Y-Concierge Property operations for short-stay teams
Product Features Workflow Pricing
  • English
  • Ελληνικά
Sign in Start free trial

Legal

Privacy Policy

Last updated: 20 April 2026.

Version: 2026.2  |  Last Updated: 20 April 2026  |  Effective Date: 20 April 2026

1. About This Privacy Policy

1.1 This Privacy Policy explains how YDEA TECHNOLOGIES SINGLE MEMBER P.C. (“Company,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal data in connection with the Y-Concierge platform and the websites y-concierge.com and app.y-concierge.com (collectively, the “Service”).

1.2 This Policy is published under Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”) and Greek Law 4624/2019.

1.3 Capitalised terms not defined here have the meaning given in our Terms of Service.

1.4 If you do not agree with this Policy, please do not use the Service.

2. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • “Processing” means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
  • “Controller” means the entity that determines the purposes and means of Processing.
  • “Processor” means an entity that Processes Personal Data on behalf of a Controller.
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
  • “Customer” means the entity or natural person that subscribes to the Service — typically a vacation rental manager, hotel operator, or hospitality business.
  • “Guest” means an individual whose Personal Data is entered into the Service by the Customer in connection with the Customer’s hospitality operations (for example, a reservation holder).
  • “Authorised User” means an individual whom a Customer permits to access the Service under its Account.
  • “Sub-processor” means a third party engaged by us to Process Personal Data on our behalf as a Processor.
  • “HDPA” means the Hellenic Data Protection Authority (Αρχη Προστασíας Δεδομενων Προσωπικου Χαρακτηρα), the competent supervisory authority in Greece.

3. Data Controller

3.1 The Controller of Personal Data described in this Policy is:

YDEA TECHNOLOGIES SINGLE MEMBER P.C.

Arkadiou 2, Cholargos, Athens, 15562, Greece

GEMI registration number: 191139501000

VAT (AFM): 803166068

Privacy contact: privacy@ydea-tech.com

3.2 Data Protection Officer. We do not currently designate a Data Protection Officer under Article 37 GDPR because, as of the Effective Date of this Policy, we do not consider the Company to fall within the mandatory appointment criteria. You may direct all privacy-related enquiries to the email address above.

4. Scope of This Policy

4.1 This Policy applies to Personal Data we Process in connection with:

  • (a) visits to our marketing website at y-concierge.com;
  • (b) demo requests, sales enquiries, and other pre-contractual communications;
  • (c) registration for and use of the Y-Concierge application at app.y-concierge.com;
  • (d) billing, support, and other customer relationship activities.

4.2 This Policy does not apply to Personal Data that third parties — including Customers, Guests, channel partners, and external service providers — collect or Process outside the Service. Please refer to their own privacy notices where applicable.

5. Our Roles: Controller and Processor

5.1 We are Controller with respect to Personal Data for which we determine the purposes and means of Processing, including:

  • (a) Personal Data of marketing site visitors;
  • (b) Personal Data of individuals who submit a demo request or other enquiry;
  • (c) Personal Data of Customers and their Authorised Users;
  • (d) billing and account administration data relating to Customers;
  • (e) aggregated, de-identified, or technical usage data used for security, operations, analytics, and product improvement, provided such data does not identify an individual.

5.2 We are Processor with respect to Personal Data that a Customer enters into, imports into, or generates through the Service in the course of operating its hospitality business — in particular, Guest Personal Data. In that context, the Customer is the Controller and determines the purposes of Processing, including the applicable lawful basis under Article 6 GDPR.

5.3 Processor Obligations. Our Processing of Guest Personal Data on behalf of a Customer is governed by a Data Processing Agreement (“DPA”) executed between the Company and the Customer. The DPA implements our obligations under Article 28 GDPR and forms part of the Terms of Service. The provisions of the present Policy describing Personal Data collection, retention, and rights apply to Guest Personal Data only to the extent compatible with the Customer’s instructions under the DPA and our role as Processor.

5.4 Guest Notice. Customers are responsible for providing Guests with a compliant privacy notice and establishing a lawful basis for processing Guest Personal Data through the Service. If you are a Guest and have questions about how your data is Processed, please contact the Customer (the property manager, hotel, or operator) you made a reservation with.

