​Last updated: June 30, 2025

 

1. ABOUT THIS POLICY

This Privacy Policy explains how Mystakidis Tours LLC ("we," "us," or "our") collects, uses, and protects your personal information when you use our website at https://www.mystakidistours.com or our services.

• Data Controller: Mystakidis Tours LLC

• Address: 30 N Gould St Ste N, Sheridan, WY 82801, USA

• Phone: +1 (646) 475-7994

• Email: privacy@mystakidistours.com

2. INFORMATION WE COLLECT

Personal Information You Provide

• Identity Information: Full name, date of birth, passport/ID details, nationality

• Contact Information: Email address, phone number, mailing address, preferred language

• Travel Information: Destination preferences, travel dates, group size, special requirements

• Payment Information: Billing address, payment method details (processed securely by our payment processors)

• Special Categories: Health conditions, dietary restrictions, religious preferences, mobility needs (with your explicit consent)

Information Collected Automatically

• Device Information: IP address, browser type and version, operating system

• Usage Data: Pages visited, time spent on site, referring websites, clickstream data

• Location Data: General location based on IP address

• Cookies and Tracking: See Section 8 for detailed information

Information from Third Parties

• Travel suppliers (airlines, hotels) may share booking confirmations and service updates

• Payment processors provide transaction confirmations

• Social media platforms if you interact with our social content

3. HOW WE USE YOUR INFORMATION

Legal Bases for Processing (GDPR Article 6)

• Contract Performance (Article 6(1)(b))

• Processing booking requests and travel arrangements

• Issuing travel documents and confirmations

• Coordinating with travel suppliers

• Providing customer support

• Legal Obligation (Article 6(1)(c))

• Tax and accounting compliance

• Regulatory reporting requirements

• Anti‑money laundering checks

• Legitimate Interest (Article 6(1)(f))

• Website analytics and improvement

• Fraud prevention and security

• Business communications

• Service personalization

• Consent (Article 6(1)(a))

• Marketing communications

• Non‑essential cookies

• Personalized advertising

• Special Category Data (Article 9(2)(a))

• Health, dietary, and religious information (explicit consent only)

Specific Uses

• Travel Services: Arrange flights, accommodations, tours, and related services

• Communication: Send booking confirmations, travel updates, and support messages

• Marketing: Share travel offers, newsletters, and promotional content (with consent)

• Analytics: Understand website usage and improve our services

• Legal Compliance: Meet regulatory and tax obligations

4. INFORMATION SHARING AND DISCLOSURE

Travel Service Providers

• Airlines: Passenger names, passport details, contact information for bookings and manifests

• Hotels: Guest names, arrival/departure dates, room preferences, special requests

• Tour Operators: Participant details, emergency contacts, dietary/mobility requirements

• Insurance Providers: Coverage details and claim‑related information

• Ground Transportation: Pickup details, passenger counts, special needs

Service Providers

• Web Hosting: Site operation and maintenance

• Email Services: Communication delivery and management

• Payment Processors: Secure transaction processing (PCI‑DSS compliant)

• CRM Systems: Customer relationship management

• Analytics Partners: Google Analytics 4 (IP anonymized), Adobe Analytics

Marketing Partners (with consent)

• Google Ads: Conversion tracking and remarketing

• Meta/Facebook: Custom audiences and lookalike targeting

• Email Marketing: Campaign delivery and performance tracking

Legal Requirements

• Court orders or legal proceedings

• Government investigations

• Border control and immigration authorities

• Tax and regulatory compliance

Business Transfers

In case of merger, acquisition, or asset sale, your information may transfer to the new entity under equivalent privacy protections.

5. INTERNATIONAL DATA TRANSFERS

Some of our travel suppliers and service providers are located outside the European Economic Area (EEA), including:

• Israel and Jordan: Hotel and tour operators

• United States: Cloud hosting and analytics services

Transfer Safeguards:

• EU Standard Contractual Clauses

• Adequacy decisions where available

• Article 49(1)(b) GDPR for contract performance

• Encryption in transit and at rest

6. DATA RETENTION

We retain personal information only for as long as necessary or required by law. Typical retention periods include:

• Booking records and invoices – 10 years (US and Greek tax requirements)

