GDPR Data Protection Policy
Effective: April 2026 · Last updated: April 2026
1. Introduction
Anadelta Travel Agency ("Anadelta", "we", "us", "our") operates the platform at travel.anadelta.eu ("Platform"), a business-to-business travel management service for universities, research institutions, and other public or private organisations in Greece and the European Union.
This policy explains how we collect, use, store, share, and protect personal data in compliance with the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Greek Law 4624/2019 implementing the GDPR, and any other applicable data protection legislation. It applies to all users of the Platform, including travellers, project administrators, organisation administrators, and system administrators.
2. Data Controller
The data controller responsible for your personal data is:
For any questions or concerns regarding this policy or the processing of your personal data, please contact us at anadelta.greece@gmail.com.
3. Legal Bases for Processing
We process personal data under the following legal bases as defined in Article 6(1) of the GDPR:
| Legal Basis | Processing Activities |
|---|---|
| Contract performance Art. 6(1)(b) | Account registration, trip management, flight and hotel bookings, payment processing, financial record tracking, invoice generation, itinerary delivery |
| Legal obligation Art. 6(1)(c) | Retention of financial records (invoices, payment documentation, payment proof) under Greek tax legislation; compliance with anti-fraud regulations |
| Legitimate interest Art. 6(1)(f) | Platform security (rate limiting, circuit breakers, bot protection), error monitoring, fraud prevention, service improvement |
| Consent Art. 6(1)(a) | Non-essential cookies (where applicable), marketing communications (if any) |
4. Categories of Personal Data Collected
We collect and process the following categories of personal data:
| Category | Data Elements | Purpose |
|---|---|---|
| Account data | Full name, email address, phone number, preferred locale (EN/EL), job title, department, role (user / system_admin), hashed password, date of birth, gender, nationality, passport number, passport expiry, passport issuing country, tax ID, tax authority, billing address, IBAN | Account creation, authentication, communication, platform personalisation, flight ticket issuance (passport data shared with Duffel), invoicing (billing/tax data) |
| Organisation data | Organisation name, type (public/private), membership status (pending/approved), membership role (member/org_admin) | Organisational structure management, access control, budget oversight |
| Trip data | Destinations (origin/destination cities, airports), travel dates, trip type (flight/hotel/both), approval status, budget amounts, Greek funding codes (MIS, ADA, protocol number) | Trip request processing, approval workflows, budget management |
| Booking data | Flight booking details (via Duffel API), hotel booking details (via Ratehawk API), passenger information, reservation references | Completing travel bookings with external providers, itinerary generation |
| Financial data | Financial records (booking costs, service fees, applicable VAT), uploaded payment proof files, invoice records | Payment tracking, documentation, financial compliance with Greek tax law |
| Search session data | Flight search parameters, hotel search parameters, selected options, booking flow state | Persisting search and booking flow state across steps; automatically deleted after 7 days |
| Contact form data | Name, email address, phone number (optional), company name, organisation type, subject, message body | Responding to enquiries and support requests |
| Technical data | IP addresses (for rate limiting via sliding window algorithm), JWT session tokens, browser and device metadata, audit logs of user actions with IP addresses | Platform security, abuse prevention, session management, security auditing |
| Error tracking data | Application error reports (via Glitchtip, Sentry-compatible), production environment only, with PII filtering applied | Diagnosing and resolving platform issues, service reliability |
We do not collect special categories of data (Article 9 GDPR) such as health data, biometric data, political opinions, or religious beliefs. We do not process data relating to criminal convictions or offences (Article 10 GDPR).
5. How We Use Your Data
Your personal data is processed for the following purposes:
- Account management: Creating and maintaining your user account, authenticating sessions via JWT tokens, and managing your role-based access across the platform.
- Trip lifecycle management: Processing trip requests through the approval workflow (awaiting_approval → approved → booked → paid_confirmed), managing budget allocations, and enforcing organisation/project policies.
- Booking fulfilment: Searching for and booking flights (via Duffel) and hotels (via Ratehawk), persisting search session state, executing prebook price locks, and generating itinerary documents.
