Legal
Privacy Policy
Last updated: 1 April 2018
This Privacy Policy sets out how the Company collects, stores and uses information about you when you use or interact with our website, and where we otherwise obtain or collect information about you.
The short version
- We collect what you give us when you enquire or book (name, contact details, billing and payment information) plus the usual website data (IP address, cookies, device and usage information).
- We use it to handle your bookings and messages, run and improve the website, meet our legal obligations, and send marketing you have agreed to.
- We do not sell your information.
- AI systems help us with bookings, pricing, guest messages and documents, always under our instruction. A human stays responsible for decisions that affect you legally, and you can ask for human review at any time.
- We share it only with the service providers who keep the business running, where the law requires it, or to enforce our legal rights.
- You can ask to see, correct, delete or receive a copy of your information, object to how we use it, and opt out of marketing at any time.
This summary is here to help, but it is not the full picture. The complete sections below are what apply.
On this page
Who we are
Cyprus Villa Retreats is the trading name of Tripingo LTD (referred to in this policy as the Company, "we", "our" and "us"), a company registered in Cyprus.
- Registered address: Ulysses House, 67 Spyrou Araouzou Avenue, 3600 Limassol, Cyprus
- Company registration number: HE440838
- VAT number: 10440838L
- Email: [email protected]
- Phone: +44 20 4525 7287
This policy explains how the Company collects, stores and uses information about you when you use our website, and where we otherwise obtain or collect information about you. If you have any questions about it, please contact us using the details above.
The data controller in respect of our website is Guy Bullerwell.
The information we collect
Depending on how you use our website, we may collect:
- Your name and contact details
- Payment information, such as your credit or debit card details, when you book
- Your billing address
- Company or business name and VAT number, where applicable
- Your IP address and information from cookies
- Information about your computer or device, such as device and browser type
- Information about how you use our website, such as the pages you view, when you view them and what you click on
- The approximate geographical location you access our website from, based on your IP address
We collect this information in three ways:
- When you give it to us directly, for example by contacting us, booking a stay or signing up to our newsletter
- From your use of our website, using cookies and similar technologies
- Occasionally, from third parties
We do not sell your information to third parties, other than as part of a business sale, purchase or similar event (see section 10).
When you visit our website
Server logs
Our website server automatically logs your IP address along with other information about your visit: the pages you access, the information you request, the date and time of the request, the source of your visit (for example the website or link that referred you) and your browser version and operating system.
Security
Our hosting provider collects and stores server logs to keep the network, server and website secure: analysing log files helps identify and prevent unauthorised access, malicious code, denial of service attacks and other cyber attacks by detecting unusual or suspicious activity. Unless we are investigating suspicious or potentially criminal activity, neither we nor our hosting provider attempt to identify you from server log information.
Legal basisCompliance with a legal obligation (Article 6(1)(c) GDPR): we are required to take appropriate technical and organisational security measures. Also our and our hosting provider's legitimate interests (Article 6(1)(f) GDPR) in network and information security.
Improving our website
We use server log information to analyse how visitors interact with our website and its features, for example the number of visits and unique visitors, when and where visits happen, and which operating systems and browsers are used. We use this analysis to improve the content and structure of our website.
Legal basisOur legitimate interests (Article 6(1)(f) GDPR): improving our website for our visitors and understanding their preferences so the website better meets their needs.
Our website was hosted by Bluehost on servers located in the USA.
When you contact us
By email
When you email us, we collect your email address and anything else you include in the email, such as your name, telephone number and the information in any signature block.
By contact form
When you use our contact form, we collect your name, email address, IP address and the information you complete. If you do not provide the mandatory fields, the form cannot be submitted and we will not receive your enquiry. If you leave out optional fields such as a phone number, we simply will not be able to respond by that method.
By phone
When you call us, we collect your phone number and any information you give us during the conversation. We do not record phone calls.
By post
We collect any information you include in postal communications you send us.
Legal basisOur legitimate interests (Article 6(1)(f) GDPR): responding to enquiries and messages and keeping records of correspondence. Where your message relates to us providing you with services, or steps you ask us to take before entering a contract, the basis is performance of a contract (Article 6(1)(b) GDPR).
Messages you send us by email or via our forms were stored on our email and hosting providers' servers in the USA. Our email provider was Google and our hosting provider was Bluehost.
When you book and pay
Information you must provide
When you book a stay on our website, we collect your name, email address, billing address, and your company name and VAT number where applicable. Without this information you cannot book with us or enter into a contract with us.
Legal basisPerformance of a contract (Article 6(1)(b) GDPR): we need this information to establish who the contract is with and to fulfil our obligations, including sending you receipts and booking confirmations. Also compliance with a legal obligation (Article 6(1)(c) GDPR): we must issue invoices where you are VAT registered and keep accounting records of transactions.
Optional information
We also collect optional information, such as your phone number and how you heard about us, and we ask whether you would like to receive marketing communications. If you do not provide a phone number, we will not be able to contact you by phone.
