Privacy Statement

Introduction

At DK Hospitality (hereinafter “DK Hospitality”, “we”, “our” or “us”), we respect the protection of your privacy and the personal data you disclose to us or that we otherwise collect through the smartphone application “Lobby Concierge” (hereinafter the “App”), or otherwise collected during your interactions with us. For this reason, and in the spirit of transparency required by applicable law, we have posted this Privacy Statement (hereinafter the “Statement”), where you will find all necessary information regarding your personal data that we collect, the manner in which we collect and process it, the purposes of processing, the measures we take to protect it, as well as your rights in relation to your personal data.

This Statement forms a single text together with the Terms of Service of the App, which together govern your use of the App and of our services.

For the purposes of this Statement, “personal data” means any information by which a natural person can be identified directly or indirectly, including, indicatively, name, residential address, email address, telephone number, as well as any other information associated with that person and falling within the definition of “personal data,” in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Law 4624/2019, as applicable, and any other relevant law or regulation.

Data Controller

The controller of your personal data, as defined in the GDPR, is:

• DK Hospitality P.C.
• Company no. 192322803000
• Pefkon 54 str., 14562, Kifissia
• Greece

You may contact the controller at any time on matters relating to the processing of your personal data by sending an email to: [email protected]

Minors

The App is not intended for use by minors. Therefore, we never knowingly collect personal data of minors under the age of 15, without the consent of their parent or guardian. If, however, you are a parent or guardian of a child under 15 years of age and you are concerned that your child may have provided us with personal data, please contact us.

Data Subjects

The personal information we collect and process concerns the following categories of data subjects:

• Users browsing the App
• Users who sign-up to the App in order to access the services provided;
• Customers to whom we provide our intermediary, booking and concierge services.

(hereinafter collectively “data subjects” or “Users”).

Categories of Personal Data

The personal data we process, or may process, in the case of individual Users includes:

• Full name
• Email
• Mobile phone number
• Travel documentation (passport, ID)
• Photos
• User account data, booking and preferences
• Browsing data
• User device identifiers and information

No processing of special categories of personal data is carried out in the App, or in the provision of our services in general.

How We Collect Your Data

As a rule, you provide your personal data yourself in order to sign-up on the App and use our services.

Additionally, we collect information about you as it arises from your use of the App, from our communications and interactions and from the provision of our services to you.

Purposes and Legal Bases of Processing

We will use your personal information for the following indicative purposes and under the corresponding legal bases (as outlined below):

• Creation of your account on the App and verification of the details you provide. — Performance of contract (Article 6 par. 1b GDPR)
• Provision of our services to you, such as the suggestion of options matching your preferences, the booking of the ones you choose and the provision of support throughout the process. — Performance of contract (Article 6 par. 1b GDPR)
• Management, execution, and processing of your payments. — Performance of contract (Article 6 par. 1b GDPR)
• Ensuring the security of transactions carried out on the App. — Legitimate interest (Article 6 par. 1f GDPR)
• Receiving and handling of your requests or complaints. — Legitimate interest (Article 6 par. 1f GDPR)
• Sending you commercial/promotional communications regarding our or third-party services and offers. — Consent (Article 6 par. 1a GDPR)
• Understanding and analyzing the results of our advertisements and promotional activities. — Legitimate interest (Article 6 par. 1f GDPR)
• Improvement of the App and of our services provided to you. — Legitimate interest (Article 6 par. 1f GDPR)
• Fulfillment of your rights in relation to your personal data. — Legal obligation (Article 6 par. 1c GDPR)
• Protection of the App from unlawful activities. — Legitimate interest (Article 6 par. 1f GDPR)
• Protection of our and/or of third-party rights and assets. — Legitimate interest (Article 6 par. 1f GDPR)
• Compliance with our legal obligations. — Legal obligation (Article 6 par. 1c GDPR)

Sharing with Third Parties

We may share your personal information with any of our employees, officers, or representatives, as well as with any subsidiary or affiliated company, as required for the purposes described in this Statement.

We never sell, disclose to third parties, or otherwise exploit for our own benefit the personal data you provide. However, we may disclose some of your personal data to third parties for specific legitimate purposes, such as:

• Hosting service providers
• Email service providers
• Analytics providers
• Marketing and e-commerce providers
• Advertising service providers
• Electronic payment processing providers
• Hosts, venues and other providers of the services that you book
• Technical, financial, and legal advisors
• Tax, police, prosecutorial, and other public authorities and services

In these cases, where third-party recipients act either as processors on our behalf, as joint controllers, or as independent controllers, we ensure, to the extent possible and within our responsibility as data controller, that they will maintain confidentiality regarding your personal data we share, adopt appropriate security measures, refrain from further disclosure, and comply with data protection legislation. In no case do we assume responsibility for any unlawful use or processing of your personal data by the above entities, which falls outside our responsibility, as defined by applicable law.

