Effective Date: [22.01.2026]
| This Privacy Policy explains how EOS TOURS collects, uses, stores, and protects your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Cyprus data protection legislation. |
| By using our services, you acknowledge that you have read and understood this Privacy Policy. |
This Privacy Policy describes how SPS EOS TOURS LTD, operating under the trade name EOS TOUR (“EOS TOURS”, “Company”, “we”, “us”, “our”), collects, uses, stores, shares, and protects personal data of our customers, website visitors, and other individuals who interact with our services.
We are committed to protecting your privacy and handling your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Cyprus Processing of Personal Data (Protection of the Individual) Law of 2018 (Law 125(I)/2018).
| DATA CONTROLLER |
| SPS EOS TOURS LTD |
| 15 Tombs of the Kings Avenue |
| Christofi Complex, Shop 5 |
| 8045 Paphos, Cyprus |
| Company Registration: HE317514 |
| Data Protection Contact: |
| Email: [email protected] |
| Phone: +357 99 247 900 |
This Privacy Policy applies to personal data collected through:
• Our website: www.eos-tour.com
• Bookings made directly with us (email, phone, in person)
• Bookings made through Online Travel Agencies (OTAs) such as Viator and GetYourGuide
• Participation in our tours and excursions
• Communications with us
When you make a booking or contact us, we collect:
| Data Category | Examples | Purpose |
| Identity Data | Full name | Booking identification, passenger lists |
| Contact Data | Email address, phone number | Booking confirmation, tour information, pick-up coordination |
| Location Data | Accommodation address | Pick-up point assignment and coordination |
| Booking Data | Tour selected, date, number of participants, preferences | Service delivery |
| Communication Data | Emails, messages, call records | Customer service, complaint handling |
EOS TOURS does NOT collect:
• Passport or ID document numbers
• Payment card details (processed securely by payment providers — see Section 5)
• Health data (unless voluntarily disclosed for accessibility needs)
• Biometric data
• Data revealing racial or ethnic origin, political opinions, religious beliefs, or sexual orientation
When you book through an Online Travel Agency (OTA), we receive:
• Your name
• Phone number
• Booking details (tour, date, number of participants)
We do NOT receive your email address or payment details from OTAs.
When you visit our website, we automatically collect:
| Data Type | Details |
| Technical Data | IP address, browser type and version, device type, operating system |
| Usage Data | Pages visited, time spent, click patterns, referring website |
| Location Data | Approximate geographic location (from IP address) |
| Cookie Data | See our Cookie Policy for details |
This data is collected using cookies and similar technologies. For detailed information, please see our Cookie Policy at: eos-tour.com/cookies
Under GDPR, we must have a valid legal basis to process your personal data. The table below explains how we use your data and the legal basis for each use:
| Purpose | Legal Basis (GDPR Article 6) |
| Processing and managing your booking | Contract performance (Art. 6(1)(b)) |
| Providing tour services | Contract performance (Art. 6(1)(b)) |
| Sending booking confirmations and tour information | Contract performance (Art. 6(1)(b)) |
| Coordinating pick-up logistics | Contract performance (Art. 6(1)(b)) |
| Communicating about changes, cancellations, or issues | Contract performance (Art. 6(1)(b)) |
| Handling complaints and disputes | Contract performance / Legitimate interest (Art. 6(1)(b)/(f)) |
| Complying with legal obligations (tax, licensing) | Legal obligation (Art. 6(1)(c)) |
| Improving our services and website | Legitimate interest (Art. 6(1)(f)) |
| Website analytics and performance | Consent (Art. 6(1)(a)) / Legitimate interest (Art. 6(1)(f)) |
| Marketing (if you opt in) | Consent (Art. 6(1)(a)) |
| Protecting against fraud or illegal activity | Legitimate interest (Art. 6(1)(f)) |
| Defending legal claims | Legitimate interest (Art. 6(1)(f)) |
Where we rely on “legitimate interest” as the legal basis, we have assessed that our interests do not override your rights and freedoms. Our legitimate interests include:
• Operating and improving our business
• Understanding how customers use our services
• Protecting our business from fraud
• Maintaining security of our systems
You have the right to object to processing based on legitimate interest (see Section 8).
EOS TOURS does NOT:
• Sell your personal data to third parties
• Use your data for automated decision-making or profiling that produces legal effects
• Send unsolicited marketing communications (unless you have opted in)
• Share your data with third parties for their marketing purposes
To deliver our tours, we share limited data with operational partners:
| Recipient | Data Shared | Purpose |
| Bus/coach operators | Name, pick-up location, phone number | Passenger list for pick-up and transport |
| Boat/vessel operators | Name, pick-up location, phone number | Passenger list for boarding |
| Tour guides | Name, pick-up location, phone number | Passenger list for tour management |
| Restaurants (where included) | Number of passengers, dietary requirements (if provided) | Meal arrangements |
These partners receive only the minimum data necessary to provide their services. They are contractually obligated to use this data solely for the specified purpose and to maintain appropriate security.