• Customer service correspondence – 3 years after last contact

• Marketing consents – Until withdrawal + 30 days

• Website analytics – 26 months, then aggregated

• SMS communications – 12 months

• Payment transaction logs – 7 years

7. DATA SECURITY

Technical Measures

• Encryption: HTTPS/TLS 1.3 for all data transmission

• Payment Security: PCI‑DSS compliant processors; no card data stored

• Access Controls: Role‑based permissions with multi‑factor authentication

• Infrastructure: Regular security updates and penetration testing

• Backups: Encrypted, geographically distributed backups

Organizational Measures

• Staff training on data protection

• Incident response procedures

• Regular security audits

• Data Processing Agreements with all processors

• 72‑hour breach notification procedures (GDPR Article 33)

8. COOKIES AND TRACKING TECHNOLOGIES

Essential Cookies (Always Active)

• XSRF‑TOKEN: Session security (session duration)

• session_id: User session management (24 hours)

• cart_contents: Shopping cart functionality (7 days)

Analytics Cookies (Opt‑in Required)

• _ga: Google Analytics visitor identification (2 years)

• _ga_*: Google Analytics 4 measurement (2 years)

• _gid: Google Analytics session identification (24 hours)

Marketing Cookies (Opt‑in Required)

• _fbp: Facebook Pixel browser identification (90 days)

• _gcl_au: Google Ads conversion tracking (90 days)

• NID: Google Ads personalization (6 months)

Functional Cookies (Optional)

• lang_pref: Language preference (6 months)

• currency_pref: Currency display preference (6 months)

Managing Cookies: Use our Cookie Settings panel or your browser settings to control cookie preferences.

9. YOUR PRIVACY RIGHTS

European Economic Area (EEA) and UK Residents

• Access: Obtain a copy of your personal data we hold

• Rectification: Correct inaccurate or incomplete information

• Erasure: Request deletion of your personal data ('right to be forgotten')

• Restriction: Limit how we process your data

• Portability: Receive your data in a machine‑readable format

• Objection: Object to processing based on legitimate interest

• Consent Withdrawal: Withdraw consent without affecting prior lawful processing

• Complaint: File complaints with supervisory authorities

Supervisory Authority: Hellenic Data Protection Authority (dpa.gr) or your local authority

California Residents (CPRA)

• Know: What personal information we collect, use, and disclose

• Delete: Request deletion of your personal information

• Correct: Request correction of inaccurate personal information

• Opt‑out: Opt out of 'sale' or 'sharing' of personal information (we do not sell data)

• Limit: Limit use of sensitive personal information

• Non‑discrimination: Equal service regardless of privacy choices

Other US States

Residents of Virginia, Colorado, Connecticut, and Utah have similar rights under their respective state privacy laws.

Exercising Rights:

• Email: privacy@mystakidistours.com

• Phone: +1 (646) 475‑7994

• Response Time: 30 days (60 days for complex requests)

• Verification: We may require identity verification for security

10. MARKETING COMMUNICATIONS

Email Marketing

• Opt‑in: Required for promotional emails

• Unsubscribe: Click unsubscribe in any marketing email

• Content: Travel offers, destination guides, company updates

SMS Marketing

• Opt‑in: Required with explicit consent

• Opt‑out: Reply STOP to any message

• Help: Reply HELP for assistance

Personalized Advertising

• Retargeting: Show relevant ads based on website visits

• Custom Audiences: Match your information with social platforms

• Opt‑out: Use cookie settings or platform ad preferences

11. CHILDREN'S PRIVACY

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we discover we have collected such information without parental consent, we will delete it promptly.

12. AUTOMATED DECISION‑MAKING

We do not use automated decision‑making or profiling that significantly affects you. Any automated processing (such as fraud detection) includes human oversight and the right to request manual review.

13. THIRD‑PARTY LINKS

Our website may contain links to airlines, hotels, social media, and other third‑party websites. We are not responsible for their privacy practices. Please review their privacy policies before providing personal information.

14. DATA BREACH PROCEDURES

• Assess the risk to your rights and freedoms

• Notify supervisory authorities within 72 hours if required

• Inform affected individuals without undue delay for high‑risk breaches

• Take immediate steps to contain and remedy the breach

15. POLICY UPDATES

• Post the revised version on our website

• Update the 'Last updated' date

• Notify you of material changes via email or website banner

• Provide 30 days' notice for significant changes

16. CONTACT INFORMATION

• Privacy Officer: Mystakidis Tours LLC

• Email: privacy@mystakidistours.com

• Phone: +1 (646) 475‑7994

• Address: 30 N Gould St Ste N, Sheridan, WY 82801, USA

• Data Subject Requests: privacy@mystakidistours.com

• Marketing Opt‑out: unsubscribe@mystakidistours.com

• Security Issues: security@mystakidistours.com​
  
  © 2025 Mystakidis Tours LLC. All rights reserved.