Privacy Policy
White Glove Group — 2025
Legal documentation
Privacy Policy
This Privacy Policy explains how White Glove Group collects, uses, stores, and protects your personal data. We are committed to handling your information with discretion, transparency, and full compliance with the GDPR and applicable Greek law. Please read this policy carefully.
This policy should be reviewed by a qualified Greek data protection lawyer before going live. The supervisory authority in Greece is the Hellenic Data Protection Authority (HDPA) at dpa.gr. WGG recommends registering as a data controller with the HDPA where required under Greek Law 4624/2019.
Who we are — the data controller
White Glove Group ("WGG", "we", "us", "our") is the data controller responsible for your personal data. We are a concierge and life management services company operating in southern Greece (Peloponnese region).
Data controller contact details
Company: White Glove Group
Location: Kalamata, Peloponnese, Greece
Email: info@wgg.gr
Website: whiteglovegroup.gr
Supervisory authority: Hellenic Data Protection Authority (HDPA) — dpa.gr
As data controller, WGG is responsible for advising on our obligations under the GDPR, monitoring compliance, and acting as the point of contact for data subjects and the supervisory authority.
Personal data we collect
We collect and process personal data that is necessary to provide our services. We follow the principle of data minimisation — we only collect what we genuinely need. The categories of data we collect depend on the services you use.
| Category | Examples | Who this applies to |
|---|---|---|
| Identity data | Full name, date of birth, nationality, passport / ID number | All members & providers |
| Contact data | Email address, phone number, WhatsApp number, postal address | All members & providers |
| Location data | Property address(es), service area, location in Greece | Customers & property owners |
| Financial data | Payment card details (tokenised), billing address, AFM (Greek tax number), invoicing history | All paying members |
| Health & medical data | Medical history, prescriptions, appointments, care needs — shared by you to enable medical or elder care services | Members using medical / elder care services |
| Legal & financial documents | Property deeds, contracts, tax filings, residency documents — shared by you for service delivery | Members using legal, tax, or property services |
| Provider credentials | Professional qualifications, references, years of experience, operational area, insurance details | Registered service providers |
| Communications data | Messages, emails, service requests, notes from conversations with WGG | All members & providers |
| Technical data | IP address, browser type, device type, login timestamps, platform usage data | All platform users |
| Account data | Username, password (hashed), account preferences, membership plan, verification status | All registered users |
WGG does not collect or process data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, biometric data for identification purposes, or data concerning sexual orientation, unless you voluntarily provide such information in the context of a specific service request and give explicit consent for its processing.
How we use your personal data
We use your personal data only for legitimate purposes directly related to the delivery of our services and the operation of our business. We do not sell your personal data. We do not use your data for automated decision-making or profiling that produces legal effects.
| Purpose | Data used | Legal basis |
|---|---|---|
| Providing concierge & coordination services | Identity, contact, location, health (where relevant), documents | Contract performance |
| Email verification & account security | Email address, identity, technical data | Contract performance · Legitimate interests |
| Processing payments & issuing invoices | Financial data, identity, AFM | Contract performance · Legal obligation |
| Communicating with you about your requests | Contact, communications data | Contract performance |
| Coordinating third-party service providers | Identity, location, health (where required), request details | Contract performance |
| Sending service notifications & alerts | Email, phone, WhatsApp | Contract performance · Legitimate interests |
| Compliance with Greek & EU legal obligations | Identity, financial, communications | Legal obligation |
| Improving our platform & services | Anonymised usage data, technical data | Legitimate interests |
| Sending marketing communications | Email, contact data | Consent (opt-in only) |
| Resolving disputes & enforcing our Terms | All relevant data | Legitimate interests · Legal obligation |
Legal basis for processing
Under the GDPR, we must have a valid legal basis for every type of personal data processing. WGG relies on the following legal bases:
The primary basis for processing your data is the performance of our service agreement with you. Processing your identity, contact, location, and request data is necessary for WGG to deliver the services you have subscribed to or requested.
We are required to process certain data to comply with Greek and EU law, including tax law (Greek Law 4308/2014 on accounting standards), anti-money laundering regulations, and data breach notification obligations under the GDPR.
We process certain data for our legitimate business interests, including improving our services, ensuring platform security, preventing fraud, and communicating operationally with members. We balance our interests against your rights and only rely on this basis where we are confident it does not override your interests.
Where we process data on the basis of consent — primarily for marketing communications and for certain special category data — we will seek your explicit consent before processing. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Special category data — health & medical information
Health and medical data is classified as "special category data" under Article 9 of the GDPR and requires an additional legal basis for processing beyond the standard Article 6 conditions.
