Privacy Policy

This privacy policy applies only to company-owned websites and excludes any information collected through other Internet websites.
The Company, as controller of your personal data, respects the privacy of individuals and takes all steps necessary to protect their personal data.

Therefore, the company informs each data subject (hereinafter: the “Data Subject”) who enters/uses the website www.vitabooking.com (hereinafter: the “Website”) that the processing of their personal data is subject to all applicable EU and national laws and all relevant decisions, directives and regulatory acts of the competent Supervisory Authorities.

This privacy policy describes how we collect and use the personal data you supply through our Website.  It further describes your options in relation to the use of your personal data and how you can monitor or become informed about their processing.  

We reserve the right to modify this Privacy Policy from time to time. If you wish to keep track of updates and amendments to this Privacy Policy, you are advised to access this website regularly.

Type of personal data collected
The personal data we collect includes the following information:

  • Your name, surname, email address, telephone and residential address.
  • Health and insurance information
  • User information, including medical services reservation dates, arrival / departure dates, any special requests for hotel/ticket reservations, comments on service preferences.
  • Access data: Whenever you enter our website, certain information such as your user name, password and IP address, is automatically collected for technical reasons as well as for Forum (server / data base / network) security reasons. At the same time, your browser software is identified for statistical purposes, along with information concerning your computer's operating system / version / language settings and other websites you may have accessed. If you are accessing the website through a mobile phone device, we may also collect your device’s identification information as well as information concerning particular settings of your device or other features, such as longitude/latitude data. Whenever you make a reservation, our systems records the means and websites used to perform the reservation. If you can be identified as a natural person on the basis of such information, then such information is considered to constitute personal data and it is subject to this privacy policy.

Why we collect and process your personal data - Legal bases of processing

We only use and process such personal data as is strictly necessary for us to provide you with the information and medical package reservation services you desire. That is, the legal basis of the processing of your personal data is the performance of a contract, as per Article 6(b) GDPR.

We use and process such personal data as is strictly necessary to provide you, at your preference, with information, and trip planning/ organisation services, in relation to the supply of other travel services that are offered and displayed on the platform by third-party associate providers. If you opt to make use of this type of services, we will use your data to complete your reservation. That is, the legal basis of the processing of your personal data is the performance of a contract, as per Article 6(b) GDPR.

User Account: By accessing our website, you can obtain information about the medical packages available by our associate HSPs and your options to plan/organise your trip utilising other travel services that are offered by third-party associate providers. To proceed to a reservation, however, in relation to such other services, you need to create a user account by disclosing your personal data and designating a user name and a password. To ensure proper registration and prevent unauthorised log-ins by third parties, you will receive an activation link by email as soon as the registration process is completed, in order to activate your account. As soon as your account is activated, you may log in using only your email address or user name / password. We use the data you share with us to create for you an account with several useful functionalities. Once your account is activated, you may submit a request for reservation of a medical package, along with all personal information required for implementation of the reservation service. Through your account, you can submit the medical documentation required for the processing of your request by the HSP. We have proper technical procedures in place to ensure the security of any special categories of personal data you share with us. Through your account you can also contact us for the purpose of managing your reservation. You may request us to plan your trip, in which case we will help you proceed with the necessary travel reservations (hotel/tickets/transport reservations). You can manage your reservations or other purchases, benefit from special offers and make future reservations easier.

Customer service: We may occasionally contact you by email, post, phone or text message, depending on the contact information you have supplied. This could happen for a number of reasons: to answer or process any requests we receive from you or to send you a reminder email in case you have not completed your online reservation. We believe this extra functionality is useful, as it allows you to resume your reservation without having to complete the required information from the beginning. We may use your contact details to send you an email and ask for feedback, after the healthcare and tourist services you have purchased are thoroughly completed. This helps other users / “health tourists” choose the healthcare / tourist package which is mostly appropriate for their needs.

The legal basis of the processing of these data is your consent as per Article 6(1)(a) GDPR  or the legitimate interests of the company as data controller, as per Article 6(1)(f) GDPR.

In certain situations we may need to use your data to manage or settle a legal dispute, or for regulatory research / compliance purposes or to ensure fair compliance with these ToU. We may use your personal data to prevent any fraudulent or other illegitimate or undesirable activities.

We may use your data to promote our legitimate interests, e.g. to provide you with the most appropriate website / email / newsletter content; improve our services and our website content; for analysis purposes or as part of our efforts to improve our services and user experience as well as the functionality and quality of our online reservation services.

How we share your personal data with third parties.

Third-party Healthcare Service Providers: We collaborate with third-party Healthcare Service Providers (hospitals, private physicians and medical centres), who provide you with the healthcare services you seek to obtain. These healthcare service providers are also, controllers of your data, offering adequate assurances of compliance with the applicable laws and having proper technical and organisational procedures in place, to ensure the legitimacy and secrecy of the processing, protect the privacy of data subjects and provide a proper level of security against risks.

Third-party providers of tourist or other services.

We collaborate with third-party suppliers/tourist service providers (travel agencies, hotels, car rental companies, translation agencies) to provide you with trip planning and organisation services. These service providers are also, controllers of your data, offering adequate assurances of compliance with the applicable laws and having proper technical and organisational procedures in place to ensure the legitimacy and secrecy of the processing, protect the privacy of data subjects and provide a proper level of security against risks.

Data processors:

We have assigned the management and support of our website to “Health Tourism Greece LTD.”, by means of a works contract www.vitabooking.com. The data processor has made available to us all information necessary to prove compliance with the requirements of these ToU.  They have also undertaken the obligation to assist us in relation to the exercise of the rights of customers/data subjects: right of information and access, right to rectification and erasure, right to restriction of processing, right to data portability, right to object.

