Skip to main content
Transformational Tourism

Privacy Policy

Effective date: July 9, 2026

1. Who is responsible for your data (Controller)

The controller responsible for personal data processed on this website is:

Stephan Christopher Kuehn
Achlada Maleviziou 157
715 00 Heraklion, Crete
Greece
Email: me [at] stevenkeen [dot] com

A Data Protection Officer is not required for a website of this nature and has not been appointed. You can contact the controller directly at the address above on any data-protection matter.

2. Scope

This policy applies to personal data processed through this website, transformationaltourism.com. Other websites have their own privacy policies.

3. What data we collect, why, and on what legal basis

a) Newsletter (your email address). If you subscribe to our newsletter, we collect your email address in order to send you updates about transformational tourism. We use a double opt-in process—you will receive a confirmation email and must confirm before being added. Our newsletter provider also records standard delivery statistics—whether a letter was opened and which links were clicked—which we look at only in aggregate, to judge whether the letters are worth your inbox; we do not use them to build individual profiles. As proof of your consent, our newsletter provider records the date, time, and IP address of that confirmation.
Legal basis: your consent (Article 6(1)(a) GDPR). You may withdraw consent at any time (see §8 and the unsubscribe link in every email); withdrawal does not affect processing carried out beforehand.

b) Server log files (technical access data). When you visit the site, our hosting and security providers automatically process technical data such as your IP address, browser and device type, the pages requested, and the date and time of access. This is necessary to deliver the website reliably and to protect it against attacks and misuse.
Legal basis: our legitimate interest in the secure and stable operation of the website (Article 6(1)(f) GDPR).

c) Website analytics (Umami). We use Umami, a privacy-friendly analytics tool that we host ourselves, to understand aggregate visitor traffic—such as page views, the websites that referred you, and your approximate region at country level. Umami does not use cookies, does not store your IP address, and does not collect any information that identifies you personally; the data is aggregated and anonymous.
Legal basis: our legitimate interest in understanding how our content is used so that we can improve it (Article 6(1)(f) GDPR). Because no cookies are set and no personal data is stored, no consent is required.

d) Contact by email. If you email us, we process your email address and the contents of your message solely to reply to you, and for no other purpose.
Legal basis: our legitimate interest in answering inquiries (Article 6(1)(f) GDPR)—or, where your message aims at a contract, Article 6(1)(b) GDPR. Correspondence is deleted once the matter is closed, unless a statutory retention duty applies.

4. Cookies

This website uses only strictly necessary cookies, and only for security and basic functionality. Because the site is routed through Cloudflare (our DNS, content-delivery, and security provider), Cloudflare may set a strictly necessary cookie to tell trusted visitors apart from malicious traffic and keep the site secure. Such cookies do not require consent, are not used to track you, and are not used to build a profile. We do not use advertising cookies. Our website analytics (see §3(c)) are provided by Umami, which is cookieless—it sets no cookies of any kind. If you reach the site through a campaign link, its parameters (so-called UTM tags) appear in the page address and are used only as anonymous, cookieless context attached to the aggregate visit statistics described in §3(c). They are not stored on your device and are not used to identify or profile you. Because nothing on this site tracks you, no cookie-consent banner is required.

5. Who we share your data with (recipients/processors)

We do not sell your personal data. We share it only with service providers (“processors”) that help us operate the website and newsletter, each under a data-processing agreement:

  • Newsletter delivery: Mailchimp (The Rocket Science Group LLC)—United States.
  • Website hosting: Mittwald CM Service GmbH & Co. KG—Germany (EU).
  • DNS, content delivery, and security: Cloudflare, Inc.—United States.

Our website analytics run on Umami, which we host ourselves on our own server at Mittwald in Germany (EU)—no third-party analytics company receives your data.

6. International data transfers

Some providers are located in the United States (Mailchimp, Cloudflare), so your data may be transferred there. We rely on the following safeguards:

  • Mailchimp and Cloudflare are certified under the EU-U.S. Data Privacy Framework, which the European Commission recognizes as providing an adequate level of protection, and additionally maintain the European Commission’s Standard Contractual Clauses as a fallback safeguard.
  • Mittwald processes data within the EU, and our self-hosted analytics run on that same EU infrastructure; no transfer outside the EEA takes place for hosting or analytics.

You may request a copy of the relevant safeguards by emailing me [at] stevenkeen [dot] com.

7. How long we keep your data

  • Newsletter email address: until you unsubscribe or ask us to delete it, after which it is removed from our active mailing list without undue delay.
  • Server log data (hosting): retained for 60 days, then deleted.
  • Analytics data: Umami stores only aggregated, anonymous statistics with no IP address and no identifier, so it does not constitute personal data; it is retained to allow long-term analysis of how the site is used.

8. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you (Art. 15);
  • have inaccurate data corrected (Art. 16);
  • have your data erased (Art. 17);
  • restrict processing in certain circumstances (Art. 18);
  • receive your data in a portable format (Art. 20);
  • object to processing based on legitimate interests (Art. 21); and
  • withdraw consent at any time where processing is based on consent (Art. 7(3)).

To exercise any of these, email me [at] stevenkeen [dot] com.

9. Right to lodge a complaint

If you believe your data has been processed unlawfully, you have the right to lodge a complaint with a supervisory authority—in particular in the EU country where you live or work. The authority competent for the controller is:

Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα)
Kifissias Avenue 1-3, 115 23 Athens, Greece—www.dpa.gr

10. Automated decision-making

We do not use your data for automated decision-making or profiling within the meaning of Article 22 GDPR.

11. Changes to this policy

We may update this policy to reflect changes in our practices or the law. The current version is identified by the effective date above.