Privacy Policy

Last updated: April 2026

1. Introduction

Book and Explore (“we”, “us”, or “our”) is a marketplace platform operated by ΣΠΥΡΟΣ ΛΑΜΠΟΣ ΔΗΜΗΤΡΗΣ, a sole proprietorship (ατομική επιχείρηση) registered in Greece with ΑΦΜ 136394810, located at ΘΕΣΗ ΦΛΟΚΑ 0 - ΖΑΚΥΝΘΟΣ, 29100, Greece.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website www.bookandexplore.com and our services. We comply with the General Data Protection Regulation (GDPR) and Greek data protection laws. This platform is available to customers worldwide; all transactions are processed in EUR (€) and are subject to Greek law.

2. Data Controller

The data controller responsible for your personal data is:

  • Name: ΣΠΥΡΟΣ ΛΑΜΠΟΣ ΔΗΜΗΤΡΗΣ
  • Business Name: ΣΠΥΡΟΣ ΛΑΜΠΟΣ ΔΗΜΗΤΡΗΣ
  • Address: ΘΕΣΗ ΦΛΟΚΑ 0 - ΖΑΚΥΝΘΟΣ, 29100, Greece
  • ΑΦΜ: 136394810
  • Email: hi@bookandexplore.co
  • Phone: +30 6947490427

3. What Data We Collect

We collect and process the following categories of personal data:

3.1 Customers (Guests)

When you make a booking, we collect:

  • First and last name
  • Email address
  • Phone number
  • Booking details (dates, times, service selected, quantity, price)
  • Any notes or special requests you provide

Note: You do not need to create an account to make a booking. We do not store passwords or login credentials for customers.

3.2 Providers

When we onboard a service provider, we collect:

  • For individuals: first name, last name, VAT number (ΑΦΜ), personal email, personal phone, ID card number
  • For companies: legal name, trade name, registration number, VAT number (ΑΦΜ), company email, company phone
  • Representative contact details (name, email, phone, title)
  • Business address (country, region, city, street address, postal code)
  • Business description and website
  • Uploaded documents (business licenses, insurance policies, certificates)

Banking data: Provider payout details (IBAN, bank name) are collected and stored directly by Stripe through the Stripe Connect Express onboarding process. We do not store provider bank account details in our own database.

3.3 Payment Data

Payment processing is handled by Stripe. We do not store full credit card numbers. We receive from Stripe:

  • Payment intent ID, charge ID, and transfer ID
  • Transaction amount and currency (EUR)
  • Payment status (succeeded, failed, refunded, etc.)
  • Card country and inferred customer currency (for record-keeping only)

3.4 Google Calendar Data (Providers Only)

If a provider connects their Google Calendar for availability sync:

  • Google user ID and email
  • Calendar IDs and event data related to bookings
  • OAuth access and refresh tokens (encrypted at rest)

3.5 Technical & Log Data

  • IP address (for rate limiting and security)
  • Browser type and version
  • Pages visited and interaction timestamps
  • Error logs and failed booking attempt records

4. How We Use Your Data

We use personal data for the following purposes:

  • To process bookings: Creating and managing reservations, sending confirmation emails
  • To process payments: Charging customers, transferring funds to providers, handling refunds
  • To communicate: Booking confirmations, reminders, updates, and support responses
  • To onboard providers: Verifying identity, setting up Stripe Connect accounts, enabling calendar sync
  • To comply with legal obligations: Tax reporting to AADE/myDATA, invoicing, accounting records
  • To ensure security: Fraud prevention, rate limiting, dispute handling
  • To improve our service: Analyzing usage patterns and fixing errors

5. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

  • Contract performance: Processing necessary to fulfill your booking or provider agreement
  • Legal obligation: Tax compliance, invoicing, and regulatory reporting to Greek authorities
  • Legitimate interests: Fraud prevention, platform security, and dispute resolution
  • Consent: For optional features like Google Calendar sync (providers can disconnect anytime)

6. Cookies & Local Storage

We use a single, strictly necessary temporary cookie and localStorage entry during the provider onboarding process. These store the provider ID so we can maintain state across the multi-step onboarding form. They are deleted immediately upon completion of onboarding or when the browser session ends. We do not use tracking cookies, advertising cookies, or analytics cookies at this time.

7. Third-Party Services

We share data with the following trusted third-party services solely for operational purposes:

  • Stripe, Inc. — Payment processing, provider payouts, and fraud detection
  • Google LLC — Authentication (Google Sign-In) and calendar synchronization
  • Vercel, Inc. — Website hosting and infrastructure
  • Neon, Inc. — Cloud database hosting
  • Upstash, Inc. — Redis caching and rate limiting
  • Inngest, Inc. — Background job processing (emails, payouts, invoicing)
  • UploadThing — File and image storage
  • Resend, Inc. — Transactional email delivery
  • AADE / myDATA (Greek Tax Authority) — Invoice submission and tax compliance

All third-party providers are bound by data processing agreements and comply with GDPR. We do not sell or rent your personal data to any third party.

8. Data Retention

We retain personal data for the following periods:

  • Booking and payment records: 5 years (Greek tax and accounting requirements, per ΚΦΔ)
  • Customer contact details: 2 years after last booking, unless you request deletion earlier
  • Provider data: Duration of the provider relationship plus 5 years for tax compliance
  • Google Calendar tokens: Until the provider disconnects their calendar or deletes their account
  • Failed booking attempts: 90 days for debugging, then automatically deleted
  • Server logs: 30 days

9. Data Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS/HTTPS), encrypted database storage, access controls, and regular security audits. Provider Google Calendar tokens are encrypted at the application layer before storage.

10. Your Rights (GDPR)

Under GDPR, you have the following rights:

  • Right to access: Request a copy of your personal data
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure (“right to be forgotten”): Request deletion of your data, subject to legal retention requirements
  • Right to restrict processing: Limit how we use your data
  • Right to data portability: Receive your data in a structured format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent for optional processing (e.g., Google Calendar sync)

To exercise any of these rights, contact us at hi@bookandexplore.co. We will respond within 30 days.

11. International Transfers

Some of our third-party providers (Stripe, Google, Vercel, Resend) are based outside the EEA. All transfers are protected by Standard Contractual Clauses (SCCs) or adequacy decisions approved by the European Commission, ensuring GDPR-compliant data protection.

12. Children’s Privacy

Our platform is not intended for children under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. For significant changes, we will notify you by email or through a prominent notice on our website.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

  • Email: hi@bookandexplore.co
  • Phone: +30 6947490427
  • Address: ΘΕΣΗ ΦΛΟΚΑ 0 - ΖΑΚΥΝΘΟΣ, 29100, Greece