Privacy Policy
Last updated on: 09 April 2023
1. Scope
Toury is committed to respecting Users’/ Creators’/ Job Applicants’/ Partners’/ Investors’/ Prospects’/ Website Visitors’ (jointly named hereinafter as the “Data Subjects”) privacy and protecting their Personal data. In this sense, the aim of this Privacy Policy is to inform Data Subjects about Toury’s processing activities as per GDPR and the Local Regulation requirements.
This Privacy Policy provides information on the processing of personal data of Data Subjects who contact us via the contact form available on our website, in accordance with the General Data Protection Regulation ("GDPR"). This Privacy Policy notice describes: how Toury collects and processes the personal data, the different stakeholders involved in this processing as well as our Data Subjects rights with regard to their data.
We recommend that both all stakeholders involved in the processing as well as Data Subjects read it carefully and on a frequent basis to fully understand this along with our privacy overview, which highlights key points about our current privacy practices.
Due to the constant evolution of Toury’s activities, this Privacy Policy may be subject to change or updates in the future. Use of our Platform after this Privacy Policy has been updated shall be deemed to constitute consent by Data Subjects, whether located in the EU or outside the EU, to the updated or modified Privacy Policy to the extent permitted by local law. Toury will notify the Data Subjects in advance in case of substantial changes and modifications to the Privacy Policy by e-mail or through any other means that ensures its receipt.
Toury will in no event modify its policies or practices to make them less effective in the protection of its Data Subjects personal data.If our Data Subjects have any doubt concerning this Privacy Policy or want to obtain more information on it, they can contact our DPO at any time to this email address: hello@touryapp.com.
2. What are your personal data rights?
- The right of access to your personal data to know which data is being processed and the processing operations carried out thereon;
- The right to correct any inaccuracies in relation to your personal data;
- The right to the erasure of your personal data, where possible; by sending us a data erasure request.
- The right to request the restriction of processing of your personal data when the accuracy, legality or need for processing of the data is in question, in which case we may retain the data for the purpose of filing or defending claims.
- The right to object to the processing of your data in order to resolve any query you may have raised with us through the contact form (website: touryapp.com>>Contact us or in the App: Profile>>Contact us) and the right to object to the processing of your data on social media and/or for the purpose of processing your CV.
- If you are the User, and you don’t want to receive any marketing communications, you have the right to unsubscribe to any marketing communication, by sending an e-mail or by using the link provided for this purpose in every commercial communication.
Please note that disabling Push notifications will also prevent you from receiving notifications about the status of any order.
If you have any questions, you can write to us at hello@touryapp.com.
If you believe that Toury is in breach of data protection law:
If believe that Toury is in breach of data protection law, do not hesitate to contact us at the e-mail: hello@touryapp.com. You may also report it to the Spanish Data Protection Agency (Agencia Española de Protección de Datos) and file a claim with the said body for the protection of your rights.
Please take into account that there may be some situations where the above rights could not be exercised or effectively executed by Toury, for example when asking us to erase all your personal data where there is contractual relationship with us.
Notifications and Modifications:
Due to the constant evolution of Toury’s activities, this Privacy Policy, the Cookie Policy and the Terms of Use are also subject to change. Toury will send all Users/ Creators / Job Applicants/ Partners/ Investors/ Prospects/ Website Visitors notifications about substantial changes and modifications to such documents by email or through any other method that ensures their receipt.
In any case, Toury will in no event modify its policies or practices to make them less effective in the protection of our customers’ previously stored personal data.
In the event of discrepancies between the translations and the Spanish version of this document, the Spanish version will prevail.
3. Who is a Data Controller of your data?
The Data Controller of your Personal Data in relation with the use of the Toury Platform and of the other Forms is Toury.
4. Useful information if you are a USER:
4.1 What are the data processing purposes and the legitimate basis of the processing?
Toury will process your the personal data for the following purposes:
1. For legal purposes.
2. For contractual purposes.
3. For security purposes.
4. For statistics and research purposes.
5. For marketing and commercial purposes.
6. For non-marketing purposes.
Legal purposes
Toury processes your personal data for:
i) detect and investigate fraud and possible crimes committed against our Platform and all the users,
ii) comply with the legislation in case any legal regulations oblige us to keep your data for a defined period of time (please check Annex I on data retention),
iii) manage and execute your request(s) to exercise the rights established in the GDPR and local regulations,
iv) file, submit and defend legal actions against Toury,
v) in any of the cases above-mentioned, Toury shall be entitled to use any data obtained from you or arisen from your activity through our Platform for the purpose of filing and/or defending any claims and/or legal actions that may be necessary, and to manage any incidents arising in connection with User’s orders.
These processing operations are carried out under our legitimate interest in detecting, investigating and preventing fraud, and to comply with all the legal obligations that Toury and the User may be subjected to, relating to any applicable law (such as Consumer law, GDPR, etc.).
Contractual purposes
Toury processes your personal data for:
i) grant you the possibility to create your own account, provide you with the services you have requested and any additional features on the Platform,
ii) locate the nearest available tours and the assossicated points of each of them (which may involve using geolocation services, if you agreed to them when asked to by the Platform, as described above),
iii) perform payment processing and collection on behalf of you,
iv) assist you in your decisions and use of the service, including the possibility to suggest you tours. Additionally, we could assist you in your decisions through automatically determined filters by the historical order you have placed in the past, providing in each case specific contents in the Platform tailored for you, v) send you the receipt corresponding to your Orders,
vi) provide you with a customer service to manage any incident related to your Orders and being able to answer your questions or consultations,
vii) notify you concerning changes or updates to our services, terms and conditions, privacy policy, cookies policy and any other corporate document that may affect you in a substantial way.
Security purposes
Toury processes your personal data for:
i) use device, location (including geolocation data, if you agreed to), profile, usage, and other data to prevent and detect malicious or unsafe activities (e.g. payment fraud, identity fraud, account hacking, phishing, incentive abuses). In particular, Toury uses your device's IP address to detect fraudulent activity on your device and to keep the platform away from attackers who may try to access your account by impersonating you;
ii) monitor all actions that could cause fraud or in the commission of a criminal offence related to the payment method employed by you; if any irregularities are detected, Toury reserves the right to retain the data provided and share it with the competent Authorities in order to carry out the relevant investigation,The above processing’s are out under Toury’s legitimate interest in ensuring that our platform is secure, and the interest and rights of our Users are protected.
iii) make sure that you follow the legal requirements related to specific products you may order through the Platform (e.g. legal age for alcoholic beverages).
