Privacy Policy

Last updated: November 4, 2025

Welcome to CityTourWalks ("we," "us," or "our").

We respect your privacy and are committed to protecting your data.

This policy explains what information we collect, how we use it, and your rights under global privacy laws.

If you have any questions, please contact sp@citytourwalks.com.

1. What We Collect

Tour Data

When you create a walking tour, we store:

  • City and country
  • Your tour preferences (interests, walking pace, accessibility options)
  • Generated tour content (locations, descriptions, tips)
  • Tour creation date and a unique ID

➡️ We do not collect your name, email, IP address, or any personally identifiable data when you create a tour with CityTourWalks.

Payment Data

Payments are handled securely by LemonSqueezy. Please check their privacy policy for more details.

They collect your name, email, billing address, and payment method to complete the purchase.

We only receive:

  • Order ID
  • Customer email (used once to send your tour link)
  • Purchase amount and payment status

Your email is used only for delivery via Resend.com. We receive your email from LemonSqueezy solely for one-time delivery and delete it immediately after.

Only your purchase record (Order ID and tour link) remains in our database.

Technical Data

To protect our site from bots, we use Cloudflare Turnstile, which may temporarily process your IP and browser details for verification.

We don't store this information.

Emails

We send only transactional messages — for example, your tour link or a support reply.

We never send marketing or promotional emails.

2. How We Use Your Data

We use your data solely to:

  • Generate your personalized walking tour
  • Process secure payments through LemonSqueezy
  • Deliver purchased tours via email using Resend.com
  • Respond to support requests
  • Prevent spam and abuse
  • Improve overall service reliability (in an anonymized way)

We do not:

  • Sell or share your data with third parties
  • Track your browsing behavior
  • Use advertising cookies or analytics trackers
  • Profile or market to users

3. Trusted Service Providers

We use a few reputable providers to make CityTourWalks possible:

Service | Purpose | Privacy Policy
Supabase | Securely stores tour data and purchase records (encrypted) | View
LemonSqueezy | Handles payments and billing | View
Google Gemini AI | Generates tours using Google Maps data | View
Cloudflare Turnstile | Protects against bots | View
Resend | Sends transactional emails (tour links) | View
Google Maps Platform | Provides map and location data | View

AI Data Usage

When generating tours, we send your city and preferences to Google Gemini, which processes them temporarily to create content. No personal data is included, and Google does not retain your inputs beyond the session.

4. Cookies

We only use essential cookies required for functionality:

  • Session cookie: keeps your tour in progress
  • Turnstile token: verifies you're human (temporary)
  • Preview ID: displays your generated tour

We do not use advertising, tracking, or analytics cookies (no Google Analytics, no Facebook Pixel).

5. Data Retention

Data Type | Retention Period
Free tour previews | 30 days
Purchased tours | Stored indefinitely for access
Payment data | Managed by LemonSqueezy
Email delivery logs | 90 days (support purposes)

6. Your Rights (GDPR and Equivalent Laws)

If you are in the EU, UK, or other regions with similar protections, you have the right to:

  • Access your stored data
  • Delete your purchased tour
  • Correct inaccurate information
  • Export your data (JSON or PDF)
  • Object to processing

To exercise these rights, contact sp@citytourwalks.com with your tour link or order ID.

We'll respond within the legal timeframe.

7. Data Security

We take security seriously and use industry-standard measures:

  • Encrypted HTTPS connections
  • Supabase encryption at rest
  • PCI-DSS-compliant payment handling (LemonSqueezy)
  • Unguessable tour access links
  • Cloudflare protection and rate-limiting
  • Regular software updates and monitoring

8. Children's Privacy

Our service is not directed at children under 16.

We do not knowingly collect personal data from minors.

If you believe a child has provided data, please contact us for removal.

9. International Data Transfers

Some service providers (Supabase, Google, Cloudflare) may process data outside the EU, including in the United States.

We rely on GDPR-approved Standard Contractual Clauses to protect these transfers.

10. Other Privacy Laws

We follow the same privacy principles globally.

This means we extend the same protections to all users, including those covered by:

  • CCPA/CPRA (California, USA)
  • UK GDPR (United Kingdom)
  • LGPD (Brazil)
  • PIPEDA (Canada)

We do not sell, rent, or share personal data.

All users, regardless of location, have equal rights to access or delete their data.

11. Updates to This Policy

We may update this policy occasionally.

If we make significant changes, we'll announce them on our website.

Continued use of CityTourWalks means you accept the updated version.

12. Legal Disclaimer

This policy is not legal advice; consult a professional for your specific situation.

13. Contact Us

Questions or privacy requests: