Privacy Policy
Effective date: March 23, 2026
1. Introduction
This Privacy Policy describes how Relyo processes personal data in connection with the use of the Relyo platform, available at https://relyohq.com.
Relyo is operated by Rafail Dimitrios Diftopoulos & Nikolaos Dimitrios Touratzidis, based in Greece.
The platform is provided exclusively to hotels and hospitality organisations. Individual users, including employees, access the platform only following an invitation issued by their employer or affiliated organisation.
Because the Service operates in a business-to-business structure with invitation-based user access, our role under data protection law varies depending on the specific processing activity.
2. Roles Under Data Protection Law
2.1 When the Tenant Is the Data Controller
For personal data relating to employees and other individuals processed within a Tenant environment for housing allocation, inspections, administrative management, and related operational purposes, the relevant Tenant acts as the data controller.
In these cases, Relyo acts as a data processor and processes personal data solely on documented instructions of the Tenant and in accordance with the applicable Data Processing Agreement.
If you are an employee invited by your employer to use the platform, your employer is the primary data controller for your housing-related personal data.
2.2 When Relyo Acts as Data Controller
Relyo acts as an independent data controller for processing that is necessary to operate and secure the platform, including account authentication, system security, fraud prevention, audit logging, billing, contractual management with Tenants, and compliance with legal obligations.
3. Categories of Personal Data
Depending on your role, we may process the following categories of data:
Account Information
- Full name, email address, and password (hashed)
- Profile photo (optional)
- Phone number
- Preferred language
Employee Housing Data
- Date of birth and gender (for housing allocation)
- Shift type and department assignment
- Housing preferences: vehicle ownership, smoking status, pet ownership
- Spoken languages
- Housing assignment history and inspection records
Organisation Data
- Hotel/organisation name, address, and contact details
- Property information (addresses, room configurations, amenities)
- Billing and financial data related to housing (rent, utilities)
Technical Data
- IP address and browser user agent (for security and rate limiting)
- Authentication tokens and session data
- Error reports and performance metrics
4. Legal Bases for Processing
Where Relyo acts as data processor, the legal basis for processing is determined by the relevant Tenant in its capacity as data controller.
Where Relyo acts as data controller, processing is based on one or more of the following legal grounds under Regulation (EU) 2016/679 (GDPR) and applicable Greek data protection legislation, including Law 4624/2019:
- Contractual necessity (Art. 6(1)(b)) — Processing necessary to perform the housing management services contracted by the Tenant.
- Legitimate interest (Art. 6(1)(f)) — Ensuring platform security, fraud prevention, and service reliability.
- Consent (Art. 6(1)(a)) — Where required, such as for optional profile photos. Consent may be withdrawn at any time without affecting prior lawful processing.
- Legal obligation (Art. 6(1)(c)) — Where we are required to retain data for regulatory or tax compliance.
5. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy:
- Active account data— retained for the duration of the account or the Tenant's subscription, plus 30 days after a deletion request to allow for secure deletion or reactivation.
- Employee housing records — retained for the duration of the seasonal employment period, plus up to 24 months for historical reference and dispute resolution.
- Inspection and damage reports — retained for up to 36 months after the inspection date for legal and liability purposes.
- Audit logs and security events — retained for up to 12 months for security monitoring.
- Financial records— retained as required by applicable tax and accounting regulations (typically 7–10 years).
At the end of the applicable retention period, data is securely deleted or anonymised.
6. Sub-processors and International Transfers
We use the following service providers to support the operation of the platform:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage | EU (Frankfurt) |
| Vercel | Application hosting and deployment | EU / Global CDN |
| Resend | Transactional email delivery | US |
| Upstash | Rate limiting and caching | EU (Frankfurt) |
| Sentry | Error tracking and performance monitoring | US |
| Mapbox | Map display for property locations | US |
| Google reCAPTCHA | Bot protection on authentication forms | US |
Where personal data is transferred outside the European Economic Area, appropriate safeguards are implemented, including Standard Contractual Clauses approved under European Union law.
You may request further information regarding these safeguards by contacting us.
7. Cookies and Similar Technologies
The platform uses strictly necessary cookies and similar technologies required for the operation and protection of the Service:
- Authentication cookies — Session tokens to keep you signed in securely. These are strictly necessary and cannot be disabled.
- Locale preference — Stores your language selection for a consistent experience.
- Google reCAPTCHA cookies — Set during login and signup to prevent automated abuse, subject to cookie consent. See Google's Privacy Policy.
We do not use advertising cookies, behavioural tracking cookies, or analytics trackers.
8. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest
- Row-level security policies ensuring strict tenant isolation
- Rate limiting on authentication and sensitive endpoints
- Comprehensive audit logging
- Regular security reviews and dependency scanning
Access to personal data is restricted to authorised personnel and service providers bound by confidentiality obligations.
9. Your Rights
Under applicable data protection law, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data, subject to legal retention requirements.
- Restriction — request that we limit how we process your data in certain circumstances.
- Objection — object to processing based on legitimate interest.
- Data portability — request your data in a structured, machine-readable format.
If Relyo acts as data processor for your data, we may refer your request to the relevant Tenant, as your employer or organisation is the primary data controller.
To exercise your rights, please contact raphael@relyohq.com. We will respond within 30 days.
You also have the right to lodge a complaint with a competent supervisory authority.
10. Data Protection Contact
For any data protection inquiries, please contact:
Rafail Dimitrios Diftopoulos & Nikolaos Dimitrios Touratzidis
Greece
Email: raphael@relyohq.com
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified to Tenant administrators and, where appropriate, to users via email or in-application notification.
The "Effective date" at the top of this page indicates the latest revision.