Privacy Policy
What data is processed when you visit sumac.gr, why it is used, who receives it, and the choices available to you.
Data controller
SUMAC HOSPITALITY P.C., trading as Sumac, is the data controller for this website and is established at 20 Arachovis Street, Athens 106 80, Greece. Privacy enquiries can be sent to hello@sumac.gr.
Business identifiers
- Legal form: Private Company
- General Commercial Registry (GEMI): 123456789000
- VAT number: 012345678
Personal data we process
| Data | Purposes | Legal bases | Recipients | Retention |
|---|---|---|---|---|
| IP address; browser, device, and operating-system information; requested URL; request date and time; referrer and basic network, performance, and security metadata where available | Deliver the requested pages and assets; maintain availability and security; detect abuse; diagnose technical faults | Article 6(1)(f) GDPR — legitimate interests in operating, securing, and troubleshooting the website | Cloudflare, Inc. and its authorised subprocessors | This static site creates no application-level access-log database. Cloudflare retention follows the production service configuration and applicable agreement, which must be verified before this policy is approved. |
| Google Maps category choice; choice status; choice timestamp; consent-configuration version | Remember, apply, and demonstrate the privacy choice made in this browser | Article 6(1)(f) GDPR — legitimate interests in respecting privacy choices and documenting the consent state | No third party receives the preference record from this implementation | The first-party cookie expires after 180 days. The matching local-storage record remains until it is overwritten by a later choice or deleted through browser settings; a record for an older configuration version is ignored. |
| IP address and request timestamp; browser, device, and operating-system information; the map coordinates requested; map interactions and Google identifiers or account information depending on the visitor’s Google state and settings | Display and operate the interactive map of the Sumac location | Article 6(1)(a) GDPR — consent to load the Google Maps iframe; Google describes its own legal bases in its Privacy Policy | Google LLC, Google Ireland Limited where applicable, and Google service providers | Sumac removes the iframe when consent is withdrawn or the page is left. Google controls the retention of request, interaction, account, cookie, and similar data under its settings and policies. |
Providing data
- Network and request data are transmitted automatically when you request a page; without them the website cannot be delivered.
- Making a choice is optional, but the preference record is needed if you want the site to remember that choice. Rejecting Google Maps does not restrict the rest of the website.
- Loading the map is optional. If you do not consent, the restaurant address and a direct Google Maps link remain available.
Recipients of personal data
Depending on how you use the website, personal data may be processed by:
- Cloudflare, Inc. and its authorised subprocessors
- No third party receives the preference record from this implementation
- Google LLC, Google Ireland Limited where applicable, and Google service providers
International transfers
Cloudflare, Inc. and its subprocessors may process personal data outside the European Economic Area, including in the United States. Cloudflare states that, where applicable, it relies on European Commission adequacy decisions, including the EU–US Data Privacy Framework, and on the EU Standard Contractual Clauses together with supplementary measures where required.
Google LLC, Google group companies, and Google service providers may process service data outside the European Economic Area. Google states that, where applicable, it relies on European Commission adequacy decisions, including the EU–US Data Privacy Framework, and on the EU Standard Contractual Clauses.
Your rights
- request access to personal data concerning you;
- request correction of inaccurate or incomplete data;
- request erasure or restriction where the legal conditions are met;
- object to processing based on legitimate interests;
- receive data you provided in a portable format where portability applies;
- withdraw consent at any time where processing is based on consent, without affecting earlier lawful processing;
- lodge a complaint with the competent supervisory authority.
The relevant supervisory authority is Hellenic Data Protection Authority.
Automated decision-making
This website does not carry out automated decision-making that produces legal or similarly significant effects.
Optional content and external services
Google Maps is the only optional third-party content embedded by this website. Its iframe is not created and no request is sent to Google until you consent. Links to Google Maps, efood, and Instagram do not load those services inside this website; their providers process data under their own terms when you choose to follow a link.
How the website is protected
The site is built as static content, served over HTTPS in production, and uses browser security and referrer controls. Optional third-party content is blocked until consent. Access to hosting and deployment systems must be limited to authorised people. No internet service can guarantee absolute security.
Policy updates
We may update this Privacy Policy when website functionality, providers, or processing practices change. The revision date at the top identifies the current version.