International Transfers

As a rule, we do not disclose your personal data to third parties located in countries without data protection legislation equivalent to that applicable within the European Economic Area (EEA). However, should such a transfer become necessary, we will take every possible measure, in accordance with relevant legislation and European Commission decisions, to ensure that your data is adequately protected.

Specifically, for the processing of your payments, we use the service Stripe, provided by Stripe, Inc., headquartered in the United States (510 Townsend Street, San Francisco, CA 94103, USA).

When making a payment through Stripe, certain personal data (such as payment details, IP address, technical information, and other related data) may be transferred and processed outside the EEA, including in the United States.

Stripe is certified under the EU-U.S. Data Privacy Framework (DPF), which is recognized by the European Commission as providing an adequate level of protection for personal data transfers to the U.S. More information can be found on Stripe’s page: https://stripe.com/privacy.

Data Retention

We will store and retain your personal data for as long as necessary to fulfill the purpose for which we collected and process it. For example, if you delete your DK Hospitality account, we will generally delete all your personal data we hold within a reasonable period.

However, we may retain certain personal data for a longer period if required to pursue legal claims or as imposed by applicable law (e.g., tax legislation).

Data Security

At DK Hospitality we implement appropriate technical and organizational measures to ensure the required level of security of your personal data against risks such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and any other form of unlawful processing.

For your safe browsing on the App and for the security of your transactions, DK Hospitality takes all appropriate measures, adopting high-quality modern security standards in line with market trends, such as high-level SSL (Secure Sockets Layer) encryption. Regarding storage, your personal data is kept in secure, encrypted media, with access restricted only to authorized DK Hospitality personnel or processors with sufficient guarantees.

With respect to payment security and integrity, all payments made through the App are conducted in partnership with reliable, licensed providers.

You understand and accept, however, that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data transmitted online. We do not assume responsibility and disclaim, to the maximum extent permitted by law, liability for damage caused by loss, misuse, or unauthorized access, disclosure, alteration, or destruction of your personal data, and we recommend you take all necessary precautions (e.g., secure browser settings, updated antivirus, effective firewall, avoiding doubtful software, strong passwords not shared with others).

Third-Party Websites

The App may contain hyperlinks to other websites, applications, or social media profiles. This Statement does not apply to your access to or browsing of such third-party websites or media. Please consult their privacy policies for details on how they handle your personal data.

We bear no responsibility for any unlawful use of your personal data connected with your access to or browsing of third-party websites to which the App may redirect you, as these are under the responsibility of the respective data controllers. Access to such websites and applications is solely at your own risk.

Commercial/Promotional Communication

We offer you the option, if you so wish, to receive advertising and/or informational communication (newsletter) to your email address regarding our services and offers. If you have already used our services, we may send you such promotional communication without your prior consent, in accordance with applicable law. Otherwise, your explicit consent will be requested before sending such communication.

In any case, you have the right at any time to request discontinuation of such communication by clicking the “unsubscribe” button at the end of each newsletter, or by contacting us at [email protected] with the subject line “NEWSLETTER UNSUBSCRIBE”.

Your Rights

Depending on the purpose and legal basis of processing, you may have some or all of the following rights in relation to your personal data:

• The right to request access to your personal data;
• The right to rectify any inaccurate or incomplete personal data;
• The right to request a copy of your personal data in electronic form, so you can transmit it to third parties, or request DK Hospitality to transfer it directly to one or more third parties;
• The right to object to the processing of your personal data;
• The right to erasure of your personal data when its retention is no longer required for the purposes for which it was collected;
• The right to restrict processing of your personal data where deletion is not possible;
• The right to withdraw your consent at any time, where it has been given, provided no other lawful basis exists for continuing processing.

To exercise any of the above rights or to request further information, please contact us at [email protected] Generally, your request will be satisfied within one (1) month of receipt, unless particular difficulties arise, in which case we will inform you accordingly.

If you believe that our processing of your personal data does not comply with applicable law, you have the right to lodge a complaint with the competent supervisory authority:

• Hellenic Data Protection Authority
• Kifisias 1-3, 115 23 Athens
• Tel.: +30 210 6475600
• https://www.dpa.gr/

Severability

If any provision of this Statement is deemed unlawful, invalid, or unenforceable, that provision shall be enforceable to the maximum extent permitted by applicable law, and the invalid part shall be considered not to form part of this Statement. Such characterization shall not affect the validity and enforceability of the remaining provisions.

Governing Law and Jurisdiction

This Statement is governed by Greek law, as shaped in accordance with the GDPR and the applicable national and European legislative and regulatory framework on data protection. Any disputes arising hereunder shall be resolved by the competent Courts of Athens.

Amendments

We reserve the right to revise this Statement at any time. For this reason, we encourage you to periodically visit this page to remain informed. The date on which this Statement was last revised is located at the top of this page.