We'll keep this straightforward. Here's what we collect, why we collect it, and what you can do about it. Questions: support@gotouri.com.
Touri is operated by Go Touri Co., incorporated in Delaware, USA ("Touri", "we", "us"). We are the data controller for gotouri.com.
What we collect — and why
We only collect information we actually need to run Touri. Here's what that is:
When you create an account
| Data | Why we collect it |
|---|---|
| Name and email address | To create your account and communicate with you |
| Password (hashed) | To secure your account |
| Country | To tailor currency display and tax handling |
| Language preference | To set your default experience |
| Device type | To optimise how Touri works for you |
| Acquisition details (UTMs, referrer) | To understand which channels bring people to Touri |
| Signup context | To understand where on Touri users sign up |
| Terms acceptance | To record your agreement to our terms |
When you use Touri
| Data | Why we collect it |
|---|---|
| Tours viewed/interacted | To run the discovery experience |
| Offers and pricing | To process negotiations and calculate payouts |
| Bookings | To confirm and manage your bookings |
| Status and cancellations | To process refunds and manage disputes |
| Negotiation history | To calculate accurate payouts |
| Deal stats | To power the stats you see on your profile |
| Confirmation codes (Touri Direct) | To let the guide verify your booking |
For security
We maintain an audit log of security-relevant events: login attempts, email address changes, password reset requests. These records include your IP address and are used solely to detect and investigate security incidents.
For guides (operators) — additionally
| Data | Why we collect it |
|---|---|
| Display name and photo | To show on listings |
| Stripe Connect ID | To process your payouts |
| Licenses, insurance and tax details | Regulatory, legal and tax compliance |
| Account status and invite code | Administration of Touri |
Waitlist — what we collect before you have an account
During our pre-launch period, we operate a traveler waitlist. If you submit your email via the waitlist form, we collect:
| Data | Why we collect it |
|---|---|
| Email address | To contact you when we open to travelers |
| Marketing consent (yes/no) + timestamp | Legal proof of explicit opt-in consent under GDPR |
| Privacy policy version | Records which version of this policy you consented to |
| Source and sign-up context | Analytics — which page or flow you used to join |
| One-way hash of IP address (SHA-256) | Abuse detection only. The raw IP address is never stored. |
We do not collect your name, phone number, or any other information. We have no legal basis to collect it before you're a registered user.
Waitlist data is retained until the earlier of: (a) you unsubscribe, (b) we open to travelers and your account is created, or (c) 12 months from the date we stop operating the waitlist. After that, waitlist entries are deleted within 90 days. You can request deletion at any time by emailing support@gotouri.com or using the unsubscribe link in any email we send you.
Legal basis for processing (GDPR)
If you're in the EU or UK, processing of your data is based on the following:
| Processing activity | Legal basis |
|---|---|
| Running account, bookings, payments | Contract — to provide the service |
| Security audit logs | Legitimate interests — fraud/security |
| Acquisition tracking | Legitimate interests — understanding growth |
| Analytics (PostHog with consent) | Consent — cookie banner opt-in |
| Marketing emails | Consent — opt-in at sign-up |
| Booking alerts and reminders | Contract — delivering the service |
| Waitlist email (pre-launch) | Consent — explicit opt-in checkbox at submission |
| Relaying offer and booking details to guides via WhatsApp (Touri Direct) | Contract — making your booking work |
Analytics
We use a consent-based analytics setup. If you accept at the banner, we track page visits and drop-offs to improve Touri. If you decline, no analytics data is collected. You can change your choice anytime at Cookies & analytics.
We do not use advertising analytics, tracking pixels, or any third-party ad networks. We do not sell or share your data for advertising purposes.
Cookies
We use very few cookies. We need to use these cookies:
| Cookie | Purpose | Duration |
|---|---|---|
sb-access-token | Keeps you logged in (HttpOnly). | Session |
Analytics consent is stored in your browser's localStorage (key touri_consent). We do not set advertising cookies.
Who we share your data with
- Guides. Confirmed booking info shared for coordination only. For Touri Direct tours, your offer and booking details are relayed to the guide over WhatsApp.
- Payment processors. [] handles all payments; we don't store card details. Touri Direct bookings are paid directly to the guide — no payment data flows through Touri or our processor.
- Infrastructure providers. Supabase and Render host data as processing partners. Twilio delivers our WhatsApp messages to guides for Touri Direct tours (offer and booking details, your confirmation code).
- Government and official agencies. Reporting required for legal, regulatory and tax reasons.
No one else. We don't sell data to advertisers, data brokers, or commercial third parties.
Touri Direct bookings
For Touri Direct tours, payment happens directly between you and the guide — so we never receive, process, or store any payment information for these bookings, and we don't record whether or when you paid.
To make the booking work, we relay your offer and booking details (tour, date, group size, agreed price, and your confirmation code) to the guide over WhatsApp, delivered via Twilio, and we show you the guide's WhatsApp number. When you message the guide on WhatsApp, that conversation happens on WhatsApp under Meta's terms — you're sharing your own phone number with the guide directly, outside Touri.
International data transfers
Touri is incorporated in Delaware. Our providers (Supabase, Render, PostHog, Twilio, []) may process data in the US and/or the EU. Where transfers involving EEA/UK residents occur, we use standard contractual clauses (SCCs) to ensure safety.
How long we keep your data
| Data | How long | Why |
|---|---|---|
| Account data | Account duration + 2 years | Resolution of disputes |
| Bookings/Transactions | 7 years | For legal, regulatory and tax compliance |
| Negotiation history | 7 years | Financial integrity |
| Security audit logs | 12 months | Investigations |
| Consent records | Account duration | Proof of consent |
Your rights
You have rights to Access, Correction, and Deletion of your data, subject to legal retention rules.
EU and UK (GDPR)
Rights to restrict processing, portability, and to object to legitimate interests processing. Complain to the ICO or your local DPA.
Mexico (LFPDPPP)
Full ARCO rights (Acceso, Rectificación, Cancelación, Oposición). We respond in 20 business days.
California (CCPA / CPRA)
Right to know, delete, and correct. We do not sell or share personal information for advertising purposes.
Children
Touri is not intended for anyone under 18. We do not knowingly collect data from children.
Changes to this policy
Material changes will be notified by email. The "last updated" date reflects the current version.
Contact us
For privacy-related questions or formal data requests:
support@gotouri.com
Go Touri Co., 8 The Green STE B, Dover, DE, 19901, United States