ΝΑΥΤΑΘΛΗΤΙΚΟΣ ΟΜΙΛΟΣ ΜΑΡΙΟΥΠΟΛΙΤΩΝ ΘΕΣΣΑΛΟΝΙΚΗΣ (Ν.Ο.ΜΑ.Θ.)
Website: yalrowingr.com

Last updated: 24-Nov-2025

1. Who we are and how to contact us

The data controller for the purposes of this Privacy Policy is:

ΝΑΥΤΑΘΛΗΤΙΚΟΣ ΟΜΙΛΟΣ ΜΑΡΙΟΥΠΟΛΙΤΩΝ ΘΕΣΣΑΛΟΝΙΚΗΣ (Ν.Ο.ΜΑ.Θ.)
(non-profit sports association operating under Greek law and its Statute)

Address:
Floor 3, Ermou 18,
54624 Thessaloniki, Greece

Tax / VAT ID: 996400291

Website: yalrowingr.com

E-mail for data protection matters: (info@yalrowingr.com)
Phone: +306934501958

You can contact us using the above details for any questions about how we process personal data and to exercise your rights described in this Policy.

2. Scope of this Policy

This Privacy Policy explains how Ν.Ο.ΜΑ.Θ. collects and processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Greek data protection laws.

This Policy applies to:

• visitors of the website yalrowingr.com;

• individuals who complete online application forms for participation in our sports programmes
  (Maximum, Yal + Yacht, Yal + Jeeps, Jacht + Jeeps, Only Yal, Only Jeeps, Only Yacht), including
  both group programmes and Private programmes (private participation of an individual or a closed group/company);

• individuals applying to become members of the association and/or to participate in trainings;

• members of the association;

• individuals taking part in events and sports activities organised by Ν.Ο.ΜΑ.Θ.;

• individuals making payments (membership fees, participation fees, donations, etc.),
  whether they are members or non-members.

This Policy covers both data collected online (via website forms, e-mail, messaging tools) and offline (paper forms signed before the start of programmes/trainings).

3. Categories of data subjects

We may process personal data relating to the following categories of individuals:

1. Membership applicants and members of Ν.Ο.ΜΑ.Θ.

2. Participants in rowing trainings (members and non-members).

3. Participants in sports programmes and events (Maximum, Yal + Yacht, etc.).

4. Individuals submitting online forms on the adventure-programs page (group and Private forms).

5. Individuals making payments for participation, membership, trainings, and/or donations
   (via Stripe, bank transfer or in cash).

6. Website visitors and individuals contacting us via contact forms, email or phone.

7. Where applicable, parents/legal guardians of minors who participate in our programmes or trainings.

4. Personal data we collect

We only collect the personal data that are necessary for our purposes as a non-profit sports association and for fulfilling our obligations.

4.1 Data you provide to us

Depending on the situation, we may process:

• Identification data:
  first name, last name, and where required for membership and accounting purposes – tax ID, address of residence, date of birth and other data required under Greek law and our Statute.

• Contact details:
  phone number, e-mail address, postal address and your preferred contact method.

• Membership-related data:
  status (member / non-member), date of joining and leaving, participation in general meetings, participation in specific trainings and programmes, membership fees (amount, status of payment).

• Programme and training data:
  selected programme (Maximum, Yal + Yacht, etc.), date and place of participation, type of participation (group / Private), group composition, preferences for dates/times, experience level, and any comments (e.g. route preferences or additional options).

• Payment-related information (limited):
  we do not process and do not store payment card data on our website.
  We may receive and store:

  • information that a payment has been made (amount, date, currency, payment purpose);

  • payment method (Stripe, bank transfer, cash);

  • transaction or payment ID in Stripe or the bank;

  • information needed to issue receipts/invoices and keep accounting records under Greek law.

• Health-related data (minimised, where necessary):
  as a rule, we do not request or collect medical documents via the website.
  In specific cases, where required to assess whether participation in a programme or training is safe and appropriate (for example, a medical certificate, information about contraindications), such data will be processed strictly on a limited basis, for the protection of your vital interests and safety and/or on the basis of your explicit consent, in accordance with Article 9 GDPR.

• Communication data:
  correspondence by e-mail, messages sent via the website or messaging tools, notes about phone calls, your feedback and comments.

4.2 Data collected automatically when you visit the website

When you visit our website, some technical data may be collected automatically, such as:

• IP address;

• date and time of access;

• browser type and version;

• device type and operating system;

• URLs of pages visited on our website.

These data are used to ensure the proper functioning of the website, information security and statistical analysis of visits (based on our legitimate interest).

