Anadelta Travel Agency
FeaturesHow It WorksFAQContact
Log in
FeaturesHow It WorksFAQContact
Log in

Privacy Policy

Effective date: 1 April 2026

1. Who We Are

Anadelta Travel Agency (“we”, “us”, “our”) is a business-to-business travel service operated by Anadelta, based in Athens, Greece. We provide travel booking and management services to universities, research institutions, and other public-sector organisations under a “travel now, pay later” model.

For the purposes of the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”), Anadelta Travel Agency is the data controller responsible for your personal data. You can reach us at:

  • Email: anadelta.greece@gmail.com
  • Website: travel.anadelta.eu
  • Parent company: anadelta.eu
  • Location: Athens, Greece

2. What Data We Collect

We collect and process the following categories of personal data in connection with our services:

Account Data

  • Full name, email address, and phone number
  • Language/locale preference
  • Organisational affiliation (university, research institution, or other entity)
  • Job title and department
  • Account credentials (passwords are stored in hashed form only)

Passport & Identity Data

  • Date of birth, gender, and nationality
  • Passport number, passport expiry date, and passport issuing country

Collected for flight booking purposes and transmitted to our flight provider (Duffel) for ticket issuance.

Billing & Tax Data

  • Tax ID (AFM) and tax authority
  • Billing address (street, city, postal code, country)
  • IBAN

Trip & Booking Data

  • Travel details: destinations, travel dates, passenger information, trip type (flight, hotel, or both)
  • Flight booking records including fare selections and itineraries
  • Hotel booking records including room selections and rates
  • Trip approval status and associated project or funding codes

Payment & Financial Data

  • Financial records tied to your institution’s bookings
  • Payment proof documents uploaded by travellers or administrators
  • Invoice and payment records

Search Sessions

  • Temporary search data generated when you search for flights or hotels, including search parameters, results viewed, and selections made

Contact Form Submissions

  • Name, email address, phone number (optional), company name, organisation type, subject, and message content submitted through our contact and inquiry forms

Technical Data

  • IP address, browser type, and device information collected automatically via server logs and error-tracking tools
  • Audit logs of user actions (including IP address) retained for security auditing purposes

3. How We Use Your Data

We process your personal data for the following purposes:

  • Service delivery: creating and managing your account, processing trip requests, and facilitating the approval workflow between travellers, project administrators, and organisation administrators
  • Booking management: searching for and reserving flights and hotels on your behalf through our integrated travel suppliers
  • Invoicing and payments: processing payments, generating documentation, and managing financial records for your institution
  • Communication: sending booking confirmations, trip status updates, payment reminders, and responding to your enquiries
  • Platform security: rate limiting, error tracking, and monitoring to protect the platform against abuse and ensure service reliability
  • Legal compliance: retaining financial records as required by Greek tax legislation and responding to lawful requests from authorities

4. Legal Basis for Processing

We rely on the following legal bases under Article 6 of the GDPR:

  • Contractual necessity (Art. 6(1)(b)): processing required to perform the travel booking and management services you or your institution have engaged us to provide, including account creation, trip processing, booking execution, and invoicing
  • Legitimate interest (Art. 6(1)(f)): platform security, fraud prevention, error tracking, and service improvement, where our interests do not override your fundamental rights
  • Legal obligation (Art. 6(1)(c)): retention of financial and booking records as required under Greek tax and commercial law
  • Consent (Art. 6(1)(a)): where applicable, such as for optional communications or cookie usage beyond strict necessity. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal

5. Data Sharing

We share personal data only to the extent necessary to deliver our services. We never sell your personal data to third parties.

  • Duffel (flight bookings): passenger names, contact details, travel dates, and passenger identity data (date of birth, gender, nationality, passport details) are transmitted to Duffel to search for, reserve, and issue flight tickets
  • Ratehawk (hotel bookings): guest names, contact details, and stay dates are transmitted to Ratehawk to search for, reserve, and confirm hotel accommodations
  • Your institution: trip details, approval records, and financial information are shared with the organisation or project administrators designated by your institution
  • Service infrastructure providers: hosting (Google Cloud Platform, EU region), error tracking (self-hosted Glitchtip), and email delivery (SMTP) -- all operating under appropriate data processing agreements

Our infrastructure is hosted within EU data centres provided by Google Cloud Platform. Where personal data is transferred to the United Kingdom (Duffel, for flight bookings), such transfers are protected by the EU-UK adequacy decision adopted by the European Commission on 28 June 2021.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law:

  • Account data: retained for the duration your account remains active. Upon account deletion, personal data is removed within 30 days, except where retention is required by law
  • Search sessions: automatically deleted after 7 days. Expired hotel prebook data is cleared on an hourly basis
  • Booking and financial records: retained for a minimum of 5 years following the completion of the relevant transaction, as required by Greek tax legislation (Law 4174/2013 and applicable amendments)
  • Contact form submissions: retained for up to 12 months, after which they are deleted unless an ongoing business relationship exists
  • Error logs and technical data: retained for up to 90 days for debugging and security purposes

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: request a copy of the personal data we hold about you
  • Right to rectification: request correction of inaccurate or incomplete personal data
  • Right to erasure: request deletion of your personal data where there is no compelling reason for continued processing
  • Right to data portability: receive your personal data in a structured, commonly used, machine-readable format
  • Right to object: object to processing based on legitimate interests, including for direct marketing purposes
  • Right to restrict processing: request limitation of processing under certain circumstances
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at anadelta.greece@gmail.com. We will respond within 30 days as required by the GDPR.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):

  • Website: www.dpa.gr
  • Address: Kifisias 1-3, 115 23 Athens, Greece
  • Phone: +30 210 6475600

8. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

  • Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS (HTTPS), with certificates automatically managed and renewed
  • Encryption at rest: data stored on our servers is encrypted at the disk level via Google Cloud Platform’s default encryption
  • EU-hosted infrastructure: all services, databases, and backups are hosted within EU data centres (Google Cloud, europe-west1 region)
  • Database security: connection pooling via PgBouncer limits exposure, database access is restricted to internal services only, and all administrative ports are bound to localhost
  • Access control: role-based permissions ensure users only access data relevant to their organisational role. Password credentials are stored using secure one-way hashing
  • Rate limiting: automated abuse prevention on authentication, search, and booking endpoints
  • Encrypted backups: database backups are GPG-encrypted before storage

9. Cookies

Our platform uses cookies and similar technologies to maintain your session, remember your language preference, and ensure proper functionality. For detailed information about the specific cookies we use, their purposes, and how to manage them, please refer to our Cookie Policy.

10. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will update the “Effective date” at the top of this page and, where appropriate, notify you via email or a prominent notice on our platform. We encourage you to review this page periodically.

11. Contact

If you have questions or concerns about this privacy policy or our data practices, please contact us:

  • Email: anadelta.greece@gmail.com
  • Website: travel.anadelta.eu
  • Anadelta Travel Agency, Athens, Greece
Anadelta Travel Agency

The enterprise travel management platform. Employees book. Managers approve. We handle the rest.

Athens, Greece
anadelta.greece@gmail.com

Platform

  • Features
  • How It Works
  • FAQ
  • Contact

Company

  • About Anadelta
  • Contact

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • GDPR

© 2026 Anadelta Travel Agency. All rights reserved.

All systems operational
EU Hosted