Cookie Policy
Last updated: May 21, 2026
This Cookie Policy explains how Vivestia Vacation Rentals (hereinafter "Vivestia", "we", "us" or "our"), with registered office at Platonos 16-18, Kallithea, Athens, Greece, uses cookies and similar tracking technologies on the website vivestia.devateam.com and any subdomains, mobile views or booking flows operated by us (the "Website").
This Policy should be read together with our Privacy Policy, which explains how we process personal data more generally. Where there is any inconsistency between the two documents in relation to cookies or similar technologies, this Cookie Policy prevails.
1. Who we are and how to contact us
The data controller responsible for the processing of personal data through cookies on this Website is:
- Name: Vivestia Vacation Rentals
- Registered address: Platonos 16-18, 17671 Kallithea, Athens, Greece
- General contact: support@vivestia.com
- Telephone: +30 697 192 1706
- Privacy / data-protection requests: privacy@vivestia.com
Where a Data Protection Officer ("DPO") is appointed under Article 37 GDPR, you may reach them at the privacy email address above.
2. Legal framework
Our use of cookies and similar technologies is governed by:
- Regulation (EU) 2016/679 ("GDPR") — in particular Articles 4, 6, 7, 13 and 21, which govern the lawful basis for processing personal data, the conditions for valid consent, the information we must give you, and your right to object.
- Directive 2002/58/EC ("ePrivacy Directive") as amended by Directive 2009/136/EC, in particular Article 5(3), which requires your prior informed consent before storing information on, or accessing information already stored on, your terminal equipment, except where strictly necessary to deliver a service that you have explicitly requested.
- Greek Law 3471/2006 ("On the protection of personal data and privacy in the electronic telecommunications sector"), transposing the ePrivacy Directive into Greek law — particularly Article 4(5).
- Greek Law 4624/2019, which implements the GDPR in the Greek legal order and designates the Hellenic Data Protection Authority ("HDPA") as the supervisory authority.
- HDPA Recommendation 1/2020 on cookies and other tracking technologies, together with the EDPB Guidelines 05/2020 on consent and the Court of Justice of the European Union's judgment in Planet49 (C-673/17), which collectively confirm that consent must be active, specific, informed and freely given.
3. What cookies and similar technologies are
A "cookie" is a small text file that a website places on your computer, smartphone or other internet-enabled device when you visit. Cookies allow the website to recognise your device on subsequent visits, to remember choices you have made, and — in some cases — to build a profile of your interests across websites.
In this Policy, the term "cookies" also covers other technologies that achieve a comparable effect, including:
- Web beacons and tracking pixels (small transparent images used to detect that a page or email has been opened);
- Local storage and session storage in your browser, used to keep information on your device between visits or within a single visit;
- Software development kits (SDKs) embedded in third-party scripts;
- Device or browser "fingerprinting" techniques that combine information about your device, browser and network to identify you.
Cookies may be "first-party" (set by Vivestia under the domain you are visiting) or "third-party" (set by a service provider whose script we have integrated, such as Google or Meta). They may be "session" cookies (deleted automatically when you close your browser) or "persistent" cookies (which remain on your device for a defined period or until you delete them).
4. Legal basis for placing cookies
We rely on the following legal grounds, depending on the type of cookie:
- Strictly necessary cookies are placed under the exception in Article 5(3) of the ePrivacy Directive (as transposed by Article 4(5) of Greek Law 3471/2006), because they are indispensable for the provision of a service that you have explicitly requested (for example, logging in to your account or completing a booking). Where these cookies also involve the processing of personal data, we rely on Article 6(1)(b) GDPR (performance of the contract you have entered into with us) and, where applicable, Article 6(1)(c) GDPR (compliance with our legal obligations, including Greek tax-retention requirements).
- All other cookies (functional, analytics, marketing/advertising and social-media cookies) are placed only with your prior, freely given, specific, informed and unambiguous consent, in accordance with Article 4(5) of Greek Law 3471/2006 and Article 6(1)(a) GDPR.
Until you provide consent, only strictly necessary cookies will be active. Continuing to browse the Website does not constitute consent. You may give, withhold, change or withdraw your consent at any time using our cookie-preferences panel (see Section 9 below). Withdrawing consent does not affect the lawfulness of any processing that took place before you withdrew it.