5. Purposes and legal bases of processing

We process personal data only where there is a lawful basis under Articles 6 and, where relevant, 9 GDPR.

5.1. Conclusion and performance of contracts / participation in activities

We process data in order to:

• process applications for participation in trainings and sports programmes;

• create participant lists, organise groups and Private programmes;

• confirm bookings and participation, clarify details (date, time, location, weather conditions, etc.);

• establish membership in Ν.Ο.ΜΑ.Θ. and manage membership fees;

• issue receipts or other financial documents.

Legal basis: necessity for the conclusion and performance of a contract (Article 6(1)(b) GDPR).

5.2. Compliance with legal obligations

We process data to:

• keep accounting and tax records;

• issue financial documents (receipts, invoices, tax documents);

• retain documents for the period required by Greek law.

Legal basis: compliance with a legal obligation (Article 6(1)(c) GDPR).

5.3. Legitimate interests of the association

We process data to:

• organise and manage the activities of the non-profit sports association;

• ensure safety during trainings and programmes (including contacting you or your emergency contacts in urgent situations);

• protect our rights and legitimate interests in the event of disputes or claims;

• compile basic statistics and analyse participation (number of participants, programme demand, etc.);

• store information on past events and participation for internal statistics and reporting.

Legal basis: our legitimate interests (Article 6(1)(f) GDPR), balanced against your rights and freedoms.

5.4. Consent

We may process data based on your consent in order to:

• send you information about our trainings, programmes and events;

• use certain photos or videos in which you are identifiable, for the purpose of presenting our activities (website, social media and similar), where consent is required by law;

• process special categories of personal data (e.g. health-related data) when the legal basis is your explicit consent.

Legal basis: your consent (Article 6(1)(a), and for special categories – Article 9(2)(a) GDPR).

You can withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

6. Programme and training regulations

To participate in our sports programmes (Maximum, Yal + Yacht, Yal + Jeeps, Jacht + Jeeps, Only Yal, Only Jeeps, Only Yacht), as well as in regular trainings, participants are required to read and accept the Programme Regulations and the Training Regulations, which are available on our website.

The personal data you provide in application forms and declarations may also be used to:

• record the fact that you have read and agreed to the Regulations;

• confirm that you declare you are in a suitable health condition for participation and that you accept and will follow safety instructions and rules;

• document your participation in a specific programme/training in case of disputes.

7. Online forms (Baserow) and Private programmes

The online participation forms for programmes (both group and Private) on the page yalrowingr.com/adventure-programs are technically implemented using the Baserow.io service. After you click “Submit”, your data (name, surname, e-mail, phone and information about the selected programme) are transmitted to and stored in our administrator panel in Baserow.

• Ν.Ο.ΜΑ.Θ. remains the data controller for these personal data.

• Baserow acts as a data processor, processing the data on our behalf under a data processing agreement and its own data protection terms.

Private programmes.
When you fill in a form for a Private programme (private group/company), we use this data to:

• contact you and clarify the composition of the group, dates, schedule and format of the programme;

• prepare an individual offer and, where accepted, confirm participation and programme details for the entire group;

• communicate with you before, during and after the programme as needed for organisation and safety.

8. Payments and Stripe

We use the international payment system Stripe to accept online payments for participation in programmes, trainings, for membership fees and donations.

When you pay via Stripe:

• you are redirected to secure payment pages of Stripe;

• your payment card data are processed directly by Stripe;

• Ν.Ο.ΜΑ.Θ. does not receive and does not store your full card details (card number, CVC code, etc.).

In our Stripe administrator panel we may see limited information, such as: payer’s name, e-mail, amount and date of payment, payment status, transaction ID and other details necessary for accounting and reconciliation.

Stripe acts as an independent data controller in relation to payment information and processes it in accordance with its own Privacy Policy and legal terms. You are strongly encouraged to read Stripe’s privacy documentation on its website (e.g. stripe.com/privacy).

For payments made in cash or by bank transfer, we process only the data necessary to register and document the payment (name, amount, date, purpose of payment, and where required – tax ID and address for the receipt/invoice).

9. Data sharing and recipients

We may share your personal data only to the extent necessary for the purposes described above, with:

1. IT and hosting providers – for website hosting, maintenance and related IT services.

2. Payment service providers – in particular Stripe (online payments) and banks (bank transfers).

3. Baserow.io – as the platform used to store and manage programme applications.

4. Accountants and auditors – to comply with our accounting and tax obligations.

5. Competent public authorities – where required by law (e.g. tax authorities, sports authorities).

6. Insurance companies and legal advisors – where necessary for the protection of our legal rights (for example, in the event of an insurance claim or legal dispute).

