We'll keep this straightforward. Here's what we collect, why we collect it, and what you can do about it. Questions: support@gotouri.com.
Touri is operated by Go Touri Co., incorporated in Delaware, USA ("Touri", "we", "us"). We are the data controller for gotouri.com.
What we collect — and why
We only collect information we actually need to run Touri. Here's what that is:
When you create an account
| Data | Why we collect it |
|---|---|
| Name and email address | To create your account and communicate with you |
| Password (hashed) | To secure your account |
| Country | To tailor currency display and tax handling |
| Language preference | To set your default experience |
| Device type | To optimise how Touri works for you |
| Acquisition details (UTMs, referrer) | To understand which channels bring people to Touri |
| Signup context | To understand where on Touri users sign up |
| Terms acceptance | To record your agreement to our terms |
When you use Touri
| Data | Why we collect it |
|---|---|
| Tours viewed/interacted | To run the discovery experience |
| Offers and pricing | To process negotiations and calculate payouts |
| Bookings | To confirm and manage your bookings |
| Status and cancellations | To process refunds and manage disputes |
| Negotiation history | To calculate accurate payouts |
| Deal stats | To power the stats you see on your profile |
For security
We maintain an audit log of security-relevant events: login attempts, email address changes, password reset requests. These records include your IP address and are used solely to detect and investigate security incidents.
For guides (operators) — additionally
| Data | Why we collect it |
|---|---|
| Display name and photo | To show on listings |
| Stripe Connect ID | To process your payouts |
| Licenses, insurance and tax details | Regulatory, legal and tax compliance |
| Account status and invite code | Administration of Touri |
Waitlist — what we collect before you have an account
During our pre-launch period, we operate a traveler waitlist. If you submit your email via the waitlist form, we collect:
| Data | Why we collect it |
|---|---|
| Email address | To contact you when we open to travelers |
| Marketing consent (yes/no) + timestamp | Legal proof of explicit opt-in consent under GDPR |
| Privacy policy version | Records which version of this policy you consented to |
| Source and sign-up context | Analytics — which page or flow you used to join |
| One-way hash of IP address (SHA-256) | Abuse detection only. The raw IP address is never stored. |
We do not collect your name, phone number, or any other information. We have no legal basis to collect it before you're a registered user.
Waitlist data is retained until the earlier of: (a) you unsubscribe, (b) we open to travelers and your account is created, or (c) 12 months from the date we stop operating the waitlist. After that, waitlist entries are deleted within 90 days. You can request deletion at any time by emailing support@gotouri.com or using the unsubscribe link in any email we send you.
Legal basis for processing (GDPR)
If you're in the EU or UK, processing of your data is based on the following:
| Processing activity | Legal basis |
|---|---|
| Running account, bookings, payments | Contract — to provide the service |
| Security audit logs | Legitimate interests — fraud/security |
| Acquisition tracking | Legitimate interests — understanding growth |
| Analytics (PostHog with consent) | Consent — cookie banner opt-in |
| Marketing emails | Consent — opt-in at sign-up |
| Booking alerts and reminders | Contract — delivering the service |
| Waitlist email (pre-launch) | Consent — explicit opt-in checkbox at submission |
Analytics
We use a consent-based analytics setup. If you accept at the banner, we track page visits and drop-offs to improve Touri. If you decline, no analytics data is collected. You can change your choice anytime at Cookies & analytics.
We do not use advertising analytics, tracking pixels, or any third-party ad networks. We do not sell or share your data for advertising purposes.
Cookies
We use very few cookies. We need to use these cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| sb-access-token | Keeps you logged in (HttpOnly). | Session |
Analytics consent is stored in your browser's localStorage (key touri_consent). We do not set advertising cookies.
Who we share your data with
- Guides. Confirmed booking info shared for coordination only.
- Payment processors. [] handles all payments; we don't store card details.
- Infrastructure providers. Supabase and Render host data as processing partners.
- Government and official agencies. Reporting required for legal, regulatory and tax reasons.
No one else. We don't sell data to advertisers, data brokers, or commercial third parties.
International data transfers
Touri is incorporated in Delaware. Our providers (Supabase, Render, PostHog, []) may process data in the US and/or the EU. Where transfers involving EEA/UK residents occur, we use standard contractual clauses (SCCs) to ensure safety.
How long we keep your data
| Data | How long | Why |
|---|---|---|
| Account data | Account duration + 2 years | Resolution of disputes |
| Bookings/Transactions | 7 years | For legal, regulatory and tax compliance |
| Negotiation history | 7 years | Financial integrity |
| Security audit logs | 12 months | Investigations |
| Consent records | Account duration | Proof of consent |
Your rights
You have rights to Access, Correction, and Deletion of your data, subject to legal retention rules.
EU and UK (GDPR)
Rights to restrict processing, to data portability, and to object to processing based on legitimate interests. You can complain to the ICO or your local DPA.
Mexico (LFPDPPP)
Full ARCO rights (Acceso, Rectificación, Cancelación, Oposición). We respond in 20 business days.
California (CCPA / CPRA)
Right to know, delete, and correct. We do not sell or share personal information for advertising purposes.
Children
Touri is not intended for anyone under 18. We do not knowingly collect data from children.
Changes to this policy
Material changes will be notified by email. The "last updated" date reflects the current version.
Contact us
For privacy-related questions or formal data requests:
support@gotouri.com
Go Touri Co., 8 The Green STE B, Dover, DE, 19901, United States