5. Categories of cookies we use
5.1 Strictly necessary cookies
These cookies are essential for the Website to function. They enable core functions such as authentication, session management, security (including protection against Cross-Site Request Forgery attacks), load balancing, fraud prevention, and the operation of the booking and payment process. They cannot be disabled through our cookie-preferences panel, because the Website would not work without them. They do not store information that identifies you for marketing purposes.
5.2 Functional / preference cookies
These cookies allow the Website to remember choices you make (such as language, currency, recently viewed properties, or your saved Trip Plan) so that we can offer you a more personalised experience. If you reject functional cookies, some features may behave less conveniently — for example, you may need to re-enter preferences on each visit.
5.3 Analytics / statistics cookies
These cookies help us understand how visitors use the Website — for example, which pages are most popular, how visitors arrive at the Website, and which booking steps cause friction. The information is used to improve the Website and our services. We use Google Analytics 4 to collect this information in aggregated form. Where possible, IP addresses are truncated before storage and identifiers are not used to recognise you across other unrelated services.
5.4 Marketing / advertising cookies
These cookies are used to deliver advertisements that are more relevant to you, to limit how often you see an advertisement, to measure the effectiveness of advertising campaigns, and — where permitted by your consent — to build a profile of your interests so that we and our advertising partners can show you tailored advertising on other websites and platforms. They are typically set by third parties such as Meta (Facebook / Instagram) and Google.
6. Cookies in detail
The tables below distinguish between cookies that are currently active on the Website and cookies that may be activated in the future if and when we enable the relevant integrations. We are committed to keeping this Policy aligned with what is actually set on your device; when a new integration goes live, this Policy and our cookie-preferences panel are updated before the integration is enabled in production.
6.1 Cookies currently set on this Website
| Cookie / token | Provider | Category | Purpose | Duration |
|---|---|---|---|---|
thevivestia_session |
Vivestia (first-party) | Strictly necessary | Maintains your session across pages so that you remain logged in and your cart / Trip Plan is preserved. | Session (2 hours) |
XSRF-TOKEN |
Vivestia (first-party) | Strictly necessary | Protects against Cross-Site Request Forgery (CSRF) attacks on forms and authenticated actions. | Session (2 hours) |
remember_web_* |
Vivestia (first-party) | Strictly necessary | Set only when you tick "Remember me" at login, so that you do not need to authenticate on every visit. | Persistent (up to 5 years; deleted on logout) |
cookieConsent (localStorage) |
Vivestia (first-party) | Strictly necessary | Records the cookie-consent choices you have made so that we do not display the banner on every visit and so that we respect your selections. | Persistent (until you clear browser storage or revoke consent) |
__stripe_mid, __stripe_sid |
Stripe Payments Europe Ltd (Ireland) / Stripe Inc. (USA) | Strictly necessary (payment / fraud prevention) | Set only on pages where the Stripe.js library is loaded (checkout, profile payment methods). Allow Stripe to process card payments securely and detect fraud. | __stripe_mid: 1 year — __stripe_sid: 30 minutes |
| Viva Wallet checkout cookies | Viva Payment Services S.A. (Greece) | Strictly necessary (payment) | Set only when you choose Viva Wallet as the payment method, to complete and reconcile the transaction on Viva's hosted checkout. | Session / up to 1 year, depending on the cookie |
6.2 Cookies that may be activated in the future
We may at a later date enable the following integrations, subject in each case to your prior consent through the cookie-preferences panel. They are not currently active on the Website; should we activate them, this Policy will be updated before they are placed on your device.
| Cookie / token | Provider | Category | Purpose | Duration |
|---|---|---|---|---|
_ga, _ga_*, _gid, _gat |
Google Ireland Ltd (parent: Google LLC, USA) | Analytics | Google Analytics 4 — would be used to distinguish unique visitors, measure how the Website is used and identify friction in booking flows. | Up to 2 years |
_fbp, _fbc, fr, tr |
Meta Platforms Ireland Ltd (parent: Meta Platforms, Inc., USA) | Marketing | Meta Pixel — would be used to measure the effectiveness of advertising on Facebook and Instagram and to deliver targeted advertising to people who have visited the Website. | Up to 90 days |
| Mailchimp newsletter tracking pixel | Intuit Mailchimp (USA) | Marketing (email tracking) | If you subscribe to our newsletter, a small tracking pixel may be embedded in our marketing emails so that we know whether the email was delivered and opened. | Per email; until you unsubscribe |
The cookies listed in the second table will only be placed on your device if (a) we activate the integration in production, and (b) you grant the corresponding category of consent through our cookie-preferences panel. The exact set of cookies actually placed depends on the pages you visit and the features you use.
