Privacy Policy

Last updated: 27 April 2026

This Privacy Policy explains how The Blossom Residences collects, uses and protects personal data when you visit www.theblossom.eu, use our booking engine at bookingengine.ihaveadream.io, contact us, make an enquiry, request a reservation, or stay at one of our residences.

The website and accommodation services are operated by:

I HAVE A DREAM
trading as The Blossom Residences
25 Ariadnis Street
71202 Heraklion, Crete
Greece
Tel: +30 6975400009
Email: info@theblossom.eu

For the purposes of applicable data protection law, including the General Data Protection Regulation, I HAVE A DREAM is the data controller for the personal data processed through our website, booking engine and accommodation services.

1. Personal data we collect

We collect personal data only where necessary to operate our website, handle enquiries, manage reservations, provide accommodation services, comply with legal obligations, and protect our legitimate business interests.

Depending on how you interact with us, we may collect:

• name and surname
• email address
• phone number
• arrival and departure dates
• number of guests
• preferred residence or accommodation type
• booking details
• message content, requests or guest preferences
• information about companions, where necessary for a reservation
• payment method information, where relevant
• billing, tax or identification information, where required by law
• communication history with us
• technical information about your use of our website and booking engine

Please do not send us sensitive personal data unless it is strictly necessary for your request or stay.

2. Website and technical data

When you visit our website or booking engine, we may automatically collect limited technical data, including:

• IP address
• browser type and version
• device type
• operating system
• pages visited
• date and time of visit
• referring website
• approximate location based on technical data
• cookie and consent preferences
• security-related signals used to protect the website from spam, bots or misuse

This information is used to operate the website and booking engine, maintain security, improve performance, understand visitor behaviour and protect our services from abuse.

3. How we collect personal data

We may collect personal data when you:

• visit www.theblossom.eu
• use bookingengine.ihaveadream.io
• submit a contact form
• send us an enquiry
• contact us by email, phone or social media
• request or make a reservation
• stay at one of our residences
• communicate with us before, during or after your stay
• interact with third-party booking platforms through which our residences are listed

We may also receive booking-related data from third-party platforms or service providers, including availability and pricing systems connected to our booking process.

4. Booking engine and Hosthub

Our direct booking engine operates at:

bookingengine.ihaveadream.io

The booking engine connects with Hosthub for availability and pricing information.

When you use the booking engine, we may process the personal data necessary to check availability, calculate prices, receive your booking request, manage your reservation and communicate with you about your stay.

Hosthub may process data as a service provider or technology partner where necessary for availability, pricing, booking synchronisation and reservation management.

We do not currently collect online card payments through our website or booking engine. Payments are normally made by bank transfer or in cash, according to the booking terms communicated to you.

5. How we use personal data

We use personal data for the following purposes:

• to respond to enquiries
• to provide information about our residences, availability and prices
• to manage booking requests and reservations
• to communicate with guests before, during and after their stay
• to coordinate availability and pricing through our booking systems
• to issue receipts, invoices or other legally required documents
• to provide guest support
• to improve our website, booking engine and guest experience
• to maintain website and booking engine security
• to prevent spam, bots, fraud or misuse
• to measure website performance and understand how visitors use our website, subject to applicable consent requirements
• to comply with tax, accounting, legal and regulatory obligations
• to protect our legitimate business interests in case of disputes, misuse, damage, unpaid amounts or security incidents

We do not sell personal data.

6. Legal bases for processing

We process personal data only where we have a valid legal basis.

Depending on the context, we may process your data on the basis of:

• Contractual necessity, when processing is required to respond to a booking request, manage a reservation or provide accommodation services.
• Legal obligation, when we are required to keep records or provide information for tax, accounting, public authority or regulatory purposes.
• Legitimate interests, when we respond to enquiries, maintain website security, prevent abuse, improve our services, manage guest relationships or protect our business.
• Consent, where required for optional cookies, analytics, marketing communications or similar tools.

Where processing is based on consent, you may withdraw your consent at any time.

