Privacy Policy

This Privacy Notice for Tourli ("we," "us," or "our"), describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

Tourli is a travel planning application that helps you discover places, create itineraries, and plan trips using AI-powered recommendations. We offer our Services through our website and mobile apps on iOS and Android.

• Visit our website at tourli.com or any website of ours that links to this Privacy Notice
• Download and use our mobile application (Tourli) on iOS or Android, or any other application of ours that links to this Privacy Notice
• Use our travel planning, itinerary creation, place discovery, or AI-powered recommendation features
• Purchase subscriptions or creator content through our Services
• Engage with us in other related ways, including any marketing or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at conrad@conradru.com.

Summary of Key Points

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.

Do we process any sensitive personal information? We do not process sensitive personal information.

Do we collect any information from third parties? We do not collect any information from third parties.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

In what situations and with which parties do we share personal information? We may share information in specific situations and with specific third parties.

How do we keep your information safe? We have adequate organizational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information.

How do you exercise your rights? The easiest way to exercise your rights is by visiting tourli.com/contact, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.

Table of Contents

1. What Information Do We Collect?
2. How Do We Process Your Information?
3. What Legal Bases Do We Rely On?
4. When And With Whom Do We Share Your Personal Information?
5. Do We Use Cookies And Other Tracking Technologies?
6. Do We Offer Artificial Intelligence-Based Products?
7. How Do We Handle Your Social Logins?
8. International Data Transfers
9. How Long Do We Keep Your Information?
10. How Do We Keep Your Information Safe?
11. Do We Collect Information From Minors?
12. What Are Your Privacy Rights?
13. Controls For Do-Not-Track Features
14. Do United States Residents Have Specific Privacy Rights?
15. Do Other Regions Have Specific Privacy Rights?
16. Do We Make Updates To This Notice?
17. How Can You Contact Us About This Notice?
18. How Can You Review, Update, Or Delete The Data We Collect?

1. What Information Do We Collect?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

• Names
• Email addresses
• Phone numbers
• Contact preferences
• Travel preferences and interests
• Trip and itinerary data
• Saved places and locations

Sensitive Information. We do not process sensitive information.

Payment Data. We may collect data necessary to process your payment if you choose to make purchases, such as your payment instrument number, and the security code associated with your payment instrument. All payment data is handled and stored by Stripe. You may find their privacy notice here: https://stripe.com/gb/privacy.

Social Login Data. We provide you with the option to register and log in using your Google account or Apple account. If you choose to register in this way, we will collect certain profile information about you from the authentication provider, as described in the section called "How Do We Handle Your Social Logins?" below.

Application Data. If you use our application(s), we also may collect the following information if you choose to provide us with access or permission:

• Mobile Device Data. We automatically collect device information (such as your mobile device ID, model, and manufacturer), operating system, version information and system configuration information, device and application identification numbers, browser type and version, hardware model Internet service provider and/or mobile carrier, and Internet Protocol (IP) address (or proxy server).
• Push Notifications. We may request to send you push notifications regarding your account or certain features of the application(s). If you wish to opt out from receiving these types of communications, you may turn them off in your device's settings.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information.

The information we collect includes:

• Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files.
• Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Services.
• Location Data. We collect location data such as information about your device's location, which can be either precise or imprecise. You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device.

Google API. We use Google Maps Platform APIs (including Google Maps API and Places API) to provide location-based services, place information, and mapping features within our Services. Our use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

2. How Do We Process Your Information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

• To facilitate account creation and authentication and otherwise manage user accounts.
• To deliver and facilitate delivery of services to the user.
• To respond to user inquiries/offer support to users.
• To send administrative information to you.
• To fulfill and manage your orders, including subscriptions and creator content purchases.
• To provide AI-powered travel recommendations, including trip planning suggestions, itinerary generation, and place recommendations via our third-party AI service providers.
• To request feedback.
• To send you marketing and promotional communications. You can opt out of our marketing emails at any time.
• To deliver targeted advertising to you.
• To protect our Services.
• To monitor and improve service reliability using error tracking and crash reporting tools.
• To identify usage trends using product analytics to understand how users interact with our Services and improve them.
• To determine the effectiveness of our marketing and promotional campaigns.
• To save or protect an individual's vital interest.

