1. Who we are (the Controller)
Luxi is the data controller for personal data collected through luxi.gr. Registered address: Athens, Greece. Contact: [email protected]. We have not appointed a Data Protection Officer; for all data-related queries please use the privacy address above.
2. What personal data we process
- Identification — your name, email, phone number, billing address (when booking).
- Travel data — pickup and drop-off addresses, dates, party size, flight number, special requirements you provide.
- Payment data — processed by our PCI-DSS-compliant payment provider; we do not store full card numbers.
- Technical data — IP address, browser type, device identifiers, pages visited (analytics cookies, opt-in only).
- Communications — messages you send via the contact form, quote-request notes, support emails.
- Account data — if you register, your password hash and account preferences.
3. Why we process it — legal bases
- Contract performance (Art. 6(1)(b)) — to deliver the transfer you booked, share necessary details with the Driver, send confirmation emails.
- Legal obligation (Art. 6(1)(c)) — to issue VAT invoices, retain accounting records for 5+ years per Greek tax law, comply with anti-money-laundering checks where applicable.
- Legitimate interest (Art. 6(1)(f)) — to prevent fraud, secure the platform, improve service quality. We balance this against your rights and freedoms.
- Consent (Art. 6(1)(a)) — for non-essential cookies (analytics, marketing), for marketing emails. You can withdraw at any time.
4. Who we share data with
- The Driver who accepts your booking — receives your name, phone, pickup details, flight number.
- Payment processor — receives card details directly (we never see them).
- Email delivery, hosting and analytics providers — bound by data processing agreements under Art. 28.
- Greek tax authorities — only the invoice data they require.
We do not sell personal data. We do not transfer data outside the EEA unless an adequacy decision exists or appropriate safeguards (Standard Contractual Clauses) are in place.
5. How long we keep your data
Summary — full schedule in our Data Retention Policy:
- Booking records: 7 years (Greek tax requirement)
- Account data: while account is active + 12 months after closure
- Marketing-consent records: until consent withdrawn + 12 months for audit
- Support communications: 3 years
- Server access logs: 90 days
6. Your rights under GDPR
You have the right to:
- Access — receive a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”) — ask us to delete your data, subject to legal-retention overrides.
- Restriction — pause processing while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format and have it transmitted to another controller.
- Objection — object to processing based on legitimate interest (we will stop unless we have compelling grounds).
- Withdraw consent — for any processing based on consent, at any time.
- Not be subject to automated decisions with legal effects — we do not engage in such processing.
7. How to exercise your rights
Email [email protected] with your request. We respond within 30 days (extendable by 60 days for complex cases, with notification). Requests are free of charge except for repeated or excessive requests, where a reasonable fee may apply per Art. 12(5).
To verify your identity we may ask for the email address associated with your bookings or other reasonable verification. We will never ask for your password.
8. Right to complain
If you believe we have not handled your data lawfully, you may lodge a complaint with the Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα): www.dpa.gr. You may also complain to the supervisory authority in your country of residence.
9. Changes to this policy
We review this policy at least annually and after any material change to our processing activities. Material changes are notified by email to registered users and by banner on luxi.gr for at least 30 days.
See also: Privacy Policy, Data Retention Policy, Information Security Policy, Consent Management.