7. Contact forms

When you use a contact form on our website, we collect the information you provide, such as your name, email address, phone number and message.

We use this information to respond to your enquiry and, where relevant, to take steps before entering into a reservation or accommodation agreement with you.

Contact forms may be protected by security tools, including Cloudflare Turnstile, to prevent spam, bots and misuse.

8. Cookies and similar technologies

Our website and booking engine may use cookies and similar technologies.

Cookies are small files stored on your device that help the website function properly, remember preferences, measure performance and understand visitor behaviour.

We may use:

• Essential cookies, which are necessary for the website and booking engine to work.
• Security cookies or signals, used to protect forms and booking functions from spam, bots and misuse.
• Analytics cookies, used to understand how visitors use the website.
• Preference cookies, used to remember choices such as cookie settings.
• Marketing cookies, only where such tools are active and where legally permitted.

Non-essential cookies are used only where permitted by law and, where required, after your consent.

You can manage your cookie preferences through the cookie banner and cookie settings tool on the website. You can also control cookies through your browser settings.

9. Google Tag Manager

We use Google Tag Manager to manage website tags and scripts.

Google Tag Manager is a tag management system. It helps us control which scripts are loaded on the website, including analytics and other website tools.

Where tags loaded through Google Tag Manager involve non-essential analytics or marketing processing, such processing takes place only where legally permitted and, where required, after your consent through the website's cookie banner.

10. Google Analytics 4

We use Google Analytics 4 to understand how visitors use our website, measure website performance and improve our content, navigation and guest experience.

Google Analytics 4 may collect information such as pages visited, interactions with the website, device and browser information, approximate location, referral information and other usage data.

Google Analytics 4 is used only where legally permitted and, where required, after your consent through the website's cookie banner.

11. Hotjar

We use Hotjar to better understand how visitors interact with our website and to improve usability, navigation and content structure.

Hotjar may collect usage information such as page interactions, clicks, scrolling behaviour, device type, browser information and similar website behaviour data. Hotjar is not intended to collect information entered into sensitive fields.

Hotjar is used only where legally permitted and, where required, after your consent through the website's cookie banner.

12. Cloudflare Turnstile

We use Cloudflare Turnstile to protect our website forms and booking-related functions from spam, bots and automated abuse.

Cloudflare Turnstile may process technical signals such as IP address, browser and device information, user-agent data, interaction data and other security-related signals necessary to determine whether a request is made by a human user or an automated system.

The legal basis for this processing is our legitimate interest in protecting our website, booking engine, forms and guests from spam, fraud, abuse and security threats.

Cloudflare may process data outside the European Economic Area. Where required, such transfers are protected by appropriate safeguards under applicable data protection law.

13. Analytics and marketing tools

We may use analytics or marketing tools to understand website traffic, improve performance and evaluate the effectiveness of our content or campaigns.

At present, the website uses Google Tag Manager, Google Analytics 4 and Hotjar. Non-essential analytics or marketing tools are used only where legally permitted and, where required, after your consent through the website's cookie banner.

We may occasionally send marketing communications to people who have chosen to receive them or where we are otherwise permitted to do so by law.

You may unsubscribe from marketing communications at any time by contacting us at info@theblossom.eu or by using the unsubscribe link where available.

Even if you unsubscribe from marketing communications, we may still send transactional or administrative messages relating to a reservation, enquiry or stay.

14. Payments

We do not currently process online card payments through our website or booking engine.

Payments are normally made by:

• bank transfer
• cash

Where payments are made by bank transfer, the relevant banks and payment institutions may process transaction data according to their own legal obligations and privacy policies.

We may keep payment-related records where necessary for accounting, tax, legal or dispute-resolution purposes.

15. Third-party service providers

We may share personal data with trusted third-party service providers only where necessary for the purposes described in this Privacy Policy.

