Privacy Policy

Unified GDPR Privacy Policy
Full legal English version
Internal Reference Code: GDPR-WB-2026-01-EN-LEGAL
Last updated: March 2026
Controller: Filippos G. Lamprinos S.A. (Sirens Beach and Village)
Address: Tsagkaraki Street, Malia 70007, Prefecture Heraklion, Crete, Greece
DPO: dpo@premiuminfosys.com

1. Introduction and Scope

 

This Privacy Policy describes how Filippos G. Lamprinos S.A., operating as Sirens Beach and Village, collects, uses, stores, shares, and protects personal data in connection with the operation of our resort, website, booking systems, Wi-Fi network, mobile application, in-room digital services, CCTV systems, and all related hospitality services. We are committed to processing personal data lawfully, fairly, and transparently, in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the ePrivacy Directive, Greek Law 4624/2019, and all other applicable data protection legislation.

This unified policy applies to all processing activities carried out by the resort, whether online or offline, and covers all interactions you may have with us before, during, and after your stay. It explains what personal data we collect, why we collect it, how long we keep it, who we share it with, and what rights you have under the GDPR.

By interacting with our website, making a booking, using our services, or staying at our resort, you acknowledge that you have read and understood this Privacy Policy.

2. Identity of the Controller

The controller responsible for processing your personal data is:

Filippos G. Lamprinos S.A.
Sirens Beach and Village
Tsagkaraki Street
Malia 70007, Heraklion, Crete
Greece
Email: info@sirenshotels.gr
Telephone: +30 28970 35100

As the controller, we determine the purposes and means of processing your personal data and ensure that all processing activities comply with applicable data protection laws.

3. Data Protection Officer (DPO)

We have appointed an external Data Protection Officer to oversee our compliance with data protection laws and to act as your point of contact for any questions or concerns regarding your personal data.
Data Protection Officer:
George Sainidis
Email: dpo@premiuminfosys.com
Telephone: +359 87 891 1820
You may contact the DPO at any time regarding the processing of your personal data or your rights under this policy.

4. Who This Policy Applies To

This Privacy Policy applies to all individuals whose personal data we process, including:

• Guests and prospective guests
• Website visitors
• Individuals making bookings on behalf of others
• Users of our Wi-Fi network
• Mobile application users
• Users of in-room tablets or Smart TVs
• Newsletter subscribers
• Individuals captured by CCTV cameras
• Individuals providing special category data (e.g., health or accessibility needs)
• Individuals contacting us via email, telephone, or contact forms

This policy applies regardless of whether you interact with us as a guest, visitor, employee of a corporate client, or in any other capacity.

5. Categories of Personal Data We Process

We process different categories of personal data depending on how you interact with us.
These categories include, but are not limited to, the following:

5.1 Identification and Contact Data
• Full name
• Postal address
• Email address
• Telephone number
• Nationality
• Passport or ID number (where required by law)
• Date of birth (where required for legal or booking purposes)

5.2 Booking and Stay Information
• Booking dates
• Room type and preferences
• Number of guests
• Arrival and departure times
• Special requests
• Loyalty or membership information
• Communication history related to your stay

5.3 Payment Information
• Cardholder name
• Tokenized or masked card details
• Transaction identifiers
• Billing address
• Payment status

We do not store full credit card numbers; these are processed securely by certified payment processors.

5.4 Technical and Device Data
• IP address
• Browser type and version
• Device identifiers
• Operating system
• Log files
• Cookie identifiers
• Wi-Fi MAC address
• Connection timestamps

5.5 Mobile App Data
• Device identifiers
• App usage logs
• Diagnostic information
• Optional permissions (e.g., location, notifications)

5.6 In-Room Tablet / Smart TV Data
• Device usage logs
• Content interactions
• Technical diagnostics
• Service requests submitted through the device

5.7 CCTV Footage
• Video recordings of individuals in public areas
• Date and time of recording
• Camera location

5.8 Special Category Data (Article 9 GDPR)
• Allergies or dietary restrictions
• Mobility or accessibility needs
• Medical information necessary to fulfill a request
• Spa or wellness-related information

Processed only with explicit consent.

