Last updated: May 2026

Orfanos Estate is committed to protecting your personal data. This Privacy Policy describes what data we collect, for what purpose, how we protect it, and what your rights are – in full compliance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679) and Greek Law 4624/2019.

1. Data Controller

The Data Controller for your personal data is:

2. What Data We Collect

We collect personal data only when you voluntarily provide it to us, through:

a) Contact Form

  • Full name
  • Email address
  • Message / Comment

b) Wine Tasting Booking Request Form

  • Full name
  • Email address
  • Phone number (if provided)
  • Number of guests
  • Preferred date and time of visit
  • Information on food allergies or dietary restrictions (if provided)

c) Browsing Data (Cookies & Server Logs)

  • IP address
  • Browser type and version
  • Pages visited and time spent on the Website
  • Cookie data (detailed in Section 6)

3. Purpose & Legal Basis for Processing

Purpose Legal Basis (GDPR)
Responding to enquiries and contact requests Art. 6(1)(b) – Performance of contract / Art. 6(1)(f) – Legitimate interests
Managing and confirming wine tasting bookings Art. 6(1)(b) – Performance of contract (service provision)
Processing allergy / dietary restriction information Art. 9(2)(a) – Explicit consent
Improving Website performance (analytics) Art. 6(1)(f) – Legitimate interests
Sending promotional communications (where you have opted in) Art. 6(1)(a) – Consent

4. Data Retention

We retain your personal data for the minimum period necessary:

  • Contact form data: Up to 12 months from the last communication, unless a longer retention period is required by law
  • Wine tasting booking data: Up to 2 years after the service has been provided, for documentation purposes
  • Cookie data: In accordance with the lifetime of each individual cookie (see Section 6)

After the retention period expires, data is securely deleted or anonymised.

5. Sharing Data with Third Parties

We do not sell, rent, or trade your personal data. We may share data only in the following circumstances:

  • Technical service providers: Hosting and website maintenance companies acting as Data Processors, bound by appropriate data processing agreements
  • Legal obligation: Where disclosure is required by law or court order

We do not transfer data to countries outside the EU/EEA without appropriate safeguards in place.

6. Cookies

The Website uses cookies — small text files stored on your device — for the following purposes:

Category Purpose Duration
Strictly Necessary Core Website functionality (session management, age verification) Session / 30 days
Analytics Traffic statistics (e.g. Google Analytics) – only with your consent Up to 2 years
Functional Remembering user preferences Up to 1 year

You can manage or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Website.

For information on Google Analytics cookies: policies.google.com/technologies/cookies

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. The Website uses SSL/TLS encryption for the secure transmission of data.

In the event of a data breach that may jeopardise your rights, we will notify you in accordance with the requirements of the GDPR.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Article 15): You may request a copy of the data we hold about you
  • Right to rectification (Article 16): You may request the correction of inaccurate or incomplete data
  • Right to erasure / “right to be forgotten” (Article 17): You may request deletion of your data, where no legitimate reason for its retention exists
  • Right to restriction of processing (Article 18): You may request that we limit how we use your data under certain conditions
  • Right to data portability (Article 20): You may receive your data in a structured, commonly used, machine-readable format
  • Right to object (Article 21): You may object to processing based on our legitimate interests
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without retroactive effect

To exercise any of the above rights, please contact us at info@ktimaorfanou.gr. We will respond to your request within 30 days.

9. Right to Lodge a Complaint

If you believe that the processing of your data violates the GDPR, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA):

  • Website: www.dpa.gr
  • Phone: +30 210 647 5600
  • Email: contact@dpa.gr
  • Address: 1-3 Kifissias Avenue, 115 23 Athens, Greece

10. Minors

This Website is intended exclusively for adults aged 18 or over. We do not knowingly collect personal data from minors. If we become aware that data from a minor has been collected inadvertently, we will delete it immediately.

11. Changes to This Privacy Policy

This Privacy Policy may be updated periodically to reflect changes in our practices or applicable law. The date of the last revision is indicated at the top of this document. In the event of significant changes, we will notify you with a prominent notice on the Website.

12. Contact

For any questions, requests, or comments regarding this Privacy Policy or the processing of your personal data: