Privacy Policy and Data Protection

Last Updated: April 25, 2026

Cloudboat Booking System is an online service that provides an online booking platform for tour & boat rental agencies. Our websites, mobile properties, and related applications (collectively, "we" or "us") are part of ZanteWeb®, which is owned and operated by ZanteWeb It & Development P.C.

At ZanteWeb we recognize that privacy is important and providing information online involves a great deal of trust on your part. We take this trust very seriously, and make it a high priority to ensure the security and confidentiality of the personal information you provide us with, when you visit our Websites or use our services.

The Service includes an optional Google Calendar Integration feature that allows our account holders (boat captains and tour operators) to automatically synchronize their cruise schedules with their personal Google Calendar. Section 14 of this notice explains in detail how this integration works and how we handle your Google account data.

The basics we take seriously to protect your data:

We don't sell or share data or run clever programs to try and squeeze information out of you about what you are doing so we can sell you more stuff.
All our servers and applications run the same security protocols that banks use to transmit financial data.
We only hold your data because you have given it to us — if you don't want us to do that, we won't. You have control over how long we keep your data and when you want us to automatically delete it.
We comply with all the laws that apply to us — and expect the same from you.

1. General

ZanteWeb It & Development P.C. ("we" or "us") take the privacy of your information very seriously. Our Privacy and Data Protection Notice is designed to inform you, the user of our availability and booking service ("Service") about our practices regarding the collection, use and disclosure of personal and other information about you or your business that may be provided via this website or collected through our booking form.

This policy applies to information provided by our members and account holders ("members") and also applies to information which is processed by us when a person (referred to for convenience as a "Customer") makes a booking or submits data using our Service.

ZanteWeb It & Development P.C. is a Private Company trading under current Greek legislation and registered under the General Commercial Registry (GEMH), under registration number 146006224000.

Important Note: If you are using our Service to make a booking with our member or account holder ("account holder") please note that we are a processor of that data but we are not the data controller. We will pass the data you provide onto our account holder in accordance with this policy.

2. Our Policy

We aim to limit our interaction with your data wherever possible. We have a general policy relating to access to your data. We will generally only seek to access that data which is necessary in accordance to the privileges you have granted to the system. Automated processes may scan your data, but only for an explicit purpose to do with the management of your bookings or delivery of other services. We have systems in place which allow you to limit and control the access you allow to your booking data.

However, when working with data or content that was not collected by us and which originated elsewhere (e.g. private information you may have entered on your booking form) our policy is to only access and process a limited amount of outline data which we need to deliver the service to you. We will not review and analyse content. Occasionally, to assist with troubleshooting problems you are experiencing with the system, we will seek your permission to access your data.

3. Basis on which we process personal data

Personal data we hold about you will be processed either because:

You have consented to the processing for the specific purposes described in this notice;
The processing is necessary in order for us to deliver our Service (i.e. to comply with our obligations under the contract between us and our account holder); or
The processing is necessary in pursuit of a "legitimate interest". A legitimate interest in this context means a valid interest we have or a third party has in processing your personal data which is not overridden by your interests in data privacy and security.

4. Personal data we collect

We may collect and process the following personal information or data about you:

Log-in details and information you provide as an account holder when you register with the Service ("Log-In Information");
Contact information we collect from you as an account holder about you or your employees (names, addresses, telephone numbers, email addresses) ("Contact Information");
Any information which is contained in any third party account (e.g. Affiliate account) which you have linked with your Cloudboat account;
A record of the bookings made through the Service and information relating to each individual booking (title, pick-up/drop-off date time & location, vacation address or flight number etc.) ("Booking Information");
A record of any correspondence between you and us and other interactions with the Service or the Site ("Correspondence Information");
Information which may be provided to our account holder using an online booking form ("Booking Form Information");
Information relating to payment transactions (if required we may also collect credit card information which is only accessible from account holder for offline processing) ("Payment Information");
Information we may require from you when you report a problem or complaint ("Complaints Information");
Details of your visits to the Site, the resources and pages that you access and any searches you make ("Technical Information");
OAuth Token Information: If you are an account holder who connects your Google Calendar via our Google Calendar Integration feature, we collect and securely store OAuth 2.0 access tokens and refresh tokens issued by Google, along with the email address associated with the authorized Google account, the token expiration timestamp, and the date of authorization ("OAuth Token Information"). See Section 14 for full details.