Payment service providers

We collaborate with Braintree by Paypal, who has undertaken to provide an electronic payments mechanism  (Virtual Point of Sales or EFT/POS). If either you or the holder of the credit card that was used for your reservation request(s) a refund, we may need to share some of your reservation information with the payment service provider and the relevant financial institution, for the purpose of managing the refund process. Such information may include a copy of your reservation confirmation or the IP address you used to make your reservation. We may also share information with the relevant financial institutions, where we consider this imperative for fraud identification / prevention purposes.

Competent authorities: We share your personal data with law enforcement authorities, insofar as this is (i) required by the law, or (ii) essential for the prevention / identification / prosecution of fraud or other crimes. We may also need to disclose your personal data to the competent authorities for the purpose of securing or defending our own legitimate rights / property or those of our business partners.

Security procedures applied to protect your personal data

We fully comply with all requirements of the applicable legislation on the protection of individuals from unauthorised data processing, i.e. with the requirements of the newly-enacted General Data Protection Regulation. We have proper technical and organisational procedures in place to ensure the legitimacy and secrecy of the processing, protect the privacy of data subjects and provide a proper level of security against risks. By way of indication, such procedures include data encryption mechanisms; procedures ensuring the integrity / availability/ reliability of processing systems on an ongoing basis; prompt data availability and access restoration procedures in case of disruption due to physical / technical causes; procedures allowing us to test / assess / evaluate the effectiveness of our technical and organisational measures to ensure the security of the processing.

We have fair procedures in place as per the applicable regulations, to prevent any unauthorised access to or use of your personal data.  We have adequate operating systems and procedures in place to protect and secure the personal data you share with us. We also apply proper security procedures and technical / natural restrictions of access and use of personal data on our servers. Access to personal data is only granted to the authorised staff of the data controller and the data processor, and only for the stipulated purpose. The above persons are liable to treat your personal data as strictly confidential throughout the term of the relevant Agreement as well as after its expiry. To ensure the effective protection of your personal data against random or illicit destruction, accidental loss, falsification, unauthorised disclosure or any other form of unauthorised processing, we have assigned this task to properly qualified professionals who offer adequate assurances in terms of technical skills and personal integrity. You should, however, be cautious at all times, as data security may not be fully guaranteed on the Internet.

Before making a reservation for a medical package on our website, please read the data protection policies carefully to understand how our business partners manage your personal data.

If you have any questions as to the type or level of security offered through the Website, please contact us by email at [email protected]          

Personal Data Retention

We keep your personal data only for as long as it is necessary for us to: provide our services, comply with the applicable regulations, settle any disputes with third parties, or for any other purpose we may consider imperative in the context of our business activities. All personal data you share with us is subject to this privacy statement.  We keep record of all processing activities and we collaborate with the competent Supervisory Authority to maintain processing security, especially in the context of the following processes: (i) notification of data infringements to the Hellenic Data Protection Authority, (ii) notification of data infringements to the data subjects, (iii) data protection impact assessment, and (iv) prior consultation  with the Authority in relation to processing activities.

Right of Information / Access / Rectification / Restriction / Data Portability / Erasure

Data subjects have a right of information / access / rectification / erasure (“right to be forgotten”), a right to restriction of processing, a right to data portability and a right to object, as per the provisions of Articles 13-21 GDPR.

You have a right to inspect your personal data which is in our possession, any time. You may demand to review your personal data, by submitting a request to that effect by email at [email protected].

You can inform us of any changes to your personal data or request us to rectify your data, any time.

In certain situations, you may request us to erase / prevent / restrict the processing of your personal data or object to particular uses of your data. Following a request on your part to that effect, we will delete your account, in which case your data will be no longer accessible in any manner. You may request the deletion of your account here [email protected]. We retain your personal data on our systems for the sole purpose of settling any legal disputes which may arise in the context of these ToU or preventing risks of fraud. Your data is retained for a limited period of time, in line with the applicable regulations.

In certain situations you may also request us to forward the personal data you have supplied us to third parties.

In any situations where use of your data is subject to your consent, you have a right to withdraw your consent any time, as per the applicable regulations. Moreover, in any situations where we process your personal data on the basis of a legitimate legal interest or a public interest, you have a right to object to such use of your data any time, as per the applicable regulations.

We trust that you will ensure that your data remains complete, accurate and updated at all times. Please inform us of any changes or errors in your personal data, at [email protected]. We will process your request as per the applicable regulations.
You may exercise the above rights by sending us an email to [email protected] the email address that was used to submit the electronic communication form. This will allow us to identify you as a data subject.

If you feel that the integrity of your data is howsoever jeopardised, you can address the Data Protection Commissioner’s Office.
Given that this statement and the data protection terms included herein are subject to amendment, we recommend you to review the contents of this statement regularly, in order to keep track of changes.

Please feel free to contact us if you need any clarifications or information in relation to this Policy.

Use of the Website by minors

According to Article 8 GDPR, children below the age of sixteen (16) years are not allowed to share with us any personal data through the Website. In relation to children below the age of 16 years, the processing of personal data is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Controller of the personal data supplied through vitabooking.com

If you have any proposals or comments in relation to this privacy statement, please contact us by email at [email protected]. We will get back to you as soon as possible.

The controller of all personal data supplied through vitabooking.com is “HTB HEALTH TOURISM BOOKING LIMITED”.