Privacy Policy

Version: v2.0 · Last updated: 2026-05-09 · PDF / Print PL EN

This Privacy Policy explains what personal data CyprusBooker.com (the Service) collects, for what purpose, on what legal basis, who we share it with, how long we retain it and your rights under the General Data Protection Regulation (GDPR — EU Regulation 2016/679).

In short: we process data solely to deliver booking services for accommodation, villas, cars, activities and long-term rentals in Cyprus. Payments are handled by Stripe Connect (90/10 split — see §5). Your data is not sold to third parties.

1. Data controller

Cyprus Booker Ltd — Cyprus company, HE 412385.
Registered office: Cyprus Booker Ltd, Paphos, Cyprus (full address available on written request to legal@cyprusbooker.com).
VAT (CY): to be confirmed (registration in progress).
Privacy contact: privacy@cyprusbooker.com.
Data Protection Officer (DPO): not appointed (organization does not meet GDPR art. 37 criteria).

2. Data we collect

2.1. Customer account data

First name, last name, e-mail (link-verified), password (bcrypt hash — never plain).
Phone (optional), preferred language and currency.
IP address, User-Agent, session cookies.
Account creation date, last login, login history.

2.2. Social login (OAuth) data

Signing in via Google, Facebook (Meta) or LinkedIn we receive: OAuth identifier, e-mail, first/last name, avatar. Scope limited to openid email profile. You can disconnect OAuth at any time (see /data-deletion.php).

2.3. Partner account data

Company name, registration number, address, city.
VAT number.
Contact-person name, phone, e-mail.
Tourism licence numbers (Cyprus Deputy Ministry of Tourism), vehicle-rental licence (RTD), insurance policies.
Stripe Connect payout data (see §5).

2.4. Booking data

Stay / rental dates, number of guests / passengers, selected offering.
Lead guest's name and other guests' names (if required by the Partner).
Billing address (if VAT invoice elected).
Special requests.
For car rental: driving licence number (passed to Partner for verification).
Status, change history, correspondence.

2.5. Payment data

Payments are processed by Stripe (Stripe Payments Europe Ltd., Ireland) and optionally PayPal (Luxembourg). We do NOT store full card numbers (PCI DSS Level 1). We receive: last 4 digits, card type, issuing country, Stripe/PayPal transaction ID, payment status.

2.6. Technical data (logs)

IP address, User-Agent, request timestamp.
URL, HTTP status, referrer.
Security logs: failed login attempts, suspicious events, session IDs.

2.7. Analytics data

Anonymous Service-usage data (pages, time, device). Details in Cookies (§10).

3. Purposes & legal basis (GDPR)

Purpose	Basis	Period
Booking services	Art. 6(1)(b) — contract performance	Term + 3 years
Payments (Stripe Connect)	Art. 6(1)(b) + 6(1)(c) tax	Min. 5 years
Login + persistent session (cookie)	Art. 6(1)(b)	90 days / 365 days "remember me"
OAuth (Google/Meta/LinkedIn)	Art. 6(1)(b) — at your request	Until OAuth disconnected
E-mail marketing	Art. 6(1)(a) — opt-in consent	Until consent withdrawn
Security, anti-fraud, reCAPTCHA	Art. 6(1)(f) — legitimate interest	12 months
Analytics	Art. 6(1)(f)	14 months (anonymised)
Legal obligations (accounting, AML, tax)	Art. 6(1)(c)	5–10 years

4. Recipients

Partners for your Bookings — minimal scope (name, dates, contact). Shared only after Booking confirmation.
Payment processors: Stripe Payments Europe Ltd. (IE), PayPal (Europe) S.à r.l. (LU).
OAuth providers (at your request): Google LLC, Meta Platforms Ireland Ltd., LinkedIn Ireland.
SMTP: OVH SAS (FR) — server book@cyprusbooker.com.
Hosting: OVH SAS — Strasbourg, FR.
Anti-bot: Google reCAPTCHA (Google Ireland Ltd.).
Maps: Google Maps Platform (Google Ireland Ltd.).
Public authorities — only where required by law.

We do not sell data to marketers.

