Privacy Policy

Welcome to CityTourWalks ("we," "us," or "our").

We respect your privacy and are committed to protecting your data.

This policy explains what information we collect, how we use it, and your rights under global privacy laws (including the GDPR).

If you have any questions, please contact sp@citytourwalks.com.

1. What We Collect

Tour Data

When you create a walking tour, we store:

• City and country
• Your tour preferences (interests, walking pace, accessibility options)
• Generated tour content (locations, descriptions, tips)
• Tour creation date and a unique ID

➡️ We do not collect your name, email, IP address, or other personally identifiable data when you create a tour with CityTourWalks.

Payment Data

Payments are handled securely by LemonSqueezy. Please check their privacy policy for more details.

They collect your name, email, billing address, and payment method to complete the purchase.

We only receive:

• Order ID
• Customer email (used once to send your tour link)
• Purchase amount and payment status

Your email is used only for delivery via Resend.com. We receive your email from LemonSqueezy solely for one-time delivery and delete it immediately after sending.

Only your purchase record (Order ID and tour link) remains in our database.

Technical Data

To protect our site from bots, we use Cloudflare Turnstile, which may temporarily process your IP and browser details for verification.

We don't store this information.

Emails

We send only transactional messages — for example, your tour link or a support reply.

We never send marketing or promotional emails.

2. How We Use Your Data

We use your data solely to:

• Generate your personalized walking tour
• Process secure payments through LemonSqueezy
• Deliver purchased tours via email using Resend.com
• Respond to support requests
• Prevent spam and abuse
• Improve overall service reliability (in an anonymized way)

We do not:

• Sell or share your data with third parties
• Track your browsing behavior
• Use advertising cookies or analytics trackers
• Profile or market to users

3. Trusted Service Providers

We use a few reputable providers to make CityTourWalks possible:

AI & Generated Content

CityTourWalks uses generative AI (Google Gemini) to create walking tours and related narrative content. When you generate a tour, we transmit only your non-identifying inputs (such as city, interests, walking pace, and accessibility preferences) to Gemini for processing.

Legal basis: We process these inputs to provide the service you request. Where applicable under the GDPR, this is based on our legitimate interest in delivering and improving the service (Art. 6(1)(f) GDPR), and/or the performance of a contract or pre-contractual steps (Art. 6(1)(b) GDPR) when you purchase a tour.

Data minimization: We do not send your name, email address, or other direct identifiers to Gemini as part of tour generation.

Retention: Gemini processes the inputs to produce an output. We do not intentionally submit personal data in prompts, and we do not use Gemini to build user profiles or for marketing.

Accuracy note: AI-generated content is provided for planning support and inspiration and may not always reflect last-minute changes (e.g., opening hours, temporary closures, local events). Please verify critical details before visiting.

4. Cookies

We only use essential cookies required for functionality:

• Session cookie: keeps your tour in progress
• Turnstile token: verifies you're human (temporary)
• Preview ID: displays your generated tour

We do not use advertising, tracking, or analytics cookies (no Google Analytics, no Facebook Pixel).

5. Data Retention

6. Your Rights (GDPR and Equivalent Laws)

If you are in the EU, UK, or other regions with similar protections, you have the right to:

• Access your stored data
• Delete your purchased tour
• Correct inaccurate information
• Export your data (JSON or PDF)
• Object to processing

To exercise these rights, contact sp@citytourwalks.com with your tour link or order ID.

We'll respond within the legal timeframe.

7. Data Security

We take security seriously and use industry-standard measures:

• Encrypted HTTPS connections
• Supabase encryption at rest
• PCI-DSS-compliant payment handling (LemonSqueezy)
• Unguessable tour access links
• Cloudflare protection and rate-limiting
• Regular software updates and monitoring

8. Children's Privacy

Our service is not directed at children under 16.

We do not knowingly collect personal data from minors.

If you believe a child has provided data, please contact us for removal.

9. International Data Transfers

Some service providers (Supabase, Google, Cloudflare) may process data outside the EU, including in the United States.

We rely on GDPR-approved Standard Contractual Clauses and/or other valid transfer mechanisms (where applicable) to protect these transfers.

10. Other Privacy Laws

We follow the same privacy principles globally.

This means we extend the same protections to all users, including those covered by:

• CCPA/CPRA (California, USA)
• UK GDPR (United Kingdom)
• LGPD (Brazil)
• PIPEDA (Canada)

We do not sell, rent, or share personal data.

All users, regardless of location, have equal rights to access or delete their data.

11. Updates to This Policy

We may update this policy occasionally.

If we make significant changes, we'll announce them on our website.

Continued use of CityTourWalks means you accept the updated version.

12. Legal Disclaimer

This policy is provided for transparency and is not legal advice; consult a professional for your specific situation.

13. Contact Us

Questions or privacy requests:

• 📧 sp@citytourwalks.com
• 🌍 citytourwalks.com/contact