Consent Management

How we ask, record and respect your choice on cookies and marketing communications.

Last updated: 24 May 2026

1. Why this page exists

Under GDPR (Art. 7) and the ePrivacy Directive, we must obtain valid consent before placing non-essential cookies or sending you marketing. “Valid” means freely given, specific, informed, unambiguous, and as easy to withdraw as it is to give. This page documents how we meet that standard.

2. The four cookie categories

  1. Strictly necessary — required for the site to function (session, CSRF token, the cookie that stores your consent choice). Always on; cannot be disabled.
  2. Analytics & performance — help us understand which pages and routes travellers use, where they get stuck, and where pages are slow. Opt-in.
  3. Functional & preferences — remember non-essential choices (preferred language, last search route, recently-viewed destinations). Opt-in.
  4. Marketing & personalised content — advertising-effectiveness measurement, retargeting, personalised offers. Opt-in. Off by default.

3. How we ask

On your first visit, a banner appears at the bottom of every page with three balanced options:

None of the three options is visually preferred over another; rejection is as prominent as acceptance, per Greek DPA guidance.

4. Where we record your choice

Your preferences are stored locally in your browser under the key luxi_cookie_consent_v1. The record includes the prefs (which categories are on), a timestamp, and a schema version. No server-side identifier is created at the point of consent.

The cookie itself is classified as strictly necessary (it’s the record of your choice, without which we couldn’t respect that choice).

5. How to change your choice

You can change your cookie preferences at any time by clicking the Cookie Settings link in the footer of every page. The settings modal reopens with your current state pre-loaded; saving applies the new choice immediately and fires a cookie-consent-updated event that disables any newly-removed tracking.

To clear your record entirely (e.g. to be re-prompted with the banner), clear site data for luxi.gr in your browser.

6. Marketing email consent

We do not send marketing emails by default. Subscribing is an explicit opt-in action (separate from booking). Every marketing email contains a one-click unsubscribe link in the footer; the link works without login. Unsubscribe is processed immediately; you may continue to receive transactional emails (booking confirmations, support replies) which are not marketing under GDPR and require no consent.

7. Withdrawing consent

Withdrawal does not affect the lawfulness of processing prior to withdrawal.

8. Children

Luxi services are intended for adults (booking parties may of course include children). We do not knowingly collect personal data from children under 16. If we discover such data has been submitted, we delete it without delay.

9. Audit trail

For each consent given, withdrawn or modified we retain a record (anonymous identifier + timestamp + categories) for 12 months. This is used solely to demonstrate compliance under Art. 7(1) GDPR; it is not used for profiling or marketing.


See also: GDPR Policy, Privacy Policy, Data Retention Policy.