Privacy Policy

Last updated: April 21, 2026

This Privacy Policy explains how TourBookingPlatform (“we”, “us”) collects, uses, and shares personal data when you use our website and the TourBookingPlatform service (the “Service”). It also describes the rights you have under the EU and UK General Data Protection Regulations (“GDPR”).

We act as a controller for personal data about the account holders who sign up for the Service (our customers). When our customers use the Service to manage their own guests and bookings, we act as a processor on their behalf; in that case, the customer is the controller and you should contact them directly with privacy questions about their data.

1. Data we collect

We collect the following categories of data:

  • Account data: name, email address, hashed password, business name, role.
  • Billing data: subscription plan, billing address, and limited payment metadata returned by our payment provider. Full card numbers are handled by the payment provider and never stored on our servers.
  • Usage and device data: IP address, browser and device information, pages visited, timestamps, and basic diagnostics used to operate and secure the Service.
  • Support communications: the content of emails or messages you send us.
  • Customer Data: information that our customers upload to the Service about their tours, bookings, and guests. We process this data on our customers’ instructions under our Terms.

2. How we use data and our lawful basis

  • To provide the Service (contract, GDPR Art. 6(1)(b)): creating your account, authenticating you, running features you use.
  • Billing and fraud prevention (contract and legitimate interests, Art. 6(1)(b) and (f)).
  • Service emails (contract, Art. 6(1)(b)): password resets, billing notifications, product announcements that affect your account.
  • Security and abuse prevention (legitimate interests, Art. 6(1)(f)): rate limiting, logging, detecting misuse.
  • Legal compliance (Art. 6(1)(c)): tax, accounting, and responding to lawful requests.
  • Improving the Service (legitimate interests, Art. 6(1)(f)): diagnosing issues and understanding aggregate usage.

3. Who we share data with

We share personal data only with service providers that help us run the Service, under written data-processing agreements:

  • Supabase — database and authentication infrastructure.
  • Vercel — application hosting and CDN.
  • Resend — transactional email delivery (password resets, account notifications).
  • Stripe — payment processing for subscriptions and, where you enable it, for your guests’ bookings.

We do not sell personal data. We may disclose data to comply with law, enforce our Terms, or protect rights, property, or safety. If we are part of a merger, acquisition, or asset sale, personal data may be transferred; we will notify affected users.

4. International transfers

Some of our providers are based outside the European Economic Area. Where personal data is transferred outside the EEA or UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum.

5. Retention

We keep account and Customer Data for as long as your account is active. When an account is closed, we delete or anonymise Customer Data within a reasonable grace period (typically 30 days), except where longer retention is required by law (for example, tax records). Backups are rotated and overwritten on a normal schedule.

6. Your rights

If you are in the EU, UK, or EEA, you have the right to:

  • access the personal data we hold about you;
  • ask us to correct inaccurate data;
  • ask us to delete your data (“right to be forgotten”), subject to legal retention requirements;
  • ask us to restrict or object to certain processing based on legitimate interests;
  • receive a portable copy of data you provided to us;
  • withdraw consent at any time, where processing is based on consent, without affecting prior processing;
  • lodge a complaint with your local data protection authority.

To exercise any of these rights, email privacy@tourbookingplatform.com. For Customer Data, contact the customer whose account holds the data; we will refer requests we receive directly to them.

7. Cookies

We use a small number of cookies that are strictly necessary to keep you signed in and to protect against abuse. We do not use advertising cookies. If we introduce analytics or marketing cookies in the future, we will ask for your consent first.

8. Security

We use industry-standard measures to protect personal data, including encryption in transit, hashed passwords, access controls, and logging. No method of transmission or storage is 100% secure; if we become aware of a breach that affects you, we will notify you and the relevant authority as required by law.

9. Children

The Service is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top shows when it last changed. If a change is material, we will give reasonable notice (for example, by email or in-product notice).

11. Contact

For privacy questions or to exercise your rights, contact us at privacy@tourbookingplatform.com.