Legal basisOur legitimate interests (Article 6(1)(f) GDPR): improving how we advertise and being able to contact you about your booking where necessary. For optional information you choose to give us, your consent (Article 6(1)(a) GDPR).
Processing your payment
Payments are processed by a third party payment processor via a payment gateway, which collects, uses and processes your information, including payment information, in accordance with its own privacy policy. Our payment processor was Stripe, located in the USA, and information relating to your payment was stored on its servers there.
Legal basisPerformance of a contract (Article 6(1)(b) GDPR): fulfilling your obligation to pay for the services you have booked.
Marketing and our newsletter
Our newsletter
When you sign up for our e-newsletter, or opt in to receive news, offers and information from us, we collect the information needed to contact you by your preferred method, along with your name and requirements.
Legal basisYour consent (Article 6(1)(a) GDPR): you consent by signing up. You can withdraw it at any time (see section 14).
Marketing about similar services
If you book with us, we may send you marketing about our services that are similar to those you booked, unless you opt out. You can opt out at any time by email.
Legal basisOur legitimate interests (Article 6(1)(f) GDPR): direct marketing of our own services.
Marketing you opt in to
Beyond that, we only send you marketing about our services if you opt in, which you can do by email, phone, post or via the forms on our website, including the booking and contact forms.
Legal basisYour consent (Article 6(1)(a) GDPR).
How marketing emails are measured
We use technologies such as web beacons (small graphic files) and Google Analytics in the emails we send, to measure delivery rates, open rates and click-through rates.
Our mailing list was administered by Mailchimp, and information you submitted when subscribing was stored on its servers in the USA.
How to stop marketing
- Click the unsubscribe link at the bottom of any marketing email we send you
- Email us asking us to stop, or include the words "OPT OUT"
Automated decisions, profiling and AI
We use automated decision making and profiling on our website. We do not consider that this has any legal effect on you or similarly significantly affects you. You have the right to object to it (see below).
Artificial intelligence (AI) systems
We use AI systems in parts of our business, and your personal data may be processed by them. Specifically, AI may be involved in:
- Booking operations and pricing: helping us manage reservations, availability and the pricing of stays
- Guest messaging: handling and routing your messages, including drafting AI-assisted replies that our team reviews and sends
- Document handling: reading, organising and generating booking-related documents such as confirmations and invoices
- Service improvement: analysing how our services are used so we can improve them
These systems process your data under our instruction and on our behalf only. We do not sell your data, and we do not allow it to be used to train third party AI models for other companies' purposes. A human remains responsible for any decision that has a legal or similarly significant effect on you, and you can ask at any time for a human to review anything an AI system has done with your information or any reply it has helped produce. Just contact us using the details in this policy.
Legal basisPerformance of a contract (Article 6(1)(b) GDPR) where AI assists in delivering your booking and related services. Our legitimate interests (Article 6(1)(f) GDPR) in running our business efficiently and improving our services.
Display advertising
We use cookies to automatically display advertisements for our services on other websites you visit, based on the fact that you have visited our website. The logic involved: automating this is more efficient than displaying advertisements manually. What it means for you: unless you have blocked the relevant cookies, they will recognise that you visited our website in order to show you advertisements, and will collect information about your online behaviour.
Web analytics
Our analytics service, Google Analytics, collects information such as your approximate location (from your IP address) and your behaviour on our website (from cookies), including the pages you visit and what you click on. We only process information from analytics cookies if you have consented to them. Once collected, the information is anonymised and stored on an aggregate basis. The logic involved: analysing visitor location, behaviour and devices helps us understand what visitors want, improve the website and market our services. We may target advertisements based on visitor interest and behaviour.
Marketing emails
We use web beacons in marketing emails to analyse who opens them and what they click on, so we can improve the content and effectiveness of our emails.
Legal basisOur legitimate interests (Article 6(1)(f) GDPR): helping you find the content you are interested in, and analysing the engagement and effectiveness of our marketing.
How to object
- Opt out of the relevant cookies using our cookie control tool or your browser settings
- For marketing email profiling: contact us by email, form or phone
- If you do not want us to process your actual IP address when you visit our website, you can use a Virtual Private Network (VPN) or a free service such as Tor
Information we receive from third parties
Generally, we do not receive information about you from third parties, although it is possible that third parties we have had no prior contact with may provide us with information about you. Information obtained this way will usually be your name and contact details, plus whatever else they provide to us.
Legal basisPerformance of a contract (Article 6(1)(b) GDPR) where the information is passed on so we can provide you with services. Your consent (Article 6(1)(a) GDPR) where you asked the third party to share your information with us. Our legitimate interests (Article 6(1)(f) GDPR) in other cases, for example performing our obligations under a sub-contract, or investigating a potential infringement of our legal rights.
If we receive information about you from a third party in error, or we have no legal basis for processing it, we will delete it.
