The Travel Cube
Accommodation Rentals Transfers Tours Dining Beaches Villages Monuments Blog
GDPR

GDPR

Last updated: April 17, 2026

This page explains how TheTravelCube complies with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and how you can exercise your rights as a data subject.

1. Data Controller

The controller of your personal data is TheTravelCube, reachable at hello@thetravelcube.com. For detailed questions you can address your correspondence to "Data Protection — TheTravelCube" at the same address.

2. Your Rights Under the GDPR

If you are a data subject in the EU, EEA, or UK, you have the following rights:

  • Right of access (Art. 15) — obtain confirmation of whether we process your data and, if so, receive a copy of that data along with information about the processing.
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data where the legal conditions are met (e.g., the data is no longer necessary, you withdraw consent, or you object to processing).
  • Right to restriction of processing (Art. 18) — request that processing be limited in certain circumstances (e.g., while accuracy is contested).
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to object (Art. 21) — object to processing based on legitimate interests or direct marketing; in the case of direct marketing, we will stop processing your data without exception.
  • Rights in relation to automated decision-making (Art. 22) — we do not currently make decisions with legal or similarly significant effects on you based solely on automated processing.
  • Right to withdraw consent — where processing is based on consent (newsletter subscription, optional cookies), you can withdraw at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
  • Right to lodge a complaint — file a complaint with your local supervisory authority. In Greece, this is the Hellenic Data Protection Authority (www.dpa.gr).

3. How to Exercise Your Rights

Send a request to hello@thetravelcube.com. We may need to verify your identity before acting on the request. We aim to respond within one month of receipt; this may be extended by up to two additional months where the request is complex, in which case we will inform you within the first month.

You will not be charged a fee for exercising your rights, unless the request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse to act (Art. 12(5) GDPR).

4. Lawful Bases for Processing

We process personal data only where we have a lawful basis under Art. 6 GDPR:

  • Consent (Art. 6(1)(a)) — newsletter subscription, optional/analytics/marketing cookies.
  • Contract (Art. 6(1)(b)) — providing the service you have requested, such as responding to a contact-form inquiry.
  • Legal obligation (Art. 6(1)(c)) — compliance with tax, accounting, or other statutory requirements.
  • Legitimate interests (Art. 6(1)(f)) — maintaining the security of our systems, preventing abuse, conducting aggregate analytics. Our interests are balanced against your rights and freedoms.

5. Categories of Personal Data

See our Privacy Policy for a detailed description of the categories of personal data we collect, the sources of that data, and how we use it.

6. Recipients of Data

Personal data is accessed only by authorized personnel and by trusted processors who assist us in operating the Service (hosting, email delivery, analytics). All processors are bound by data-processing agreements in line with Art. 28 GDPR.

7. International Transfers

If we transfer personal data outside the EU/EEA, we rely on safeguards approved under Chapter V of the GDPR — typically Standard Contractual Clauses (Art. 46) or, where applicable, an adequacy decision by the European Commission (Art. 45). You can request a copy of the relevant safeguards by contacting us.

8. Retention

We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law. Specific retention periods are described in our Privacy Policy.

9. Data Breach Notification

In the event of a personal-data breach likely to result in a risk to the rights and freedoms of data subjects, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR). Where the breach is likely to result in a high risk, we will also inform affected data subjects without undue delay (Art. 34 GDPR).

10. Data Protection Impact Assessments

Where processing is likely to result in a high risk to the rights and freedoms of individuals — especially when using new technologies — we carry out a Data Protection Impact Assessment (DPIA) in accordance with Art. 35 GDPR before the processing begins.

11. Changes to This Page

We may update this page to reflect changes in law, our processing activities, or regulator guidance. The "Last updated" date reflects the most recent revision.

12. Contact

For any GDPR-related question or request, please contact hello@thetravelcube.com.

We use cookies to enhance your experience. By continuing to visit this site you agree to our use of cookies. Learn more