Transfer and taxi services in Santorini

Privacy Policy

1. Information on the data controller

«STONE TRAVEL», having its seat in Santorini, Greece registered in the General Commercial Registry (GEMI) with number 152735138000, takes your data protection rights and its legal obligations seriously.

 2. Personal data we collect about you and purposes of processing

Depending on the purpose for which we may need to process your data from time to time, we will process on a case-by-case basis certain categories of personal data, which will in general be as follows:

  • your basic identity data (for example your first and last name, etc.);
  • your contact details relating to the services that we provide (for example phone number, email address, etc.);
  • transactions information necessary for the provision of our services (for example, your payment or card data, information on the services you requested, etc.);
  • commercial information (for example, if you have subscribed to our newsletter),
  • information about your tastes and preferences; and

Remember that, when we ask you to fill in your personal data to afford you access to any functionality, we will mark certain fields as mandatory, since these are the minima that we need to be able to provide the service. Please take into account that, if you decide not to make such data available to us, you may be unable to complete your user registration or may not be able to enjoy those services.

2.1 Payment

You can pay for transfer rides hailed through us either in cash or by using the pay-by-app function (i.e. by credit card or Paypal). By entering your credit card and/or Paypal account details you will be able to pay for your ride without cash. We will then debit the amount to your specified means of payment. If your credit card details are provided, they will be transmitted directly to the payment service provider engaged by us via an encrypted connection and without any further disclosure of credit card information to us except for the last four digits of your credit card which are transmitted to us and in a pseudonymized form for security reasons. We store such pseudonymized information for the purposes of identification and verification.

In the context of payment, the following personal data will be processed in accordance with Article 6(1.)(b) GDPR for the performance of the contract:

First and last name, address, start and destination coordinates of your ride, country, language, email address, mobile phone number, credit card key, last four digits of the credit card number, the email address of your PayPal account if applicable, and information about your terminal equipment (device ID, etc.).

2.3 Fraud prevention and non-payment

Since «STONE TRAVEL» bears the risk of non-payment in the event that payments made by credit card or Paypal are not honored, an assessment of the risk of non-payment is made automatically using a software algorithm by a trust third party fraud scoring service, based on a number of personal information, payment means the use of the application and device data, so as to protect «STONE TRAVEL» legitimate interests in accordance with 6(1.)(f) of the GDPR.

For this purpose, the following personal data is processed:

First and last name, pick up and drop off addresses of a ride, mobile phone number, email address, payment mean, the last four of a card, the name on the card, expiration dates of the card, the card issuer, the email address of the PayPal account (if applicable), information about the terminal equipment (device type and ID, operating system etc.).

This personal data is not used or processed for any other purpose.

A specially trained employee of «STONE TRAVEL» periodically reviews the fraud scoring. Accordingly, the decision is not made fully automatically in such cases.

To protect you against overpaying for “transfer’’ rides or scheduled excrusions (tours), the driver’s mobile phone transmits GPS location data to us at short intervals during a ride, enabling us to map the entire journey. We do this because we want to ensure the driver does not extend the route intentionally to earn higher remuneration.

3. Disclosure of your personal data to drivers and other third parties

We disclose some of your personal data to the ‘’transfer’’ drivers or bus drivers.

To hail your bus, we need to share your location information with the bus driver that will provide his/her services to you. We request from drivers to use this information solely for the provision of the requested transportation service, and not to store this information for purposes beyond the service they provide. Please remember that this Privacy Policy applies only on the processing of personal data we collect from you.

When we disclose information to bus drivers, the usage and disclosure restrictions contained in this Privacy Policy will not apply to them. Although we encourage bus drivers to comply with the applicable data protection legislation, we do not control and are not responsible for any privacy practices, privacy policies or third party actions, including bus drivers. Any complaints or queries regarding the use of your personal data by the driver should be directed directly to the driver. Certain bus drivers may also operate their own websites. «STONE TRAVEL»  is not responsible for how drivers may independently collect and process your personal information through their own websites. For more information on how a driver may collect and process your personal data through his/her website, please refer to the respective website’s privacy policy.

Furthermore, in order to achieve the purposes described in this Privacy Policy, we may also disclose or grant access to your personal data to third parties that provide us with support in the services that we offer you, e.g.:

  • financial institutions,
  • anti-fraud detection and prevention entities,
  • technology service providers,
  • providers of customer support related services,
  • advertising and marketing related partners and service providers,

who assist us in providing the services we offer, processing transactions, fulfilling requests for information, receiving and sending communications, updating marketing lists, analyzing data, providing support services or performing other tasks, from time to time.

Your personal data will be accessible by «STONE TRAVEL» authorized personnel and service providers acting on our behalf,on a need-to-know basis.

For service efficiency purposes, some of these providers are located in territories outside the European Economic Area that do not offer a level of data protection comparable to that of the European Union.

We may also share your personal data with third parties in connection with the potential or actual sale of our company or any of our assets, or those of any associated company, in which case personal data held by us about our users may be one of the transferred assets.

