Privacy Statement

Privacy Policy last revised and effective as of: May 15, 2026

I. General

College Year in Athens, Inc. (“CYA” or “we”) is a non-profit educational institution, based in Cambridge, Massachusetts, USA, 1035 Cambridge Street, Suite 1, MA 02141, that has been acting as a cultural and educational bridge between the U.S. and Greece for over half a century with a passionate commitment to the furtherance of international and intercultural understanding. CYA places great emphasis in the protection of the privacy and confidential nature of personal information and endeavors to take all reasonable precautions to maintain this privacy.  This privacy statement (“Privacy Statement” or “Statement”) sets out how CYA uses and protects any information collected through this CYA website at https://www.cyathens.org/ and any subdomains and any features and information available thereon, including the CYA blog located at https://cyathens.org/blog/ and information collected through the CYA student portal available at  https://cya-web.scansoftware.com/cafeweb/tl/login, as well as https://eclass.dikemes.edu.gr/login/index.php, and https://opac.dikemes.edu.gr/  (collectively, the “Site”) from the users of the Site (“Users” or “you”) as well as any other information you may provide to CYA when applying for a program and/or when expressing an interest in receiving more information about CYA’s programs and services or otherwise collected by CYA in connection with CYA’s programs and services.

II. Children’s privacy

CYA is committed to protecting the privacy of children. The Site is not designed for or directed to children under the age of 13. CYA does not collect personal data from any person it actually knows is under the age of 13.

III. Applicability of General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”)

CYA offers its programs through the Athens-based International Center for Hellenic and Mediterranean Studies (DIKEMES).
CYA collects, maintains and processes, as controller within the meaning of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the personal data of its students, applicants, and alumni graduates in connection with CYA-run study programs and services executed by DIKEMES in Greece. In certain circumstances, the GDPR may apply to our processing of your personal data.  For the avoidance of doubt, “personal data” as used in this Statement and defined in the GDPR means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

IV. Personal Data that can be processed- Purposes and legal bases

CYA may process the following personal data:

 

  1. Personal data that you provide to us, such as:
    • biographical data (full name, date and place of birth, ID or passport copies, gender, preferred pronoun, nationality, family status, mother’s and father’s name);
    • contact details (address, telephone number or mobile phone, email address, and CYA ID number);
    • academic background (prior and current schools, transcripts, school activities and disciplinary records);
    • financial information (general billing information and, for supplemental scholarship to aid applicants only, a copy of parents’/guardians’ last federal tax return, applicant’s last federal tax return; in addition, our third-party service provider that is responsible for billing and payment processing services (the “Payment Services Provider”) may collect your billing and credit card information from you directly);
    • emergency contact data (primary and secondary contact, next of kin contact details);
    • visa application details;
    • photographs,
    • in specific cases, health and dietary information, (e.g., medical conditions that may require additional accommodations or dietary preferences, food preferences/allergies) 
  • housing preferences (personal preferences, personality traits and habits, and to the extent voluntarily and upon your consent provided by you, sexual orientation for housing arrangements); 
  • data related to student’s studies at DIKEMES (e.g., enrollment data, academic records and grades received at DIKEMES, academic transcripts)
  • data provided when you fill out forms on the Site or when you submit your application, such as personal data included in your personal statement, WiFi or maintenance problem reports, and travel information.

Personal data collected by CYA automatically or from other sources, such as:

  • information collected through cookies and relevant technologies, as described in our Cookies Notice,
  • academic data, transferred by other institutions relevant to your academic curriculum for the purpose of transferring your credits,
  • contact information relating to alumni of CYA’s programs that is obtained from publicly available sources or from third parties in order to stay in touch with such alumni. 
  • log data The following data is recorded in log files upon each request on our server by the User’s browser: your IP address, which may be personal data, even if we cannot identify you on the basis of this information, the date and time of execution of each request for data transfer between browser and server (https request) for the operation of the https protocol, the server’s response code with the call parameters of the https protocol (https response), the server response time to each request and the type of browser through which the request was submitted.

