Privacy Policy
1. Who we are
Touristy is operated by Markovate Inc., a Canadian corporation registered in Ontario. Contact: hello@touristy.ai. Postal: 60 Atlantic Avenue, Suite 200, Toronto, ON M6K 1X9, Canada.
2. What we collect
Account data: email address, optional username, your IP at signup, login timestamps.
Trip content: documents you upload, trip JSON you create, chat messages you send to the AI assistant. This content is private to you and the members of your travel groups.
Payment data: we store a Stripe Customer ID and subscription metadata. We never store card numbers; Stripe holds those under their PCI compliance scope.
Telemetry: aggregate visit counts via Cloudflare Web Analytics (no cookies, no cross-site identity, no IPs retained).
3. What we do not collect
No advertising trackers, no third-party fingerprinters, no purchase or location data outside what you upload to your own trips. We do not sell, rent, or trade your data.
4. How we use it
To run the Service (document classification, itinerary generation, AI chat); to process payments (via Stripe); to send operational email (magic-link logins, family invites, payment receipts, refund confirmations); to respond to support inquiries.
5. Subprocessors
We share data with these third parties to operate the Service. Each is bound by their own privacy policy and applicable data-protection agreements. The current list lives at /legal/subprocessors. We will update that page and notify subscribed users at least 30 days before adding any new subprocessor.
6. Data retention
Active accounts: retained as long as your account is active.
After deletion request: a 30-day soft-delete window allows recovery; after 30 days, account and trip content are permanently erased.
Billing records: retained 7 years to comply with Canadian Revenue Agency record-keeping requirements.
7. Your rights
Subject to applicable law, you have the right to access, correct, export, and delete your personal data. Email hello@touristy.ai with the words "Data request" and we'll respond within 30 days.
Canada (PIPEDA): You may also escalate complaints to the Office of the Privacy Commissioner of Canada (priv.gc.ca).
EU/UK (GDPR): You have the right to lodge a complaint with your supervisory authority.
California (CCPA/CPRA): You may request a copy of personal information collected in the past 12 months and request deletion. We do not "sell" personal information as defined under CCPA.
8. International transfers
Your data may be processed in the United States (Stripe, Anthropic, Cloudflare, Google), Canada (Markovate Inc., Hostinger Canadian region), and other regions where our subprocessors operate. We rely on Standard Contractual Clauses, adequacy decisions, or other valid transfer mechanisms as applicable.
9. Security
We use TLS for all network traffic, encryption at rest for the database, magic-link authentication (no passwords), and least-privilege access controls. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.
10. Children
The Service is not directed at children under 13 (or under 16 in the EEA/UK). We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. Material changes are notified by email at least 14 days before the effective date. Continued use after the effective date constitutes acceptance.
12. Contact
Privacy questions and data requests: hello@touristy.ai