Privacy Policy

Our Company (hereinafter “CRETAN PEAKS”) attaches great importance to the lawful processing, security, and protection of your personal data, regardless of the function you communicate or cooperate with us. Please read these terms carefully. By using our website and signing the relevant declaration of acceptance, you unconditionally accept the practices described herein. The terms described herein govern the contractual relationship between us and are incorporated into the terms of use of our service.

1.What is your personal data?

Your personal data includes all information on paper or electronic media, which may lead, either directly or in combination with others, to your identification or identification as a natural person. This may include information such as your name, postal and e-mail addresses, your 

mobile phone, your device or your web browsing history, and any other information that signifies your unique identification according to the provisions of the  General Data Protection Regulation  (GDPR 679 /2016), law 4624/2019, the current Greek legislation and the decisions of the Greek Data Protection Authority.

2. What data do we collect, for what purpose and on what legal basis?

Our principles for processing personal data are:

  • Fairness and lawfulness. When we process personal data, the individual rights of the Data Subjects must be protected. All personal data must be collected and processed in a legal and fair manner.
  • Restricted to a specific purpose. The personal data of Data Subject must be processed only for specific purposes.
  • Transparency. The Data Subject must be informed of how his/her data is being collected, processed and used.

CRETAN PEAKS collects several different types of personal data for various purposes.

To be able to provide our services we collect data only for lawful processing purposes (according to articles 6 and 9 of the General Data Protection Regulation).




Legal Basis

Registration Data for participation in the tour

·     Name/Surname

·     Email

·     Country

·     Phone

·     Gender (for rooms’ allocation)

·     Age 

·     Food intolerance (Lactose, Gluten, Vegan, etc)

·     Allergies

Applying and/or performing a contract or a pre-contractual relationship with the Company


Login to the website

·     IP address, date and time of access

·     URL,

·     Referrer URL, Access provider,

·     Browser

·     Operating system

Providing services for proper connection creation, security, and system’s stability

Legal interest, in the context of making the Company’s website available to the public and providing services to it. Please read our Cookies’ Policy carefully to learn more about Cookies and how they are used.

3. Minimize, store, and delete data

The Company will always require the minimum necessary personal data for your participation in the trip.

The Company keeps your personal data stored only for as long as it is required by the contractual terms, in combination with the period required by the current legislation.

4. Data concerning underaged persons

Our Company does not process personal data of persons who have not reached the age of 18 and reserves the right in case it is found that any underaged person has provided his data to the Company, without the consent of his legal representative, to delete the specific data. If you notice that an underaged person has provided his / her data to us without the consent of his / her legal representative, please contact us.

5. Recipients of User data

As a rule, our Company does not transmit your personal data to third parties, besides it is required by law or for the performing our services.

More specifically, the personal data collected by the company in the context of the services provided are processed by:

  1. a) the authorized and properly trained staff of the Company which is bound by contracts and strict confidentiality clauses. Access is graded according to the role and responsibilities of each staff member.
  2. b) associates of our Company, to whom the Company according to art. 28 GDPR entrusts the execution of specific tasks on its behalf (performers of processing) and with which it has ensured the processing in accordance with GDPR for the protection of your data, by signing contracts and committing to comply with adequate measures, in accordance with the relevant provisions of GDPR(nos. 28, 32), such as, but not limited to, hosting service providers, legal, accounting, technical companies in the context of website management and service provision.

(c) public bodies and authorities, such as public services and bodies, independent authorities, regulators, police, competent authorities, prosecutors, other administrative services, etc., when required to do so by the applicable legal framework.

In addition, our Company does not transmit personal data to third countries or international organizations which do not ensure an adequate level of protection.

6. Communication with the website

The communication with our website is done by sending an e-mail to the address:

Only the Managing Director has access to the messages we receive on our platform, who is contractually bound by confidentiality clauses.

We do not forward messages to third parties, which we receive on our platform, without the explicit consent of the sender.

Exceptions are the cases in which the forwarding to third parties or non-deletion of the electronic messages we receive is necessary for the fulfillment of our obligations deriving from the law or for the establishment, exercise, or support of legal claims and always in accordance with the Regulation for the Assurance of Confidentiality in Electronic Communications 

7. Security of your personal data – Technical and Organizational measures

Our Company considers, among other things, to take adequate and appropriate technical and organizational measures in order to ensure the appropriate level of security against the risks during processing, especially from accidental or illegal destruction, loss, alteration, unauthorized disclosure, or access to personal data that transmitted, stored or otherwise processed as well as the preservation of both technical and physical safety in accordance with Article 32 of the GDPR. It applies relevant Policies and generally adheres to the principles of processing in accordance with the principles of GDPR (art. 5 GDPR), to ensure the availability, integrity, and confidentiality of your data.

