Sally's Bar · Skala · Kefalonia

Privacy Policy

Last updated: 2026-04-19

1. Who we are (Data Controller)

The data controller for personal data collected through this website is [Legal Name], Tax ID [VAT], GEMI [GEMI No.], with registered address at [Address], Skala, Kefalonia, Greece ("we", "us", "Sally's Bar"). Privacy contact: privacy@sallysbar.gr.

2. What data we collect

We collect only the data needed for each purpose:

  • Account: email, name, hashed password, phone, date of birth, country, gender, address, city, postal code, marketing consent.
  • Bookings & orders: date, time, party size, contact details, order contents, amounts, notes.
  • Loyalty & gamification: points, tier, visits, reward history, scratch cards, quest participation.
  • QR / Marketing campaigns: scan timestamp, country/region/city (from CDN headers), timezone, city-level coordinates, device/browser/OS, UTM tags, referrer, browser language, hashed IP (SHA-256 — raw IP is not stored).
  • Job applications: full name, email, phone, CV (file + text), role applied for.
  • Push notifications: push endpoint, public crypto keys, user-agent. We never send pushes without your explicit consent.
  • Phone calls & AI receptionist: When you call our numbers (+30 694 627 2083, +44 7441 475768, +1 207 503 7391), we log: your caller ID, timestamp, and duration. If the call is handled by our AI receptionist, we also record the audio and generate a written transcript for quality, staff training, and booking-evidence / dispute-resolution purposes. At the start of every AI call you will hear a clear spoken notice ("this call is recorded for quality and service purposes"). If you do not wish to be recorded you can say so immediately — the call will end or be transferred to a human on +30 694 627 2083, and no recording will be retained. You can also request transfer to a human at any point during the call.
  • Messenger / Instagram linking: If you choose to link your Messenger or Instagram account (e.g. for the +20 points bonus), we store the Page-Scoped ID (PSID) or IG-scoped ID that Meta provides to us via webhook. We use it only to send you messages when you have opted in.
  • Marketing messages & unsubscribe: If you have granted marketing consent, we log every message we send you (SMS, WhatsApp, Viber, Messenger, Instagram, Push, Email), its delivery status, and any reply you send. You can opt out at any time by replying "STOP" / "stop" (for SMS/WA) or clicking the unsubscribe link in emails — your consent is withdrawn automatically.
  • Clicks on shortened URLs (sallysbar.gr/s/xxxxx): We anonymously count clicks on each shortened URL we send in campaigns to measure performance. Not linked to your personal data.
  • Technical logs: error/request logs, retained for up to 30 days.

We do not process special-category data (health, beliefs, etc.) and will never ask you for it.

3. Legal basis & purpose

| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Account, bookings, orders | Contract (6.1.b) |
| Loyalty & gamification | Contract (6.1.b) |
| Email/Push marketing, QR scans | Consent (6.1.a) · Legitimate interest (6.1.f) for aggregated analytics |
| SMS/WhatsApp/Viber/Messenger/IG marketing | Consent (6.1.a) — withdrawn via STOP reply |
| Inbound AI phone call (recording + transcript) | Contract (6.1.b) · Legitimate interest for quality & booking-dispute resolution (6.1.f) — caller is notified at the start of the call |
| Messenger / Instagram account linking | Consent (6.1.a) |
| Fraud prevention / security | Legitimate interest (6.1.f) |
| Accounting / tax | Legal obligation (6.1.c) |
| Job applications | Pre-contract steps (6.1.b) + consent for retention |

4. Cookies & similar technologies

  • Essential cookies: login session (Supabase auth), language preference, CSRF. No consent required.
  • PWA local storage: service worker for offline + install. Cleared by uninstalling the app.
  • Marketing/analytics: we do not use Google Analytics or third-party tracking pixels on public pages. QR scan analytics are collected server-side only when you scan one of our QR codes.

5. Third-party subprocessors

We use the following providers acting as data processors under GDPR:

  • Supabase (EU, Frankfurt) — database, auth, file storage (CVs, recordings).
  • Cloudflare (EU edge) — hosting, CDN, DDoS, geo-IP headers for analytics.
  • Resend (EU/US) — transactional + marketing email (confirmations, campaigns, digests).
  • Vonage (UK/EU) — Messaging API (SMS, WhatsApp, Viber, Messenger, Instagram) and Voice API (inbound calls).
  • Vapi (US) — AI voice orchestration — connects STT + LLM + TTS in real time for AI phone calls. See their policy: vapi.ai/privacy.
  • OpenAI (US) — GPT-4o-mini for the AI receptionist and for AI campaign message generation. Call data is used only to produce the response; not used for model training.
  • ElevenLabs (US) — Text-to-Speech for the AI receptionist's voice (multilingual v2, EL + EN).
  • Deepgram (US) — Real-time Speech-to-Text for the AI receptionist (Nova-3 streaming).
  • Anthropic (Claude) (US) — admin content generation (events/jobs/quests). No customer personal data is sent.
  • Meta Platforms Ireland (EU) — Messenger & Instagram webhooks for account linking (PSID / IG-ID capture). Meta does not see our data beyond the normal messaging on your Page/IG.
  • Telegram — internal staff notifications for orders/bookings.
  • Photon / OpenStreetMap (EU) — address autocomplete (in place of Google Maps).

International transfers to the US rely on the EU–US Data Privacy Framework or Standard Contractual Clauses.

6. Data retention

  • Account: while active + 12 months after inactivity.
  • Orders / receipts: 10 years (tax obligation).
  • Bookings: 24 months.
  • QR scan logs: 24 months; aggregated analytics indefinitely.
  • Job applications: 12 months (or sooner on request).
  • AI phone-call recordings: up to 90 days (for quality & booking-dispute resolution), then auto-deleted. Recordings of calls that do not result in a booking are deleted after 30 days. Transcripts (text): 24 months. You may request immediate deletion at any time via privacy@sallysbar.gr.
  • Outbound marketing messages (marketing_log): 24 months — for dedup, analytics, consent audit trail.
  • Inbound customer replies (SMS/WA etc): 12 months.
  • Shortened-URL click analytics: 12 months, aggregated indefinitely.
  • Messenger/IG linking IDs: as long as your account is active.
  • Error logs: 30 days.

7. Your rights (GDPR)

You have the right to:

  • access your data (Art. 15)
  • rectification (Art. 16)
  • erasure / "right to be forgotten" (Art. 17)
  • restriction (Art. 18)
  • portability (Art. 20)
  • objection (Art. 21)
  • withdraw consent at any time

Email us at privacy@sallysbar.gr. We reply within 30 days.

You may also lodge a complaint with the Hellenic Data Protection Authority (dpa.gr) or your local supervisory authority.

8. Security

We use HTTPS everywhere, hashed passwords (bcrypt/argon), hashed IPs for analytics, role-based access, and encryption in transit and at rest via Supabase and Cloudflare. In case of a breach, we notify the Hellenic DPA within 72 hours and you directly if materially affected.

8a. Automated decisions & AI

We do not make automated decisions with legal consequences for you. Our AI receptionist can capture a booking request, but every booking is confirmed by a human before a confirmation is issued — no fully automated decision affects you. You may request human intervention at any stage by calling +30 694 627 2083 or emailing info@sallysbar.gr.

9. Children

Our service is not directed to persons under 18. If you believe a child has provided us data without parental consent, contact us to delete it immediately.

10. Changes to this policy

We may update this policy. Material changes will be notified via email or an on-site banner.

For any question: privacy@sallysbar.gr