6. Purposes of Processing

We process personal data only for specific, explicit, and legitimate purposes, including:

6.1 Accommodation and Hospitality Services
• Managing reservations
• Processing payments
• Providing guest services
• Handling special requests
• Communicating before, during, and after your stay

6.2 Website Operation and Security
• Displaying content
• Preventing fraud
• Ensuring system integrity
• Improving performance

6.3 Booking Management
• Confirming reservations
• Managing cancellations
• Preventing duplicate or fraudulent bookings

6.4 Communication and Customer Support
• Responding to inquiries
• Managing complaints
• Maintaining communication records

6.5 Marketing and Newsletters
• Sending promotional communications
• Measuring engagement

6.6 Wi-Fi Network Operation
• Authenticating users
• Ensuring network security
• Preventing misuse

6.7 Mobile App Functionality
• Providing app features
• Sending push notifications
• Improving app performance

6.8 In-Room Tablet / Smart TV Services
• Providing digital guest services
• Managing entertainment content
• Processing service requests

6.9 CCTV Monitoring
• Ensuring safety
• Protecting property
• Investigating incidents

6.10 Legal Compliance
• Tax and accounting obligations
• Police or judicial requests
• Public health requirements

7. Legal Bases for Processing

We rely on the following legal bases:

Contract (Art. 6(1)(b))
Legal obligation (Art. 6(1)(c))
Legitimate interests (Art. 6(1)(f))
Consent (Art. 6(1)(a))
Vital interests (Art. 6(1)(d))
Explicit consent for special category data (Art. 9(2)(a))

8. Cookies and Tracking Technologies

We use:
• Strictly necessary cookies
• Functional cookies
• Analytics cookies
• Advertising cookies (only with consent)

Analytics tools may collect anonymized IP addresses, device information, and usage patterns.
You may manage cookie preferences at any time.

9. Booking Engine and Contact Forms

Data collected
• Name
• Contact details
• Booking details
• Payment-related information
• Special requests
• Communication content

Purposes
• Managing reservations
• Responding to inquiries
• Preventing fraud

Legal bases
• Contract
• Legitimate interests
• Legal obligation
• Consent (for health-related requests)

10. Newsletter and Marketing Communications

Data collected

• Name
• Email address
• Subscription preferences
• Interaction data

Legal basis
• Consent

You may unsubscribe at any time.

11. Wi-Fi Network Privacy Notice

Data collected
• MAC address
• IP address
• Connection timestamps
• Authentication logs
• Device type

Purposes
• Network security
• Authentication
• Troubleshooting

Legal bases
• Contract
• Legitimate interests
• Legal obligation

12. Mobile App Privacy Notice

Data collected

• Device identifiers
• Usage logs
• Diagnostics
• Optional permissions

Purposes
• App functionality
• Notifications
• Performance improvement

Legal bases
• Contract
• Consent
• Legitimate interests

13. In-Room Tablet / Smart TV Privacy Notice

Data collected
• Usage logs
• Content interactions
• Technical diagnostics

Purposes
• Digital guest services
• Entertainment
• Service requests

Legal bases
• Contract
• Legitimate interests

14. CCTV Monitoring

Data collected
• Video footage
• Date and time
• Camera location

Purposes
• Safety
• Security
• Incident investigation

Legal bases
• Legitimate interests
• Legal obligation

15. Special Category Data

Data collected
• Allergies
• Accessibility needs
• Medical information

Legal basis
• Explicit consent

16. Retention Periods

• Booking records: up to 10 years
• Communication records: up to 3 years
• Payment data: up to 10 years
• Wi-Fi logs: 30–90 days
• App/device logs: up to 12 months
• CCTV footage: 15–30 days
• Special category data: only as long as needed
• Marketing data: until consent is withdrawn

17. Categories of Processors

We use processors for:
• Website hosting
• Email hosting
• Booking engine
• PMS
• Channel manager
• Payment processing
• Email marketing
• Analytics
• Cloud backup
• Wi-Fi services
• CCTV systems
• IT support
• Security services
• Mobile app development
• Smart TV/tablet services

All processors operate under GDPR-compliant agreements.

18. International Transfers

Where data is transferred outside the EU/EEA, we use:

• Adequacy decisions
• Standard Contractual Clauses (SCCs)
• Transfer Impact Assessments
• Additional safeguards

19. Security Measures

We implement:
• Encryption
• Access controls
• Firewalls
• Monitoring
• Staff training
• Secure storage
• Regular audits

20. Automated Decision-Making and Profiling

We do not use automated decision-making with legal or significant effects.
Limited profiling may occur for marketing analytics, based on consent.

21. Your Rights

You have the right to:
• Access
• Rectification
• Erasure
• Restriction
• Objection
• Data portability
• Withdraw consent
• Lodge a complaint with the Hellenic DPA

Contact the DPO to exercise your rights.

22. Definitions

Personal data: information relating to an identifiable person
Processing: any operation performed on personal data
Controller: entity determining purposes and means of processing
Processor: third party processing data on behalf of controller
Special category data: sensitive data requiring explicit consent
Consent: freely given, specific, informed, unambiguous indication of wishes