6. Personal Data We Collect

6.1 Marketing Site Visitors

6.1.1 When you visit y-concierge.com, our infrastructure and security providers may Process limited technical data — including IP address, user agent, referring URL, and request metadata — in order to deliver the site, mitigate attacks, and protect against abuse.

6.1.2 We currently use Cloudflare Web Analytics in a privacy-oriented, cookieless configuration intended to measure aggregate traffic patterns, such as page views, approximate geography, and referrers, without tracking visitors across sites.

6.1.3 As of the Effective Date of this Policy, we do not intentionally deploy advertising trackers, session replay tools, third-party analytics SDKs, or tag managers on the marketing site.

6.2 Demo Requests

6.2.1 If you submit a demo request form, we collect:

  • (a) your full name;
  • (b) your work email address;
  • (c) optionally, a short description of your portfolio or use case;
  • (d) the date and time of submission.

6.2.2 Demo request submissions are delivered to our sales inbox via our email service provider. We do not currently store demo submissions in a separate marketing automation platform.

6.3 Account Registration

6.3.1 When you register for a trial or paid Account, we collect:

  • (a) your name;
  • (b) your email address;
  • (c) a password, stored as a salted cryptographic hash rather than in plain text;
  • (d) your organisation name and, where applicable, VAT identifier and registered address;
  • (e) your role within the organisation;
  • (f) optionally, a phone number;
  • (g) your preferred language and locale.

6.3.2 If additional Authorised Users are invited to your Organisation, we Process their name, email address, and assigned role for the purpose of provisioning and administering their access.

6.4 Subscription and Billing

6.4.1 Our payment provider, Stripe, collects and Processes payment method details (such as card numbers, expiry dates, CVC, or bank account details) directly. We do not receive or store full payment card numbers on our servers.

6.4.2 From Stripe and related billing workflows, we may receive and store:

  • (a) a Stripe customer identifier;
  • (b) limited payment method metadata such as card brand and last four digits;
  • (c) billing address information where provided;
  • (d) subscription status, invoice history, and payment outcomes.

6.5 Use of the Service

6.5.1 When you use the Service, we automatically collect technical and usage data, including:

  • (a) IP address, device type, browser type, operating system, and similar technical metadata;
  • (b) pages viewed, features used, actions taken within the Service, and timestamps;
  • (c) session identifiers and authentication tokens stored in cookies or equivalent browser storage as necessary to operate the Service securely;
  • (d) audit records of security-relevant events, such as logins, permission changes, and data exports;
  • (e) error reports and diagnostic data via our error-monitoring provider, configured to reduce or scrub known sources of Personal Data where reasonably practicable.

6.6 Communications with Us

6.6.1 If you contact us by email, through an in-app message, or via a support ticket, we retain the content of your message, your contact details, and any attachments you provide, for the purpose of responding and maintaining a record of the exchange.

6.6.2 Incoming support communications may be Processed through automated tooling to assist with routing, summarisation, or draft generation. A human reviewer remains responsible for substantive decisions and responses.

6.7 Guest Personal Data Entered by Customers

6.7.1 In operating the Service, Customers may enter Personal Data about Guests, including:

  • (a) name, email address, phone number, country, and language preferences;
  • (b) address and identification data, including, where applicable under local law, passport or national ID details required for statutory reporting;
  • (c) VAT number and billing address, where the Guest is a business customer;
  • (d) booking history, preferences, and stay-related notes;
  • (e) communication records and reservation metadata received from integrations or channel partners enabled by the Customer.

6.7.2 As described in Section 5, we Process Guest Personal Data solely as a Processor on behalf of the Customer, in accordance with the DPA and the Customer’s documented instructions.

6.8 Sources of Personal Data

6.8.1 We may obtain Personal Data:

  • (a) directly from you;
  • (b) from the Customer organisation that created or administers your Account;
  • (c) from integrations, booking channels, or channel-management tools enabled by a Customer;
  • (d) from payment, security, and infrastructure providers involved in delivering the Service.