Please note that some of the personal data that CYA processes may constitute “special categories of personal data” as defined by the GDPR. Under the GDPR, this data is to be treated with particular sensitivity, and under the GDPR’s definition of “special categories of personal data” includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or bio-metric data, data concerning health or data concerning a person’s sex life or sexual orientation.

Purposes and legal bases for processing:

CYA will only use your personal data to the extent that the law allows us to do so. It is noted that CYA processes each time only the personal data which is necessary for the purposes that it collects them and uses them exclusively for these purposes. 

In particular, we will process your personal data as follows:

Types of personal data Purposes of processing Legal bases
Identification data, contact details, emergency contact data, academic background data Evaluation of student applications for CYA programs and/or services  – Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract (Article 6 (1) (b) GDPR);
Financial information   Evaluation of student applications for supplemental scholarship and to process payments Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract (Article 6 (1) (b) GDPR);

– Processing is necessary for the performance of a contract to which the data subject is party (Article 6 (1) (b) GDPR);
Identification data, contact details, travel documents (including visa application details) emergency contact data, photograph, academic history, data related to student’s studies at CYA (e.g., enrollment data, academic records and grades received at CYA, academic transcripts, student records), CYA ID number  Pre-departure preparation of students and provision of educational courses and programs (academic services) to students and student management (e.g., enrollment, implementation of programs, record keeping, etc.) – Processing is necessary for the performance of a contract to which the data subject is party (Article 6 (1) (b) GDPR);
Contact details, passport number and photocopy Creation of an “enrolled student record” in compliance with local laws. –  Processing is necessary for compliance with a legal obligation to which CYA is subject (Article 6(1)(c) GDPR)
Data related to student’s studies at CYA (e.g., enrollment data, academic records and grades received at CYA, academic transcripts, student records) Εvaluating student performance and qualification for educational credit – Processing is necessary for the performance of a contract to which the data subject is party (Article 6 (1) (b) GDPR);

– Processing is necessary for compliance with a legal obligation to which CYA is subject (Art. 6(1)(c) GDPR)
Identification data, contact details, travel documents (including visa application details) housing preferences Provision of travel and accommodation services to students, housing arrangements – Processing is necessary for the performance of a contract to which the data subject is party (Article 6 (1) (b) GDPR);

–  For special categories of data: explicit consent (Article 9 (2) (a) GDPR).
Health and dietary information (e.g., food preferences, allergies) Provision of support services (personal care services, including physical and mental health, insurance, or nutrition) – Processing is necessary for the performance of a contract to which the data subject is party (Article 6 (1) (b) GDPR)