- Financial processing: Creating financial records, calculating applicable charges (booking cost + service fee + VAT), processing payment proof uploads, generating invoices, and tracking payment settlement.
- Communication: Sending transactional emails (trip approvals, booking confirmations, payment reminders at 7 days, 1 day, and 30 days overdue) in your preferred language.
- Platform security: Rate limiting critical endpoints (search, checkout, authentication, contact form), applying circuit breakers to external API calls, verifying session ownership on booking operations, and bot protection via Cloudflare Turnstile.
- Error monitoring: Tracking application errors in production via Glitchtip with automatic PII filtering to diagnose and resolve platform issues.
- Real-time notifications: Delivering server-sent events for trip approvals, payment confirmations, and booking status updates via Redis pub/sub.
6. Data Sharing and Sub-processors
We share personal data only when necessary to provide our services and only with the following categories of recipients. All sub-processors are bound by data processing agreements (DPAs) in accordance with Article 28 GDPR.
| Sub-processor | Location | Purpose | Data Shared |
|---|---|---|---|
| Duffel | United Kingdom | Flight search and booking | Passenger names, travel dates, destinations, booking references, passenger identity data (date of birth, gender, nationality, passport details) for ticket issuance |
| Ratehawk / Emerging Travel Group | Cyprus (EU) | Hotel search and booking | Guest names, stay dates, destinations, residency information, booking references |
| Google (Gmail SMTP) | EU / EEA | Transactional email delivery | Recipient email address, email content (trip updates, payment reminders, booking confirmations) |
| Google Cloud Platform | Belgium (europe-west1) | Infrastructure hosting | All platform data (stored encrypted at rest on GCP Compute Engine) |
| Cloudflare (Turnstile) | Global (EU-compliant) | Bot protection | IP address, browser metadata (used for challenge verification, not stored by Anadelta) |
We do not sell, rent, or trade personal data to any third party. Data is shared with your employing institution (organisation administrators) only to the extent necessary for trip approval, budget management, and payment reconciliation.
7. International Data Transfers
Our primary infrastructure is hosted within the European Union (GCP europe-west1-b, Belgium). We endeavour to keep personal data within the EU/EEA wherever possible.
Where data is transferred to a sub-processor outside the EU/EEA (namely Duffel in the United Kingdom), such transfers are protected by:
- The UK adequacy decision adopted by the European Commission (28 June 2021), which recognises the United Kingdom as providing an adequate level of data protection.
- Standard Contractual Clauses (SCCs) approved by the European Commission, where an adequacy decision is not available or has expired.
- Supplementary technical and organisational measures, including encryption in transit and at rest.
Cloudflare processes data globally but operates in compliance with EU data protection standards and maintains appropriate contractual safeguards.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following retention periods apply:
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data | Duration of active account + 30 days after deletion request | Contract performance |
| Search sessions | Automatically deleted after 7 days (daily cleanup at 03:00) | Data minimisation |
| Expired hotel prebooks | Cleaned hourly | Data minimisation |
| Booking and financial records | 5 years from transaction date | Greek tax law (Code of Tax Procedures, Art. 13) |
| Error tracking logs | 90 days | Legitimate interest (service reliability) |
| Rate limiting data | Ephemeral (sliding window, seconds to minutes) | Legitimate interest (security) |
When retention periods expire, data is securely deleted or anonymised. Financial records that must be retained under Greek tax law cannot be erased before the statutory retention period ends, even upon a data subject's request.
9. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Article 32 GDPR. These measures include:
- Encryption in transit: All data transmitted between your browser and our servers is protected by TLS/HTTPS, managed automatically via Caddy reverse proxy and Let's Encrypt certificates.
- Encryption at rest: Data stored on GCP Compute Engine uses Google's default encryption at rest (AES-256).
- EU-hosted infrastructure: All primary data processing occurs within GCP europe-west1-b (Belgium), ensuring data residency within the EU.
- Database security: PgBouncer connection pooling with a maximum of 200 client connections, transaction-mode isolation, and encrypted database connections.
- Rate limiting: Sliding-window rate limiting on all critical API endpoints (search: 30/min, checkout: 10/min, registration: 10/5min, contact: 5/hour) to prevent abuse.
