Privacy Policy

Last updated: 17 May 2026

This Privacy Notice for Cyprus Hiking ("we", "us", or "our") describes how and why we collect, store, use, and share your personal information when you use our services, including when you visit our website at https://cyprus-hiking.com, book a hiking trip, or send us an info request.

Questions or concerns? If you do not agree with our policies and practices, please do not use our services. If you have any questions, contact us at [email protected].

Summary

• What we collect: name, email, phone, passport number, dietary requirements, emergency contact, and free-form messages — only when you submit a booking or info-request form.
• Why: to confirm and run your hiking trip, to keep you safe on the trail, to comply with Cypriot tax law, and to prevent spam.
• Who else sees it: the payment processor (Stripe), the email service (Brevo), our hosting and database providers, and your trip guide. Nobody else.
• How long we keep it: booking records for 7 years (tax law); info-request messages for 12 months.
• Your rights: you can ask us to access, correct, or delete your data at any time by emailing [email protected].

Table of contents

1. What information do we collect?
2. How do we use your information?
3. Legal bases for processing
4. When and with whom do we share your information?
5. Third-party websites
6. Cookies
7. How long do we keep your information?
8. How do we keep your information safe?
9. Children and minors
10. Your privacy rights
11. Do-Not-Track signals
12. Updates to this notice
13. How to contact us

1. What information do we collect?

We collect only the personal information you voluntarily provide when you submit a booking or info-request form. Specifically:

• Full name
• Email address
• Phone number
• Passport number (booking form only — for trip safety records)
• Dietary requirements (booking form only)
• Emergency contact name and phone (booking form only)
• Free-form message (info-request form only)

We also automatically log your IP address and browser user-agent string for the duration of your request, as part of standard spam protection. We do not link this to your booking record.

Payment data. Card numbers and security codes are entered directly into Stripe's hosted checkout page. We never see, collect, or store payment card data ourselves. Stripe is solely responsible for handling that information.

2. How do we use your information?

We process your information only when we have a valid legal reason to do so:

• To confirm and run your hiking trip — name, email, phone, passport, dietary requirements are all necessary to deliver the service you booked.
• To communicate with you — booking confirmations, info-request replies, and operational notices (weather changes, meeting points).
• For participant safety on the trail — emergency contact and dietary requirements are shared with your trip guide before departure.
• To comply with Cypriot tax and accounting law — financial records must be retained for several years.
• To prevent spam and fraud — IP and user-agent logging on the info-request form.

We do not use your information to send marketing emails or newsletters, build advertising profiles, or sell to third parties.

3. Legal bases for processing

Under the GDPR (and UK GDPR), we rely on the following legal bases to process your personal information:

• Performance of a contract (Art. 6(1)(b)): for everything required to book and deliver your trip — name, email, phone, passport, dietary, payment.
• Vital interests (Art. 6(1)(d)): for emergency contact details, in case of a serious incident on the trail.
• Legitimate interests (Art. 6(1)(f)): for IP-address logging to prevent spam, and basic operational logs for site reliability.
• Legal obligation (Art. 6(1)(c)): for retaining financial records to comply with Cypriot tax law.

4. When and with whom do we share your information?

We share your personal information only with a small number of third parties, and only when necessary:

• Stripe Payments Europe Ltd (Dublin, Ireland) — processes your card payment. Sees: name, email, amount. Stripe privacy policy.
• Brevo / Sendinblue SAS (Paris, France) — sends booking confirmation and info-request notification emails. Sees: name, email, rendered email body. Brevo privacy policy.
• Supabase Inc. (US, with EU-region data hosting) — operates the database where your booking record is stored.
• Render Services Inc. (US) — hosts the application server.
• Cloudflare Inc. (US) — provides DNS, content delivery, and edge security.
• Cloudinary Ltd (Israel) — hosts our trip photos. No customer data is sent to Cloudinary.
• Sentry GmbH (Berlin, Germany) — error monitoring. Personally identifiable information is deliberately disabled in our configuration; only error stack traces are sent.
• Your trip guide — receives your name, dietary requirements, and emergency contact details before the trip, to ensure your safety.

For transfers to non-EU service providers (Supabase, Render, Cloudflare, Cloudinary), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Israel has an EU adequacy decision.

We do not sell your personal information or share it with advertisers, data brokers, or marketing partners.

5. Third-party websites

Our site may link to third-party websites (e.g. Stripe's checkout page). We are not responsible for the privacy practices of those sites. We encourage you to read their privacy notices.

6. Cookies

We use only strictly-necessary cookies — for session management, anti-CSRF protection, and remembering your language preference. We do not use analytics or advertising cookies. See our Cookie Policy for details.

7. How long do we keep your information?

• Booking records (name, email, phone, passport, dietary, emergency contact, payment record): 7 years from the booking date. This is the minimum retention period for financial records under Cypriot tax law.
• Info-request messages: 12 months from submission, then automatically deleted.
• Error logs in Sentry: 90 days (Sentry's standard retention).
• Email delivery logs in Brevo: handled by Brevo under their retention policy.

When the retention period expires we delete the personal information, or anonymise it if deletion is not technically possible (e.g. in backup archives).

8. How do we keep your information safe?

We implement reasonable technical and organisational measures to protect your personal information, including:

• TLS encryption (HTTPS) for all traffic between you and our site.
• Encrypted-at-rest database storage at our hosting provider.
• Restricted admin access — only the business owner can read booking records.
• Industry-standard password hashing for any administrative accounts.

However, no system on the internet is 100% secure. We cannot guarantee that determined attackers will not defeat our safeguards.

9. Children and minors

We do not knowingly collect personal information from anyone under 18. Trip participants under 18 must be booked by a parent or legal guardian, who provides their own contact details. If you believe we have collected data from someone under 18 in error, please contact us at [email protected] and we will delete it.

10. Your privacy rights

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under applicable data protection law:

• The right to access the personal information we hold about you.
• The right to rectify inaccurate information.
• The right to erase your personal information (subject to legal retention obligations).
• The right to restrict or object to processing.
• The right to data portability — to receive your data in a structured, machine-readable format.
• The right to withdraw consent at any time, where processing is based on consent.
• The right to lodge a complaint with a supervisory authority. In Cyprus this is the Office of the Commissioner for Personal Data Protection. In other EU member states you can contact your national data protection authority. In the UK, the Information Commissioner's Office. In Switzerland, the Federal Data Protection and Information Commissioner.

To exercise any of these rights, email [email protected]. We will respond within one month, as required by GDPR.

11. Do-Not-Track signals

Most web browsers offer a "Do Not Track" (DNT) feature. No uniform technology standard exists for recognising and implementing DNT signals, so we do not currently respond to them. We don't track you across other websites anyway — we have no advertising or third-party analytics.

12. Updates to this notice

We may update this Privacy Notice from time to time, for example to reflect changes in the law or our practices. The "Last updated" date at the top of this page will indicate when it was most recently changed. We encourage you to review it occasionally.

13. How to contact us

Questions, requests, or complaints about this notice can be sent to:

Cyprus Hiking
116 Cromwell Road, Point West
London, England SW7 4XH
United Kingdom
Email: [email protected]