payment processing.
• Communications: messages sent through the Platform, customer support enquiries, and feedback.
• Reviews: ratings and written reviews you submit about properties.

2.2 Information Collected Automatically

• Usage data: pages visited, features used, search queries, and interaction patterns on the Platform.
• Device information: browser type and version, operating system, screen resolution, and device type.
• Network information: IP address, approximate location (country/region), and referring website.
• Cookies and similar technologies: see our Cookie Policy for details.

3. How We Use Your Data

We use your personal data for the following purposes:

• Providing our services: processing bookings, facilitating payments, and connecting Guests with Hosts.
• Account management: creating and managing your account, authenticating your identity, and providing customer support.
• Communications: sending booking confirmations, receipts, reminders, and service-related notifications via email (using our email provider, Resend).
• Platform improvement: analysing usage patterns to improve the Platform's functionality, user experience, and performance.
• Marketing: sending promotional communications about our services, but only with your explicit consent. You may opt out at any time.
• Legal compliance: fulfilling our legal obligations, including tax reporting requirements and responding to lawful requests from authorities.
• Safety and security: detecting and preventing fraud, unauthorised access, and other harmful activities.

4. Legal Basis for Processing

Under the GDPR, we process your personal data on the following legal bases:

• Performance of a contract (Article 6(1)(b)): Processing necessary to fulfil our contractual obligations, including processing bookings, facilitating payments, and providing our services to you.
• Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests, including improving our Platform, ensuring security, and conducting analytics. We balance these interests against your rights and freedoms.
• Consent (Article 6(1)(a)): Where you have given explicit consent, such as for marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Legal obligation (Article 6(1)(c)): Processing necessary to comply with our legal obligations under Cyprus and EU law.

5. Data Sharing

We do not sell your personal data. We share your information only in the following circumstances:

• With Hosts: When you make a booking, we share your name, contact information, and booking details with the Host so they can fulfil your reservation. Hosts are required to handle your data in accordance with applicable data protection laws.
• With Stripe: Payment information is transmitted directly to and processed by Stripe Inc., our payment processor. Stripe is certified under the EU-US Data Privacy Framework. For more information, see Stripe's Privacy Policy.
• With Resend: We use Resend as our email service provider to send transactional and service-related emails. Resend processes your email address and name for this purpose.
• With Supabase: Our Platform infrastructure is hosted by Supabase, which stores and processes data on our behalf as a data processor.
• Legal requirements: We may disclose your data if required by law, regulation, legal process, or governmental request, or to protect our rights, safety, or property.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Account data: retained for the duration of your account and for up to 12 months after account deletion, unless longer retention is required by law.
• Booking data: retained for 7 years after the completion of the stay, in accordance with Cyprus tax and accounting requirements.
• Payment records: retained for 7 years in accordance with financial record-keeping obligations.
• Marketing consent records: retained for as long as the consent is valid, plus 3 years after withdrawal.
• Usage and analytics data: retained in anonymised or aggregated form for up to 24 months.

7. Your Rights Under GDPR

As Cyprus is a member of the European Union, you have the following rights under the GDPR:

• Right of access: You have the right to request a copy of the personal data we hold about you.
• Right to rectification: You have the right to request correction of inaccurate or incomplete data.
• Right to erasure: You have the right to request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
• Right to restrict processing: You have the right to request restriction of processing in certain circumstances.
• Right to data portability: You have the right to receive your data in a structured, commonly used, and machine-readable format.
• Right to object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at privacy@yourcyprusholiday.com. We will respond to your request within 30 days.

You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection (Cyprus Data Protection Authority) if you believe your data protection rights have been infringed. The Commissioner can be contacted at www.dataprotection.gov.cy.

8. Cookies

We use cookies and similar technologies to enhance your experience on the Platform, remember your preferences, and analyse how the Platform is used.

For detailed information about the cookies we use, their purposes, and how to manage them, please see our Cookie Policy.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS/HTTPS.
• Encryption of data at rest in our database.
• Secure authentication mechanisms, including hashed passwords.
• Access controls limiting data access to authorised personnel only.
• Regular review and updates to our security practices.

While we take every reasonable precaution to protect your data, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

10. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA) by our service providers (such as Stripe and Supabase). Where such transfers occur, we ensure that appropriate safeguards are in place, including:

• Transfers to countries that the European Commission has determined provide an adequate level of data protection.
• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Certifications under recognised frameworks such as the EU-US Data Privacy Framework.

11. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@yourcyprusholiday.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the “Last updated” date and, where appropriate, notify you via email or a notice on the Platform. We encourage you to review this policy periodically.

13. Contact Information

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:

• Email: privacy@yourcyprusholiday.com
• General enquiries: info@yourcyprusholiday.com
• Website: yourcyprusholiday.com