Privacy policy

Last update: 13/07/2023

The company under the name FERRYHOPPER SA, having its registered office at 147 Thessalonikis street, 183 46, Moshato, Athens, Greece, with contact info +302102208496, and [email protected], acting as a data controller according to the definitions listed below (hereinafter referred to as “Ferryhopper”, “the Company”, “we”, “us”), ensures the secure processing of the personal data, being fully complied with the legal framework for the protection of personal data and in particular the General Regulation of Data Protection (EU) 2016/679 (“GDPR”), L. 4624/2019 and L. 3471/2006, as amended and apply.

Ferryhopper processes personal data as necessary to fulfill clear and lawful purposes, as described below. This Notice aims at informing the users of our website (hereinafter referred to as the “website” or the “online platform”) and our mobile application -iOSAndroid- (hereinafter referred to as the “application” or “app”) about the processing of their personal data.

A. Definitions

For the purposes of the present, the following terms have the following meaning according to the GDPR:

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Special categories of personal data” means personal data disclosing racial or ethnic origin, political views, religious or philosophical beliefs or trade union affiliation, as well as the processing of genetic data, biometric data, data relating to health or data relating to the sexual life of a natural person or sexual orientation.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Anonymization” means the processing of personal data in such a manner that the data can no longer be attributed to a specific natural person.

“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. For the purposes of the present, the Company acts as a Controller.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

“Data subject” means the natural person whose personal data are being processed.

“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Automated decision-making” means a decision based solely on automated processing, including profiling, which produces legal effects concerning a data subject or similarly significantly affects the data subject.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Applicable Legislation” means the applicable national and European legislation on the protection of personal data and particularly the GDPR, L. 4624/2019, L. 3471/2006, the case-law of the Court of Justice of the European Union, as well as decisions, guidelines, recommendations, opinions of the European Data Protection Board and the Hellenic Data Protection Authority (hereinafter “HDPA”).

Β. Processing of personal data through the website and the application

When you use our website and application (browsing, signing up/logging in, booking/ purchasing a ticket), we process the following personal data that are necessary for each lawful purpose pursued, such as to book a ticket or contact us. More particularly:

B1. When you browse on our website or use our application

1. Categories of personal data: Technical data, such as IP address, location, time zone, browser type and version, operating system, device and manufacturer name, device IMEI code, application version, visit information, browser/ usage programme and details.

Purposes(s): Operation of website and application, provision, test, improvement and update of the services and business via website and application, technical support of the users.

Legal basis: Processing is necessary for the purposes of the legal interests pursued by the Company (article 6 para 1f GDPR).

Retention time: Time necessary for the fulfillment of the purposes of processing, which cannot exceed seven (7) years.

Recipients: Web analytics providers, technical support providers.

2. Categories of personal data: Usage and advertisement data, such as visit data, visit duration, number of website views, navigation routes, information on time, frequency and pattern of services usage, reference source, sending of receiving of promotional material, user’s preference, user behavioural analysis within the platform or the application (such as recent history, usage frequency, frequency of purchasing similar services, user’s “clicks”, time on screen, source page via which the user visited our website or application).

Purposes(s): 1) Test, improvement and update of the services and business via website and application, 2) technical support of the users, 3) general statistics about the traffic and use of the website and application, 4) personalized information. If the data is retained for statistical purposes, the minimum necessary data is retained in pseudonymized form.

Legal basis: Processing is necessary for the purposes of the legal interests pursued by the Company (article 6 para 1f GDPR).

Retention time: Time necessary for the fulfillment of the purposes of processing, which cannot exceed seven (7) years.

Recipients: Web analytics, usability analytics, statistics analytics and technical support providers and advertising services providers.

B2. When you want to sign up or log in to our services via the website or the application

Categories of personal data: Sign up and login information, such as name, surname and email address.

Purposes(s): Processing of user’s request for registration/ login to the services provided via the website and application.

Legal basis: Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract (article 6 para 1b GDPR).

Retention time: By the time of deletion of the account.

Recipients: Web analytics and technical support providers.

B3. When you want to book and purchase a ticket

Categories of personal data: Booking, identification, payment and contact information, such as name, surname, booking number, password, in case you use our application upon registration or similar identifier via which you use the application as a guest (the term “user” refers both the registered user and the guest), date of birth, age, sex, passport or ID number, place of birth, nationality, expiration date of passport or ID, any discount voucher number (such as unique code of a Greek island resident or loyalty card number), address and name of hotel of stay (optional), telephone number, email address, invoice details, tax identification number, address, competent tax department. Only if you choose to save your bank card, we process pseudonymised information of your card with the only purpose being to provide better services during payment. Your bank card information is not stored by us but by the payment institution we partner with.

Purposes(s): 1) Processing of user’s request for ticket booking and purchase/ payment and for the communication about the booking, 2) We use some of the mentioned data (year of birth, age, sex, nationality) for statistical analysis for marketing purposes -the rest of the data is used pseudonymized for the same purpose, 3) We use your email and telephone number to inform you via electronic messages (email or Viber) about our services similar to those you have already purchased, provided you do not object to the relevant communication. You can object to such communication at any time by using the link at the bottom of each message we send you.

Legal basis: 1) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (article 6 para 1b GDPR), 2) Consent for the processing of pseudonymized data of the bank card (article 6 para 1a GDPR), 3) Processing is necessary for the purposes of the legal interests pursued by the Company (article 6 para 1f GDPR).

