Skip to main content

Privacy Policy

Chrysomare Beach Hotel & ResortAyia Napa

This Privacy Policy explains how Chrysomare Beach Hotel & Resort (“we”, “us”, “our”) collects, uses, and protects your personal data when you visit our website or make a booking. We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR) and applicable Cypriot data protection law.

Last updated: 2 April 2026

1. Data Controller

The data controller responsible for your personal data is: Chrysomare Beach Hotel & Resort, A. Tsokkos Hotels Public Limited, Pernera Street, Ayia Napa 5330, Cyprus.

Contact: reservations@tsokkos.com

For data protection inquiries, contact: reservations@tsokkos.com

2. Data We Collect

2.1 Booking Data

When you make a reservation, we collect: first name, last name, email address, phone number, country of residence, arrival and departure dates, number of guests, and any special requests you provide.

2.2 Contact Form Data

When you use our contact form, we collect: your name, email address, subject, and message content.

2.3 Technical Data

We automatically collect: IP address (anonymised), browser type, pages visited, time on site, and referral source. This data is used for analytics and security purposes.

2.4 Cookie Data

We use cookies and similar technologies. See our Cookie Policy for details.

2.5 Affiliate Tracking

If you arrive via an affiliate link (?ref= parameter), we store your affiliate reference code in a browser cookie to attribute your booking correctly. This code does not contain any personal information.

3. Legal Basis for Processing

We process your data on the following legal bases:

  • Contract performance — processing your booking and providing our services
  • Legitimate interests — website security, fraud prevention, and analytics
  • Consent — marketing communications and non-essential cookies (where applicable)
  • Legal obligation — compliance with Cypriot tax and tourism regulations

4. How We Use Your Data

  • Processing and confirming your reservation
  • Sending booking confirmation and pre-arrival information
  • Responding to your enquiries
  • Improving our website and services
  • Complying with legal and regulatory obligations
  • Processing payments securely

5. Data Retention

We retain your personal data for the following periods:

  • Booking records: 7 years (Cypriot tax law requirement)
  • Contact messages: 2 years from last contact
  • Analytics data: 26 months (anonymised)
  • Cookie consent records: 12 months

6. Your GDPR Rights

Under the GDPR, you have the following rights:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data (“right to be forgotten”)
  • Restriction — limit how we use your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — at any time, where processing is based on consent

To exercise any right, contact us at reservations@tsokkos.com. We will respond within 30 days.

7. Third-Party Services

We share data with the following trusted third parties:

SimpleBooking

Our booking engine processes reservation data (dates, guest count, room preferences). Legal basis: Art. 6(1)(b) GDPR (contract performance).

Stripe

Payment processing. Data shared: name, email, billing address, booking details. Card numbers are handled directly by Stripe (PCI-DSS compliant) and never reach our servers. Legal basis: Art. 6(1)(b) GDPR. Data transferred to USA under EU-U.S. Data Privacy Framework. Privacy: stripe.com/privacy

Anthropic (AI Concierge)

Our live chat AI assistant is powered by Claude (Anthropic). Chat messages, conversation context, and sentiment analysis data are processed by Anthropic servers. Legal basis: Art. 6(1)(a) GDPR (consent — by using the chat). Data transferred to USA under Standard Contractual Clauses. Privacy: anthropic.com/privacy

Sentry

Error monitoring to improve website stability. Data collected: anonymised error reports, IP addresses (for security), browser and device information. No names, emails, or form data are sent. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in system stability). Transfer mechanism: Standard Contractual Clauses (SCCs). Privacy: sentry.io/privacy

Google Analytics 4

Anonymised usage analytics with your consent. No personally identifiable information is sent to Google. Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner). Transfer mechanism: EU-U.S. Data Privacy Framework. Retention: 26 months.

Contentsquare

With your consent, we use session recording and heatmap analysis to improve website usability. Mouse movements, clicks, and scrolling behaviour are recorded. All personal information in forms (names, emails, phone numbers) is automatically masked. Recordings are retained for 365 days. You can opt out via Cookie Settings at any time. Legal basis: Art. 6(1)(a) GDPR. Privacy: contentsquare.com/privacy-center

Live Chat Data

Chat conversations are stored on our servers for 30–90 days to provide support continuity. Messages are processed by AI (see Anthropic above) for automated responses, conversation summaries, and quality improvement. Sentiment analysis is performed automatically. No chat data is used for advertising.

Resend (Email Delivery)

Booking confirmation and transactional emails are sent via Resend. Data shared: guest name, email address, and booking details. Legal basis: Art. 6(1)(b) GDPR (contract performance). Data transferred to USA under EU-U.S. Data Privacy Framework. Privacy: resend.com/legal/privacy-policy

Cloudflare (CDN & Security)

Content delivery, DDoS protection, and DNS services are provided by Cloudflare. Data processed: IP addresses and request metadata. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in website security and performance). Data processed across Cloudflare’s global network under Standard Contractual Clauses. Privacy: cloudflare.com/privacypolicy

Render (Hosting)

Website and API hosting is provided by Render. All data processed through the website passes through Render’s infrastructure. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable hosting). Data transferred to USA under Standard Contractual Clauses. Privacy: render.com/privacy

8. Automated Decision-Making & Profiling

Our website uses the following automated processing:

AI Concierge (Live Chat)

Our chat assistant uses artificial intelligence (Claude by Anthropic) to answer questions and assist with bookings. The AI does not make binding decisions — all bookings require explicit guest confirmation. Conversation sentiment is analysed for service quality improvement.

Guest Profiles

Booking data is automatically categorised to improve service (e.g., travel type: family/business/couple, interests based on selected extras). This profiling does not produce legal effects or similarly significant effects on you. You may object to this processing at any time.

Predictive Analytics

Google Analytics may use predictive audiences based on your browsing behaviour. This data is aggregated and does not identify you personally.

You have the right to obtain human intervention, express your point of view, and contest any automated decision by contacting us.

9. Complaints

If you are unsatisfied with how we handle your data, you may lodge a complaint with the Commissioner for Personal Data Protection (Cyprus): www.dataprotection.gov.cy

© 2026 Chrysomare Beach Hotel & Resort. All rights reserved.