8. Your rights

The Company applies the principles of processing of GDPR 2016/679 (legality, objectivity, transparency, limitation of purpose, data minimization, accuracy, limitation of storage time, integrity, confidentiality, and accountability). The Company protects and secures your Rights regarding the use of your Personal Data.

Specifically, you have the following rights regarding your personal data protection.

  • Right to information

You have the right to be informed about the collection and use of your personal data.

  • Right of access

You have the right to receive confirmation, whether your personal data is being processed and, if so, you have the right to access your personal data in a concise, comprehensible, transparent, and easily accessible form.

  • Right of correction

You can request and we will ensure that without undue delay, we will correct inaccurate or incomplete personal data, including through a supplementary statement.

  • Right to delete

You have the right to require the deletion of the personal data that concern you, without undue delay and we will proceed with the deletion, under the conditions set by law.

  • Right to restrict processing

You have the right to require the restricted processing of data for limited and specific purposes only, under the conditions set by law.

  • Right of objection

You have the right to object, at any time and for reasons related to your situation, to the processing of your personal data. We will then no longer process your personal data, unless there are compelling and legitimate reasons for processing that override your interests, rights and freedoms or the establishment, exercise or uphold of legal claims.

  • Right to data portability

You have the right to receive your personal data, which you have provided to ‘’CRETAN PEAKS’’, in a structured, commonly used, and machine-readable format, as well as the right to request the transfer of such data to another processor without objection from the Company under the conditions set by law.

  • Right to human intervention

The above applies non-discriminatory and is imposed on all processes carried out by the Company and for all services provided as well.

If you have any questions regarding the privacy policy or would like to request clarification or would like to exercise any of your rights, please contact us at

We will respond to your request within thirty (30) days of receipt. In the event that an extension of the above deadline is required in order to investigate and / or process your request, you will be informed about, explaining to you the reasons why it is necessary to extend the deadline.

In any case, if you feel that the protection of your personal data has been violated in any way, you have the right to file a complaint to the Hellenic Personal Data Protection Authority (

9. Special statements of the Company:

The Company is not responsible for any damage direct, indirect, material, or consequential

that may be caused to the user due to the website or its use. The user is solely responsible for protecting his system from viruses and other malware. 

In addition, the company is not creating a profile or making any decisions based on automated processing of your data. 

Finally, it is clearly stated that no other use of the User’s personal data will be made for purposes other than those mentioned herein, without prior notice and, where required, his consent.

10. Useful information:

Processor Details:


Address: HERAKLION           

Phone: +306949594691 – +306972377732 



Details of the Hellenic Data Protection Authority:

Address: 1 – 3 Kifissias Avenue, PC 115 23, Athens

Call Center: +30 210 6475600

Fax: +30 210 6475628



11. Changes in policy and information

Effective protection of users’ personal data requires systematic monitoring of company’s policies and procedures. At the same time, the Company’s desire to provide better and up-to-date services means that it is constantly striving to improve practices and introduce new ones, always with respect for personal data.

Therefore, this Privacy Policy is subject to change at any time without prior notice. Guided by the principle of transparency, our Company is committed to informing you of any significant change in this Policy. In any case, you should check our policy at regular intervals, as the use of our services always requires your consent.

12. Policy Validity

This Policy was published by the Company on 22 / 11 / 2021


5 rides

~500 km

7-11 February 2024

Peak Pack 1690 €

5 rides

~500 km

6-10 march 2024

Peak Pack 1690 €

5 rides

~500 km

10-14 april 2024

Peak Pack 1690 €

5 rides

~500 km

22-26 May 2024

Sold out!

5 rides

~500 km

10-14 July 2024

Peak Pack 1690 €

5 rides

~500 km

11-15 September 2024

Peak Pack 1690 €

5 rides

~500 km

9-13 October 2024

Peak Pack 1690 €

5 rides

~500 km

13-17 November 2024

Peak Pack 1690 €

5 rides

~500 km

11-15 December 2024

Peak Pack 1690 €


3-6 rides

custom km

Custom Dates

Ride-only Pack

2-6 rides

custom km

Custom Dates

Team Pack (min 5 riders)

min 2 rides

custom km

Custom Dates

Tourist Pack