We only collect such information when you choose to provide it to us. You do not have to provide any personal information to us and you may withdraw your consent or request that we restrict our processing.

Information may also be gathered through the Site without you actively providing it, through technologies and methods such as Internet Protocol (IP) addresses and cookies. We use your IP address to diagnose problems with our server, report aggregate information, and determine the fastest route for your computer to use in connecting to our site.

5. How we use your personal data

Please see the table below which sets out the manner in which we will process the different types of personal data we hold. Please note that some of this data (including Booking Information and Booking Form Information) is processed by us as a 'processor' and our account holder will be the 'data controller' (please see Section 9, Data Processing).

Purpose / Activity	Type of data	Lawful basis for processing
When you (or your employer) register with us to provide the Service to our account holder.	Log-in Information Contact Information	Performance of a contract. Necessary for our legitimate interests.
When you use the Service as an account holder to take, manage or administer bookings.	Log-in Information Contact Information Booking Information Booking Form Information Payment Information	Performance of a contract. Necessary for our legitimate interests.
When you use the Service as a Customer to make a booking.	Contact Information Booking Information Booking Form Information Payment Information	Performance of a contract. Necessary for our legitimate interests.
When you (as an account holder) authorize Google Calendar Integration to automatically sync your cruise schedule with your Google Calendar.	OAuth Token Information Booking Information Contact Information (email associated with Google account)	Explicit consent (granted via Google's OAuth 2.0 consent screen). Performance of a contract (to provide the calendar synchronization feature you have requested). You may withdraw consent at any time by revoking access in your Google Account settings.
To manage our relationship with our account holder (notifications, reviews, complaints).	Log-in Information Contact Information Booking Information Technical Information Communication Information	Performance of a contract. Necessary to comply with a legal obligation. Necessary for our legitimate interests.
To use data analytics to improve the Service, marketing, customer relationships and experiences.	Technical Communications	Necessary for our legitimate interests.

6. Sharing your information

We do not disclose any information you provide to any third parties other than as follows:

If you are an account holder we will share information contained in any booking form or other content created by you with anyone who is seeking to make a booking using the Service;
If you are a Customer making a booking we will supply any information you provide to us to our account holder;
Payment information may be provided to our payment processors;
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation;
In order to enforce any terms and conditions or agreements for our Services that may apply;
To protect the rights, property, or safety of ZanteWeb It & Development P.C., our account holders, or any other third parties;
To our technical support & software maintenance partners.

Other than as set out above, we shall not disclose any of your personal information unless you give us permission to do so.

Your data is not sent outside the EU with the exception of hosting service providers located in countries with an adequacy decision.

Google API data: Information received from Google APIs (specifically your Google Calendar data accessed via OAuth) is never sold, transferred to third parties, or used for advertising purposes. See Section 15 (Limited Use Disclosure) for full details.

7. How we protect your information

We want you to feel confident about using Cloudboat Booking System, and we are committed to protecting the information we collect. While no website can guarantee security, we have implemented appropriate administrative, technical, and physical security procedures to help protect the personal information you provide to us.

In order to safeguard the information we collect from you, we took all reasonable steps to ensure that:

Our servers are protected by security mechanisms and can only be administered via strictly controlled public/private cryptographic keys;
Our data processing storage facilities are sited in secure locations to prevent unauthorised access;
All communication with our servers is encrypted through SSL/TLS;
Regular security assessments of our infrastructure are performed (web vulnerability scans, dependency vulnerability scans, static code analysis, rule-based OS inspection and manual assessments);
We employ firewalls and intrusion detection systems to help prevent unauthorized access;
We use a state-of-the-art login system with two-step authentication for all our account holders;
OAuth tokens obtained for Google Calendar Integration are stored encrypted at rest in our secure database, with access strictly limited to the automated processes that need them.

8. Children's privacy

Cloudboat Booking System is a general audience site and does not offer services directed to children. Should an individual whom we know to be a child under age 18 send personal information to us, we will delete or destroy such information as soon as reasonably possible.