For statistics and research purposes
Toury processes your statistics based on your Personal data for:
i) analyse trends, purchase behaviour and characteristics,
ii) understand how you use our Platform,
iii) manage and improve the services offered, including the possibility of adding new or different features and services to improve the quality of the services.
Marketing and commercial purposes
Toury processes your personal data for:
i) carry out marketing, communications, research and development activities,
ii) analyse and research how to improve our services both offline and on the Platform, by using the data provided by you (such as in focus groups, reviews, valuations of the services, satisfaction survey, feedback or any kind, etc.),
iii) create custom audiences with Facebook or other providers to reach out to you or other people with similar characteristics, who might be interested in using Toury services; you can manage your privacy in your Facebook or other third party platform settings,
iv) use as commercial or marketing material published by you on your social networks profiles when Toury has been expressly mentioned by you (i.e. via hashtag or @).
We may personalize the marketing communications by using the User activity in our App (including your past orders) and the interaction with the App, online advertising, previous emails, promotions, etc. However, this personalisation is not made only by automated means, nor have any legal effect or affect the User similarly.
Toury may use Push services on the User’s mobile device to provide marketing communications. If the User does not want to receive these marketing communications, he / she shall unsubscribe in the notifications centre. Please note that disabling Push notifications will also prevent the User from receiving notifications about the status of any order.
Non-marketing purposes
Toury processes your personal data for:
i) generate and provide you with receipts from each of your Orders placed through our App,
ii) inform you about any incident on the Platform or the operation of the services, including incidents related to your orders. This information can be sent by e-mail or SMS messages, and any other messaging application, that may be used by you and Toury at any moment,
iii) inform you about any changes to our Terms and Conditions, privacy policy, cookies policy, services, and more generally to inform you about any relevant non-marketing communications.
iv) process incidents and claims with insurance companies in the event you report the occurrence of any damages or unforeseen events that may be covered by Toury’s insurance policy.
4.2 What kind of data do we hold about you and how is your personal data collected?
Toury holds the following data about you:
1. Information supplied directly by you:
1.1. Registration Data: the information provided by you when you create an account on the Toury Platform: username and e-mail.
1.2. User Profile Information: the information added by you on the Platform in order to be able to use Toury's service, e.g.. your mobile phone number and delivery address. You can view and edit the personal data on your profile whenever you wish.
1.3. Payment information: payment information when processing your orders; card data will be processed by our electronic payment service providers, who will receive the data directly from you. Toury will have access to this information only for complying with the request of any competent authority, Toury offers its users to store the payment information or card details. In this case, the card details are tokenized (converted in a unique code). This token is usable in the Toury platform, allowing Toury to facilitate the use of the platform by preventing the introduction of the card details each time you want to perform a payment and provide additional security, as the details of the card are never stored in our systems. You can erase this token at any moment in your profile area.
1.4. Additional information: any information that you could supply to Toury for other purposes, e.g. your photograph or the billing address in the case if you have asked to receive invoices from Toury.
1.5. Information about previous communications with Toury: information supplied by you for the resolution of any queries or complaints about the use of the platform, whether through the contact form (website: touryapp.com>>Contact us or in the App: >>Contact us), or by e-mail.
1.6. Information regarding any accidents: information of any of the parties involved in the provision of services through the Platform for the purpose of making insurance claims or carrying out any other actions with the insurance companies contracted by Toury.
1.7. Information of conversations held with Toury: Transcription and recording of conversations for the processing of incidents, queries or other consultations that may be made to guarantee and improve the quality of our services and for security reasons.
1.8. Information on Communications: communications exchanged, to comply with any request made by authorities. Toury will never access the communications if it is not strictly necessary and will always ensure the privacy of its users and the confidentiality of all information exchanged on its platform.
1.9. Any additional information that you provide in your requests, comments or questions.
- Information indirectly supplied by Users:
2.1. Data arising from the Use of the Platform: Toury collects the data arising from your Use of the Platform every time you interact with the Platform.
2.2. Data on the application and the device: Toury stores data on the device and the Application used by you to access the services:
i) the IP address used by you to connect to the Internet using your computer or mobile phone, and to prevent fraudulent misappropriation or unauthorized access to your account by third parties,
ii) information about your computer or mobile phone, such as your Internet connection, browser type, version and operating system, and type of device,
iii) the full uniform resource locator (URL) Clickstream (the information related with your navigation through our website or the Application, links followed, etc.), including date and time,
iv) data from your account: information on the orders made by you, as well as feedback and/or comments made by you,
v) your browsing history and preferences.
2.3. Data arising from the User’s origin: if you arrive at the Toury Platform through an external source (such as a link from another website or a social network, as long as you have authorised it on those websites), Toury collects data on the source from which you arrived.
2.4. Data resulting from the management of incidents: if you contact the Toury Platform through the Contact Form(website: touryapp.com>>Contact us or in the App: >>Contact us), Toury will collect the messages received in the format used by you and may use and store them to manage current or future incidents.
2.5. Data arising from “cookies”: Toury uses its own and third-party cookies to facilitate browsing by its users and for statistical purposes, among others (please refer to the Cookie Policy for more details).
2.6. Geolocation Data: provided that you have authorised this, Toury will collect data relating to your location, including the real-time geographic location of your computer or mobile device.
2.7. Data resulting from external third parties:
i) Toury collects personal data or information from external third parties only if you authorise such third parties to share that information with Toury. For example, if you create an account through your Facebook or Google account, these platforms could disclose to us your personal data that can be found on your Facebook/Google profile (such as name, gender or age).
ii) If you choose to send messages to us from social media networks (including Twitter, Facebook and Whatsapp), we will collect that information you provide to us for the purposes set out in this privacy policy, including responding to your inquiry, providing you with customer support and resolving issues.
4.3. What are the recipients of your data and why are we communicating it?
Toury warrants that all commercial partners, technicians, suppliers or independent third parties are bound by contractually binding promises to process the information shared with them in accordance with Toury’s indications, this Privacy Policy and the applicable data protection legislation.
