TourMate
Legal

Privacy Policy

Last updated: 11/06/2026

1. Introduction

TourMate SAS ("TourMate", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your personal data when you use our mobile application ("the App") and website. We operate in full compliance with the General Data Protection Regulation (GDPR) and the French Data Protection Act.

2. Data We Collect

We collect and process the following categories of personal data depending on your role (Guide or Client) and your use of the App:

2.1 Account Data

  • Email address — used for authentication and account recovery;
  • Name / display name — shown to trip participants;
  • Profile photo — optional, visible to other trip members;
  • User role — whether you register as a Guide or a Client.

2.2 Trip Data (created by Guides)

  • Trip details — destination, dates, itinerary, stops, points of interest, scheduled activities;
  • Maps and routes — geolocation data you choose to share within a trip;
  • Documents and photos — tickets, confirmations, images, and files uploaded to a trip.

2.3 Communication Data

  • Chat messages — text, images, and media exchanged within trip chats;
  • Notifications — push tokens and in-app notification preferences.

2.4 Location Data

  • GPS coordinates — only collected when you explicitly enable location sharing for a trip. You can revoke this permission at any time in your device settings.

2.5 Payment Data

  • If premium features become available, payments are processed by secure third-party providers (e.g., Stripe). TourMate does not store your credit card or banking details.

2.6 Technical Data

  • Device information — device type, operating system, unique device identifiers;
  • Log data — IP address, timestamps, crash logs, usage analytics;
  • Cookies — essential cookies on the website and optional analytics cookies (see Section 10).

3. How We Use Your Data

Your data is used for the following purposes:

  • Providing the service — creating accounts, managing trips, sharing itineraries, enabling chat;
  • Communication — delivering trip updates, notifications, and chat messages;
  • Security — detecting fraud, abuse, or unauthorized access;
  • Improving the App — analysing usage patterns to fix bugs and develop new features;
  • Legal compliance — fulfilling tax, accounting, or regulatory obligations.

4. Legal Basis for Processing

Under GDPR, we rely on the following legal bases:

  • Performance of a contract — processing necessary to deliver TourMate services;
  • Consent — for location sharing, marketing communications, and optional analytics cookies;
  • Legitimate interests — fraud prevention, network security, service improvement;
  • Legal obligation — tax records, financial audits, or lawful requests from authorities.

5. Data Retention

We retain your data only as long as necessary for the purposes described:

  • Account data — kept while your account is active; deleted within 30 days after account deletion, unless legal obligations require longer retention;
  • Trip data — stored for the duration of the trip plus 1 year, after which it is permanently deleted (unless you delete the trip earlier);
  • Chat messages — retained for the trip duration plus 6 months, then deleted;
  • Technical logs — retained for up to 12 months;
  • Backups — encrypted backups are purged within 90 days of data deletion.

6. Data Sharing & Third Parties

We do not sell your data. We only share data in the following limited circumstances:

  • Within a trip — your name, profile photo, messages, and shared trip content are visible to other members of trips you join or create;
  • Service providers — trusted technical providers who help us operate the App:
    • Firebase / Google Cloud (hosting, authentication, database);
    • Cloud messaging services (push notifications);
    • Analytics providers (anonymous usage data only).
  • Legal requirements — if required by law, court order, or to protect our rights and safety.

All third-party providers are bound by data processing agreements (DPAs) and comply with GDPR.

7. Data Security

We implement industry-standard security measures:

  • Encryption in transit — all data transmitted between the App and our servers uses TLS 1.3;
  • Encryption at rest — databases and backups are encrypted using AES-256;
  • Secure authentication — OAuth 2.0 and Firebase Authentication with password hashing;
  • Access controls — role-based permissions restrict data access to authorized personnel only;
  • Regular audits — security assessments and penetration testing are conducted periodically.

8. International Data Transfers

Our primary servers are located in the European Union (EU). Some third-party services (e.g., Firebase) may process data in the United States under the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs) approved by the European Commission. We ensure all international transfers have adequate safeguards in place.

9. Your Rights (GDPR)

As a data subject, you have the following rights:

  • Right to access — request a copy of the personal data we hold about you;
  • Right to rectification — correct inaccurate or incomplete data;
  • Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention requirements;
  • Right to restrict processing — limit how we use your data in certain circumstances;
  • Right to data portability — receive your data in a structured, machine-readable format;
  • Right to object — object to processing based on legitimate interests or direct marketing;
  • Right to withdraw consent — revoke consent for optional processing (e.g., location sharing) at any time;
  • Right to lodge a complaint — file a complaint with a data protection authority (see Section 13).

To exercise any of these rights, contact us at privacy@tourmate.fr. We will respond within 30 days. We may ask you to verify your identity before processing your request.

10. Cookies & Tracking Technologies

The tourmate.fr website uses the following cookies:

  • Essential cookies — required for the website to function (e.g., security, session management);
  • Analytics cookies — help us understand how visitors interact with the site (e.g., Google Analytics, Plausible). These are only set with your consent;
  • Preference cookies — remember your language or display preferences.

You can manage cookie preferences through the cookie banner on our website or via your browser settings.

11. Children's Privacy

TourMate is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data without parental consent, please contact us at privacy@tourmate.fr and we will delete the information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via the App or email at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact & Data Protection Officer

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection Officer (DPO):

  • Email: privacy@tourmate.fr
  • Postal address: TourMate SAS, DPO, Paris, France

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority:

https://www.cnil.fr

14. Data Processing Agreement for Guides (B2B)

If you are a professional tour guide or travel agency using TourMate to manage client trips, you act as a data controller for your clients' personal data (e.g., names, contact details, trip preferences) that you upload or share through the App. TourMate acts as a data processor for this data. By using the App, you agree that:

  • you have obtained lawful consent from your clients to process their data within TourMate;
  • you will only use the App for legitimate trip management purposes;
  • you will notify your clients of their rights regarding their personal data;
  • TourMate provides technical tools (data export, trip deletion) to help you comply with your own GDPR obligations.

For a formal Data Processing Agreement (DPA), please contact us at privacy@tourmate.fr.

Summary: We collect only what we need, keep it secure, never sell it, and give you full control over your data. If you have any doubts, just email us — we are here to help.