Greek Beaches

    Privacy Policy

    How we handle strictly necessary tech and cookieless analytics

    Last updated: 2026-06-02

    We value your privacy. This page explains which technologies are strictly necessary for the website to function and how our optional analytics work.

    Strictly necessary (always on)

    These technologies are essential for core functionality and are not used for advertising or user profiling:

    • Single Page App runtime: routing, UI rendering, accessibility features
    • Service Worker: offline caching and reliable asset delivery
    • Local storage for consent choice (analytics_consent) so your preference persists
    • Supabase authentication session (admin area only) - session cookies are only set when accessing admin features
    • Security headers and HTTPS to protect data in transit

    Analytics (optional)

    We use privacy-friendly analytics provided by Umami Cloud (cookieless) and Google Analytics 4 (cookies only after you opt in) to understand how the site is used and to improve features. Analytics only runs if you explicitly opt in from the consent banner or the Privacy preferences link in the footer.

    Providers

    • Umami Cloud – cookieless analytics hosted in the EU, focused on aggregated usage metrics.
    • Google Analytics 4 – cookies are set only after you grant consent; IP addresses are anonymized before storage using GA4's built-in controls.

    What we track

    When enabled, we track page views and usage to measure traffic and content performance. Our analytics implementation is documented in src/lib/analytics.ts and uses events to record key actions (e.g., search interactions, map engagement, session summaries).

    Data collected by Umami Cloud

    • Page views (URL path) and navigation paths
    • Referrer URL (the page you came from), where available
    • Anonymous events such as searches, map interactions, and filter usage
    • Non-identifying context such as timestamp and a random session identifier
    • Technical metadata like browser, operating system, device type, viewport size, and language
    • UTM parameters for campaign attribution when present
    • Approximate location derived from IP at request time for aggregated statistics; IP addresses are not stored by our implementation

    Data collected by Google Analytics 4

    • Page views, navigation flows, and engaged sessions
    • Event data (searches, map interactions, filter usage) with the same payloads noted above
    • Technical metadata such as browser, operating system, device category, and screen size
    • Approximate geolocation (country/region) derived from IP; IP anonymization is enforced prior to storage
    • UTM parameters and campaign metadata when present
    • Consent status so we can demonstrate opt-in tracing

    What we do not collect

    • No personal identifiers (no names, emails, precise location)
    • No marketing cookies and no cross-site tracking
    • No Google Analytics advertising features (ad_storage remains denied)
    • No third-party advertising or profiling

    Purpose and legal basis

    The purpose is to understand website traffic and content performance so we can improve features and reliability. The legal basis under the GDPR is your consent (Article 6(1)(a)), which you may withdraw at any time. Google Analytics cookies are only created when you grant consent; advertising storage remains disabled.

    Data retention

    We retain analytics data for up to 12 months in Umami and 14 months in Google Analytics 4 (current GA minimum for aggregated reporting). Retention is configurable; if we change these windows, we will update this page. We do not sell or share analytics data for advertising.

    Change or withdraw your consent

    You can change your analytics preference at any time by clicking the Privacy preferences link in the site footer. Turning analytics off will stop further analytics events from being sent.

    Your rights (GDPR)

    • Access your personal data
    • Request deletion (erasure) of your personal data
    • Correct inaccurate data
    • Restrict or object to processing
    • Data portability
    • Withdraw consent at any time (does not affect prior lawful processing)
    • Lodge a complaint with your local supervisory authority

    Data controller and processor

    The data controller is Beaches of Greece. Umami Cloud provides analytics services as our data processor.

    International transfers

    Depending on your location and service infrastructure, analytics data may be processed outside your country. We rely on appropriate safeguards offered by our service providers.

    Children

    This site is not directed to children under 13, and we do not knowingly collect personal data from them.

    Changes to this policy

    We may update this policy from time to time. The “Last updated” date above reflects the latest changes.

    Contact

    Questions about this policy? Contact us at hello@beachesofgreece.com.