We will not disclose your personal data to any third party who does not act under our instructions and no communication will involve selling, renting, sharing or in any other way revealing customers’ personal information for commercial purposes in breach of the commitments made in this Privacy Policy.
When carrying out an order, data may be shared with:
- The Customer Care Services contracted by Toury for the purpose of warning you of any possible incidents or asking why negative feedback has been given; data will be used to manage any incidents that may occur during the provision of the services.
- The payment Platform and payment service providers so that the amount can be charged to your account.
- Telecommunications service providers, when they are used to send communications regarding orders or incidents relating to orders.
- Providers rendering satisfaction survey services on Toury’s behalf.
Sharing your data with third parties:
To continue providing the services offered through the Platform, Toury may share your certain personal data with:
- Payment Service Providers: When you enter your card number on the App, this is stored directly by the Payment Platforms contracted by Toury, which allows payment to be charged to your account. Payment service providers have been chosen based on their security measures and in any event complying with the security measures stipulated in the payment service legislation, and they are PCI Compliant under the Payment Card Industry Data Security Standard or PCI DSS. Toury does not store such data in any event.
- Service providers for fraud control purposes: Toury will share your data with fraud control service providers to assess the risk of the transactions carried out.
- Service providers for the anonymisation of some data: In order to prevent the misuse of your data by third-party service providers, your data may be being anonymised so that it can be used solely for the provision of the service. For example, Toury may assign your telephone numbers to third parties in order to anonymise them and provide them in this format to the providers used to carry out the services contracted by you.
- Security companies and Law Enforcement Forces and Agencies: Toury may disclose personal data on its customers’ accounts if such disclosure is necessary to comply with the law, to enforce or apply the “Terms of Use'' or to protect Toury’s, its users’ or third parties’ rights, property or safety. It includes the exchange of information with other companies (for example, Toury uses Google's reCAPTCHA Enterprise service to protect users from cyber attacks or threats to their accounts) and organisations and with Law Enforcement Forces and Agencies to protect against fraud and reduce credit risk.
- Call centre and incident management services: In order to provide a Customer Service and call centres, actions to measure your degree of satisfaction and the provision of administrative support services, your data may be disclosed to companies located outside the European Economic Area.
- Telecommunications services: In order to be able to provide you with telephone contact services, Toury may contact telecommunications companies that provide secure lines and systems for the purpose of contacting you.
- Social media connected by Users: If you connect your Toury account to other social media or to a third-party platform, Toury may use the information provided to such social media or third party in compliance with the privacy policy of the social media or third-party platform in question.
- Third parties associated with Toury for the purposes of commercial communications: Toury may transfer your personal data to third parties associated with Toury, provided that you have given your express informed and unequivocal consent to such transfer of data and that you are aware of the purpose and recipient of such transfer.
- Changes of ownership: If Toury’s ownership changes or the majority of its assets are acquired by a third party, you are informed that Toury will transfer your data to the acquiring organisations to continue to provide the services subject to the processing of data.
As Toury keeps growing continuously, we may buy or sell business units, assets, shares or legal entities, so data subjects’ information may also be transferred. That information, when acquired by Toury, shall be processed as any other information as described in our privacy policy. You acknowledge that such transfer may occur and that we will be allowed to use your personal information for any of the purposes described in this Privacy Policy. The new file controller will inform Users of its identification data. Toury states that it will comply with its duty of information and it shall inform Users of the change of file controller if and when this happens. This processing shall be carried out under the contract entered into with Toury.
- Insurance companies: Toury may provide your data to those insurers and insurance brokers it collaborates with, for the management and processing of claims and losses arising from the activity carried out by Toury and the parties that collaborate with it.
Your data will not be disclosed to any third parties unless:
i) this is necessary to provide the services requested if Toury is collaborating with third parties;
ii) if Toury has your express and unambiguous authorisation;
iii) where this has been requested by a competent authority pursuant to its functions (in order to investigate, prevent or take action in relation to illegal actions);
iv) finally, where required by law.
4.4 How long will we keep your data?
Toury shall retain your data for the duration of the contractual relationship and, after this has come to an end, for the period established by law for filing or defending the appropriate legal actions. This is established at a maximum of fifteen (15) years in order to comply with Toury’s legal obligations – which include the duty to assist the security forces as necessary in the investigation and prosecution of crimes pursuant to the higher interest of public safety – and defend itself or take any action in relation to criminal, tax and social security matters.
The said period may be shorter depending on the legal provision applicable to each purpose of data processing, as established in the table of retention periods set forth in Annex I.
5. Useful information if you are a WEB VISITOR:
5.1 What are the data processing purposes and the legitimate basis of the processing?
Toury will process your personal data for the following purposes:
i) follow up your comments left on Toury Website or our Blog. This may include, depending on your consent, the notification of new comments on the article commented by you, and the information on new entries on the blog or our website.
ii) provide you with the answer regarding your request.
5.2 What kind of data do we hold about you and how is your personal data collected?
Toury holds the following data about you:
- Information supplied directly by you:
1.1. Registration Data: the information provided by you when you request for information relating to our products and/or services.
1.2. Any additional information that you provide in your requests, comments or questions.
1.3. Data derived from cookies: TOURY uses its own and third party cookies to facilitate navigation for its users and for statistical purposes (see Cookies Policy).
11.3 How long will we keep your data?
Toury shall retain your data while it is necessary to provide you with the relevant answer to any question you may ask and, after this has come to an end, for the period established by law for filing or defending the appropriate legal actions. The said period may vary depending on the legal provision applicable to each purpose of data processing, as established in the table of retention periods set forth in Annex I.
Any comment you may post on our articles published on Toury Website and/or Blog may be kept indefinitely while the post is still published.
6. Do we proceed to international transfer of data?
When choosing service providers, Toury may transfer your data outside the borders of the European Economic Area, for example to the United States. In such cases, Toury will ensure before sending the data, that such service providers are in compliance with the standard clauses and minimum security standards established by the European Commission and that they always process the data in accordance with Toury’s instructions.
Basis and instructions regarding the international transfer
Toury may have a contractual relationship with service providers under which they agree to comply with Toury’s instructions and put in place the necessary security measures to protect your data.
