
Privacy Policy

ΥΓΡΟΣ ΣΤΙΒΟΣ ΡΟΔΟΥ — Swimming Rhodes

Last updated: 30 April 2025

1. Who We Are

ΥΓΡΟΣ ΣΤΙΒΟΣ ΡΟΔΟΥ (trading as "Swimming Rhodes") is a swimming club and school based in Rhodes, Greece, operating at two facilities:

  • Apollo Beach Hotel, Λεωφόρος Καλλιθέας, Φαληράκι 85132, Rhodes
  • Republica, Λεωφόρος Ηρακλειδών 105, Ιαλυσός 85101, Rhodes

We operate the website https://swimmingrhodes.gr (the "Site"), which serves as a promotional platform for our swimming programs, an online shop ("eShop") for swimming equipment and merchandise, and a portal for accessing premium educational content such as seminars and training videos ("Promotional Content").

Data Controller: ΥΓΡΟΣ ΣΤΙΒΟΣ ΡΟΔΟΥ
Contact: info@swimmingrhodes.gr

2. Who This Policy Applies To

This Privacy Policy applies to adult users (18 years of age or older) who create an account on this website. Accounts on this Site are reserved for adults. We do not collect personal credentials or account data from individuals under the age of 18 through this website.

Parents and guardians who manage accounts on behalf of their family do so in their own name; the personal data processed is that of the adult account holder only.

3. Data We Collect

We limit data collection to what is strictly necessary:

3.1 Account Data

  • Email address — provided when you sign in. Used for authentication (passwordless magic link) and transactional communications (order confirmations, account notices).
  • Consent timestamp — the date and time you accepted this Privacy Policy, stored as required by GDPR Article 7(1).

3.2 Purchase Data (eShop)

  • Order records — items purchased, amounts, and timestamps.
  • Delivery details — name and shipping address, if you choose to have physical goods delivered. This information is provided by you at checkout and is not stored beyond the period required by Greek tax law.
  • Payment data — we do not store payment card details. Payments are handled entirely by our payment processor (Stripe), which is PCI-DSS compliant and has its own privacy policy.

3.3 Promotional Content Access

  • A record of which seminars or premium content items you have purchased or been granted access to, so we can display the correct content to you when you log in.

3.4 Technical Data

  • Standard server logs (IP address, browser type, pages visited) retained for security and abuse-prevention purposes only. These are not used for profiling or marketing.

4. Legal Basis for Processing

We process your personal data on the following legal grounds under GDPR:

  • Consent — Art. 6(1)(a): When you create an account, you explicitly consent to us processing your email address for authentication and account management. You may withdraw this consent at any time (see Section 7).
  • Contract performance — Art. 6(1)(b): Processing your order and delivery details is necessary to fulfil eShop purchases and to grant access to Promotional Content you have paid for.
  • Legal obligation — Art. 6(1)(c): We retain financial records (order amounts, invoice data) for the period required by Greek tax law (currently five years under Law 4308/2014).
  • Legitimate interests — Art. 6(1)(f): Maintaining security logs to protect our systems and users from unauthorised access or abuse.

5. How We Use Your Data

  • Sending you a magic-link email to authenticate you securely (no password)
  • Processing and fulfilling eShop orders
  • Granting and managing access to Promotional Content you have purchased
  • Sending transactional emails (order confirmations, access notifications)
  • Complying with legal and tax obligations
  • Protecting the security and integrity of the Site

We do not use your data for advertising, profiling, automated decision-making, or any purpose not listed above.

6. Data Sharing & Sub-processors

We do not sell or rent your personal data. We share it only with the following trusted service providers ("sub-processors") who process data on our behalf under written data processing agreements:

Provider | Purpose | Data location
Vercel | Website hosting & CDN | EU / USA (standard contractual clauses)
Supabase | Database & authentication | EU — Frankfurt (AWS eu-central-1)
Resend | Transactional email (magic links, receipts) | EU / USA (standard contractual clauses)
Stripe | Payment processing | EU / USA (standard contractual clauses)

Transfers outside the EEA rely on the European Commission's Standard Contractual Clauses (SCCs) to ensure an adequate level of data protection.

7. Data Retention

  • Account data (email, consent record): retained for as long as your account is active. When you delete your account, this data is permanently erased within 30 days.
  • Order & financial records: retained for 5 years from the date of purchase, as required by Greek tax law (Law 4308/2014).
  • Security logs: retained for a maximum of 90 days, then deleted.

8. Your Rights (GDPR)

As a data subject, you have the following rights:

  • Right of access (Art. 15): receive a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): have inaccurate data corrected.
  • Right to erasure (Art. 17): request deletion of your account and personal data, subject to our legal retention obligations.
  • Right to restriction (Art. 18): ask us to pause processing while a dispute is resolved.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time; this will close your account but will not affect processing carried out before withdrawal.
  • Right to object (Art. 21): object to processing based on legitimate interests.
  • Right to lodge a complaint: you may contact the Hellenic Data Protection Authority (ΑΠΔΠΧ / HDPA) at www.dpa.gr, Kifissias 1–3, 115 23 Athens, Tel: +30 210 6475600.

To exercise any of the above rights, email us at info@swimmingrhodes.gr. We will respond within 30 days.

9. Cookies & Session Data

We use only strictly necessary cookies to maintain your authenticated session while you are logged in. We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.

Because we use only strictly necessary cookies, we do not require a cookie consent banner under the ePrivacy Directive. If this changes, we will update this section and inform registered users.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • TLS encryption for all data in transit
  • Encryption at rest on our database infrastructure
  • Passwordless authentication (no passwords to steal or leak)
  • Row-Level Security (RLS) in our database — users can only access their own data
  • Regular review of access controls and third-party service provider security practices

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users by email of any material changes at least 14 days before they take effect. The date at the top of this page always reflects the most recent update.

12. Contact

For any questions about this Privacy Policy or your personal data:

  • Email: info@swimmingrhodes.gr
  • Post: ΥΓΡΟΣ ΣΤΙΒΟΣ ΡΟΔΟΥ, Apollo Beach Hotel, Λεωφόρος Καλλιθέας, Φαληράκι 85132, Rhodes, Greece