6.3 Browser storage (localStorage and sessionStorage)
In addition to HTTP cookies, the Website uses your browser's localStorage and sessionStorage to keep small pieces of information on your device. Under Article 5(3) of the ePrivacy Directive (as transposed by Article 4(5) of Greek Law 3471/2006), these technologies are legally equivalent to cookies and we therefore disclose them here.
| Storage key | Type | Category | Purpose | Lifetime |
|---|---|---|---|---|
cookieConsent |
localStorage | Strictly necessary | Records your cookie-consent choices (categories, policy version, timestamp) so we do not display the banner on every visit and so that we respect your selections. | Persistent (re-prompted after 12 months or on a policy update) |
vivestiaVisitorToken |
localStorage | Strictly necessary | Pseudonymous identifier used to link the consent decisions you make across visits, so we can demonstrate consent as required by Article 7(1) GDPR. | Persistent (until you clear browser storage) |
chat_session_id |
localStorage | Strictly necessary | Guest chat session identifier so your conversation with our support is preserved while you browse. | Persistent (cleared automatically on browser close and on login) |
chat_auto_open_tab |
localStorage | Strictly necessary | Coordinates which open browser tab handles auto-opening the chat widget when a new message arrives, so the chat does not open in every tab simultaneously. | Transient (cleared when the chat widget is closed) |
vivestia_notifications |
localStorage | Strictly necessary | Authenticated-user notification cache so the in-app bell shows without a network round-trip. | Persistent (set only when logged in) |
vivestia_search_preferences |
localStorage | Functional / preference | Remembers your last search filters (dates, destination, guests) so you do not have to re-enter them. | Persistent (until you clear browser storage) |
vivestia_search_view_preference |
localStorage | Functional / preference | Remembers whether you prefer the list, map or grid view on search results. | Persistent (until you clear browser storage) |
facility_tour_type_{property_id}_{facility_id} |
localStorage | Functional / preference | Remembers your preferred virtual-tour viewing mode for a specific facility. | Persistent (until you clear browser storage) |
vivestia_session_active |
sessionStorage | Strictly necessary | Marker used to distinguish a fresh browser session from a page reload (so guest chat history clears appropriately on browser close). | Session (cleared when the browser tab closes) |
| Property-management wizard keys | sessionStorage | Strictly necessary (authenticated only) | Form state used by property managers and administrators when creating or editing a property listing through our multi-step wizard. Includes amenities, rate details, room images, virtual-tour configuration. Set only for authenticated property managers / administrators. | Session (cleared when the tab closes) |
All entries listed in this section are first-party — they are written and read only by code served from this Website. None of them contain personal data beyond what is functionally required for the feature in question, and none are used for advertising or cross-site tracking.
6.4 Cookies set via embedded content (Matterport, YouTube)
On some pages — in particular property listings and virtual tours — we embed external content from third parties such as Matterport (immersive 3D tours) and YouTube (property videos). When that content loads, the third party places its own cookies on your device. We do not control these cookies; the third party acts as a separate (or, depending on the cookie, joint) controller. Under the Court of Justice of the European Union's Fashion ID judgment (Case C-49/17), embedding the content on our pages makes us a joint controller for the placement of those cookies, and we therefore disclose them here.
