Privacy Policy
Last updated: April 2026
This Privacy Policy explains how Georgios Karaviotis Law Firm (“we”, “the firm”) processes personal data through the website karaviotislaw.gr, in line with the GDPR and Greek Law 4624/2019.
The website is informational. We do not provide user accounts. We do not deploy advertising technologies from our own application code. For cookies and similar technologies, see our Cookies Policy.
1. Data Controller
Georgios Karaviotis Law Firm
Address: Minas Georgiadou 17, 71306 Heraklion, Crete, Greece
Phone: +30 698 2670 708
Email: info@karaviotislaw.gr
2. Who this policy applies to
This policy applies to website visitors and people who contact us via the contact form, email, or phone. It does not replace tailored privacy notices provided to clients in the context of a specific engagement.
Important notice: Contacting us through the website does not automatically create an attorney–client relationship. Please avoid sending sensitive information (e.g. health data or criminal conviction data) through the contact form unless it is strictly necessary.
3. Processing activities – purposes, data, legal basis
| Activity | Data categories | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Contact form enquiries | Name, email, phone (optional), subject, message content | Receive and respond to your enquiry | Consent (Art. 6(1)(a)) and/or legitimate interests in handling enquiries (Art. 6(1)(f)) |
| Email delivery via provider | The same contact-form data | Deliver your enquiry to the firm and (where enabled) send an automated acknowledgement email | Legitimate interests (Art. 6(1)(f)) and/or steps at your request prior to engagement (Art. 6(1)(b)), depending on the case |
| Website delivery and security (Cloudflare) | IP address, request metadata (URL, headers, user-agent), technical metadata, potential security cookies | Security and abuse prevention, DDoS protection, performance and availability | Legitimate interests (Art. 6(1)(f)) |
| Accessibility preferences (in your browser) | UI settings (e.g. font scale, contrast) stored in localStorage | Improve readability and accessibility | Your choice/consent through use of the feature (Art. 6(1)(a)), where applicable |
4. Is providing data required?
To submit a contact-form message, the fields marked as required must be provided (e.g. name, email, subject, message). If you do not provide them, we cannot process the request via the form. You can still contact us by phone or email.
5. Recipients and processors
We do not sell personal data and we do not disclose it for advertising purposes. We use the following service providers for the operation of the website and handling enquiries:
- Cloudflare (CDN, security, anti-abuse). Role: processor for technical delivery and security.
- Resend (email delivery) for contact-form email handling. Role: processor.
- Google as a content provider for Google Maps (embedded map) and Google Fonts (fonts), where your browser connects directly to Google infrastructure.
6. International transfers
Some providers (e.g. Cloudflare, Google, Resend) may process data outside the European Economic Area depending on routing and infrastructure. Where required, transfers rely on GDPR mechanisms (e.g. adequacy decisions or Standard Contractual Clauses (SCCs)) and supplementary measures where appropriate. You may request further information by contacting us.
7. Cloudflare: accuracy and practical limits
We use Cloudflare services for security, DDoS/abuse prevention, and performance optimisation. Cloudflare may receive technical data such as IP address and request metadata and, in some cases, set security cookies that are strictly necessary for protecting the site.
Critical clarification for access requests: We do not maintain visitor profiles or identifiers that allow us to reliably link a specific person to specific Cloudflare technical logs. Our access is mainly operational/aggregated for security and uptime. As a result, for many requests it is not technically feasible to provide a personalised “Cloudflare dataset” for an individual visitor.
8. Data retention
- Contact-form messages / email enquiries: up to 12 months after the communication is concluded, unless a matter continues or longer retention is required for legal obligations or for the establishment, exercise or defence of legal claims.
- Infrastructure/security data (Cloudflare): retained for a limited period according to provider configuration and availability of logging tools. We do not export and store long-term visitor-level datasets from these logs.
- Accessibility preferences (localStorage): until you clear site data in your browser.
9. How we handle data subject access requests (DSAR)
You can request access, rectification, erasure, etc. (see section 10). In practice:
- We do not have user accounts or persistent visitor identifiers.
- The data we can usually locate is what you provided to us directly (e.g. your email enquiry), not independent infrastructure logs.
- For security/infrastructure data (Cloudflare), personalised exports linked to an individual may not be feasible.
Where we cannot identify your data, we will explain why and provide an informational response describing the processing we perform and what information we can provide.
10. Your rights
Subject to the conditions of the GDPR, you have the right of access, rectification, erasure, restriction, data portability, and objection, as well as the right to withdraw consent where processing is based on consent.
Automated decision-making / profiling: We do not carry out automated decision-making or profiling through the website.
To exercise your rights, contact us at info@karaviotislaw.gr or +30 698 2670 708. We aim to respond within one (1) month, with lawful extensions for complex requests where applicable.
11. Right to complain
You may lodge a complaint with the Hellenic Data Protection Authority (HDPA): 1–3 Kifisias Ave., 115 23 Athens, Greece; tel. 210 6475600; contact@dpa.gr; www.dpa.gr.
12. Security
We use encryption in transit (HTTPS) and restrict access to personal data to authorised persons/providers to the extent necessary for operation and security.
13. Third-party links
The website may include links to third parties (e.g. LinkedIn, Google Maps). We do not control those third parties’ processing.
14. Updates
We may update this policy. The “Last updated” date at the top indicates when it was last revised.