7. How We Use Personal Data — Purposes and Legal Bases

7.1 We Process Personal Data for the purposes and on the legal bases set out below. Where more than one basis applies to a given purpose, each basis is identified.

  • (a) Providing and operating the Service — for Customers: performance of a contract (Art. 6(1)(b) GDPR). For Authorised Users invited by a Customer: our legitimate interests in operating and securing the Service for our Customers (Art. 6(1)(f)).
  • (b) Responding to demo requests, sales enquiries, and pre-contractual communications — steps taken at the request of the Data Subject prior to entering a contract (Art. 6(1)(b)) and our legitimate interests in operating our sales function (Art. 6(1)(f)).
  • (c) Billing, invoicing, and payment administration — performance of a contract (Art. 6(1)(b)) and compliance with legal obligations under tax and accounting law (Art. 6(1)(c)).
  • (d) Security, fraud prevention, abuse detection, and service integrity — our legitimate interests (Art. 6(1)(f)) and, where applicable, compliance with legal obligations (Art. 6(1)(c)).
  • (e) Customer support and incident response — performance of a contract (Art. 6(1)(b)) and our legitimate interests (Art. 6(1)(f)).
  • (f) Product improvement, service analytics, and operational reporting — our legitimate interests in understanding how the Service is used and improving it, using the least identifiable data reasonably necessary (Art. 6(1)(f)).
  • (g) Service-related communications (for example, security notices, billing notifications, and material changes to the Service or legal terms) — performance of a contract (Art. 6(1)(b)) and our legitimate interests (Art. 6(1)(f)).
  • (h) Marketing communications to existing Customers regarding similar products or features — our legitimate interests (Art. 6(1)(f)), subject to your right to object and unsubscribe at any time, and subject to applicable electronic marketing rules.
  • (i) Marketing communications to prospects — consent (Art. 6(1)(a)), where required, or our legitimate interests (Art. 6(1)(f)) where permitted under applicable law. Any consent may be withdrawn at any time.
  • (j) Compliance with legal obligations (for example, tax, accounting, and lawful requests from authorities) — Art. 6(1)(c).
  • (k) Establishing, exercising, or defending legal claims — our legitimate interests (Art. 6(1)(f)).

7.2 Balancing Tests. Where we rely on legitimate interests, we consider the nature of the data, the context of the Processing, the reasonable expectations of the Data Subject, and the impact of the Processing on those rights and freedoms. You may request further information about this assessment by contacting us at privacy@ydea-tech.com.

7.3 No Special Category Data. We do not intentionally require special categories of Personal Data (Article 9 GDPR) for ordinary operation of the Service. Customers are contractually required not to upload special category data about Guests unless they have established an appropriate legal basis and have provided any notices required by law.

8. Recipients, Service Providers, and Sub-processors

8.1 We share Personal Data only to the extent reasonably necessary for the purposes described in this Policy, including with the following categories of recipients:

  • (a) Sub-processors and service providers involved in hosting, infrastructure, security, communications, support tooling, and product functionality;
  • (b) Professional advisers such as lawyers, accountants, auditors, and insurers bound by confidentiality obligations;
  • (c) Competent authorities, where we are required or permitted to disclose Personal Data by law, court order, or lawful request;
  • (d) Acquirers, investors, or successors, in connection with a merger, acquisition, financing, reorganisation, or sale of assets, subject to appropriate safeguards and notice where required.

8.2 Sub-processors for Customer Data. Where we Process Personal Data on behalf of Customers, we currently engage the following Sub-processors or equivalent service providers for relevant Service functions:

  • DigitalOcean, LLC — hosting of application infrastructure and managed database services.
  • Cloudflare, Inc. — content delivery, DNS, web application firewall, DDoS protection, and privacy-oriented web analytics for the marketing site.
  • Twilio Inc. / SendGrid — transactional email delivery, inbound email handling, and demo-form relay.
  • Functional Software, Inc. (Sentry) — application error monitoring and diagnostics.
  • Channex Ltd. — channel management integrations with online travel agencies, where enabled by the Customer.
  • Anthropic, PBC — AI-assisted product features and optional support tooling, where enabled or used within the Service.
  • Openprovider B.V. — domain registration services where a Customer purchases or manages a domain through the relevant Service feature.