– For special categories of data: explicit consent (Article 9 (2) (a) GDPR)
Lifestyle preferences Provision of housing arrangements – Processing is necessary for the performance of a contract to which the data subject is party (Article 6 (1) (b) GDPR)
Emergency contact data  Management of student emergency situations – Processing is necessary in order to protect the vital interests of the data subject or of another natural person (Article 6 (1) (d) GDPR)
Information related to learning difficulties and disabilities (e.g., dyslexia) Supporting the learning experience and providing the appropriate care to students with learning difficulties and disabilities  – Explicit consent
(Article 6 (1) (a) and 9 (2) (a) GDPR)
Data related to student’s studies at DIKEMES Monitoring and reporting on student progress in order to provide scholarships and financial aid as well as to support students’ educational endeavors – Legitimate interest of CYA (Article 6(1)(f) GDPR)
Student/alumni reviews Assessing the quality of CYA’s educational services – Legitimate interest of CYA (Article 6(1)(f) GDPR)
Data requested in each Site form (e.g., identification and contact data, service of interest, etc.) Managing information requests (through “Request info” form, email and/or other means), requests in relation to academic studies (e.g., request for transcript form), or other requests (Alumni Returning to Athens” form  – Consent (Article 6 (1) (a) GDPR)
Login credentials (username, password)  Management of “My CYA Portal” account and provision of account services – Processing is necessary for the performance of a contract to which the data subject is party (Article 6 (1) (b) GDPR)
Image and voice data (photographs, videos) student/alumni reviews  Promotion of CYA’s business and services  – Consent (Article 6 (1) (a) GDPR)
Email address Subscription to Owl Newsletter  – Consent (Article 6 (1) (a) GDPR)
“Submit a Class Note”: Full name, address, email address, news shared (e.g., marriage, birth, death announcement), personal experiences shared in blog posts Sharing student news and experiences in the Owl Newsletter or CYA blog – Consent (Article 6 (1) (a) GDPR)
Donation amount, affiliation to CYA, last name, payment/billing information, designation, dedication Managing donations to CYA – Processing is necessary for the performance of a contract to which the data subject is party (Article 6 (1) (b) GDPR)
Data collected through CYA Alumni Networking Survey (full name, email, CYA Term/Year, LinkedIn profile, industry field, current employment/title and location) Improving CYA alumni networking – Consent (Article 6 (1) (a) GDPR)
Name, email, subject, comment Managing comments/feedback from CYA alumni and friends – Consent (Article 6 (1) (a) GDPR)
Data collected through CYA “Alumni – Volunteer interest” form (full name, CYA Class Year, email address, current city/state, type of volunteer interest) Managing CYA alumni volunteers – Consent (Article 6 (1) (a) GDPR)
Data collected through CYA T-shirts order form (name, mailing address, email) Managing CYA T-shirts orders Processing is necessary for the performance of a contract to which the data subject is party(Article 6 (1) (b) GDPR)

Consent (Article 6 (1) (a) GDPR)

Legitimate interest of CYA (Article 6(1)(f) GDPR)
Log files, including your IP address, the server’s response code with the call parameters of the https protocol (https response), the server response time to each request and the type of browser through which the request was submitted. Monitoring the security of the Site and its services, ensuring the availability, integrity, and confidentiality of information and data from accidental, illegal, or malicious acts or incidents, investigating online attacks and incidents Legitimate interest of CYA (Article 6(1)(f) GDPR)
Name, title, name of institution, business email address, business telephone number, and business address of representatives of educational institutions with whom CYA contracts in connection with CYA’s programs and services. Promotion of CYA’s business and services  Legitimate interest of CYA (Article 6(1)(f) GDPR)
Name; email address; permanent address; telephone number; and home institution name of faculty of CYA’s educational institution customers Promotion of CYA’s business and services Legitimate interest of CYA (Article 6(1)(f) GDPR)

Unless prohibited by applicable law, unless you “opt out”, CYA may use personal data collected so that CYA and third parties acting on CYA’s behalf can contact you about products and services that may be of interest to you.

Media

If you upload images to the Site, you should avoid uploading images with embedded location data (EXIF GPS). You can download and extract any location data from images on the Site.

V. Recipients of Personal Data

CYA does not intend to sell, swap, share or otherwise disclose the information you provide, unless it is obliged or entitled to disclose, by law or regulation or court order or in the context of fulfilling the purpose for which you provide your personal data or as otherwise set forth in this Statement or as specifically authorized by you. In any case, CYA shall use reasonable efforts intended to ensure that only those who need to have access to your personal data are indeed granted access to such data and only in connection with and for the purposes relating to the performance of their obligations.