3. What Legal Bases Do We Rely On To Process Your Information?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law.

If you are located in the EU or UK

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases:

• Consent. We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time.
• Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you.
• Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests.
• Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations.
• Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party.

If you are located in Canada

We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.

4. When And With Whom Do We Share Your Personal Information?

In Short: We may share information in specific situations described in this section and/or with the following third parties.

We may need to share your personal information in the following situations:

• Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
• When we use Google Maps Platform APIs. We may share your information with certain Google Maps Platform APIs (e.g., Google Maps API, Places API).
• Creator Marketplace. When you purchase content from third-party creators on our platform, we share necessary transaction information with the creator and our payment processor (Stripe) to facilitate the purchase.

Third-Party Service Providers

We use the following third-party service providers to operate and improve our Services. Your information may be shared with these providers as necessary:

• Supabase — Database hosting and user authentication. supabase.com/privacy
• Stripe / Stripe Connect — Payment processing for subscriptions and creator marketplace purchases. stripe.com/gb/privacy
• OpenAI — AI-powered trip planning and recommendations. openai.com/policies/privacy-policy
• Anthropic (Claude) — AI-powered trip planning and recommendations. anthropic.com/privacy
• Google Cloud AI (Gemini) — AI-powered trip planning and recommendations. cloud.google.com/terms/cloud-privacy-notice
• Google Maps Platform — Place data, maps, and location services. policies.google.com/privacy
• Sentry — Error tracking and crash reporting to maintain service reliability. sentry.io/privacy
• PostHog — Product analytics to understand usage patterns and improve our Services. posthog.com/privacy
• Google Sign-In — Authentication provider. policies.google.com/privacy
• Apple Sign-In — Authentication provider. apple.com/legal/privacy

5. Do We Use Cookies And Other Tracking Technologies?

In Short: We may use cookies and other tracking technologies to collect and store your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.

We also permit third parties and service providers to use online tracking technologies on our Services for analytics and advertising, including to help manage and display advertisements, to tailor advertisements to your interests, or to send abandoned shopping cart reminders.

We use PostHog for product analytics to understand how users interact with our Services and to identify areas for improvement. We use Sentry for error tracking and crash reporting to maintain the reliability and performance of our Services. Both services may collect technical information such as your IP address, browser type, device information, and usage patterns.

6. Do We Offer Artificial Intelligence-Based Products?

In Short: We offer products, features, or tools powered by artificial intelligence, machine learning, or similar technologies.

As part of our Services, we offer products, features, or tools powered by artificial intelligence, machine learning, or similar technologies (collectively, "AI Products"). These tools are designed to enhance your experience and provide you with innovative solutions.

Use of AI Technologies

We provide the AI Products through third-party service providers ("AI Service Providers"), including OpenAI, Anthropic and Google Cloud AI. As outlined in this Privacy Notice, your input, output, and personal information will be shared with and processed by these AI Service Providers to enable your use of our AI Products. You must not use the AI Products in any way that violates the terms or policies of any AI Service Provider.

Our AI Products

Our AI Products are designed for the following functions:

• Trip planning suggestions and personalised itinerary generation
• Place discovery and recommendations based on your preferences
• Travel information summarisation and research assistance

What Data Is Shared with AI Providers

When you use our AI-powered features, we may send the following information to our AI Service Providers: your travel preferences, destination details, dates, and any other information you provide as part of your trip planning queries. We do not send your account credentials, payment information, or other sensitive personal data to AI Service Providers.

All personal information processed using our AI Products is handled in line with this Privacy Notice and our agreements with third-party AI Service Providers.

7. How Do We Handle Your Social Logins?

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your Google account or Apple account. Where you choose to do this, we will receive certain profile information about you from the authentication provider.

• Google Sign-In: We typically receive your name, email address, and profile picture.
• Apple Sign-In: We typically receive your name and email address. Apple allows you to hide your real email address using a private relay address.

