Privacy Policy

We do not sell your personal data to third parties. We share your personal data only in the limited circumstances described below:

6.1 With Other Users

When our matching algorithm identifies a suitable match, we share relevant profile information:

• Tourist to Student Guide: Name, trip details, preferences, contact method preference, and any information you include in your booking request
• Student Guide to Tourist: Name, university affiliation, profile biography, languages, interests, and service offerings
• Contact Information: Email addresses and phone numbers (if provided) are shared only after both parties agree to connect

6.2 Service Providers and Data Processors

We engage trusted third-party service providers to assist with Platform operations. These processors have access to personal data only as necessary to perform their functions and are contractually obligated to protect your data in accordance with GDPR Article 28:

• Cloud Infrastructure: Vercel (hosting, CDN) – USA (Standard Contractual Clauses)
• Database Services: Vercel Postgres – USA (Standard Contractual Clauses)
• Email Delivery: Resend – USA (Standard Contractual Clauses)
• Authentication Services: NextAuth.js (self-hosted), Google OAuth, Microsoft OAuth – Various (Standard Contractual Clauses where applicable)
• Analytics: Google Analytics (if enabled with consent) – USA (Standard Contractual Clauses, anonymized IP addresses)
• Image CDN: Unsplash – USA (publicly available images, no personal data transmitted)

6.3 Legal Obligations and Safety

We may disclose personal data when required by law or when we believe in good faith that disclosure is necessary to:

• Comply with legal obligations, court orders, or lawful requests from government authorities
• Enforce our Terms of Service and other agreements
• Investigate potential violations of our policies
• Protect the rights, property, or safety of TourWiseCo, our users, or the public
• Detect, prevent, or address fraud, security, or technical issues
• Respond to emergencies involving danger of death or serious physical injury

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal data may be transferred to the successor entity. We will notify you via email and/or a prominent notice on our Platform before your personal data is transferred and becomes subject to a different privacy policy.

6.5 With Your Consent

We may share personal data for purposes not described in this Privacy Policy when we obtain your explicit consent to do so.

6.6 Aggregated and Anonymized Data

We may share aggregated or anonymized data that cannot reasonably be used to identify you, such as statistical trends, platform metrics, or research findings. This data is not considered personal data under GDPR.

TourWiseCo operates in the European Union and United Kingdom. However, some of our service providers are located in countries outside the European Economic Area (EEA) and the United Kingdom, including the United States.

7.1 Safeguards for International Transfers

When we transfer personal data to countries that do not provide an adequate level of data protection as determined by the European Commission or UK authorities, we implement appropriate safeguards in accordance with GDPR Chapter V:

• Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses (also known as Model Clauses) for transfers to third countries. These clauses are legally binding commitments between data controllers and processors to protect your personal data.
• Adequacy Decisions: Where applicable, we rely on adequacy decisions issued by the European Commission recognizing that certain countries provide adequate data protection (e.g., under the EU-U.S. Data Privacy Framework, if applicable).
• Supplementary Measures: In addition to SCCs, we conduct transfer impact assessments and implement supplementary technical and organizational measures, such as encryption in transit and at rest, pseudonymization, and access controls.

7.2 Your Rights Regarding International Transfers

You have the right to obtain information about the safeguards we have in place for international transfers. You may request a copy of the relevant safeguard mechanisms by contacting us using the details in Section 14.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

8.1 Retention Periods

8.2 Retention Criteria

We determine retention periods based on:

• The purpose for which the data was collected
• Legal, regulatory, tax, accounting, or reporting requirements
• Statute of limitations for legal claims
• Pending or potential litigation
• Our legitimate business interests (security, fraud prevention, user safety)

8.3 Secure Deletion

When personal data is no longer required, we securely delete or anonymize it using industry-standard methods to prevent recovery or reconstruction. Backups containing deleted data are retained for disaster recovery purposes but are securely overwritten according to our backup rotation schedule (maximum 90 days).

We use cookies and similar tracking technologies in accordance with the ePrivacy Directive 2002/58/EC and GDPR.

9.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our Platform. They help us recognize you, remember your preferences, and improve your experience.