Retention time: By the time limitation period starts for the enforcement of any claims of the parties, except if specific legal provisions require retention of the data for a longer period.

Recipients: Business partners, such as ferry companies, technical or commercial supply providers, hotels, car rental companies, courier companies, depending on the service you choose payment institutions we partner with. Web analytics, commercial development-marketing services and technical support providers.

B4. When you sign up to receive our news

Categories of personal data: Data we collect when you sign up to our newsletter, such as email address.

Purposes(s): Sending of information and marketing material for the provided travel services.

Legal basis: Consent of the data subject (article 6 para 1a GDPR).

Retention time: By the time of withdrawal of consent.

Recipients: Web analytics, commercial development-marketing services and technical support providers.

B5. When you want to contact us

Categories of personal data: Νame, surname, email address, subject, booking number (optional), message content.

Purposes(s): Processing of user’s communication request.

Legal basis: Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract (article 6 para 1b GDPR).

Retention time: If a ticket is booked, the data is retained as described above. If there is only communication, the data is retained for seven (7) years from the last communication with you or from the time any legal claims were raised, except if specific laws require its retention for a longer period.

Recipients: Web analytics, commercial development-marketing services and technical support providers. In case of ticket booking, the additional business partners as described above.

B6. When you want to register or log in as an affiliate

Categories of personal data: Registration and login information of affiliates, such us username, email address, registration/ access password.

Purposes(s): Processing of affiliate’s request for registration/ access.

Legal basis: Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract or for the performance of the contract (article 6 para 1b GDPR).

Retention time: By the time of the deletion of the account, or by the time limitation period starts for the enforcement of any claims of the parties.

Recipients: Web analytics, commercial development-marketing services and technical support providers.

B7. When someone else is booking a ticket for you

If a ticket is booked by a third person, that third person must have proper authorization to share the data with the Company. Also, that person must take due care of the accuracy of this data for which this person is responsible and accountable. The Company has no means to cross check the third person’s personal data and cannot be held accountable for any inaccuracies.

B8. Processing of personal data of minors

Regarding browsing and use of our website and application, in principle we do not directly or indirectly process any personal data of minors. However, we may process personal data of minor fellow travelers while processing a request for booking/ purchasing a ticket. In such cases, the user that provides the minor’s personal data must be the minor’s guardian or act upon proper authorization. Αs it is impossible for us to cross-check and verify the age of people browsing or using our website and application as well as if people do have proper authorisaton to book a ticket for a minor, the users that provide the data of the minors must have proper authorization and take due care of the accuracy of the data.

We recommend that parents and guardians of minors contact us immediately if they notice any unauthorized disclosure of personal data of the minors for whom they are responsible. The user that provides minor’s data is solely responsible for the accuracy of this data, while the Company cannot be held responsible for this.

B9. Do we pursue “automated decision-making” when processing your personal data?

We inform you that we do not pursue any automated decision-making, including profiling, when processing your personal data, which you provide to us by using our website and application and the services provided therein.

B10. Do we transfer your personal data outside the European Economic Area (EEA)?

When your personal data is stored within the EEA, there is a high level of protection according to the Applicable Legislation. In principle, we do not transfer your personal data to third countries or international organizations, except if this is strictly necessary for lawful and clearly defined purposes and if one of the following conditions is met:

a) The European Commission has issued an adequacy decision for the third country to which the transfer is pursued (article 45 GDPR),

b) The data importer has offered the appropriate guarantees for the data transfer (article 46 GDPR),

c) For any specific situation outlined in article 49 of the GDPR, the conditions of one of the derogations are met.

B11. Your rights regarding your personal data

You have the following rights under the Applicable Legislation, the satisfaction of which depends on the fulfillment of the specific legal requirements each time:

a) Right of access to your personal data we retain;

b) Right to rectification of inaccurate or incomplete personal data;

c) Right to withdraw your consent if the legal basis of processing is consent;

d) Right to erasure your personal data;

e) Right to restrict processing;

f) Right to portability;

g) Right to object to processing.

You may exercise any of these rights or submit any query regarding the processing of your personal data by email to [email protected]. We commit that we will respond immediately to your request or query, and in any case within a month upon its receipt. This deadline may be extended for another two (2) months at the maximum. We will always inform you in writing of the progress of your request or extension of the deadline. If, for any reason, you find our response to your query or request insufficient, you may contact the HDPA.

B12. What happens when you visit third party websites or widgets through Feryhopper?

Our website includes third party links (e.g. Facebook, Instagram, Twitter, LinkedIn, Google Play, App Store, Recruitee), the use of which creates a digital fingerprint. For this digital fingerprint, we and the third party act as joint data controllers for the processing of your personal data, to the extent that each determines the purposes and means of processing. The processing of personal data by the Company is based on the fulfillment of purposes of legitimate interests (article 6f GDPR) which include the improvement the functionality of the website and the services provided therein as well as the analysis of the website traffic and the interoperability with affiliated applications. We do not join, control and are not responsible for any processing of personal data performed by the third parties from the time you start to use their websites, nor for its content and the data protection policy they implement. This notice does not concern nor apply to the websites of any third party. For more information about their data protection notice we recommend that you read their privacy/ data protection notices which are available on their websites.

C. Updates of this notice

This notice provides all necessary information according to articles 13 and 14 of the GDPR, and may be updated if there is any change, or if this is required by the Applicable Legislation. If necessary, we may inform you personally or by any other appropriate means for a specific amendment of this notice. In any case, we recommend that you always refer to the updated version of this notice for your information.