In particular, CYA might disclose your personal data to the following recipients:

  • to other universities and/ or institutions with which CYA collaborates and where CYA’s students are enrolled for the provision of its programs and services, such as the Athens-based International Center for Hellenic and Mediterranean Studies (DIKEMES) and your home institution,
  • to third-party service providers, such as
    • (i) travel agents regarding booking of tickets for your trips or educational excursions in which you participate,
    • (ii) insurance companies regarding your health insurance plan,
    • (iii) thirdparty lessors regarding the accommodation that CYA provides you,
    • (iv) transport company that CYA uses for the transport of their students,
    • (v) IT services providers, and
    • (vi) the Payment Services Provider, to provide credit card processing and fraud screening services.
  • to the competent regulatory and supervisory authorities and/ or public entities. Without limitation of the foregoing, CYA may disclose your personal data if it believes in good faith that it is required to do so in order to comply with an applicable statute, regulation, rule or law, a subpoena, a search warrant, a court or regulatory order, lawful requests by public authorities, including to meet national security or law enforcement requirements, or other valid legal process. CYA may disclose personal data in special circumstances when CYA has reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating a contract with CYA, to detect fraud, for assistance with a delinquent account, or to protect the safety and/or security of CYA’s students and Site users, CYA’s programs, or the general public.
  • to third-party commercial partners who may directly collect personal data about CYA’s Site users’ online activities over time and across different websites; these third parties to which we may provide or who may independently directly collect information may include providers of products or services (including vendors and website tracking services), merchants, affiliates and other actual or potential commercial partners, and other similar parties; please note in particular that a portion of the Site may use Google Analytics, including its data reporting features. Information collected by Google Analytics includes but is not limited to web metrics. For information on how Google Analytics collects and processes data, please see the site “How Google uses data when you use CYA’s partners’ sites or apps”, currently located at https://www.google.com/policies/privacy/partners/. For information on opting out of Google Analytics, CYA encourages you to visit Google’s website, including its list of currently available opt-out options presently located at https://tools.google.com/dlpage/gaoptout.
  • to CYA’s Corporate Affiliates, if any. For purposes of this Statement: “Corporate Affiliate” means any person or entity which directly or indirectly controls, is controlled by or is under common control with CYA, whether by ownership or otherwise; and “control” means possessing, directly or indirectly, the power to direct or cause the direction of the management, policies or operations of an entity, whether through ownership of fifty percent (50%) or more of the voting securities, by contract or otherwise. Any information relating to you that CYA provides to its Corporate Affiliates will be treated by those Corporate Affiliates in accordance with the terms of this Statement.

It is hereby noted that when CYA entrusts the processing of personal data to third parties acting on behalf of CYA, they must comply fully with CYA’s instructions in accordance with the relevant contractual agreements.
CYA further reserves the right to transfer your personal data to a third party in connection with a sale, merger or other transfer of all or substantially all of the assets of CYA or any of its Corporate Affiliates, or that portion of CYA or any of its Corporate Affiliates to which CYA’s programs relate, or in the event that CYA discontinues its business or files a petition or has filed against it a petition in bankruptcy, reorganization or similar proceeding, provided that the third party agrees to adhere to the terms of this privacy statement.

VI. Do Not Track

The term “Do Not Track” refers to a HTTP header offered by certain web browsers to request that websites refrain from tracking the user. CYA takes no action in response to automated Do Not Track requests. However, if you wish to stop such tracking, please contact CYA with your request, using CYA’s contact details provided below.

VII. Security

CYA has put in place appropriate physical, technical, and administrative procedures intended to safeguard and secure the information it collects against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access. While CYA makes reasonable efforts to protect the information that is provided to it, CYA cannot provide an absolute guarantee as to the security of data transmitted over a network.

VIII. Links to Other Websites

This Site may include hyperlinks to other websites which are under the responsibility of third parties (natural or legal persons) and are subject to the privacy statements of those websites. Therefore, CYA is not responsible for the privacy practices or the content of such websites and this privacy statement does not apply to such websites. CYA encourages you to read the privacy policies or statements of each such website or service.