8.3 Independent Controllers or Separate Controllers. Certain third parties may receive Personal Data as independent or separate Controllers for their own regulated purposes. For example, Stripe may Process billing and payment information as a payment services provider in accordance with its own legal and regulatory obligations and privacy notice.

8.4 AADE myDATA. Where a Customer uses the Service’s tax-reporting features to submit documents to the Greek Independent Authority for Public Revenue (AADE), the Customer — not the Company — is the Controller in that relationship, and submissions are transmitted using the Customer’s own credentials or authorisations. AADE is not our Sub-processor for that purpose.

8.5 Tourist Police or Similar Statutory Reporting. Where the Customer uses the Service to facilitate statutory reporting to public authorities, the Customer is the Controller with respect to that submission and is responsible for the accuracy, lawfulness, and legal basis of the report.

8.6 Changes to Sub-processors. We maintain a current list of Sub-processors. We will provide Customers with prior notice of the addition of a new Sub-processor where required under the DPA, together with an opportunity to object on reasonable data protection grounds in accordance with that DPA.

9. International Data Transfers

9.1 We primarily host and administer the Service using infrastructure intended to store customer data within the European Economic Area (“EEA”). Certain service providers listed in Section 8 may, however, access or Process Personal Data in the United States or other jurisdictions outside the EEA.

9.2 Where Personal Data is transferred outside the EEA to a country that the European Commission has not recognised as providing an adequate level of protection, we rely on one or more safeguards under Chapter V GDPR, which may include:

  • (a) the European Commission’s Standard Contractual Clauses (2021/914);
  • (b) where applicable, the recipient’s participation in the EU–U.S. Data Privacy Framework or a successor adequacy mechanism;
  • (c) supplementary technical and organisational measures, such as encryption, access controls, and data minimisation, where appropriate in light of the relevant transfer.

9.3 You may request further information about the safeguards relevant to a particular transfer by contacting us at privacy@ydea-tech.com.

10. Data Retention

10.1 We retain Personal Data only for as long as reasonably necessary for the purposes for which it was collected, including to comply with legal, accounting, tax, reporting, contractual, and security obligations.

10.2 Unless a longer period is required or permitted by law, the following retention periods generally apply:

  • (a) Demo-request submissions — retained for up to 24 months from submission or until the related commercial purpose has ended, whichever occurs earlier.
  • (b) Account, profile, and organisation administration data — retained for the duration of the Account and generally deleted or anonymised within 90 days after termination of the Subscription, except where a longer retention is required for legal, billing, dispute-resolution, or security reasons. This period is intended to align with the post-termination export window described in the Terms.
  • (c) Invoices, billing records, tax documents, and core financial records — retained for the period required by applicable law, including Greek tax and accounting law, and in any case for not less than the minimum mandatory retention period then in force.
  • (d) Customer Data and Guest Personal Data processed on behalf of a Customer — retained in accordance with the DPA and the Customer’s documented instructions, and deleted or returned within the period specified there after termination, subject to limited residual retention in backups and as otherwise required by law.
  • (e) Application logs, security logs, and audit trails — generally retained for up to 12 months, unless longer retention is reasonably necessary for security investigations, fraud prevention, or legal claims.
  • (f) Error-monitoring events — retained in accordance with our configured retention settings with the relevant provider, typically around 90 days.
  • (g) Marketing consent records, suppression lists, and unsubscribe records — retained for as long as necessary to honour the preference and for the duration of applicable limitation periods.
  • (h) Support correspondence — generally retained for up to 36 months from the last interaction, unless longer retention is justified for account history, dispute resolution, or legal claims.
  • (i) Backups — encrypted database backups are retained on a short rolling basis, currently targeted at approximately 7 days. Personal Data deleted from production systems will ordinarily be removed from backups through routine rotation within that period.

10.3 Where deletion is requested or otherwise required, certain data may nevertheless be retained to the extent necessary to comply with legal obligations, resolve disputes, enforce agreements, maintain financial records, or preserve the security and integrity of the Service.