Transfers outside the EEA
Your information will be transferred and stored outside the European Economic Area (EEA) in the circumstances set out below. We will also transfer your information outside the EEA where required to comply with legal obligations. Wherever we do so, we ensure appropriate safeguards and protections are in place.
- Server logs:stored on our hosting provider's servers in the USA
- Email and on-site forms:stored on our email provider's servers in the USA
- Newsletter sign-ups:stored on our mailing list provider's servers in the USA
- Google Analytics:your IP address and actions on our website, stored on Google's servers in the USA
The USA is not subject to an adequacy decision by the European Commission. The safeguard relied on at the time this policy was written was each provider's self-certified compliance with the EU-US Privacy Shield.
How long we keep your information
- Server logs: 30 days
- Booking and order information: six years following the end of the financial year in which you booked, in line with our legal obligation to keep records for tax purposes
- Correspondence and enquiries: as long as it takes to respond to and resolve your enquiry, and for several months afterwards, after which it is deleted
- Newsletter: for as long as you remain subscribed, or until we cancel the newsletter service, whichever comes first
In any other circumstances, we keep your information for no longer than necessary, taking into account: the purpose and use of the information now and in the future; any legal obligation or legal basis we have to continue processing it; how valuable it is; relevant agreed industry practice; the risk, cost and liability of continuing to hold it; how hard it is to keep it up to date and accurate; and any relevant surrounding circumstances, such as the nature of our relationship with you.
How we protect your information
We take appropriate technical and organisational measures to secure your information and protect it against unauthorised or unlawful use and accidental loss or destruction, including:
- Sharing and providing access to your information only to the minimum extent necessary, subject to confidentiality restrictions where appropriate, and anonymised wherever possible
- Storing your information on secure servers
- Verifying the identity of anyone who requests access to information before granting it
- Using SSL encryption for any information you submit via our forms and for payment transactions made on or via our website
- Transferring your information only via closed or encrypted systems
Transmission of information over the internet is never entirely secure. If you submit information to us over the internet, whether by email, via our website or any other means, you do so at your own risk, and we cannot be responsible for any loss or damage you suffer as a result of choosing to transmit information to us by such means.
Your rights
Subject to certain limitations, you have the following rights in relation to your information, which you can exercise by writing to us or emailing [email protected]:
- Access: to request access to your information and details of how we use and process it
- Correction: to have your information corrected or completed
- Deletion: to have your information deleted
- Restriction: to restrict our use of your information
- Portability: to receive the information you provided to us in a structured, commonly used, machine-readable format (such as a CSV file) and to have it transferred to another data controller
- Objection: to object to our processing of your information where we rely on a task in the public interest or our legitimate interests, including any profiling based on those grounds, and to object at any time to processing for direct marketing, including related profiling
- Withdrawing consent: to withdraw your consent at any time where we rely on it, without affecting the lawfulness of processing before withdrawal
- Automated decisions: not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you
You also have the right under Article 77 GDPR to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or the place of an alleged infringement. The previous policy named the UK Information Commissioner's Office (ICO) as the supervisory authority.
These rights are summarised here and certain limitations apply to many of them. Further detail is in Articles 12 to 22 and 34 GDPR.
Verifying your identity
Where you request access to your information, we are required by law to take all reasonable measures to verify your identity first, to protect your information and reduce the risk of identity fraud or unauthorised access. Where we hold appropriate information about you on file, we will attempt to verify you against it. If that is not possible, we may require original or certified copies of certain documents, and we will confirm exactly what we need when you make your request.
Sensitive information, children and Do Not Track
Sensitive personal information
Sensitive personal information is information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or is genetic or biometric data, or concerns health, sex life or sexual orientation. We do not knowingly or intentionally collect it, and you must not submit it to us. If you do transmit sensitive personal information to us, inadvertently or intentionally, you will be considered to have explicitly consented to us processing it under Article 9(2)(a) GDPR, and we will use and process it only for the purpose of deleting it.
Children's privacy
We comply with the Children's Online Privacy Protection Act of 1998 (COPPA). We do not knowingly contact or collect information from persons under the age of 18, and our website is not intended to solicit information of any kind from them. If we are notified that we have received information about a person under 18 through the fraud or deception of a third party, we will, where required by law, obtain the appropriate parental consent to use it or, failing that, delete it. To notify us, please email us.
California Do Not Track disclosure
"Do Not Track" is a privacy preference you can set in your web browser, which sends a message to websites requesting that they do not track you.
Changes to this policy
We update and amend this policy from time to time. For minor changes, we will update the policy with a new effective date, and our processing of your information will be governed by the new version from that date. For major changes, or where we intend to use your information for a new or different purpose than the one we collected it for, we will notify you by email where possible, or by posting a notice on our website, before the change takes effect, and where required we will obtain your prior consent.
Contact us
For anything related to this policy or your information:
- Email: [email protected]
- Phone: +44 20 4525 7287
- Post: Tripingo LTD, Ulysses House, 67 Spyrou Araouzou Avenue, 3600 Limassol, Cyprus