IX. Cookies

The Site uses cookies and similar technologies (collectively, “Cookies”). For more information about the use of Cookies by CYA, please see the Cookies Notice

X. Transfers to Third Countries Outside the EEA

When offering its programs, CYA may transfer/receive personal data to and/or from its collaborating universities and/ or institutions located outside the EEA throughout the world, such as the United States, as well as interconnect specific files if necessary, including transfers to and from countries that may not provide the same level of protection for personal data. The said transfer or interconnection will be carried out based on appropriate data transfer mechanisms under the GDPR, including adequacy decisions, data transfer agreements that incorporate Standard Contractual Clauses or based on the explicit consent of the data subject, etc. CYA ensures, through appropriate procedures, that the required procedures are carried out in order to ensure the safe processing of personal data transmitted or interlinked. In particular, CYA may:

  1. process and disclose such personal data (including special categories of personal data) in accordance with this Statement;
  2. transfer such personal data (including special categories of personal data) throughout the world to countries that do not ensure adequate protection for personal data (as determined by the European Commission); and
  3. disclose such personal data (including special categories of personal data) to comply with lawful requests by public authorities, including to meet national security or law enforcement requirements. If you are accessing the Site from a jurisdiction with laws or regulations governing personal data collection, use, and disclosure that differ from those of the United States, please be advised that all aspects of the Site are governed by the internal laws of the United States and the Commonwealth of Massachusetts, USA, regardless of your location.

XI. Data Retention

CYA will retain your personal data only for so long as is necessary for the purpose for which it was collected. To determine the appropriate retention period for personal data, CYA considers the amount, nature, and sensitivity of that information, the potential risk of harm from unauthorized use or disclosure, the purposes for which it processes your personal data and whether it can achieve those purposes through other means, and the applicable legal requirements.

XII. Data Subject Rights

Following the verification of your identity, you, as a data subject, may have the following rights under applicable law:

  • Right of Access
    You have the right to obtain from CYA confirmation as to whether or not personal data of yours are being processed, and, if so, you have the right to access your personal data and to obtain a copy.
  • Right to Rectification
    You have the right to obtain without undue delay the rectification of inaccurate or incomplete personal data of yours and the right to have incomplete personal data completed.
  • Right to Erasure
    You have the right to obtain from CYA the erasure of your personal data, which can be met if certain conditions are met.
  • Right to Restriction
    You have the right to obtain from CYA restriction of processing under certain conditions.
  • Right to Obtain Human Intervention
    You have the right to ask from CYA not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
  • Right to Portability
    You have the right to ask from CYA and receive your personal data that you have provided in a structured, commonly-used and machine-readable format or to ask CYA to transmit those data to another controller.
  • Right to withdraw consent

If you have provided CYA with your consent to process data, you have the right to withdraw your consent at any time.

You also have the right to object, at any time, to processing of personal data concerning you (Right to Object). CYA shall then no longer process your personal data unless it demonstrates compelling legitimate grounds for the processing, which override the interests, rights and freedoms of yours or for the establishment, exercise or defense of legal claims.

To exercise the aforementioned rights in relation to the protection of your personal data, please contact: [email protected]

In case that you consider that the protection of your data is in any way affected or if your right has not been satisfied, you have the right to lodge a complaint with the data protection supervisory authority in your EU country of residence. In Greece, the competent authority is the Hellenic Data Protection Authority (HDPA). You may lodge a complaint with the HDPA electronically through its web portal “https://eservices.dpa.gr/” by filling in the corresponding online form depending on the type of complaint (instructions available at: “https://www.dpa.gr/el/syndesi/prosvasi”).

In case you wish to contact the CPVO for any other reason:

1-3 Kifissias Street, P.O. Box 115 23, Athens

tel. +30 210 6475600

e-mail: [email protected]

XIII. Update – Amendment on the Privacy Statement

CYA reserves the right to update, supplement and / or amend this Statement in accordance with the applicable regulatory and legislative framework. In this case, the updated Statement will be posted on the CYA’s Site (https://www.cyathens.org/).

XIV. Contact Us

For any clarification about this privacy statement, please contact: [email protected]