This Privacy Policy explains how DMC Nexus Hospitality Ltd ("we", "us", "our") collects, uses, and protects your personal data when you use the Chef's Kiss website (chefskiss.com.cy).
We are the data controller for the personal data described in this policy.
Our contact details:
- DMC Nexus Hospitality Ltd
- 111, Nissi Avenue, Ayia Napa, 5330, Cyprus
- Email: info@chefskiss.com.cy
What data do we collect?
We collect the following personal data:
From workshop attendees (the person making the booking):
- Full name
- Email address
- Phone number
- Number of attendees in the booking
- A reference to the payment transaction processed by our payment provider (we do not collect or store card details; see "Third parties" below)
From vendor and workshop host applicants:
- Full name of the contact person
- Email address
- Phone number
- Business name
- Business Instagram handle
- A copy of the business licence (uploaded file)
From administrators:
- Email address (for sign-in via Google)
Automatically collected:
- Technical information required for the site to function (e.g., session cookies for signed-in administrators). See our Cookie Policy. for details.
How do we collect your data?
You provide most of this data directly when you:
- Book a workshop through our website
- Submit a vendor or workshop host application
- Sign in as an administrator
Some data is collected automatically when you visit the site (for example, session cookies for signed-in users).
Why we use your data and the legal basis
We use your data for the following purposes:
- To process workshop bookings, including sending booking confirmations and event communications. Legal basis: performance of a contract.
- To link your booking to the payment processed by our payment provider. Legal basis: performance of a contract.
- To review vendor and workshop host applications and communicate with applicants. Legal basis: performance of a contract or taking steps at your request prior to entering into a contract.
- To operate and secure the website, including administrator authentication. Legal basis: legitimate interests (running the service).
- To comply with legal obligations, including tax and accounting record-keeping requirements. Legal basis: legal obligation.
We do not currently send marketing emails. If we decide to do so in the future, we will ask for your consent first, and you will be able to opt out at any time.
Who we share your data with (third parties)
We use the following service providers to operate the website. Each of these providers acts as a data processor on our behalf and processes your data only according to our instructions:
- Vercel Inc. — website hosting.
- Neon Inc. — database hosting (where your booking and application information is stored).
- Resend — sending transactional emails (for example, booking confirmations).
- Payabl.one — processing payments for workshop bookings. When you make a payment, you are directed to Payabl.one's hosted payment page. Your card details are collected and processed directly by Payabl.one under their own privacy policy; we do not see or store them. We receive only a transaction reference and a confirmation that the payment succeeded.
- UploadThing — hosting files uploaded to the site (such as vendor business licences and images displayed on the site).
- Google LLC — providing sign-in (OAuth) for administrators only. Public visitors do not use Google sign-in.
Some of these providers may transfer or store data outside the European Economic Area. Where they do, they rely on legally recognised safeguards for international data transfers (such as the EU Standard Contractual Clauses).
We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.
We may also share data where we are legally required to do so (for example, in response to a lawful request from a public authority).
How long we keep your data
- Workshop booking records (including your name, email, phone, number of attendees, and the payment transaction reference): approximately one year after the festival event, with the exception of information required to meet our tax and accounting obligations, which we keep for six years as required by Cyprus law.
- Vendor and workshop host applications: approximately one year after the application is submitted.
- Uploaded files (e.g., business licences): kept for the same period as the application they were submitted with.
- Administrator account data: for the duration of the administrator's involvement with the festival.
Card and payment-network data is retained separately by Payabl.one under their own retention policy; we do not store or control it.
After the applicable period expires, we delete or anonymise the data.
How we protect your data
We store your data on infrastructure provided by the processors listed above, which apply industry-standard security practices. We restrict administrator access to the system using email-based allow-listing and Google-authenticated sign-in.
We take reasonable technical and organisational measures to protect your data, but no system is completely secure. If we become aware of a data breach that affects your personal data, we will notify you and the relevant authorities as required by law.
Your data protection rights
Under the EU General Data Protection Regulation (GDPR), you have the following rights:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct data that is inaccurate or incomplete.
- Right to erasure — you can ask us to delete your data, subject to certain exceptions (for example, where we are legally required to keep it).
- Right to restrict processing — you can ask us to limit how we use your data in certain circumstances.
- Right to object — you can object to our processing of your data on grounds relating to your particular situation.
- Right to data portability — you can ask us to provide your data in a portable format, or to transfer it to another organisation.
- Right to withdraw consent — where we rely on your consent, you can withdraw it at any time.
To exercise any of these rights, email us at info@chefskiss.com.cy. We will respond within one month.
You also have the right to lodge a complaint with the Cyprus data protection authority, the Office of the Commissioner for Personal Data Protection (www.dataprotection.gov.cy), if you believe we have not handled your data lawfully.
Cookies
For information about the cookies we use, please see our Cookie Policy.
Links to other websites
Our website may contain links to other websites (for example, the social media pages of vendors). This Privacy Policy applies only to our site. If you click through to another site, please read their privacy policy.
Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically.
How to contact us
If you have any questions about this Privacy Policy or how we handle your data, please email us at info@chefskiss.com.cy.