| Cookie | Domain | Category | Purpose | Lifetime |
|---|---|---|---|---|
ajs_anonymous_id |
matterport.com | Analytics | Random pseudonymous identifier used by Matterport's analytics layer (Segment) to count unique tour viewers. | 1 year |
ajs_user_id, ajs_group_id |
matterport.com | Analytics | Set to null unless you are logged in to Matterport directly. Used by Matterport to attribute tour interactions if you have a Matterport account. | Persistent |
VISITOR_INFO1_LIVE |
youtube.com | Marketing | Used by YouTube to estimate bandwidth for the embedded player and to deliver targeted advertising. | 8 months |
YSC |
youtube.com | Functional | Counts views of embedded YouTube videos within a single session. | Session |
CONSENT, PREF, GPS |
youtube.com | Functional / preference | Store your YouTube cookie-consent state, your player preferences (language, captions, autoplay) and an anonymous GPS hint for some video features. | Up to 20 years (CONSENT), 8 months (PREF), 1 hour (GPS) |
NID, 1P_JAR, OGPC, OTZ |
google.com | Marketing | Used by Google to deliver targeted advertising, measure ad effectiveness, and improve the relevance of Google services across sites. | 6 months / 2 months / 1 month / 1 month |
APISID, HSID, SAPISID, SID, SIDCC, SSID |
google.com | Marketing / authentication | Set if you are logged in to a Google account in the same browser. Link your YouTube viewing on our Website to your Google account, which Google may use for personalisation and advertising. Only relevant when you are signed into Google. | Up to 2 years |
_ga (set via the embedded YouTube player) |
youtube.com | Analytics | YouTube uses Google Analytics to collect anonymous information about how visitors use embedded players. | 2 years |
For full information about cookies set by these third parties, please consult their own privacy policies: Matterport Privacy Policy, Google Privacy Policy, YouTube data practices.
6.5 Real-time chat and notification service
Our in-page chat widget and the in-app notification bell are powered by a first-party real-time service (the "Socket Server") operated by Vivestia. The Socket Server is a Vivestia-controlled endpoint; it is not a third-party service.
The Socket Server does not place any cookies on your device. However, when your browser
opens the real-time connection it transmits our strictly-necessary first-party cookies — namely
thevivestia_session, XSRF-TOKEN and (where set) remember_web_* —
to the Socket Server, so it can recognise your session and verify the request. Where the Socket Server is
hosted on a separate subdomain in production (for example a sub-domain such as socket.vivestia.com),
those cookies are configured with SameSite=None; Secure for the sole purpose of letting them
reach the Socket Server. They remain accessible only to Vivestia.
For guest visitors (who are not logged in), the chat widget identifies the conversation using the
chat_session_id entry in your browser's localStorage, not a cookie (see Section 6.3
above). The connection itself is a WebSocket (or HTTP long-polling fallback) handled by the Socket.IO
library; the legacy io sticky-session cookie that Socket.IO supports is disabled in our
configuration and is not set on your device.
The legal basis for this processing is Article 5(3) of the ePrivacy Directive (strictly necessary for a service you have explicitly requested — the chat / notification feature) and Article 6(1)(b) GDPR (performance of the customer-support service).
7. Third-party recipients and joint controllership
Some of the cookies described above are set by third parties whose technologies we have integrated into the Website. Those parties act as independent controllers, joint controllers (in particular Meta with respect to its tracking pixel — see CJEU, Fashion ID, C-49/17) or processors, depending on the specific service. Their own privacy policies apply in addition to ours:
- Google Analytics: policies.google.com/privacy
- Meta (Facebook / Instagram): facebook.com/privacy/policy
- Stripe: stripe.com/privacy
- Viva Wallet: vivawallet.com/gr_en/privacy-policy
- Intuit Mailchimp: intuit.com/privacy/statement
8. International data transfers
Several of our third-party providers (in particular Google, Meta and Mailchimp) are headquartered in the United States. Where cookies set by those providers result in personal data being transferred outside the European Economic Area, we rely on the following safeguards under Chapter V GDPR:
- Adequacy decision: the European Commission's EU–US Data Privacy Framework adequacy decision of 10 July 2023, where the recipient is self-certified under the Framework;
- Standard Contractual Clauses: the European Commission's Standard Contractual Clauses (Decision 2021/914) for transfers to recipients outside the Framework, supplemented where appropriate by the technical and organisational measures recommended by the European Data Protection Board following the CJEU's Schrems II judgment (C-311/18).
You may obtain a copy of the safeguards in place, where legally possible, by contacting us at privacy@vivestia.com.