We do not sell your personal data and do not share them with third parties for their own independent marketing purposes unrelated to the activities of Ν.Ο.ΜΑ.Θ.

10. Transfers of data outside the EU / EEA

Some of our service providers may be located outside the European Economic Area (EEA) or may store data on servers outside the EEA (for example, Stripe).

In such cases we seek to ensure that appropriate safeguards, as required by GDPR, are in place, such as:

• an adequacy decision by the European Commission for the relevant country; or

• standard contractual clauses (SCCs) and, where necessary, supplementary protection measures.

More detailed information on such transfers and the safeguards used can be obtained by contacting us using the contact details in section 1.

11. Data retention periods

We retain personal data only for as long as necessary for the purposes for which they were collected, taking into account legal retention requirements.

Indicative periods:

• Membership data: for the entire duration of membership and for at least 5–10 years after it ends (depending on financial and sports law requirements).

• Training and programme participation data: for at least 5 years after participation (for reporting, statistics and potential legal defence).

• Accounting and tax data (receipts, invoices, payment documents): for the period required by Greek tax law (usually at least 10 years).

• Correspondence and inquiries: up to 3 years from the end of communication, unless a longer retention is necessary (e.g. in case of a dispute).

• Newsletter/communication data processed based on consent: until you unsubscribe or withdraw your consent.

After the retention periods expire, data are deleted or anonymised, unless there is another lawful basis for continued storage.

12. Cookies and similar technologies

Our website may use cookies and similar technologies to:

• ensure the proper technical functioning of the website (strictly necessary cookies);

• improve user experience;

• collect statistical information about website usage (for example, via analytics tools).

When you first visit the website, you may see a cookie notice and, where required, will be asked to give your consent for non-essential cookies.

You can manage cookies in your browser settings (including blocking or deleting them). Please note that disabling cookies may affect certain functionalities of the website.

13. Photos and videos

During trainings, sports programmes and events we may take photos and video recordings that reflect the sports activity and atmosphere of our events.

• Such material may be used to document and present our activities, for example on our website, in our social media accounts and in reports.

• Where required by law (for example, if identifiable images of individuals are used in certain promotional contexts), we will obtain additional consent.

• You may contact us if you do not wish certain photos/videos showing you to be used or to continue to be used, and we will consider your request in accordance with the law.

For minors, participation in photo/video recordings is only allowed with the consent of their parents or legal guardians.

14. Minors

Our programmes and trainings may be open to both adults and children/young people.

• Applications for participation of minors are generally signed by their parent or legal guardian.

• We may process personal data of parents/legal guardians (name and contact details) for communication and legal responsibility.

• When processing personal data of minors we apply enhanced safeguards and always act in the best interests of the child.

15. Your rights

Under GDPR, you have the following rights regarding your personal data:

1. Right of access – to obtain confirmation as to whether we process your data and to receive a copy of those data.

2. Right to rectification – to have inaccurate or incomplete data corrected.

3. Right to erasure (“right to be forgotten”) – in cases provided by law (for example, where data are no longer necessary for the purposes for which they were collected and there are no legal grounds for further processing).

4. Right to restriction of processing – to request that processing is limited in certain cases (for example, while accuracy is being verified).

5. Right to data portability – to receive a subset of your data in a structured, commonly used and machine-readable format and to transmit those data to another controller, where technically feasible and where processing is based on consent or contract and carried out by automated means.

6. Right to object – to object to processing based on our legitimate interests, including profiling (if any), on grounds relating to your particular situation; and separately, to object at any time to processing for direct marketing purposes.

7. Right to withdraw consent – where processing is based on consent, you may withdraw your consent at any time.

To exercise your rights, please contact us using the details in section 1. We may ask you to provide proof of identity to protect your data from unauthorised access.

You also have the right to lodge a complaint with the Hellenic Data Protection Authority if you believe that your data are processed in violation of GDPR.

16. How we protect your data

We take appropriate technical and organisational measures to protect personal data against:

• accidental or unlawful destruction;

• loss, alteration, unauthorised disclosure;

• unauthorised access.

Such measures include, among others:

• restricting access to personal data to authorised persons only;

• using passwords and, where possible, two-factor authentication;

• protecting devices and systems used for data processing;

• confidentiality obligations for staff, volunteers and partners;

• selecting service providers that comply with data protection requirements.

17. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our activities or in applicable legislation.

The current version of the Policy is always available on yalrowingr.com. The date of the last update is indicated at the top of the document. Where changes are substantial, we will, where reasonably possible, provide additional notice (for example via the website, by e-mail or in another appropriate manner).

Privacy Policy