BookNow.Direct

GDPR Compliance

Last updated: March 23, 2026

Data Controller: REACH.GR, VAT: EL 130637781

Data Processing Overview

BookNow.Direct processes personal data in two capacities:

  • Data Controller — for property owner accounts, billing, and platform analytics
  • Data Processor — for guest booking data processed on behalf of property owners

Data Protection Measures

  • Encryption at rest: Guest PII (name, phone, passport number) encrypted using CipherSweet with NaCl backend
  • Encryption in transit: All connections secured via TLS/SSL
  • Password security: Bcrypt hashing (12 rounds)
  • Access control: Role-based access (superadmin, owner, staff), tenant data isolation via database scoping
  • Session security: HttpOnly cookies, SameSite=Lax, 120-minute expiry
  • Payment security: PCI compliance delegated to Stripe; no full card numbers stored
  • Admin logging: All admin impersonation actions are logged

Sub-Processors

Sub-Processor     | Location | Purpose            | Safeguards
------------------+----------+--------------------+-----------
Stripe, Inc.      | US/EU    | Payment processing | DPF, SCCs
Mailgun (Sinch)   | EU/US    | Email delivery     | SCCs
Google LLC        | US       | Maps API           | DPF, SCCs

Data Subject Rights

We facilitate GDPR rights (access, rectification, erasure, restriction, portability, objection) for both property owners and their guests. Property owners can access, export, and delete guest data through their dashboard. Requests are processed within 30 days.

Data Protection Impact

Guest personal data is minimised to what is necessary for booking fulfilment and legal compliance. Sensitive fields are encrypted. Analytics use anonymised session identifiers. No profiling or automated decision-making is performed.

Breach Notification

In the event of a personal data breach, we will notify the Hellenic Data Protection Authority within 72 hours and affected data subjects without undue delay, as required by GDPR Art. 33–34.

Data Processing Agreement

Property owners using BookNow.Direct act as data controllers for their guest data. A Data Processing Agreement (DPA) is available upon request, covering Art. 28 GDPR obligations.

Contact

Data protection inquiries: [email protected]

Supervisory authority: Hellenic Data Protection Authority — www.dpa.gr