5. Stripe Connect — payment data flow

We use Stripe Connect (destination charges) to automatically split payments 90% Partner / 10% CyprusBooker (see Terms §9). In this model:

Customer enters card details on a hosted Stripe form (Elements / Payment Sheet) — card data NEVER touches CyprusBooker servers.
CyprusBooker creates a PaymentIntent with application_fee_amount (10% of Total) and transfer_data[destination] (Partner's Stripe ID).
Stripe automatically routes 90% to the Partner's Stripe account; 10% stays on the CyprusBooker account.
Partner (as connected account) has its own relationship with Stripe — manages payouts, KYC, Stripe invoices.

Customer card data is processed only by Stripe (PCI DSS Level 1). CyprusBooker and the Partner see only: last 4 digits, card type (Visa/MC/Amex), issuing country, transaction ID.

Customer data passed to the Partner for a Booking: first/last name, e-mail, phone (if provided), dates, amount. Card number is NOT shared.

6. iCal calendar synchronisation

Partners may sync availability with other platforms (Booking.com, Airbnb, Vrbo) using iCalendar (.ics) files. From CyprusBooker:

Outbound calendar (export): we generate an .ics file per listing containing only BUSY/FREE markers with dates — no guest names, no amounts, no personal data. Just "this date is taken".
Inbound calendar (import): we poll an .ics file from another platform every 5–15 minutes and block matching dates in the Service. We import only date ranges; any personal fields are ignored.

This means guest personal data does not leak via iCal in either direction.

7. Non-EEA data transfers

Some providers (Google, Meta) operate in the USA. Transfer is based on:

European Commission decision of 10 July 2023 — EU–US Data Privacy Framework (Google and Meta are certified).
Standard contractual clauses (SCC) as a backstop.

8. Retention periods

Account: until deletion + 90 days (soft-delete).
Bookings, invoices: 5 years (CY/EU tax).
Sessions (cookies): 90 / 365 days "remember me".
Security logs (audit_log): 12 months.
Error logs: 30 days.
E-mail correspondence: 36 months from last contact.
Marketing: until consent withdrawn.

9. Your GDPR rights

Right of access (Art. 15) — copy within 30 days.
Right of rectification (Art. 16).
Right to erasure (Art. 17) — see instructions.
Right to restriction (Art. 18).
Right to data portability (Art. 20) — JSON export.
Right to object (Art. 21).
Right to withdraw consent.
Right to lodge a complaint: Cyprus Data Protection Commissioner; UK: ICO; Polish residents: UODO.

Requests: privacy@cyprusbooker.com. We respond within 30 days.

10. Cookies and similar technologies

Name	Purpose	Lifetime	Category
`PHPSESSID`	PHP session — needed for login, cart, CSRF.	Session	Necessary
`cyprusbooker_session`	"Remember me" — persistent session, HttpOnly+Secure+SameSite=Lax.	90 / 365 days	Necessary (after opt-in)
`cb_anon_favs`	Favourites for guests not signed in.	180 days	Functional
`cb_lang` / `cb_curr`	Language and currency.	365 days	Functional
`_ga`, `_ga_*`	Google Analytics — anonymised.	2 years	Analytics (opt-in)
reCAPTCHA	Bot protection (Google).	6 months	Necessary (security)

Disabling necessary cookies prevents login and bookings. Analytics and marketing cookies can be disabled in the consent banner or browser settings. We respect the DNT header.

11. Minors under 16

The Service is not directed at persons under 16. If your child shared data with us without your consent — write to privacy@cyprusbooker.com and we will delete it immediately.

12. Changes

Any material change is announced 30 days before taking effect — by e-mail, banner and in-account. The "Last updated" field shows the latest version date.

13. Contact / DPO

E-mail: privacy@cyprusbooker.com
Address: Cyprus Booker Ltd, Paphos, Cyprus (full address available on legal@cyprusbooker.com), Paphos, Cyprus.
DPO: not appointed (organization does not meet GDPR art. 37 criteria)

Privacy Policy v2.0, last updated: 2026-05-09. Available in PL and EN — in case of discrepancy the English version prevails.