Where you use WGG's elder care or medical services coordination, we may process health-related information — including medical history, prescriptions, care needs, appointment records, and medical correspondence — that you voluntarily share with us.
We process this data on the following basis under Article 9(2) GDPR:
- Explicit consent (Article 9(2)(a)): You have given explicit, specific, informed consent for us to process your health data for the purpose of coordinating medical or elder care services on your behalf. This consent is sought separately and clearly at the point of service registration.
- Vital interests (Article 9(2)(c)): In emergency situations where the data subject is unable to consent, we may process health data to protect vital interests.
Health data is shared only with the specific medical or care professionals engaged to assist you. It is not shared with any other third parties and is handled with the highest level of security and discretion within WGG.
You have the right to withdraw consent for health data processing at any time. However, withdrawal may mean we are unable to provide medical or elder care services that require that information.
Under Greek Law 4624/2019, the processing of special categories of personal data (including health data) is subject to additional conditions beyond the GDPR's baseline requirements. WGG complies with these additional requirements in full.
Who we share your data with
WGG does not sell, rent, or trade your personal data. We share your data only where necessary to deliver services on your behalf or to comply with legal obligations.
To coordinate services for you, we share relevant data with vetted third-party professionals including lawyers, accountants, medical practitioners, contractors, carers, and other service providers. We share only the minimum data necessary for each engagement. All third-party providers are required to maintain confidentiality.
We use technology partners to operate our platform, including cloud hosting (data stored within the EU/EEA), email delivery services (for verification and notifications), and payment processors. These providers act as data processors under our instruction and are bound by data processing agreements compliant with Article 28 GDPR.
We may be required to disclose personal data to Greek government authorities, courts, tax authorities (AADE), or regulatory bodies where required by law. We will always seek to notify you of such disclosure requests unless we are legally prohibited from doing so.
In the event of a merger, acquisition, or transfer of WGG's business, your data may be transferred as part of that transaction. We will notify you in advance and ensure your rights are protected in any such transfer.
We never share your financial, medical, legal, or property data with any party that is not directly involved in delivering a service you have requested. Every sharing arrangement is documented and governed by appropriate confidentiality and data processing obligations.
International data transfers
WGG is based in Greece (an EU member state) and processes data primarily within the EU/EEA. Where data is transferred outside the EU/EEA — for example, to cloud service providers with servers in non-EEA countries — we ensure that appropriate safeguards are in place, including:
- Adequacy decisions: Transfers to countries recognised by the European Commission as providing an adequate level of data protection (e.g., the UK, Switzerland, and the US under the EU-US Data Privacy Framework);
- Standard contractual clauses (SCCs): EU Commission-approved standard contractual clauses incorporated into our agreements with international service providers;
- Binding corporate rules: Where applicable for multinational service providers.
You may request details of the specific safeguards in place for any international transfer by contacting info@wgg.gr.
Transfer of personal data to the US is now possible if the data importer has signed up to the EU-US Data Privacy Framework, which provides businesses in the EU and the US with a mechanism to comply with data protection requirements when transferring personal data.
How long we keep your data
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. Our retention periods are as follows:
| Data type | Retention period | Reason |
|---|---|---|
| Account & identity data | Duration of membership + 5 years | Legal obligation, dispute resolution |
| Financial & billing records | 10 years from transaction date | Greek tax law (Law 4308/2014) |
| Service request records | 5 years after last service | Contractual claims, quality assurance |
| Communications & messages | 3 years from date of communication | Legitimate interests, dispute resolution |
| Health & medical data | Duration of service + 3 years, or as required by Greek medical records law | Legal obligation, care continuity |
| Legal & property documents | Duration of membership + 7 years | Legal obligation, contractual claims |
| Marketing consent records | Until consent is withdrawn + 3 years | Compliance evidence |
| Technical & log data | 12 months | Security monitoring |
| Deleted account data | 30 days (portal access) then deleted | Account recovery window |
At the end of the applicable retention period, data is securely deleted or anonymised. You may request early deletion subject to our legal retention obligations (see Section 9 — Your Rights).
Your rights under the GDPR
Under the GDPR and Greek Law 4624/2019, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to exceptions, but WGG will always respond to your request within 30 days and explain any limitations.
Right of access
You have the right to request a copy of all personal data we hold about you, along with information about how we use it (a "Subject Access Request").
Right to rectification
You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
Right to erasure
You have the right to request deletion of your personal data ("right to be forgotten") where there is no legitimate reason for us to continue processing it.
Right to restriction
You have the right to request that we restrict processing of your data in certain circumstances — for example, while you contest its accuracy.
Right to portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to object
You have the right to object to processing based on our legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.
