Last Updated: January 2025
This Privacy Policy describes how we collect, use, and protect your personal information when you use our WhatsApp-based tour service.
Information We Collect
Information You Provide
- Phone Number: We collect your WhatsApp phone number to deliver the tour experience and communicate with you.
- Email Address: We collect your email address during purchase for receipt and order confirmation purposes only.
- Access Codes: When you purchase a tour, we generate a unique access code that you provide to access the tour.
Information We Automatically Collect
- Tour Progress: We store your progress through the tour to maintain your session state.
- Order Information: We store order details including purchase date, tour selection, payment amount, and order status.
- Usage Data: We may log technical information such as message timestamps and error logs for service improvement.
How We Use Your Information
- Deliver the Service: Provide the tour experience, track your progress, and send tour-related messages.
- Process Purchases: Generate access codes, send purchase confirmations, and manage your access to purchased tours.
- Order Management: Track orders, process refunds, and maintain records as required by UK law.
- Improve the Service: Analyse usage patterns to improve the tour experience and fix technical issues.
- Security: Protect against fraud, abuse, and unauthorised access.
Data Protection and Security
Phone Number Hashing
For your privacy and GDPR compliance:
- We never store your raw phone number. All phone numbers are hashed using SHA-256 before storage.
- Your phone number is converted to a cryptographic hash that cannot be reversed to reveal your original number.
Data Storage
- Tour Progress: Stored with automatic expiration (24 hours for session state, 30 days for access codes).
- Access Codes: Linked to your hashed phone number and expire after 30 days.
- Order Information: Stored in a secure PostgreSQL database with minimal personal information.
Security Measures
- All data is transmitted over encrypted connections (HTTPS/TLS).
- Access to data is restricted to authorised systems only.
- Database access is protected with row-level security policies.
Data Retention
- Tour Progress: Automatically deleted after 24 hours of inactivity.
- Access Codes: Expire and are deleted after 30 days.
- Order Records: Retained for accounting and tax purposes as required by UK law. Personal information can be anonymised upon request.
Your Rights (GDPR & UK GDPR)
If you are located in the EEA or United Kingdom, you have the following data protection rights:
- Right to Access: Request information about what personal data we hold about you.
- Right to Rectification: Request correction of inaccurate data.
- Right to Erasure: Request deletion/anonymisation of your personal data.
- Right to Data Portability: Request a copy of your data in a portable format.
- Right to Object: Object to processing of your personal data.
How to Exercise Your Rights
You can exercise your GDPR rights through our automated endpoints:
- Export Your Data: Visit /api/gdpr/export?email=your@email.com
- Request Deletion: Visit /api/gdpr/delete?email=your@email.com
- Contact Us: iscatours@gmail.com
Third-Party Services
Stripe
We use Stripe to process payments. Stripe collects and processes your payment information according to their privacy policy. We do not store your full payment card details. Please review Stripe’s Privacy Policy.
Automatic Receipts: Stripe automatically sends payment receipts to the email address you provide during checkout.
Twilio
We use Twilio to deliver WhatsApp messages. Twilio processes your phone number to deliver messages. Please review Twilio’s Privacy Policy.
Redis/Upstash
We use Upstash Redis to store session state and access codes. Data is stored in encrypted form and automatically expires.
Database Storage
All order information is stored in a secure PostgreSQL database. Data is encrypted in transit and at rest, with row-level security enabled.
Children’s Privacy
Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last Updated” date.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
- Email: iscatours@gmail.com
- Jurisdiction: United Kingdom (UK GDPR applies)
Last Updated: 1 May 2026 — This privacy policy is designed to comply with GDPR, UK GDPR, CCPA, and other applicable data protection regulations.