These may include:

• website hosting providers
• website maintenance and technical support providers
• booking engine providers
• Hosthub, for availability, pricing and reservation management
• email and communication providers
• accounting or tax advisors
• analytics and tag management providers, including Google Analytics 4 and Google Tag Manager
• website behaviour analytics providers, including Hotjar
• website security providers, including Cloudflare
• public authorities, where required by law

These providers may process personal data only to the extent necessary to provide their services to us or to comply with applicable legal obligations.

16. Booking platforms and external websites

Our residences may also be listed on third-party booking platforms.

If you make a reservation through a third-party platform, that platform may process your personal data under its own privacy policy. We may receive the personal data necessary to manage your reservation and provide your stay.

We are not responsible for the privacy practices of third-party websites, booking platforms, social media platforms or external services linked from our website.

17. Social media

If you interact with us through social media, the relevant platform may process your personal data according to its own privacy policy.

We may process the information you choose to send us through social media in order to respond to your message or enquiry.

18. CCTV and property security

For security and safety reasons, CCTV cameras may operate in external shared areas of certain properties.

CCTV is used to help protect guests, visitors, staff, property and the security of the premises. CCTV is not used inside private accommodation areas.

Where CCTV is in operation, appropriate signage should be displayed in the relevant areas.

CCTV footage may be reviewed only where necessary for security, safety, incident investigation, legal compliance or the establishment, exercise or defence of legal claims.

CCTV footage is normally kept for up to 7 days, unless a longer retention period is necessary due to an incident, legal obligation, dispute or request by a competent authority.

19. International transfers

Some of our service providers, including technology, security, analytics or communication providers, may process data outside the European Economic Area.

Where personal data is transferred outside the EEA, we rely on appropriate safeguards where required by law, such as adequacy decisions, Standard Contractual Clauses or other lawful transfer mechanisms.

We do not rely on the former EU-US Privacy Shield framework.

20. How long we keep personal data

We keep personal data only for as long as necessary for the purpose for which it was collected.

In general:

• enquiry and contact form data is kept for as long as necessary to respond and follow up
• booking and guest data is kept for as long as necessary to manage the reservation and stay
• accounting, tax and transaction records are kept for the period required by applicable law
• website and booking engine technical logs are kept for a limited period necessary for security and operation
• CCTV footage is normally kept for up to 7 days, unless needed for an incident, legal claim or authority request
• marketing contact data is kept until you unsubscribe, withdraw consent or object, unless further retention is legally required

When personal data is no longer needed, we delete it or anonymise it, unless we are required to keep it by law.

21. Your rights

Under applicable data protection law, you may have the right to:

• request access to your personal data
• request correction of inaccurate or incomplete data
• request deletion of your personal data
• request restriction of processing
• object to processing based on legitimate interests
• request data portability, where applicable
• withdraw consent where processing is based on consent
• lodge a complaint with a supervisory authority

In Greece, the competent supervisory authority is the Hellenic Data Protection Authority.

To exercise your rights, contact us at:

info@theblossom.eu

or by post at:

The Blossom Residences
I HAVE A DREAM
25 Ariadnis Street
71202 Heraklion, Crete
Greece

We may need to verify your identity before responding to your request.

22. Data security

We use reasonable technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration or disclosure.

However, no website, booking engine, email system or online transmission is completely secure. You should avoid sending highly sensitive information by email unless necessary.

23. Children's privacy

Our website and booking engine are not directed at children and we do not knowingly collect personal data from children through the website without appropriate parental or guardian involvement.

Where information about children is provided as part of a reservation, we process it only as necessary to manage the booking and provide accommodation services.

24. Links to other websites

Our website or booking engine may contain links to external websites or services.

We are not responsible for the privacy practices, security or content of those third-party websites. You should review their privacy policies before providing personal data.

25. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our website, booking engine, services, legal obligations or data practices.

The updated version will be published on this page with a revised "Last updated" date.

26. Contact

For questions about this Privacy Policy or how we handle personal data, please contact:

The Blossom Residences
I HAVE A DREAM
25 Ariadnis Street
71202 Heraklion, Crete
Greece
Tel: +30 6975400009
Email: info@theblossom.eu