9. Managing your cookie preferences
You have several ways to control cookies on this Website:
9.1 Our cookie-preferences panel
When you visit the Website for the first time, we display a consent banner that lets you accept all cookies, reject all non-essential cookies, or customise your choices by category. You can change those choices at any time by clicking the "Cookie preferences" link in the footer of the Website. Withdrawing consent is as easy as giving it.
9.2 Browser settings
Most browsers let you view, manage, delete and block cookies. The procedure varies; helpful guides are available from the major browser vendors:
Please note that blocking strictly necessary cookies through your browser may prevent the Website (or individual features such as login or checkout) from working at all.
9.3 Direct opt-outs and industry tools
You can also opt out of certain analytics and advertising cookies directly with the relevant provider:
- Google Analytics: install the official browser add-on at tools.google.com/dlpage/gaoptout.
- Google advertising: manage personalised advertising at adssettings.google.com.
- Meta: manage advertising preferences in your Facebook settings, or at facebook.com/help/568137493302217.
- Industry opt-outs: youronlinechoices.eu (European Interactive Digital Advertising Alliance).
9.4 "Do Not Track" signals
Our Website does not currently respond to "Do Not Track" browser signals because there is no agreed industry or legal standard for how to interpret them. Your choices in the cookie-preferences panel are the authoritative expression of your consent.
10. How long we keep the information
Each cookie has its own lifetime, set out in the table in Section 6. Once a cookie expires, it is automatically deleted by your browser. Where cookies result in the collection of personal data on our servers (for example analytics aggregates linked to a pseudonymous identifier), we keep that data for no longer than is necessary for the purposes for which it was collected, in line with our Privacy Policy.
Information stored in our payment-events audit trail and accounting records is kept for ten (10) years in order to comply with the Greek Tax Procedure Code; this retention period does not apply to optional analytics or marketing cookies.
11. Your rights
Where cookies result in the processing of your personal data, you have the following rights under the GDPR:
- Right of access (Article 15) — to obtain confirmation of, and a copy of, the personal data we process about you;
- Right to rectification (Article 16) — to have inaccurate personal data corrected;
- Right to erasure (Article 17), commonly known as the "right to be forgotten", subject to legal retention obligations;
- Right to restriction (Article 18) of processing in certain circumstances;
- Right to data portability (Article 20), where processing is based on consent or on a contract and is carried out by automated means;
- Right to object (Article 21) to processing based on legitimate interests, including profiling;
- Right to withdraw consent (Article 7(3)) at any time, without affecting the lawfulness of processing carried out before withdrawal;
- Right not to be subject to fully automated decisions with legal or similarly significant effects (Article 22).
To exercise any of these rights, please write to us at privacy@vivestia.com. We will respond within the time limit prescribed by Article 12(3) GDPR (one month, extendable by two further months for complex requests).
12. Complaints to the supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA / Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα) or with the supervisory authority of the EU/EEA Member State in which you reside, work, or in which the alleged infringement took place.
- Hellenic Data Protection Authority
- Kifissias Avenue 1-3, 11523 Athens, Greece
- Telephone: +30 210 6475 600
- Email: contact@dpa.gr
- Website: www.dpa.gr
13. Children
The Website is not directed at children under the age of 15 (the digital-consent age set by Article 8 GDPR and Article 21 of Greek Law 4624/2019). We do not knowingly place non-essential cookies on the devices of children without the consent of a holder of parental responsibility. If you believe that a child has used the Website without the appropriate consent, please contact us so that we can take appropriate action.
14. Changes to this Policy
We review this Policy at least once a year and whenever there is a material change in the cookies we use, the law that applies, or the guidance issued by the HDPA or the European Data Protection Board. The "Last updated" date at the top of this page reflects the date of the most recent revision. Where the changes are material, we will draw them to your attention through the consent banner or by another appropriate means.
15. Contact us
If you have any questions about this Cookie Policy, the cookies we use, or how to exercise your rights, please contact us at:
- Email: privacy@vivestia.com
- General support: support@vivestia.com
- Postal address: Vivestia Vacation Rentals, Platonos 16-18, 17671 Kallithea, Athens, Greece
Unlock Exclusive Offers &
Curated Travel Inspiration
Subscribe for curated luxury offers, last-minute deals, and travel tips delivered to your inbox. Let Vivestia help plan your next escape with special perks for our insiders.