9. Data Processing

Certain information we collect we hold as a 'data processor', this includes Booking Information and Booking Form Information. Our account holder is the data controller for this data. Our terms require that our account holder process this data in accordance with applicable data legislation.

In our Terms of Use this is defined as "Subscriber Personal Data" and in our Terms of Use we set out, in accordance with the GDPR, our obligations to the account holder in relation to the Subscriber Personal Data we process.

10. Data Retention

We keep your data only for the time required to fulfill the purpose for which we have collected them, unless a time extension is required due to our legal claims or legal obligations.

Specifically for OAuth Token Information (Section 14): tokens are retained as long as the integration remains active. Upon revocation by the user (via Google Account settings) or upon the user's explicit request, OAuth tokens are deleted from our database within 24 hours.

11. Your privacy rights

The GDPR gives you the following rights in respect of personal data we hold about you:

The right to be informed	You have a right to know about our personal data protection and data processing activities.
The right of access	You have the right to request information about the personal data we hold about you.
The right to correction	Please inform us if information we hold about you is incomplete or inaccurate. We will update our records within one month.
The right to erasure	Please notify us if you no longer wish us to hold personal data about you. Unless we have reasonable grounds to refuse, we will delete the data within one month.
The right to restrict processing	You can request that we no longer process your personal data in certain ways.
The right to data portability	You have the right to receive copies of personal data we hold about you in a commonly used format.
The right to object	You may object to us using your personal data if you feel your fundamental rights and freedoms are impacted, or if used for direct marketing.
Right to withdraw consent	If we are relying on your consent, you have the right to withdraw your consent at any time. For Google Calendar Integration specifically, you can revoke access at any time via your Google Account Permissions.

You can exercise your rights by sending your request to ZanteWeb It & Development P.C., Floka Gaitani, 29100 Zakynthos, Greece or via email to dpo@zanteweb.com.

In case the response you have received is not satisfactory or your issue has not been resolved, you can contact the Greek Data Protection Authority (www.dpa.gr).

12. Other websites

Our Site may contain links and references to other websites. Please be aware that this Privacy Policy does not apply to those websites. We cannot be responsible for the privacy policies and practices of sites that are not operated by us.

13. Notification of changes to our Privacy Notice

We will post details of any changes to our Privacy Notice on the Site to help ensure you are always aware of the information we collect, how we use it, and in what circumstances, if any, we share it with other parties. The "Last Updated" date at the top of this notice indicates when these terms were most recently revised.

14. Google Calendar Integration

14.1 Overview

Cloudboat offers an optional Google Calendar Integration feature that allows our account holders (boat captains and tour operators) to automatically synchronize their cruise schedules with their personal Google Calendar. When a cruise is booked through the Service and assigned to a captain, a calendar event is automatically created in that captain's Google Calendar. This feature is entirely optional and requires explicit consent through Google's OAuth 2.0 authorization flow.

14.2 Who can authorize this integration

Google Calendar Integration is offered only to account holders (boat captains, tour operators, and their authorized employees who manage cruises within the platform). End customers who book cruises do not connect their Google Calendar to our system; this feature is operator-side only.

14.3 How it works

When an account holder chooses to enable Google Calendar Integration:

The account holder is invited via email to activate the integration.
Clicking the activation link directs them to our dedicated authentication server at auth.zanteweb.com.
From there, they are redirected to Google's secure OAuth 2.0 consent screen.
Google displays exactly which permissions Cloudboat is requesting.
The account holder explicitly authorizes Cloudboat to access their Google Calendar.
Upon successful authorization, OAuth tokens are securely stored in our database, and the integration becomes active.

14.4 Data we access via Google APIs

When you authorize Google Calendar Integration, we request access to the following Google API scopes:

https://www.googleapis.com/auth/userinfo.email — to identify the Google account being authorized;
https://www.googleapis.com/auth/userinfo.profile — to display your name in the admin interface;
https://www.googleapis.com/auth/calendar.events — to create, read, update, and delete calendar events related to your Cloudboat bookings.

Important: We do not access, read, or process any calendar events that are unrelated to Cloudboat bookings. We do not scan, index, profile, or analyze your personal calendar content.