10.4 Following expiry of the applicable retention period, we securely delete or irreversibly anonymise Personal Data.

11. Your Rights as a Data Subject

11.1 Subject to the conditions, limitations, and exceptions set out in the GDPR, you have the following rights:

  • (a) Right of access (Art. 15) — to obtain confirmation of whether we Process your Personal Data and, if so, a copy of that data and related information.
  • (b) Right to rectification (Art. 16) — to have inaccurate Personal Data corrected and incomplete data completed.
  • (c) Right to erasure (Art. 17) — to have your Personal Data deleted in the circumstances set out in the GDPR.
  • (d) Right to restriction (Art. 18) — to request that we limit Processing in certain circumstances.
  • (e) Right to data portability (Art. 20) — to receive Personal Data you have provided, in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
  • (f) Right to object (Art. 21) — to object to Processing carried out on the basis of our legitimate interests or for direct marketing. Where you object to direct marketing, we will stop that Processing.
  • (g) Right not to be subject to solely automated decision-making (Art. 22) — see Section 17 below.
  • (h) Right to withdraw consent (Art. 7(3)) — where Processing is based on consent, to withdraw that consent at any time, without affecting the lawfulness of Processing before withdrawal.

11.2 Guest Rights. If you are a Guest and wish to exercise rights with respect to Personal Data held by us on behalf of a Customer, please contact the relevant Customer directly. We will assist the Customer as required under the DPA. If you contact us directly, we may, where appropriate and feasible, refer your request to the relevant Customer or inform you how to contact them.

12. Exercising Your Rights

12.1 You may exercise the rights set out in Section 11 by contacting us at privacy@ydea-tech.com.

12.2 We will respond without undue delay and, in any event, within one (1) month of receipt. That period may be extended by up to two further months where necessary, taking into account the complexity and number of requests; if so, we will inform you within the first month.

12.3 Identity Verification. To protect Personal Data and prevent unauthorised disclosure, we may request information sufficient to verify your identity before actioning a request. Where we cannot reasonably verify identity, we may decline to act on the request in accordance with Article 12(6) GDPR.

12.4 No Fee. Exercising your rights is generally free of charge. We may charge a reasonable fee, or refuse to act, where a request is manifestly unfounded or excessive, in particular because of its repetitive character (Art. 12(5) GDPR).

13. Right to Lodge a Complaint

13.1 You have the right to lodge a complaint with a supervisory authority. The competent authority for the Company is the Hellenic Data Protection Authority:

Hellenic Data Protection Authority (HDPA)

Αρχη Προστασíας Δεδομενων Προσωπικου Χαρακτηρα

Kifisias 1-3, 115 23 Athens, Greece

Tel: +30 210 6475600

Email: contact@dpa.gr

Website: www.dpa.gr

13.2 You may also lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work, or alleged infringement.

13.3 We would appreciate the opportunity to address your concerns directly first, where possible. You may contact us at privacy@ydea-tech.com.

14. Cookies and Similar Technologies

14.1 Marketing Site. As of the Effective Date of this Policy, the marketing site is intended to operate without non-essential cookies or cross-site advertising trackers. Traffic measurement is currently performed using Cloudflare Web Analytics in a cookieless configuration intended to provide aggregate statistics rather than user-level behavioural tracking.

14.2 Application. The Y-Concierge application (app.y-concierge.com) uses technologies reasonably necessary to operate the Service securely and effectively, including:

  • (a) Strictly necessary cookies — including session cookies, authentication-related cookies, CSRF-protection cookies, and load-balancing or security-related identifiers where applicable. These are used to provide the Service requested by the user.
  • (b) Functional browser storage — limited use of local or session storage to retain user preferences and interface state, such as selected organisation or UI preferences.
  • (c) No intentional deployment of advertising cookies or third-party analytics identifiers within the application as of the Effective Date.

14.3 Consent and Controls. Based on the configuration described above, we do not currently present a cookie consent banner for the marketing site. You may nevertheless control cookies and similar technologies through your browser settings. Disabling strictly necessary cookies or storage may prevent authentication or impair use of the Service.