Where Toury is compelled to carry out further processing by EU law or the law of the EU Member States to which it is subject, it shall inform the service provider of such legal requirements prior to the processing.
Toury may subsequently change, supplement or replace the instructions initially given to the service provider by means of individual instructions and is entitled to issue appropriate instructions at any time. This includes, among other things, instructions regarding the correction, deletion and prohibition of data. All instructions issued shall be documented by both Toury and the service provider. Requirements directed to service providers
Service providers may only collect, process or use data pursuant to a master contract and in accordance with Toury’s instructions. This applies in particular to the transfer of personal data to a third country or an international organizations.
External service providers are required to inform Toury if they consider that an instruction issued by Toury, is in contravention of the data protection legislation. Furthermore, service providers are entitled to suspend the execution of the instruction concerned until its confirmation or modification by Toury, and they have a duty to refuse to carry out any instructions that are clearly illegal.
7. What security measures have been adopted?
Toury has taken the necessary steps recommended by the European Commission and the competent authority to maintain the required security level, according to the nature of the personal data processed and the circumstances of the processing, in order to avoid, to the extent possible and always in accordance with the state of the art, its alteration, loss or unauthorised access or processing. As mentioned above, the personal data supplied will not be disclosed to third parties without the data subject’s prior authorisation.
8. Definitions
For the purpose of this document:
- “Data Controller” shall mean: the entity in charge of determining the purposes and means of the processing of personal data
- “Data Processor” shall mean: the entity in charge of processing personal data on behalf of the controller
- “GDPR” shall mean: General Data Protection Regulation ((EU) 2016/679)
- “Contributors(s)” also referred to as “Creators(s)” shall mean: the independent professionals in charge of providing the user with the tours, by uploading it to the Platform.
- “Investor(s)” shall mean: anyone who shows interest in committing capital with the expectation of receiving financial returns
- “Job Applicant” shall mean: anyone who applies for a Job on Toury's website or App
- “Local regulation” shall mean: the data protection regulation applicable to your country
- “Order(s)” shall mean: tour(s) requested by the User through the Toury Platform
- “Personal data” shall mean: any information which directly relates to User(s), Creators(s), Job Applicant(s), Partner(s), Investor(s), Prospect(s), Website Visitor(s) or that may allow their identification
- “Platform” shall mean: both and indifferently the Toury website and Application
- “App” shall mean: the word “App” is used interchangeably with the word “Platform” , both words means the same: both and indifferently the Toury website and Application
- “Processing of personal data” also referred to as “Data activity(ies)” shall mean: any activity performed on or with your Personal data, such as collecting, organising, accessing, holding, storing, disclosing, adapting, destroying, erasing or using the Data in any way
- “Profiling” is the process of construction and application of user profiles generated by computerised data analysis also understandable as the use of algorithms or other mathematical techniques that allow the discovery of patterns or correlations in large quantities of data, aggregated in databases
- “Prospects” shall mean: anyone who leaves their data on Toury’s forms to receive information about Toury’s services“User(s)” shall mean: anyone who registers on Toury 's website or App
- “Website Visitor(s)” shall mean: anyone who browses Toury website, leaves comments in relation to Toury’s publications or asks any questions through the website.
- “Data Subject”: any natural person from whom data is collected or processed by Toury; in essence, the User(s), the Agent(s), the Job Applicant(s), the Partner(s), the Investor(s), the Potential Client(s), the Website Visitor(s).
ANNEX I - GENERAL RETENTION PERIODS
DATA PROTECTION (3 years. Legal ref. Spanish Organic Data Protection Law (LOPD))
- Very serious infringements: after 3 years,
- Serious infringements: after 2 years,
- Minor infringements: after 1 year
PERSONAL CIVIL ACTIONS (5 years. Legal ref. Article 1962 of the Spanish Civil Code (Código Civil))
Personal actions of any kind without a specific limitation period established from the moment when the obligation becomes enforceable, taking into account that, in the case of ongoing positive or negative obligations, the period will start running again every time they are infringed.
ACCOUNTING AND TAX DOCUMENTATION
For commercial purposes (6 years. Legal ref. Art. 30 of the Royal Decree of 22 August 1885 publishing the Civil Code): books, correspondence, documentation and supporting documents relating to their business, duly ordered, from the last entry in the books, save as may be established by general or special provisions. This commercial obligation applies to both compulsory books (income, expenses, investment goods and provisions), and the documentation and documentary evidence of the entries contained in the books (invoices issued and received, vouchers, amendment invoices, bank documents, etc.).
For tax purposes (4 years. Legal ref. Section 3 (Limitation Periods), Arts. 66 to 70 of Law 58/2003 of 17 December 2003, the General Taxation Law (Ley General Tributaria): accounting books and other compulsory record books pursuant to the applicable tax legislation (personal income tax, VAT, corporation tax, etc.), as well as documentary evidence justifying the entries in the books (including software and computer files and any other documentary evidence that is relevant for tax purposes) must be retained at least for the period during which the tax authorities are entitled to verify and investigate and, therefore, assess and inform of, the tax owed.
INFORMATION RELEVANT FOR CRIMINAL ACTIONS (10 to 15 years. Legal ref. Article 131 of the Organic Law 10/1995, of 23 November 1995, publishing the Spanish Criminal Code (Código Penal)).
Any information and documentation that may be relevant for the prosecution or defence of criminal proceedings relating to the criminal liability of legal persons.
This may include invoices, payment receipts, claims or complaints, delivery routes with geolocation, tax documentation and, in general, any other information from any data subject that may be useful to defend Toury’s legal interests.
USERS (3 years. Legal ref. Article 123.4 of Royal Legislative Decree 1/2007 of 16 November 2007 approving the consolidated text of the General User and Consumer Defence Law (Ley General para la Defensa de los Consumidores y Usuarios) and other additional laws).
Claims to enforce performance of the service as a result of non-conformity with the contract are subject to a limitation period of three years after the delivery of the product
MONEY LAUNDERING (10 years. Legal ref. Article 25 of Law 10/2010 of 28 April 2010 on the prevention of money laundering and the financing of terrorism (Ley de prevención del blanqueo de capitales y de la financiación del terrorismo).).