14.5 How we use this access

We use the calendar.events permission strictly for the following purposes:

CREATE events: When a cruise is booked and assigned to you, we create a calendar event containing the tour/rental name, booking reference, date and time, meeting point location, and customer contact information.
READ events: Only to verify that a Cloudboat-created event already exists (to prevent duplicates) and to display synchronization status in the admin interface.
UPDATE events: When a booking is modified (time change, date change, cancellation by customer, etc.), we update the corresponding calendar event so it stays accurate.
DELETE events: When a booking is cancelled, the associated calendar event is automatically removed.

14.6 OAuth 2.0 authentication and security

Calendar integration uses Google's OAuth 2.0 protocol for secure authentication. This means:

We never receive or store your Google password.
Access is granted through secure, revocable tokens issued by Google.
OAuth tokens are encrypted at rest in our MySQL database.
Authentication is handled on a dedicated, hardened server (auth.zanteweb.com), separated from the booking engine for security reasons.
All communications between your browser, our servers, and Google's APIs are encrypted using SSL/TLS.

14.7 Token storage and lifecycle

OAuth tokens are stored in our secure database and are subject to:

Encryption at rest;
Strict access controls (no human reads them in normal operation);
Automatic refresh using the standard OAuth 2.0 refresh-token flow;
Automatic deletion within 24 hours after you revoke access via Google Account Permissions or request deletion from us directly.

14.8 Your control and how to revoke access

You maintain full control over the integration at all times. You can disconnect Cloudboat from your Google Calendar at any moment by:

Visiting https://myaccount.google.com/permissions;
Locating "Cloudboat Calendar Integration" in the list of connected apps;
Clicking "Remove Access".

Upon revocation, all OAuth tokens associated with your account are automatically deleted from our database within 24 hours. Please note: calendar events that were already created in your Google Calendar before revocation will remain there — you maintain ownership of your calendar data and can delete those events manually if you wish.

14.9 Multi-domain architecture

Our Google Calendar Integration operates across multiple domains owned and operated by ZanteWeb It & Development P.C.:

cloudboat.gr — product information and presentation site;
*.cloudboat.eu — tenant-specific booking engines used by individual tour operators;
admin23.cloudboat.eu — administrative control panel where account holders manage captains and bookings;
auth.zanteweb.com — dedicated OAuth 2.0 authentication server (this is the domain you will see during the Google consent flow).

This separation enhances security by isolating the authentication layer from the booking engines while maintaining a seamless user experience.

14.10 Opt-out

Google Calendar Integration is entirely optional. You can use the Service in full without ever connecting your Google account. Connecting and disconnecting can be done at any time without affecting any of your bookings or other Service features.

15. Limited Use Disclosure (Google API Services User Data Policy)

Cloudboat's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we commit to the following:

We use Google user data only to provide and improve the Google Calendar Integration feature described in Section 14. No data obtained via Google APIs is used for any other purpose.
We do not transfer Google user data to third parties, except as strictly necessary to provide or improve the integration, to comply with applicable law, or as part of a merger/acquisition/sale of Cloudboat assets (in which case we will require comparable privacy protections from the acquiring party and notify affected users).
We do not use Google user data, or transfer it, for serving advertisements (including retargeting, personalized advertising, or interest-based advertising).
We do not allow humans to read Google user data unless: (a) we have obtained your explicit consent to read specific data; (b) it is necessary for security purposes (such as investigating abuse); (c) it is necessary to comply with applicable law; or (d) the data is aggregated and used for internal operations in a manner that complies with the Limited Use requirements.

These commitments apply to all data accessed via the Google Calendar API as part of the Cloudboat Calendar Integration, including OAuth tokens, calendar event data, and any associated profile information.

16. How you can contact us

If you have any questions about this Privacy Policy, or any inquiry related to your personal data, please contact us:

Company	ZanteWeb It & Development P.C.
Registration	GEMH: 146006224000
Address	Floka Gaitani Zakynthos, TK 29100 Greece
Telephone	+30 26950 27447
Email (Data Protection Officer)	dpo@zanteweb.com
Website	https://www.cloudboat.gr/
Terms of Service	terms.php
Greek Data Protection Authority	www.dpa.gr

Last Updated: April 25, 2026