15. Security

15.1 We implement technical and organisational measures designed to protect Personal Data against unauthorised access, disclosure, alteration, loss, and destruction, in accordance with Article 32 GDPR. These measures include, as appropriate to the nature of the Service and the risks involved:

  • (a) encryption of data in transit and encryption or other protection of sensitive data and backups at rest where reasonably appropriate;
  • (b) role-based access controls, least-privilege principles, and tenant- or organisation-scoped access restrictions;
  • (c) secure password hashing and secure handling of authentication credentials and tokens;
  • (d) logical controls intended to support separation between customer environments within the Service;
  • (e) rate limiting, firewalling, monitoring, and other abuse-prevention mechanisms;
  • (f) security patching and maintenance of operating-system and application dependencies;
  • (g) logging and auditing of security-relevant events;
  • (h) routine encrypted backups with limited retention;
  • (i) internal policies governing confidentiality, access management, and incident response;
  • (j) written agreements with relevant service providers imposing data protection and confidentiality obligations.

15.2 Personal Data Breach Notification. In the event of a Personal Data breach likely to result in a risk to the rights and freedoms of Data Subjects, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to Data Subjects, we will also communicate the breach to affected Data Subjects without undue delay, in accordance with Articles 33 and 34 GDPR.

15.3 No Absolute Guarantee. Despite these measures, no system is completely secure. You are responsible for keeping your Account credentials confidential and for notifying us promptly of any suspected unauthorised access or misuse.

16. Children

16.1 The Service is intended for business users and is not directed to children under the age of sixteen (16). We do not knowingly seek to collect Personal Data directly from children for our own purposes.

16.2 If you become aware that a child has provided Personal Data to us directly in circumstances not contemplated by the Service, please contact us at privacy@ydea-tech.com and we will take reasonable steps to investigate and, where appropriate, delete that data.

16.3 We understand that reservation and hospitality records may incidentally include information relating to minors, for example where a child is included in a family booking. In such cases, the relevant Customer is responsible for ensuring an appropriate lawful basis and providing any notices required by law.

17. Automated Decision-Making and AI Features

17.1 We do not intentionally carry out solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

17.2 AI-Assisted Features. The Service may include AI-assisted features, including optional drafting, summarisation, or support tooling. These features are designed to be assistive in nature. In particular:

  • (a) outputs are presented to a human Authorised User, who decides whether and how to act on them;
  • (b) we seek to configure supported AI provider integrations using privacy-protective settings, including no-training or zero-retention handling where contractually available and enabled for our account;
  • (c) such features may be configurable or disabled at the Customer level where the relevant functionality permits.

17.3 We do not sell Personal Data. We do not use Personal Data processed on behalf of Customers to train our own general-purpose AI models or third-party foundation models.

18. Changes to This Privacy Policy

18.1 We may update this Policy from time to time. When we do:

  • (a) we update the “Version” identifier and “Last Updated” date at the top;
  • (b) for material changes, we will provide notice by email, in-app notice, or other reasonable means before the change takes effect, where required by law or contract;
  • (c) for non-material changes (such as clarifications, formatting updates, or contact-detail changes), the revised Policy may take effect upon posting.

18.2 We may maintain an archive of prior versions and make earlier versions available on request where appropriate.

19. Contact

19.1 For questions, concerns, or requests relating to this Policy or to your Personal Data, please contact us:

YDEA TECHNOLOGIES SINGLE MEMBER P.C.

Arkadiou 2, Cholargos, Athens, 15562, Greece

GEMI: 191139501000  |  VAT (AFM): 803166068

Privacy enquiries: privacy@ydea-tech.com

General legal enquiries: legal@ydea-tech.com

19.2 We will respond to enquiries within the timeframes described in Section 12.

Navigation Product Features Workflow Pricing
Support Request a walkthrough Frequently asked questions support@y-concierge.com
Account Sign in Start free trial
Company Ydea Technologies Athens, Greece

© Y-Concierge. All rights reserved.

Privacy Policy | Terms of Service
  • English
  • Ελληνικά