Privacy policy

Tours.ba is a marketplace for travel experiences in Bosnia and Herzegovina. You book on Tours.ba, and a named local operator delivers your day. This policy explains how we collect, use, share, and protect your personal data, and the choices you have.

GDPR and UK GDPR

Plain‑English summary

Your rights explained

Cookie controls

Marketplace transparency

1. Who is responsible for your data

  • Controller: [Company legal name], trading as Tours.ba, [registered office address]
  • Contact: privacy@tours.ba
  • EU representative (if required): [Name, address]
  • UK representative (if required): [Name, address]
  • Data Protection Officer (if appointed): [Name], dpo@tours.ba

We follow the EU GDPR and UK GDPR. If local consumer or privacy laws give you stronger rights, we honour those.

2. What data we collect

We collect only what we need to run the marketplace and support your trip.

You give us

  • Account details: name, email, phone
  • Booking details: participants, dates, language choice, pickup notes
  • Payment details: last four digits and token from our payments provider
  • Messages: emails, chat with support, review text and photos
  • Access or dietary notes you choose to share for a safer or more comfortable day

We collect automatically

  • Device and log data: IP address, browser, pages viewed, approximate location
  • Cookies and similar technologies: see the Cookie policy for full list and controls

We receive from others

  • Operators: booking status, meeting updates, attendance, incident reports if any
  • Payments provider: payment status, fraud signals
  • Analytics and anti‑fraud tools: risk scores to keep the platform safe

We do not need special category data. If you share access needs that reveal health information, we use them only to support your booking.

3. Why we use your data and the legal bases

Purpose

Examples

Legal basis

Provide the service

Create your account, process bookings, send confirmations

Contract

Safety and support

Share meeting details with the Operator, handle changes and incidents

Contract, legitimate interests, vital interests in emergencies

Payments and refunds

Take payment, issue refunds, prevent fraud

Contract, legitimate interests, legal obligation

Service improvement

Fix errors, measure site performance

Legitimate interests

Marketing

Send newsletters if you opt in, show on‑site recommendations

Consent for email, legitimate interests for on‑site suggestions

Legal compliance

Keep records, handle disputes, respond to lawful requests

Legal obligation

You can withdraw consent at any time. This does not affect processing done before withdrawal.

4. Who sees your data

We share only what is necessary.

  • Operators: name, booking details, contact phone if needed for the meeting point, access notes you choose to share
  • Payments provider: card token, billing details, refund amounts
  • Technology partners: secure hosting, analytics, error tracking, email delivery
  • Support tools: our helpdesk platform to manage your request
  • Public authorities: where the law requires it, or to protect safety

We do not sell personal data.

5. Where your data goes

Our servers and partners may be in the EEA, the UK, and other countries. When we transfer data, we use approved safeguards such as Standard Contractual Clauses, UK IDTA or Addendum, and partner audits. You can ask for a copy of relevant safeguards.

6. How long we keep your data

We keep data only as long as needed.

  • Account data: while your account is active, then up to 24 months for queries
  • Booking records and invoices: up to 7 years to meet tax and accounting rules
  • Support tickets: up to 3 years after closure
  • Reviews and photos: until you delete them or ask us to remove them
  • Cookie data: see lifetimes in the Cookie policy

When retention ends, we delete or anonymise the data.

7. Your rights

Depending on your location, you may have the right to:

  • Access a copy of your data
  • Correct inaccurate data
  • Delete your data
  • Restrict or object to processing
  • Move your data to another service
  • Withdraw consent for marketing
  • Complain to a data protection authority

To act on your rights, email privacy@tours.ba. We respond within one month in most cases. You can also contact your local authority, for example [Your EEA authority] or the ICO in the UK.

8. Marketing and communications

We send service emails about your booking. You can opt in to our newsletter on forms that clearly say what you will receive. Every marketing email has an Unsubscribe link. Unsubscribing does not affect service emails.

9. Cookies and similar technologies

We use essential cookies to make the site work, and optional cookies for analytics and marketing. You can manage consent in the banner and the Cookie policy at any time. Refusing optional cookies will not stop you from booking, but may limit features.

10. Children

You must be at least 18 to book. Our content helps families plan, but the site is not directed at children. If you believe a child gave us data without consent, contact privacy@tours.ba and we will delete it.

11. Security

We protect data with encryption in transit, access controls, and regular reviews. Only trained staff and trusted partners can access personal data for approved tasks. No online service is perfectly secure, so we encourage good hygiene such as unique passwords.

If we ever face a breach that risks your rights, we will inform you and the authorities as required by law.

12. Automated decisions

We use automated checks to reduce fraud and abuse. These checks do not produce legal or similarly significant effects without human review.

13. Changes to this policy

We update this page when our services or the law changes. We post the new date at the top. If the changes are material, we will notify you by email or on the site.

14. Contact us

  • Email: privacy@tours.ba
  • Support: see Contact in the footer