Documents formalising compliance with the obligations provided by law.
1. Scope
Toury is committed to respecting Users’/ Creators’/ Job Applicants’/ Partners’/ Investors’/ Prospects’/ Website Visitors’ (jointly named hereinafter as the “Data Subjects”) privacy and protecting their Personal data. In this sense, the aim of this Privacy Policy is to inform Data Subjects about Toury’s processing activities as per GDPR and the Local Regulation requirements.
This Privacy Policy provides information on the processing of personal data of Data Subjects who contact us via the contact form available on our website, in accordance with the General Data Protection Regulation ("GDPR"). This Privacy Policy notice describes: how Toury collects and processes the personal data, the different stakeholders involved in this processing as well as our Data Subjects rights with regard to their data.
We recommend that both all stakeholders involved in the processing as well as Data Subjects read it carefully and on a frequent basis to fully understand this along with our privacy overview, which highlights key points about our current privacy practices.
Due to the constant evolution of Toury’s activities, this Privacy Policy may be subject to change or updates in the future. Use of our Platform after this Privacy Policy has been updated shall be deemed to constitute consent by Data Subjects, whether located in the EU or outside the EU, to the updated or modified Privacy Policy to the extent permitted by local law. Toury will notify the Data Subjects in advance in case of substantial changes and modifications to the Privacy Policy by e-mail or through any other means that ensures its receipt.
Toury will in no event modify its policies or practices to make them less effective in the protection of its Data Subjects personal data.If our Data Subjects have any doubt concerning this Privacy Policy or want to obtain more information on it, they can contact our DPO at any time to this email address: hello@touryapp.com.
2. What are your personal data rights?
- The right of access to your personal data to know which data is being processed and the processing operations carried out thereon;
- The right to correct any inaccuracies in relation to your personal data;
- The right to the erasure of your personal data, where possible; by sending us a data erasure request.
- The right to request the restriction of processing of your personal data when the accuracy, legality or need for processing of the data is in question, in which case we may retain the data for the purpose of filing or defending claims.
- The right to object to the processing of your data in order to resolve any query you may have raised with us through the contact form (website: touryapp.com>>Contact us or in the App: Profile>>Contact us) and the right to object to the processing of your data on social media and/or for the purpose of processing your CV.
- If you are the User, and you don’t want to receive any marketing communications, you have the right to unsubscribe to any marketing communication, by sending an e-mail or by using the link provided for this purpose in every commercial communication.
Please note that disabling Push notifications will also prevent you from receiving notifications about the status of any order.
If you have any questions, you can write to us at hello@touryapp.com.
If you believe that Toury is in breach of data protection law:
If believe that Toury is in breach of data protection law, do not hesitate to contact us at the e-mail: hello@touryapp.com. You may also report it to the Spanish Data Protection Agency (Agencia Española de Protección de Datos) and file a claim with the said body for the protection of your rights.
Please take into account that there may be some situations where the above rights could not be exercised or effectively executed by Toury, for example when asking us to erase all your personal data where there is contractual relationship with us.
Notifications and Modifications:
Due to the constant evolution of Toury’s activities, this Privacy Policy, the Cookie Policy and the Terms of Use are also subject to change. Toury will send all Users/ Creators / Job Applicants/ Partners/ Investors/ Prospects/ Website Visitors notifications about substantial changes and modifications to such documents by email or through any other method that ensures their receipt.
In any case, Toury will in no event modify its policies or practices to make them less effective in the protection of our customers’ previously stored personal data.
In the event of discrepancies between the translations and the Spanish version of this document, the Spanish version will prevail.
3. Who is a Data Controller of your data?
The Data Controller of your Personal Data in relation with the use of the Toury Platform and of the other Forms is Toury.
4. Useful information if you are a USER:
4.1 What are the data processing purposes and the legitimate basis of the processing?
Toury will process your the personal data for the following purposes:
1. For legal purposes.
2. For contractual purposes.
3. For security purposes.
4. For statistics and research purposes.
5. For marketing and commercial purposes.
6. For non-marketing purposes.
Legal purposes
Toury processes your personal data for:
i) detect and investigate fraud and possible crimes committed against our Platform and all the users,
ii) comply with the legislation in case any legal regulations oblige us to keep your data for a defined period of time (please check Annex I on data retention),
iii) manage and execute your request(s) to exercise the rights established in the GDPR and local regulations,
iv) file, submit and defend legal actions against Toury,
v) in any of the cases above-mentioned, Toury shall be entitled to use any data obtained from you or arisen from your activity through our Platform for the purpose of filing and/or defending any claims and/or legal actions that may be necessary, and to manage any incidents arising in connection with User’s orders.
These processing operations are carried out under our legitimate interest in detecting, investigating and preventing fraud, and to comply with all the legal obligations that Toury and the User may be subjected to, relating to any applicable law (such as Consumer law, GDPR, etc.).
Contractual purposes
Toury processes your personal data for:
i) grant you the possibility to create your own account, provide you with the services you have requested and any additional features on the Platform,
ii) locate the nearest available tours and the assossicated points of each of them (which may involve using geolocation services, if you agreed to them when asked to by the Platform, as described above),
iii) perform payment processing and collection on behalf of you,
iv) assist you in your decisions and use of the service, including the possibility to suggest you tours. Additionally, we could assist you in your decisions through automatically determined filters by the historical order you have placed in the past, providing in each case specific contents in the Platform tailored for you, v) send you the receipt corresponding to your Orders,
vi) provide you with a customer service to manage any incident related to your Orders and being able to answer your questions or consultations,
vii) notify you concerning changes or updates to our services, terms and conditions, privacy policy, cookies policy and any other corporate document that may affect you in a substantial way.
Security purposes
Toury processes your personal data for:
i) use device, location (including geolocation data, if you agreed to), profile, usage, and other data to prevent and detect malicious or unsafe activities (e.g. payment fraud, identity fraud, account hacking, phishing, incentive abuses). In particular, Toury uses your device's IP address to detect fraudulent activity on your device and to keep the platform away from attackers who may try to access your account by impersonating you;
ii) monitor all actions that could cause fraud or in the commission of a criminal offence related to the payment method employed by you; if any irregularities are detected, Toury reserves the right to retain the data provided and share it with the competent Authorities in order to carry out the relevant investigation,The above processing’s are out under Toury’s legitimate interest in ensuring that our platform is secure, and the interest and rights of our Users are protected.
iii) make sure that you follow the legal requirements related to specific products you may order through the Platform (e.g. legal age for alcoholic beverages).