9.2 Types of Cookies We Use

Strictly Necessary Cookies (No consent required)

These cookies are essential for the Platform to function and cannot be disabled:

• Authentication cookies: Keep you logged in and manage your session
• Security cookies: Detect and prevent fraudulent activity
• CSRF tokens: Protect against cross-site request forgery attacks
• Load balancing cookies: Ensure Platform stability and performance

Functional Cookies (Consent required)

These cookies enhance functionality and personalization:

• Preference cookies: Remember your language, location, and display settings
• UI state cookies: Preserve your navigation and form input state

Analytics Cookies (Consent required)

These cookies help us understand how users interact with the Platform:

• Google Analytics: Tracks page views, user journeys, and engagement metrics
• Performance monitoring: Identifies technical issues and slow-loading pages

Analytics cookies are only placed with your explicit consent. IP addresses are anonymized. You can withdraw consent at any time through our cookie preference center.

Marketing Cookies (Consent required)

We do NOT currently use marketing or advertising cookies. Should this change in the future, we will obtain your explicit consent before placing such cookies.

9.3 Third-Party Cookies

When you use OAuth authentication (Google, Microsoft), these providers may set their own cookies subject to their privacy policies:

• Google OAuth: https://policies.google.com/privacy
• Microsoft OAuth: https://privacy.microsoft.com/

9.4 Managing Cookies

You can control cookies through:

• Cookie Preference Center: Accessible through the banner displayed on your first visit or through Platform settings
• Browser Settings: Most browsers allow you to refuse or delete cookies. Instructions vary by browser:
  • Chrome: Settings → Privacy and security → Cookies
  • Firefox: Options → Privacy & Security → Cookies
  • Safari: Preferences → Privacy → Cookies
  • Edge: Settings → Privacy, search, and services → Cookies

Blocking strictly necessary cookies will prevent you from using certain essential features of the Platform.

9.5 Other Tracking Technologies

In addition to cookies, we may use:

• Local storage: Stores data locally on your device to improve performance
• Session storage: Temporary storage that expires when you close your browser
• Pixels and web beacons: May be used in emails to track delivery and open rates (with consent)

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

11.1 Technical Measures

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS)
• Encryption at rest: Database and file storage use AES-256 encryption
• Password security: Passwords are hashed using bcrypt with salt before storage; plain-text passwords are never stored
• Access controls: Role-based access control (RBAC) restricts employee access to personal data on a need-to-know basis
• Network security: Firewalls, intrusion detection systems, and DDoS protection
• Secure authentication: Multi-factor authentication (MFA) for administrative access
• Regular security testing: Vulnerability scanning, penetration testing, and security audits

11.2 Organizational Measures

• Data protection policies and procedures
• Employee confidentiality agreements
• Privacy and security training for staff
• Data breach response plan and incident management procedures
• Regular review and update of security measures
• Vendor security assessments and due diligence

11.3 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
• Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
• Provide clear information about the nature of the breach, likely consequences, and measures taken to address it

11.4 Limitations

While we implement robust security measures, no system is completely secure. You are responsible for:

• Keeping your account credentials confidential
• Using strong, unique passwords
• Logging out of shared or public devices
• Promptly notifying us of any unauthorized access

Our Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 18. Users must be at least 18 years old to create an account or use our Services.

If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete such data from our systems.

If you believe we have collected data from a child under 18, please contact us immediately using the contact information in Section 14.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons.

When we make material changes to this Privacy Policy, we will:

• Update the "Last Updated" date at the top of this page
• Notify you via email (to the email address associated with your account)
• Display a prominent notice on the Platform
• Where required by law, obtain your consent to the updated Privacy Policy

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes are posted constitutes your acceptance of the updated Privacy Policy, unless additional consent is required by law.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• By contact form: Available on our Platform (preferred method)
• Data Protection Officer: You may contact our Data Protection Officer through the Platform contact form, marking your message "Attn: Data Protection Officer"

TourWiseCo
Operating in Paris, France and London, United Kingdom

We will respond to all legitimate requests within one month, as required by GDPR Article 12(3). In complex cases, we may extend this period by an additional two months and will inform you of such extension.

15.1 Legal Basis Summary

This section summarizes the legal bases under which we process different categories of personal data:

15.2 Representative for UK GDPR

TourWiseCo operates in the United Kingdom and is directly subject to UK GDPR. Our London operations serve as the point of contact for UK data protection matters.

15.3 Cross-Border Data Sharing Within EEA/UK

Data may be transferred between our operations in France and the United Kingdom. Such transfers within the EEA and between the EEA and UK benefit from adequacy protections and do not require additional safeguards.