Right to withdraw consent
Where processing is based on consent (including marketing and health data), you may withdraw consent at any time. Withdrawal does not affect lawfulness of prior processing.
Right to complain
You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) at dpa.gr if you believe we have handled your data unlawfully.
How to exercise your rights: Submit your request in writing to info@wgg.gr. We will respond within 30 days. We may need to verify your identity before fulfilling your request. There is no charge for exercising your rights, unless requests are manifestly unfounded or excessive.
Under Article 40(1) of Greek Data Protection Act 2019, lawsuits against data controllers for violations of the GDPR may be brought before the civil court of the district in which the controller has its establishment or in which the data subject usually resides.
Cookies & tracking technologies
Our website and platform use cookies and similar technologies. The Hellenic DPA's cookie consent guidelines require that users are given a clear choice to accept or reject non-essential cookies, with an equally prominent option to decline as to accept.
We use the following types of cookies:
You may manage your cookie preferences at any time via the cookie settings panel on our website, or by adjusting your browser settings. Disabling essential cookies will affect your ability to use the platform.
Under Greek Law 3471/2006, which transposes the ePrivacy Directive, electronic direct marketing and the use of non-essential cookies require the prior explicit consent of the recipient, consistent with the GDPR's definition of consent.
Data security
WGG takes the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:
- Encrypted data transmission (HTTPS / TLS) across all platform communications;
- Hashed and salted password storage — passwords are never stored in plain text;
- Email verification (OTP) to protect account creation and access;
- Role-based access controls — staff access only the data necessary for their role;
- Confidentiality agreements binding all WGG staff and affiliated providers;
- Regular security reviews and updates to our platform;
- Secure document storage with per-client access isolation.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, WGG will notify the Hellenic Data Protection Authority within 72 hours of becoming aware of the breach, as required under the GDPR. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
No data transmission over the internet or electronic storage is 100% secure. While we use all commercially reasonable measures to protect your data, we cannot guarantee absolute security.
Children's data
WGG's services are intended for adults aged 18 and over. We do not knowingly collect personal data from children under the age of 15. Under Greek Law 4624/2019, children's consent is required for the processing of their personal data in relation to information society services directly to them when they have reached the age of 15. Below that age, consent of a legal representative is required.
If you believe we have inadvertently collected data from a person under 15 without parental consent, please contact us immediately at info@wgg.gr and we will delete it promptly.
Where elder care services involve collecting data about elderly individuals who may lack full capacity, we will work with designated family members or legal guardians and process data on the basis of vital interests or legitimate interests, with appropriate safeguards in place.
Marketing communications
WGG will only send you marketing communications if you have explicitly opted in to receive them. We do not send unsolicited commercial emails.
When you register, you will have the option to subscribe to our newsletter and service updates. This is entirely optional and separate from service-related communications (which we may send regardless, as they are necessary for the performance of your contract with us).
You may unsubscribe from marketing communications at any time by:
- Clicking the unsubscribe link in any marketing email;
- Updating your preferences in your WGG portal account settings;
- Contacting us at info@wgg.gr.
Under Greek Law 3471/2006, email addresses legitimately acquired in the context of a previous transaction may be used for marketing purposes even without fresh consent, on condition that the recipient is given a clear opt-out option at every communication. We apply this rule conservatively and will always provide an easy way to opt out.
Changes to this privacy policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email at least 30 days before the changes take effect and update the "Effective date" at the top of this page.
Non-material changes (such as corrections or clarifications) may be made without prior notice. We encourage you to review this policy periodically.
Your continued use of WGG's services after the effective date of any updated policy constitutes acceptance of the revised policy. If you do not accept the changes, you may close your account in accordance with our Terms of Use.
The Hellenic Data Protection Authority (HDPA) is responsible for supervising the application of the GDPR and Greek Law 4624/2019. Any material changes to this policy that affect how we process your data will be reviewed for compliance with HDPA guidance before taking effect.
Contact us & how to complain
For any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us:
Privacy contact
Email: info@wgg.gr
General enquiries: info@wgg.gr
Response time: We aim to respond to all privacy requests within 30 days as required by GDPR.
Postal: White Glove Group, Kalamata, Peloponnese, Greece
If you are unhappy with how we have handled your personal data and we have not been able to resolve your concern, you have the right to lodge a complaint with the supervisory authority:
Hellenic Data Protection Authority (HDPA)
Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα
Website: www.dpa.gr
Address: Kifissias 1-3, PC 115 23, Athens, Greece
Phone: +30 210 647 5600
Email: [email protected]
You may also submit a complaint through the European Commission's Online Dispute Resolution platform at ec.europa.eu/odr.