We will also respond to requests for personal data where required by to do so by law, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, request from a regulator or any other legal process served on us.

4. Your rights

You have the following rights with respect to your personal data:

  • Right to withdraw consent – where applicable, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right of access, rectification, and erasure – you have the right to request access to any of your personal data that we may hold, to request correction of any inaccurate data relating to you and, under certain circumstances, to request the deletion of your personal data.
  • Right of data portability – Under certain conditions, you have the right to receive all such personal data which you have provided to us in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.
  • Right to restriction of processing – you have the right to restrict our processing of your personal data where:
    • you contest the accuracy of the personal data until we have taken sufficient steps to correct or verify its accuracy;
    • the processing is unlawful but you do not want us to erase the data;
    • we no longer need your personal data for the purposes of the processing, but you require such data for the establishment, exercise or defence of legal claims; or
    • you have objected to processing justified on legitimate interest grounds (see below) pending the verification as to whether we have overriding compelling legitimate grounds to continue the processing.

Where personal data is subject to restrictions in this way, we will only process it with your consent or for the establishment, exercise or defense of legal claims.

  • Right to object to the processing – provided that the conditions of the law are met, you have the right to object to the processing of your personal data. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms or where we need to process the data for the establishment, exercise or defense of legal claims.

You also have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes applicable law. In Greece that is the

Hellenic Data Protection Authority,

1-3 Kifissias Ave., 115 23 Athens, Greece

Phone: +30-210 6475600

Fax: +30-210 6475628


For further information regarding your rights, to exercise any of your rights, or if you have any questions regarding the processing of your personal data please contact

Please note that we may request proof of identity, and we reserve the right to charge a fee where permitted by law, for instance, if your request is manifestly unfounded or excessive. We will endeavor to respond to your request within all applicable timeframes.

5. Minimum Age

Protecting the safety and privacy of children is very important to us. We do not accept registrations submitted by, and will not knowingly collect or use personal data from anyone under the age of sixteen (16) years.  

6. Data security

«STONE TRAVEL» uses appropriate technical, physical, legal and organizational measures, which comply with data protection laws to keep your personal data secure.

As most of the personal data we hold is stored electronically we have implemented appropriate IT security measures to ensure this personal data is kept secure, including the use of strong encryption, access restriction and extensive logging and auditing functionality in our production systems. We have procedures in place at our premises to keep any hard copy records physically secure. We also train our staff regularly on data protection and information security.

When «STONE TRAVEL» engages a third party as a data processor (including our service providers) to collect or otherwise process personal data on our behalf, such processor will be selected carefully and required to use sufficient guarantees, in particular in terms of expert knowledge, reliability and resources as well as appropriate technical and organisational measures which will meet the requirements of the General Data Protection Regulation, including those referring to the security of processing.

Unfortunately, no data transmission over the Internet or any electronic data storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any personal data you might have sent to us has been compromised), please immediately notify us.

7. Retention period

We will retain your personal data for as long as is necessary for the purposes for which we collect it during the performance of our contract, always taking into consideration each time applicable statute of limitations.

For example:

  • where we hold your personal data to comply with a legal obligation (including your security and avoidance of fraudulent behavior), we will keep the information for at least as long as is required to comply with that obligation;
  • where we hold your personal data in order to provide you with a service we will keep the information for at least as long as we provide the service, and for a number of years thereafter, as appropriate.

We will retain your data for a period of five years after termination of the contractual relationship at your request or by us for cause (e.g. non-payment). Moreover, statutory provisions (e.g. retention periods under tax legislation) require that we retain data for six years and under conditions, up to twenty years.

8. Changes to the Privacy Policy

We review this Privacy Policy regularly and reserve the right to make changes at any time to take account of changes in our business activities, legal requirements, and the manner in which we process personal data.

9. Closed Circuit Television (CCT) equipment

For security reasons, “STONE TRAVEL” has installed and operates a security system, using surveillance and recording cameras and equipment for Indoor Closed Circuit Television (CCT) equipment.

Camera positions:

The positions of the cameras are: 4 in the office.

Installation License – Supplier – Maintenance

Recording cameras are on a continuous basis and retain data for a period not exceeding ten (10) days, beyond which they are automatically and permanently erased without recovery and the magnetic recording medium is recycled and newer data is recorded thereon. Only authorized security guards have access to cameras with password-controlled and classified access. Cameras are only used if a serious security incident occurs. According to the relevant ASCP directive, cameras generally record locations and do not record specific features and movements of specific persons and employees.

The recording system where the camera logs are stored is in a supervised area with graduated access.

The supplier company that provides the support of the security and logging system can only access the cameras and logs at our invitation to repair damage and always under the supervision of our authorized employee. Recorded data is not outside our company premises by any means and for any reason, except with the written order of the police authorities, to investigate unlawful acts or serious security incidents, for a specified period of time and always with the written permission of the Supervisory Committee. of the security system.

In accordance with the ASCPF guidelines for the use of cameras in public places, information signs have been posted at each monitored site. As long as foreign language visitors pass through the places under surveillance, the sign is also in English.