For statistics and research purposes
Toury processes your statistics based on your Personal data for:
i) analyse trends, purchase behaviour and characteristics,
ii) understand how you use our Platform,
iii) manage and improve the services offered, including the possibility of adding new or different features and services to improve the quality of the services.
Marketing and commercial purposes
Toury processes your personal data for:
i) carry out marketing, communications, research and development activities,
ii) analyse and research how to improve our services both offline and on the Platform, by using the data provided by you (such as in focus groups, reviews, valuations of the services, satisfaction survey, feedback or any kind, etc.),
iii) create custom audiences with Facebook or other providers to reach out to you or other people with similar characteristics, who might be interested in using Toury services; you can manage your privacy in your Facebook or other third party platform settings,
iv) use as commercial or marketing material published by you on your social networks profiles when Toury has been expressly mentioned by you (i.e. via hashtag or @).
We may personalize the marketing communications by using the User activity in our App (including your past orders) and the interaction with the App, online advertising, previous emails, promotions, etc. However, this personalisation is not made only by automated means, nor have any legal effect or affect the User similarly.
Toury may use Push services on the User’s mobile device to provide marketing communications. If the User does not want to receive these marketing communications, he / she shall unsubscribe in the notifications centre. Please note that disabling Push notifications will also prevent the User from receiving notifications about the status of any order.
Non-marketing purposes
Toury processes your personal data for:
i) generate and provide you with receipts from each of your Orders placed through our App,
ii) inform you about any incident on the Platform or the operation of the services, including incidents related to your orders. This information can be sent by e-mail or SMS messages, and any other messaging application, that may be used by you and Toury at any moment,
iii) inform you about any changes to our Terms and Conditions, privacy policy, cookies policy, services, and more generally to inform you about any relevant non-marketing communications.
iv) process incidents and claims with insurance companies in the event you report the occurrence of any damages or unforeseen events that may be covered by Toury’s insurance policy.
4.2 What kind of data do we hold about you and how is your personal data collected?
Toury holds the following data about you:
1. Information supplied directly by you:
1.1. Registration Data: the information provided by you when you create an account on the Toury Platform: username and e-mail.
1.2. User Profile Information: the information added by you on the Platform in order to be able to use Toury's service, e.g.. your mobile phone number and delivery address. You can view and edit the personal data on your profile whenever you wish.
1.3. Payment information: payment information when processing your orders; card data will be processed by our electronic payment service providers, who will receive the data directly from you. Toury will have access to this information only for complying with the request of any competent authority, Toury offers its users to store the payment information or card details. In this case, the card details are tokenized (converted in a unique code). This token is usable in the Toury platform, allowing Toury to facilitate the use of the platform by preventing the introduction of the card details each time you want to perform a payment and provide additional security, as the details of the card are never stored in our systems. You can erase this token at any moment in your profile area.
1.4. Additional information: any information that you could supply to Toury for other purposes, e.g. your photograph or the billing address in the case if you have asked to receive invoices from Toury.
1.5. Information about previous communications with Toury: information supplied by you for the resolution of any queries or complaints about the use of the platform, whether through the contact form (website: touryapp.com>>Contact us or in the App: >>Contact us), or by e-mail.
1.6. Information regarding any accidents: information of any of the parties involved in the provision of services through the Platform for the purpose of making insurance claims or carrying out any other actions with the insurance companies contracted by Toury.
1.7. Information of conversations held with Toury: Transcription and recording of conversations for the processing of incidents, queries or other consultations that may be made to guarantee and improve the quality of our services and for security reasons.
1.8. Information on Communications: communications exchanged, to comply with any request made by authorities. Toury will never access the communications if it is not strictly necessary and will always ensure the privacy of its users and the confidentiality of all information exchanged on its platform.
1.9. Any additional information that you provide in your requests, comments or questions.
- Information indirectly supplied by Users:
2.1. Data arising from the Use of the Platform: Toury collects the data arising from your Use of the Platform every time you interact with the Platform.
2.2. Data on the application and the device: Toury stores data on the device and the Application used by you to access the services:
i) the IP address used by you to connect to the Internet using your computer or mobile phone, and to prevent fraudulent misappropriation or unauthorized access to your account by third parties,
ii) information about your computer or mobile phone, such as your Internet connection, browser type, version and operating system, and type of device,
iii) the full uniform resource locator (URL) Clickstream (the information related with your navigation through our website or the Application, links followed, etc.), including date and time,
iv) data from your account: information on the orders made by you, as well as feedback and/or comments made by you,
v) your browsing history and preferences.
2.3. Data arising from the User’s origin: if you arrive at the Toury Platform through an external source (such as a link from another website or a social network, as long as you have authorised it on those websites), Toury collects data on the source from which you arrived.
2.4. Data resulting from the management of incidents: if you contact the Toury Platform through the Contact Form(website: touryapp.com>>Contact us or in the App: >>Contact us), Toury will collect the messages received in the format used by you and may use and store them to manage current or future incidents.
2.5. Data arising from “cookies”: Toury uses its own and third-party cookies to facilitate browsing by its users and for statistical purposes, among others (please refer to the Cookie Policy for more details).
2.6. Geolocation Data: provided that you have authorised this, Toury will collect data relating to your location, including the real-time geographic location of your computer or mobile device.
2.7. Data resulting from external third parties:
i) Toury collects personal data or information from external third parties only if you authorise such third parties to share that information with Toury. For example, if you create an account through your Facebook or Google account, these platforms could disclose to us your personal data that can be found on your Facebook/Google profile (such as name, gender or age).
ii) If you choose to send messages to us from social media networks (including Twitter, Facebook and Whatsapp), we will collect that information you provide to us for the purposes set out in this privacy policy, including responding to your inquiry, providing you with customer support and resolving issues.
4.3. What are the recipients of your data and why are we communicating it?
Toury warrants that all commercial partners, technicians, suppliers or independent third parties are bound by contractually binding promises to process the information shared with them in accordance with Toury’s indications, this Privacy Policy and the applicable data protection legislation.