- Circuit breakers: Automatic failover protection on external API calls (Duffel, Ratehawk, SMTP) preventing cascading failures from compromising data integrity.
- Role-based access control: Four-tier permission system (user, project admin, organisation admin, system admin) with session ownership verification on all booking operations.
- Bot protection: Cloudflare Turnstile on public-facing forms to prevent automated attacks and abuse.
- Error tracking with PII filtering: Glitchtip error monitoring in production filters personally identifiable information before logging, including Prisma transient errors and browser noise.
- Encrypted backups: Database and file backups are GPG-encrypted and can be stored offsite in GCP Cloud Storage.
- Self-approval prevention: Trip creators cannot self-approve requests (except system administrators), enforcing separation of duties.
10. Your Rights Under the GDPR
As a data subject, you have the following rights under the GDPR. You may exercise any of these rights by contacting us at anadelta.greece@gmail.com. We will respond within 30 days of receiving your request.
- Right of access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with information about the purposes, categories, recipients, and retention periods.
- Right to rectification (Art. 16): You have the right to request correction of inaccurate personal data and completion of incomplete data. You can update your account information (name, email, phone, locale) directly through the Platform.
- Right to erasure (Art. 17): You have the right to request deletion of your personal data when it is no longer necessary for the purposes collected, you withdraw consent, or there is no overriding legitimate ground. Note: financial records required under Greek tax law (5-year retention) cannot be erased before the statutory period expires.
- Right to restriction (Art. 18): You have the right to request restriction of processing where you contest the accuracy of data, the processing is unlawful, we no longer need the data but you need it for legal claims, or you have objected pending verification.
- Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON), and to have that data transmitted to another controller where technically feasible.
- Right to object (Art. 21): You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated (see Section 14 below).
We will not charge a fee for handling your request unless it is manifestly unfounded or excessive. In such cases, we may charge a reasonable fee or refuse to act on the request, providing reasons.
11. Automated Decision-Making
The Platform does not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you within the meaning of Article 22 GDPR. All trip approvals are made by human administrators (project admins or organisation admins). Pricing calculations are rule-based and transparent, not algorithmically determined based on personal characteristics.
12. Cookies and Tracking
The Platform uses the following categories of cookies:
- Strictly necessary cookies: Session authentication token (JWT). These are essential for Platform functionality and do not require consent under Article 5(3) of the ePrivacy Directive.
- Functional cookies: Locale preference cookie (EN/EL), which remembers your language selection across visits.
- Security cookies: Cloudflare Turnstile challenge tokens on public forms (contact, registration). These are necessary for security purposes.
We do not use analytics tracking cookies, advertising cookies, or third-party marketing pixels. For more details, please see our Cookie Policy.
13. Children's Data
The Platform is a business-to-business service for professional use by researchers, academic staff, and administrative personnel. We do not knowingly collect or process personal data from children under the age of 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly.
14. Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority. For data subjects in Greece, the supervisory authority is:
Hellenic Data Protection Authority (HDPA)
Kifisias 1-3, 115 23 Athens, Greece
Phone: +30 210 6475 600
Website: www.dpa.gr
Email: contact@dpa.gr
You also have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
15. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:
- Notify the Hellenic Data Protection Authority within 72 hours of becoming aware of the breach, as required by Article 33 GDPR.
- Where the breach is likely to result in a high risk to your rights and freedoms, notify affected data subjects without undue delay, as required by Article 34 GDPR.
- Document all breaches in an internal breach register, including the facts, effects, and remedial actions taken.
16. Changes to This Policy
We may update this GDPR Data Protection Policy from time to time to reflect changes in our data processing practices, legal obligations, or regulatory requirements. Material changes will be communicated via email to registered users and through a notice on the Platform. The "Last updated" date at the top of this page indicates when the latest revision took effect.
We encourage you to review this policy periodically. Continued use of the Platform after a material change constitutes acknowledgement of the updated policy.
17. Contact Us
For any questions, concerns, or requests regarding this policy or your personal data, please contact us:
This policy is governed by Greek law and the GDPR. Any disputes shall be subject to the exclusive jurisdiction of the courts of Athens, Greece.