We use third-party services to operate our business:
| Provider Type | Purpose | Data Location |
| Booking system (Bokun) | Booking widget, reservation management | EU/EEA |
| Server hosting (Contabo) | Website and CRM hosting | Germany (EU) |
| Payment processors (Stripe, PayPal) | Secure payment processing | See Section 5 |
| Analytics (Google Analytics) | Website analytics | USA (with safeguards) |
| Advertising (Meta/Facebook Pixel) | Advertising performance | USA (with safeguards) |
If you book through Viator, GetYourGuide, or another OTA:
• The OTA is an independent data controller for data collected through their platform
• We receive limited data from them (name, phone, booking details)
• We may share booking status updates with them
• Please refer to the OTA’s own privacy policy for how they handle your data
We may disclose your data when required by law or to:
• Comply with legal obligations or court orders
• Respond to requests from law enforcement or regulatory authorities
• Protect our rights, property, or safety
• Defend against legal claims
If EOS TOURS is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.
EOS TOURS uses third-party services to handle bookings and payment transactions:
• Bokun (bokun.io) — Booking management platform that provides the booking widget on our website
• Stripe (stripe.com) — Payment processor integrated with Bokun to process card payments
• PayPal (paypal.com) — Alternative payment method
When you make a booking through our website, the Bokun widget collects your booking details and passes payment information directly to Stripe for secure processing. EOS TOURS does not have access to your full payment card details at any point.
| IMPORTANT: PAYMENT CARD SECURITY |
| EOS TOURS does NOT store, process, or have access to your full payment card details. |
| • Credit/debit card numbers |
| • Card expiry dates |
| • CVV/security codes |
| When you book through our website, payment data is collected by the Bokun booking widget and passed directly to Stripe for processing using secure, PCI-DSS compliant systems. |
| Your card details never touch our servers. |
When you make a booking, you provide your details to services that have their own privacy policies:
• Bokun Privacy Policy: bokun.io/privacy-policy
• Stripe Privacy Policy: stripe.com/privacy
• PayPal Privacy Policy: paypal.com/privacy
After a successful payment, we receive only:
• Confirmation that payment was successful
• Transaction reference number
• Last 4 digits of card (for reference only)
• Billing name and address (if provided)
Your personal data is primarily stored and processed within the European Economic Area (EEA):
• Our CRM system: Hosted in Germany (Contabo GmbH)
• Booking system (Bokun): EU-based
• Operational data: Cyprus
Some of our service providers are based outside the EEA, particularly in the United States:
• Google (Analytics) — USA
• Meta/Facebook (Pixel) — USA
• Stripe — USA
• PayPal — USA
When data is transferred outside the EEA, we ensure appropriate safeguards are in place:
| Safeguard | Description |
| EU-US Data Privacy Framework | For US companies certified under the framework |
| Standard Contractual Clauses (SCCs) | EU-approved contract terms ensuring adequate protection |
| Adequacy Decision | For countries deemed by the EU Commission to provide adequate protection |
| Binding Corporate Rules | For transfers within corporate groups with approved rules |
You may request information about the specific safeguards applied to your data by contacting us.
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Type | Retention Period | Reason |
| Booking and customer data | 2 years after last tour | Service delivery, customer service, potential claims |
| Financial/tax records | 6 years | Cyprus tax law requirements |
| Complaints and disputes | 3 years after resolution | Legal limitation periods |
| Website analytics | 26 months | Google Analytics default, anonymised after |
| Marketing consent records | Until withdrawal + 1 year | Proof of consent |
| Cookie consent | 12 months | Then re-consent required |
When the retention period expires, we will:
• Securely delete your personal data; or
• Anonymise it so you can no longer be identified
We may retain data longer if:
• Required by law
• Needed for ongoing legal proceedings or disputes
• You have given consent for extended retention
Under GDPR, you have the following rights regarding your personal data:
| Right | Description |
| Right to Access | Request a copy of the personal data we hold about you |
| Right to Rectification | Request correction of inaccurate or incomplete data |
| Right to Erasure (“Right to be Forgotten”) | Request deletion of your data in certain circumstances |
| Right to Restrict Processing | Request limitation of how we use your data |
| Right to Data Portability | Receive your data in a structured, machine-readable format |
| Right to Object | Object to processing based on legitimate interest or for direct marketing |
| Right to Withdraw Consent | Withdraw consent at any time where processing is based on consent |
| Rights Related to Automated Decisions | Not be subject to decisions based solely on automated processing |
You can request a copy of all personal data we hold about you. We will provide:
• The categories of data we process
• The purposes of processing
• Recipients or categories of recipients
• Retention periods
• Your rights
• Source of data (if not collected from you)
We will respond within one month of your request.
