Privacy Policy
Data controller
The data controller is Omnia Vincit Amor Single Member P.C., trading as Bandanna Mykonos, at Bandanna Mykonos, Ano Mera, 84600 Mykonos, Cyclades, Greece.
For privacy requests you can contact us at [email protected] or +30 22890 71800.
Personal data we process
Please do not include special-category data or unnecessary personal information in free-text fields unless it is necessary for the specific request, for example an allergy or accessibility need relevant to your reservation.
- Identification and contact data you provide, including first name, last name, email address, phone number, party size, requested date and time, and message contents.
- Reservation and hospitality data, including booking requests, special requests, dietary notes, event enquiries, and communications needed to manage your visit.
- Technical data generated by website use, such as IP address, browser and device information, requested pages, date and time of access, referrer information, and basic security logs.
- Data submitted through third-party reservation infrastructure, including Formspree and the non-blocking reservation-intake endpoint used to help the team receive reservation details.
- Data processed when external content or links are used, including Google Maps embeds and links to social platforms such as Facebook, Instagram, Spotify, YouTube, and WhatsApp.
- Data relating to privacy requests or legal communications you send to us.
Purposes and legal bases
- To respond to reservation, contact, private-event, and general information requests: Article 6(1)(b) GDPR for pre-contractual steps requested by you and Article 6(1)(f) GDPR for our legitimate interest in handling hospitality communications.
- To manage bookings, seating, guest preferences, service notes, and operational follow-up: Article 6(1)(b) GDPR and, where applicable, Article 6(1)(f) GDPR.
- To protect the website, prevent abuse, maintain service continuity, and troubleshoot technical issues: Article 6(1)(f) GDPR.
- To comply with legal, accounting, tax, regulatory, or authority requests: Article 6(1)(c) GDPR.
- To establish, exercise, or defend legal claims: Article 6(1)(f) GDPR.
- Where a specific processing activity requires consent, such as optional marketing or non-essential tracking introduced in the future, Article 6(1)(a) GDPR. Consent can be withdrawn at any time.
Providing data
Providing the data marked or requested as necessary in forms is required if you want us to review and answer your request. If you do not provide that data, we may be unable to respond, confirm a booking, or process the request.
Providing optional information in free-text fields is voluntary.
Recipients of personal data
Personal data may be processed by authorized personnel and by service providers acting on our behalf or supporting the website and reservation workflow.
These recipients process data under contractual or legal confidentiality obligations and only to the extent necessary for the relevant purpose. We do not sell personal data.
- hosting, infrastructure, website maintenance, and technical support providers;
- email, phone, messaging, and hospitality-operations providers;
- reservation-form providers, including Formspree;
- the non-blocking reservation-intake service currently hosted on Vercel;
- map and external-content providers, including Google when the map embed is loaded;
- social platforms when you follow outbound links or interact with their services;
- professional advisors, public authorities, or legal advisors where disclosure is required by law or necessary to protect rights.
International transfers
The website is intended mainly for users in Greece, Italy, and the European Union. Some providers may process personal data outside the European Economic Area. Where that happens, we rely on a lawful transfer mechanism under Chapter V GDPR, such as an adequacy decision or the European Commission Standard Contractual Clauses, together with supplementary measures where required.
You may request information about applicable transfer safeguards by contacting [email protected], unless those safeguards are already made available directly by the relevant provider.
Retention periods
- reservation, contact, and event requests are kept for the time needed to manage the request and for a reasonable period afterwards, generally up to 12 months after the last relevant contact unless a longer period is required by law or needed for legal claims;
- technical logs and security events are kept for the period reasonably necessary to ensure security, investigate incidents, and meet legal obligations;
- data connected to accounting, tax, or legal obligations is kept for the period required by applicable law;
- data connected to legal claims may be kept for the limitation period applicable to the claim.
Your rights
Under GDPR, where the legal conditions are met, you may have the right to access your personal data, request rectification, request erasure, request restriction, object to processing based on legitimate interests, request data portability, withdraw consent, and lodge a complaint with a supervisory authority.
To exercise your rights, contact [email protected].
- In Greece, the supervisory authority is the Hellenic Data Protection Authority.
- In Italy, the supervisory authority is the Garante per la protezione dei dati personali.
Automated decision-making
This website does not carry out automated decision-making that produces legal or similarly significant effects under Article 22 GDPR.
Security measures
We adopt technical and organizational measures reasonably designed to protect personal data against unauthorized access, accidental loss, alteration, or unlawful disclosure.
Policy updates
We may update this Privacy Policy from time to time. The date shown at the top of this page indicates the latest revision.