We will use the information we receive only for the purposes that are described in this Privacy Notice or that are otherwise made clear to you on the relevant Services. We do not access your contacts, friends list, or other social data through these sign-in methods.

8. International Data Transfers

In Short: We are based in the United Kingdom but use service providers located in the United States and other countries. Your personal information may be transferred to and processed in countries other than your own.

Tourli is based in the United Kingdom. However, many of our third-party service providers, including our AI providers (OpenAI, Anthropic, Google), database hosting (Supabase), payment processing (Stripe), error tracking (Sentry), and product analytics (PostHog), are based in or process data in the United States.

When we transfer your personal information outside of the UK or European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses and the UK's International Data Transfer Agreement (IDTA) where applicable for transfers to countries that have not received an adequacy decision.
• EU-US Data Privacy Framework: Where our US-based providers are certified under the EU-US Data Privacy Framework, we rely on this certification as a valid transfer mechanism.
• Adequacy decisions: Where the European Commission or UK government has determined that a country provides an adequate level of data protection, we rely on that decision.

By using our Services, you acknowledge that your personal information may be processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your country. We take steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it.

If you have questions about our international data transfers or the safeguards we have in place, please contact us at conrad@conradru.com.

9. How Long Do We Keep Your Information?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this notice will require us keeping your personal information for longer than the period of time in which users have an account with us.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

10. How Do We Keep Your Information Safe?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.

11. Do We Collect Information From Minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly collect, solicit data from, or market to children under 18 years of age or the equivalent age as specified by law in your jurisdiction, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services.

If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at conrad@conradru.com.

12. What Are Your Privacy Rights?

In Short: Depending on your state of residence in the US or in some regions, such as the European Economic Area (EEA), United Kingdom (UK), Switzerland, and Canada, you have rights that allow you greater access to and control over your personal information.

In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; (iv) if applicable, to data portability; and (v) not to be subject to automated decision-making.

Withdrawing your consent: If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us.

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can:

• Log in to your account settings and update your user account.
• Contact us using the contact information provided.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

13. Controls For Do-Not-Track Features

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

14. Do United States Residents Have Specific Privacy Rights?

In Short: If you are a resident of certain US states, you may have the right to request access to and receive details about the personal information we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal information.

We may sell or share personal information to third parties for purposes such as advertising or marketing. If you are a US resident and would like to opt out of the use or sharing of your personal information for these purposes, you may do so by contacting us.

Categories of Personal Information We Collect

We have collected the following categories of personal information in the past twelve (12) months:

• Identifiers (contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name)
• Personal information as defined in the California Customer Records statute
• Protected classification characteristics under state or federal law
• Commercial information (transaction information, purchase history, financial details, and payment information)
• Internet or other similar network activity
• Geolocation data (device location)
• Audio, electronic, sensory, or similar information
• Professional or employment-related information
• Inferences drawn from collected personal information

Your Rights

You have rights under certain US state data protection laws. These rights may include:

• Right to know whether or not we are processing your personal data
• Right to access your personal data
• Right to correct inaccuracies in your personal data
• Right to request the deletion of your personal data
• Right to obtain a copy of the personal data you previously shared with us
• Right to non-discrimination for exercising your rights
• Right to opt out of the processing of your personal data for targeted advertising, sales, or profiling

15. Do Other Regions Have Specific Privacy Rights?

In Short: You may have additional rights based on the country you reside in.

Australia and New Zealand

We collect and process your personal information under the obligations and conditions set by Australia's Privacy Act 1988 and New Zealand's Privacy Act 2020 (Privacy Act).

Republic of South Africa

At any time, you have the right to request access to or correction of your personal information. You can make such a request by contacting us.

16. Do We Make Updates To This Notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Revised" date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

17. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may email us at conrad@conradru.com or contact us by post at:

18. How Can You Review, Update, Or Delete The Data We Collect From You?

Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information.

To request to review, update, or delete your personal information, please visit: tourli.com/contact