You can request deletion of your data when:
• Data is no longer necessary for the original purpose
• You withdraw consent (and no other legal basis applies)
• You object to processing and there are no overriding legitimate grounds
• Data was unlawfully processed
• Data must be erased to comply with law
We may refuse erasure if data is needed for:
• Exercising the right of freedom of expression
• Compliance with legal obligations
• Establishment, exercise, or defence of legal claims
You have the right to object to:
• Processing based on legitimate interest — we will stop unless we can demonstrate compelling legitimate grounds
• Processing for direct marketing — we will stop immediately upon your objection
To exercise any of these rights, contact us:
• Email: [email protected]
• Subject line: “DATA PROTECTION REQUEST — [Your Name]”
• Include: Your full name, email address used for booking, specific request
We may request proof of identity before processing your request.
We will respond within one month. If your request is complex, we may extend this by up to two months (we will notify you).
There is no fee for most requests. We may charge a reasonable fee for manifestly unfounded or excessive requests.
Cookies are small text files placed on your device when you visit a website. They help websites function, improve user experience, and provide information to website owners.
Our website uses the following types of cookies:
| Cookie Type | Purpose | Consent Required |
| Strictly Necessary | Essential for website operation (e.g., session management) | No |
| Functional | Remember your preferences (e.g., language) | Yes |
| Analytics | Understand how visitors use our site (Google Analytics) | Yes |
| Marketing | Track advertising effectiveness (Meta/Facebook Pixel) | Yes |
We use:
• Google Analytics — to analyse website traffic and usage patterns
• Meta (Facebook) Pixel — to measure advertising effectiveness
These services may set their own cookies and collect data about your online activity.
You can control cookies through:
• Our cookie consent banner (when you first visit our site)
• Your browser settings (to block or delete cookies)
• Specific opt-out tools provided by Google and Meta
Note: Blocking certain cookies may affect website functionality.
For detailed information about specific cookies we use, please see our Cookie Policy at: eos-tour.com/cookies
We implement appropriate technical and organisational measures to protect your personal data against:
• Unauthorised access
• Accidental loss, destruction, or damage
• Unlawful processing
Our security measures include:
• SSL/TLS encryption for data in transit
• Secure server infrastructure within the EU
• Access controls (data accessible only to authorised personnel)
• Regular security updates and patches
• Secure payment processing through PCI-DSS compliant providers
Our staff who handle personal data are trained on data protection obligations and the importance of protecting customer data.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
• We will notify the Commissioner for Personal Data Protection within 72 hours
• If the breach is likely to result in high risk, we will notify you directly
• We will document all breaches and the actions taken
To help protect your data:
• Keep your booking reference confidential
• Use secure networks when accessing our services
• Contact us immediately if you suspect unauthorised access to your account
EOS TOURS does not systematically photograph customers during tours. We do not employ photographers or require photos for operational purposes.
On occasion, tour guides or staff may take photographs of groups or scenery that may incidentally include customers. These photos may be used for:
• Social media posts
• Website content
• Marketing materials
If you do not wish to be photographed or to have your image used:
• Inform your guide at the start of the tour
• If you see a photo of yourself on our website or social media that you would like removed, contact us at [email protected] and we will remove it promptly
Customers are free to take photographs during tours for personal use. Please be respectful of other participants who may not wish to be photographed.
Our tours are open to families including children. When a booking includes children (under 18 years of age), the booking must be made by a parent or legal guardian.
For child participants, we collect only:
• Name (for passenger list)
• Age category (for pricing, where applicable)
• Special requirements (if provided by parent/guardian)
By booking on behalf of a child, the parent or legal guardian consents to the collection and processing of that child’s data as described in this Privacy Policy.
Parents/guardians may exercise data protection rights on behalf of their children by contacting us.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
If we make significant changes, we will:
• Post the updated policy on our website
• Update the “Effective Date” at the top of this policy
• For material changes that affect how we use your data, we may notify you by email (if we have your email address)
Your continued use of our services after changes are posted constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.
| DATA PROTECTION CONTACT |
| SPS EOS TOURS LTD |
| Attn: Data Protection |
| Address: |
| 15 Tombs of the Kings Avenue |
| Christofi Complex, Shop 5 |
| 8045 Paphos, Cyprus |
| Email: [email protected] |
| Phone: +357 99 247 900 |
| Please include “DATA PROTECTION” in the subject line of any email regarding privacy matters. |
If you have concerns about how we handle your personal data, please contact us first. We take all privacy concerns seriously and will investigate and respond promptly.
You have the right to lodge a complaint with a data protection supervisory authority. In Cyprus, this is:
| COMMISSIONER FOR PERSONAL DATA PROTECTION |
| (Επίτροπος Προστασίας Δεδομένων Προσωπικού Χαρακτήρα) |
| Address: |
| 1 Iasonos Street |
| 1082 Nicosia, Cyprus |
| Phone: +357 22 818 456 |
| Fax: +357 22 304 565 |
| Email: [email protected] |
| Website: www.dataprotection.gov.cy |
If you are resident in another EU Member State, you may also complain to the supervisory authority in your country of residence.
— End of Privacy Policy —
Last updated: [22.01.2026]
Version 1.1