We will not disclose your personal data to any third party who does not act under our instructions and no communication will involve selling, renting, sharing or in any other way revealing customers’ personal information for commercial purposes in breach of the commitments made in this Privacy Policy.
When carrying out an order, data may be shared with:
- The Customer Care Services contracted by Toury for the purpose of warning you of any possible incidents or asking why negative feedback has been given; data will be used to manage any incidents that may occur during the provision of the services.
- The payment Platform and payment service providers so that the amount can be charged to your account.
- Telecommunications service providers, when they are used to send communications regarding orders or incidents relating to orders.
- Providers rendering satisfaction survey services on Toury’s behalf.
Sharing your data with third parties:
To continue providing the services offered through the Platform, Toury may share your certain personal data with:
- Payment Service Providers: When you enter your card number on the App, this is stored directly by the Payment Platforms contracted by Toury, which allows payment to be charged to your account. Payment service providers have been chosen based on their security measures and in any event complying with the security measures stipulated in the payment service legislation, and they are PCI Compliant under the Payment Card Industry Data Security Standard or PCI DSS. Toury does not store such data in any event.
- Service providers for fraud control purposes: Toury will share your data with fraud control service providers to assess the risk of the transactions carried out.
- Service providers for the anonymisation of some data: In order to prevent the misuse of your data by third-party service providers, your data may be being anonymised so that it can be used solely for the provision of the service. For example, Toury may assign your telephone numbers to third parties in order to anonymise them and provide them in this format to the providers used to carry out the services contracted by you.
- Security companies and Law Enforcement Forces and Agencies: Toury may disclose personal data on its customers’ accounts if such disclosure is necessary to comply with the law, to enforce or apply the “Terms of Use'' or to protect Toury’s, its users’ or third parties’ rights, property or safety. It includes the exchange of information with other companies (for example, Toury uses Google's reCAPTCHA Enterprise service to protect users from cyber attacks or threats to their accounts) and organisations and with Law Enforcement Forces and Agencies to protect against fraud and reduce credit risk.
- Call centre and incident management services: In order to provide a Customer Service and call centres, actions to measure your degree of satisfaction and the provision of administrative support services, your data may be disclosed to companies located outside the European Economic Area.
- Telecommunications services: In order to be able to provide you with telephone contact services, Toury may contact telecommunications companies that provide secure lines and systems for the purpose of contacting you.
- Social media connected by Users: If you connect your Toury account to other social media or to a third-party platform, Toury may use the information provided to such social media or third party in compliance with the privacy policy of the social media or third-party platform in question.
- Third parties associated with Toury for the purposes of commercial communications: Toury may transfer your personal data to third parties associated with Toury, provided that you have given your express informed and unequivocal consent to such transfer of data and that you are aware of the purpose and recipient of such transfer.
- Changes of ownership: If Toury’s ownership changes or the majority of its assets are acquired by a third party, you are informed that Toury will transfer your data to the acquiring organisations to continue to provide the services subject to the processing of data.
As Toury keeps growing continuously, we may buy or sell business units, assets, shares or legal entities, so data subjects’ information may also be transferred. That information, when acquired by Toury, shall be processed as any other information as described in our privacy policy. You acknowledge that such transfer may occur and that we will be allowed to use your personal information for any of the purposes described in this Privacy Policy. The new file controller will inform Users of its identification data. Toury states that it will comply with its duty of information and it shall inform Users of the change of file controller if and when this happens. This processing shall be carried out under the contract entered into with Toury.
- Insurance companies: Toury may provide your data to those insurers and insurance brokers it collaborates with, for the management and processing of claims and losses arising from the activity carried out by Toury and the parties that collaborate with it.
Your data will not be disclosed to any third parties unless:
i) this is necessary to provide the services requested if Toury is collaborating with third parties;
ii) if Toury has your express and unambiguous authorisation;
iii) where this has been requested by a competent authority pursuant to its functions (in order to investigate, prevent or take action in relation to illegal actions);
iv) finally, where required by law.
4.4 How long will we keep your data?
Toury shall retain your data for the duration of the contractual relationship and, after this has come to an end, for the period established by law for filing or defending the appropriate legal actions. This is established at a maximum of fifteen (15) years in order to comply with Toury’s legal obligations – which include the duty to assist the security forces as necessary in the investigation and prosecution of crimes pursuant to the higher interest of public safety – and defend itself or take any action in relation to criminal, tax and social security matters.
The said period may be shorter depending on the legal provision applicable to each purpose of data processing, as established in the table of retention periods set forth in Annex I.
5. Useful information if you are a WEB VISITOR:
5.1 What are the data processing purposes and the legitimate basis of the processing?
Toury will process your personal data for the following purposes:
i) follow up your comments left on Toury Website or our Blog. This may include, depending on your consent, the notification of new comments on the article commented by you, and the information on new entries on the blog or our website.
ii) provide you with the answer regarding your request.
5.2 What kind of data do we hold about you and how is your personal data collected?
Toury holds the following data about you:
- Information supplied directly by you:
1.1. Registration Data: the information provided by you when you request for information relating to our products and/or services.
1.2. Any additional information that you provide in your requests, comments or questions.
1.3. Data derived from cookies: TOURY uses its own and third party cookies to facilitate navigation for its users and for statistical purposes (see Cookies Policy).
11.3 How long will we keep your data?
Toury shall retain your data while it is necessary to provide you with the relevant answer to any question you may ask and, after this has come to an end, for the period established by law for filing or defending the appropriate legal actions. The said period may vary depending on the legal provision applicable to each purpose of data processing, as established in the table of retention periods set forth in Annex I.
Any comment you may post on our articles published on Toury Website and/or Blog may be kept indefinitely while the post is still published.
6. Do we proceed to international transfer of data?
When choosing service providers, Toury may transfer your data outside the borders of the European Economic Area, for example to the United States. In such cases, Toury will ensure before sending the data, that such service providers are in compliance with the standard clauses and minimum security standards established by the European Commission and that they always process the data in accordance with Toury’s instructions.
Basis and instructions regarding the international transfer
Toury may have a contractual relationship with service providers under which they agree to comply with Toury’s instructions and put in place the necessary security measures to protect your data.
