Privacy & Data
Policy

01 Who We Are

TourGuys Live is an on-demand tour booking platform operated by TourGuys Live B.V., a company registered in the Netherlands. Our platform connects tourists with local guides for real-time, location-based tour experiences — primarily via our mobile app and website.

For the purposes of the EU General Data Protection Regulation (GDPR), TourGuys Live B.V. is the data controller of personal data collected through our services.

02 Data We Collect

We collect personal data in different ways depending on whether you use TourGuys Live as a tourist or as a local guide. Below is a full overview of the data we may collect.

2.1 Data you provide directly

• Account information: name, email address, phone number, password (hashed), profile photo.
• Guide profile data: biography, spoken languages, tour specialties, bank account details (via Stripe, for payouts).
• Booking information: tour type selected, number of persons, pickup location, booking date and time.
• Payment information: processed via Stripe. We do not store card numbers. We retain transaction records (amount, date, reference).
• Reviews and ratings: star ratings and written feedback you submit after a tour.
• Chat messages: messages you send through our in-app chat to a guide or tourist.
• Support communications: emails or messages you send to our support team.
• Identity verification (guides only): government-issued ID document, processed via Stripe Identity. We do not store ID documents directly.

2.2 Data we collect automatically

• Location data: your real-time GPS location, used to show nearby guides on the map and to enable live tracking during a tour. Collected only when the app is active and you have granted permission.
• Device information: device type, operating system, app version, unique device identifier, IP address, browser type.
• Usage data: pages and screens visited, buttons tapped, features used, session duration, crash reports.
• Log data: server logs including timestamps, request types, and error logs.

2.3 Data from third parties

• Google / Apple login: if you sign in using Google or Apple, we receive your name and email address from that provider.
• Stripe: we receive confirmation of payment status and guide identity verification results.
• Google Maps: map tiles and location services; Google's own privacy policy applies to their SDK.

03 How We Use Your Data

04 Legal Basis for Processing (GDPR)

Under the GDPR, we must have a legal basis for processing your personal data. Below is an overview of the bases we rely on.

05 Who We Share Your Data With

We only share your personal data with third parties where it is necessary to operate the platform, comply with the law, or where you have given explicit consent. We do not share data for advertising purposes.

5.1 Service Providers (Data Processors)

These companies process data on our behalf under a Data Processing Agreement (DPA):

5.2 Between Users of the Platform

When you make a booking, certain information is shared between tourist and guide to enable the service:

• The tourist's first name and profile photo are shared with the assigned guide.
• The guide's full profile (name, photo, rating, bio) is shown to the tourist browsing or booking.
• Real-time location of both tourist and guide is shared only during an active tour session.
• Chat messages are visible to both parties in the conversation.

5.3 Legal Disclosure

We may disclose personal data if required to do so by law, court order, or competent authority — including the Dutch Autoriteit Persoonsgegevens — or where we believe in good faith that disclosure is necessary to protect our legal rights, prevent fraud, or protect the safety of users.

5.4 Business Transfer

In the event of a merger, acquisition, or sale of TourGuys Live B.V., your personal data may be transferred as part of that transaction. We will notify affected users in advance and ensure the receiving party is bound by equivalent data protection obligations.

06 International Data Transfers

TourGuys Live B.V. is based in the Netherlands and we store your primary data within the European Economic Area (EEA). However, some of our third-party service providers operate from or transfer data to countries outside the EEA, including the United States.

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission, used with providers such as Stripe, Google, Stream, and Firebase.
• Transfers to countries with an EU adequacy decision, where applicable.
• Provider participation in recognised certification schemes (e.g. ISO 27001, SOC 2 Type II).

07 Data Retention

We retain your personal data for as long as your account is active, or as long as necessary to provide our services. Below is our retention schedule by data type.

When you delete your account, we initiate deletion of your personal profile data within 30 days. Certain records (e.g. transaction data) may be retained longer as required by law, but will be isolated from active processing.

08 Your Rights Under GDPR

As a resident of the EEA or the UK, you have the following rights regarding your personal data. You can exercise most of these rights directly in the app (Profile → Settings → Privacy).

• Right of access (Art. 15): Request a copy of all personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your personal data. You can delete your account directly in the app at any time.
• Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON) to transfer to another service.
• Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent: Where processing is based on your consent (e.g. location access, marketing emails), you may withdraw at any time without affecting prior processing.
• Right to lodge a complaint: You may file a complaint with the Dutch Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl.

We will not charge a fee for reasonable requests. We may need to verify your identity before processing your request to protect your data from unauthorised access.

09 Cookies & Tracking Technologies

Our website (tourguys.live) uses cookies. Our mobile app does not use browser cookies, but uses equivalent technologies such as device identifiers and analytics SDKs.

9.1 What are cookies?

Cookies are small text files stored in your browser when you visit a website. They help us remember your preferences, keep you logged in, and understand how you use our site.

9.2 Types of cookies we use

9.3 Managing cookies

You can manage your cookie preferences at any time by clicking "Cookie settings" in the footer of our website. You may also configure your browser to block or delete cookies — note that this may affect certain features of our site.

10 Children's Privacy

TourGuys Live is not intended for use by children under the age of 16. We do not knowingly collect personal data from children.

If you are a parent or guardian and believe that your child has created an account or provided us with personal data without your consent, please contact us at help@tourguys.live and we will delete the relevant data promptly.

For guided tours involving minors, we require the consent and presence of a parent or legal guardian throughout the tour. The adult booking the tour is responsible for ensuring this.

11 Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration.

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
• Encryption at rest: Database records and file storage are encrypted at rest via Supabase (AES-256).
• Password hashing: Passwords are never stored in plain text. We use bcrypt hashing via Supabase Auth.
• Access controls: Only authorised team members have access to production data. Access is role-based and logged.
• Payment security: We never store card numbers. All payment data is handled directly by Stripe, which is PCI DSS Level 1 certified.
• Identity verification: Guide ID documents are processed by Stripe Identity and never stored directly on our servers.
• Incident response: In the event of a data breach affecting your rights and freedoms, we will notify you and the Autoriteit Persoonsgegevens within 72 hours as required by GDPR Art. 33–34.

12 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data processing practices.

When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Send an in-app notification and/or email to all registered users.
• Where required by law, request renewed consent for any new processing activities.

We encourage you to review this policy periodically. Continued use of TourGuys Live after a policy update constitutes acceptance of the updated terms, except where we are required to obtain explicit consent.

Previous versions of this policy are available upon request by contacting info@tourguys.nl.

13 Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or our data practices, please reach out to us through the appropriate channel below.

TourGuys Live B.V.
Registered in the Netherlands
Legal enquiries: info@tourguys.nl
Support: help@tourguys.live