Where Toury is compelled to carry out further processing by EU law or the law of the EU Member States to which it is subject, it shall inform the service provider of such legal requirements prior to the processing.
Toury may subsequently change, supplement or replace the instructions initially given to the service provider by means of individual instructions and is entitled to issue appropriate instructions at any time. This includes, among other things, instructions regarding the correction, deletion and prohibition of data. All instructions issued shall be documented by both Toury and the service provider. Requirements directed to service providers
Service providers may only collect, process or use data pursuant to a master contract and in accordance with Toury’s instructions. This applies in particular to the transfer of personal data to a third country or an international organizations.
External service providers are required to inform Toury if they consider that an instruction issued by Toury, is in contravention of the data protection legislation. Furthermore, service providers are entitled to suspend the execution of the instruction concerned until its confirmation or modification by Toury, and they have a duty to refuse to carry out any instructions that are clearly illegal.
7. What security measures have been adopted?
Toury has taken the necessary steps recommended by the European Commission and the competent authority to maintain the required security level, according to the nature of the personal data processed and the circumstances of the processing, in order to avoid, to the extent possible and always in accordance with the state of the art, its alteration, loss or unauthorised access or processing. As mentioned above, the personal data supplied will not be disclosed to third parties without the data subject’s prior authorisation.
8. Definitions
For the purpose of this document:
- “Data Controller” shall mean: the entity in charge of determining the purposes and means of the processing of personal data
- “Data Processor” shall mean: the entity in charge of processing personal data on behalf of the controller
- “GDPR” shall mean: General Data Protection Regulation ((EU) 2016/679)
- “Contributors(s)” also referred to as “Creators(s)” shall mean: the independent professionals in charge of providing the user with the tours, by uploading it to the Platform.
- “Investor(s)” shall mean: anyone who shows interest in committing capital with the expectation of receiving financial returns
- “Job Applicant” shall mean: anyone who applies for a Job on Toury's website or App
- “Local regulation” shall mean: the data protection regulation applicable to your country
- “Order(s)” shall mean: tour(s) requested by the User through the Toury Platform
- “Personal data” shall mean: any information which directly relates to User(s), Creators(s), Job Applicant(s), Partner(s), Investor(s), Prospect(s), Website Visitor(s) or that may allow their identification
- “Platform” shall mean: both and indifferently the Toury website and Application
- “App” shall mean: the word “App” is used interchangeably with the word “Platform” , both words means the same: both and indifferently the Toury website and Application
- “Processing of personal data” also referred to as “Data activity(ies)” shall mean: any activity performed on or with your Personal data, such as collecting, organising, accessing, holding, storing, disclosing, adapting, destroying, erasing or using the Data in any way
- “Profiling” is the process of construction and application of user profiles generated by computerised data analysis also understandable as the use of algorithms or other mathematical techniques that allow the discovery of patterns or correlations in large quantities of data, aggregated in databases
- “Prospects” shall mean: anyone who leaves their data on Toury’s forms to receive information about Toury’s services“User(s)” shall mean: anyone who registers on Toury 's website or App
- “Website Visitor(s)” shall mean: anyone who browses Toury website, leaves comments in relation to Toury’s publications or asks any questions through the website.
- “Data Subject”: any natural person from whom data is collected or processed by Toury; in essence, the User(s), the Agent(s), the Job Applicant(s), the Partner(s), the Investor(s), the Potential Client(s), the Website Visitor(s).
ANNEX I - GENERAL RETENTION PERIODS
DATA PROTECTION (3 years. Legal ref. Spanish Organic Data Protection Law (LOPD))
- Very serious infringements: after 3 years,
- Serious infringements: after 2 years,
- Minor infringements: after 1 year
PERSONAL CIVIL ACTIONS (5 years. Legal ref. Article 1962 of the Spanish Civil Code (Código Civil))
Personal actions of any kind without a specific limitation period established from the moment when the obligation becomes enforceable, taking into account that, in the case of ongoing positive or negative obligations, the period will start running again every time they are infringed.
ACCOUNTING AND TAX DOCUMENTATION
For commercial purposes (6 years. Legal ref. Art. 30 of the Royal Decree of 22 August 1885 publishing the Civil Code): books, correspondence, documentation and supporting documents relating to their business, duly ordered, from the last entry in the books, save as may be established by general or special provisions. This commercial obligation applies to both compulsory books (income, expenses, investment goods and provisions), and the documentation and documentary evidence of the entries contained in the books (invoices issued and received, vouchers, amendment invoices, bank documents, etc.).
For tax purposes (4 years. Legal ref. Section 3 (Limitation Periods), Arts. 66 to 70 of Law 58/2003 of 17 December 2003, the General Taxation Law (Ley General Tributaria): accounting books and other compulsory record books pursuant to the applicable tax legislation (personal income tax, VAT, corporation tax, etc.), as well as documentary evidence justifying the entries in the books (including software and computer files and any other documentary evidence that is relevant for tax purposes) must be retained at least for the period during which the tax authorities are entitled to verify and investigate and, therefore, assess and inform of, the tax owed.
INFORMATION RELEVANT FOR CRIMINAL ACTIONS (10 to 15 years. Legal ref. Article 131 of the Organic Law 10/1995, of 23 November 1995, publishing the Spanish Criminal Code (Código Penal)).
Any information and documentation that may be relevant for the prosecution or defence of criminal proceedings relating to the criminal liability of legal persons.
This may include invoices, payment receipts, claims or complaints, delivery routes with geolocation, tax documentation and, in general, any other information from any data subject that may be useful to defend Toury’s legal interests.
USERS (3 years. Legal ref. Article 123.4 of Royal Legislative Decree 1/2007 of 16 November 2007 approving the consolidated text of the General User and Consumer Defence Law (Ley General para la Defensa de los Consumidores y Usuarios) and other additional laws).
Claims to enforce performance of the service as a result of non-conformity with the contract are subject to a limitation period of three years after the delivery of the product
MONEY LAUNDERING (10 years. Legal ref. Article 25 of Law 10/2010 of 28 April 2010 on the prevention of money laundering and the financing of terrorism (Ley de prevención del blanqueo de capitales y de la financiación del terrorismo).).
Documents formalising compliance with the obligations provided by law.