Privacy Policy

Last Updated: January 3, 2026

Table of Contents

1. Introduction
2. Data Controller
3. Data We Collect
4. How We Use Your Data
5. Data Sharing
6. Third-Party Services
7. Data Retention
8. Your Rights (GDPR)
9. Data Security
10. International Transfers
11. Children's Privacy
12. Changes to This Policy
13. Contact Us

1. Introduction

Welcome to OTAlytics ("we," "us," or "our"). We are committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how we collect, use, store, and protect your information when you use our search ranking tracking service for tour operators across OTA platforms (GetYourGuide, Viator, Tripadvisor).

This policy applies to all users of OTAlytics, regardless of their subscription plan (Free, Starter, Growth, or Pro). By using our service, you agree to the collection and use of information in accordance with this policy.

2. Data Controller

OTAlytics operates under the laws of the European Union. For the purposes of the General Data Protection Regulation (GDPR), we are the data controller responsible for your personal data.

Contact Information:
Email: support@otalytics.com
For data protection inquiries: privacy@otalytics.com

3. Data We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (if provided)
  • Password (encrypted via Supabase Auth)
  • Account creation date
  • Subscription plan type

3.2 Service Usage Data

To provide our ranking tracking service, we collect:

  • Tour URLs you submit for tracking (GetYourGuide, Viator, Tripadvisor)
  • Keywords you associate with your tours
  • Country selections for keyword searches (Pro plan)
  • Ranking positions over time
  • Search result data (tour titles, prices, ratings, positions)
  • Historical performance data
  • Dashboard preferences and settings

3.3 Technical Information

We automatically collect:

  • IP address
  • Browser type and version
  • Device information
  • Operating system
  • Referring website
  • Pages visited and time spent
  • Authentication tokens (session management)

3.4 Payment Information

Payment processing is handled by Stripe. We do not store your full credit card information on our servers. We only store:

  • Stripe customer ID
  • Last 4 digits of your card
  • Card brand (Visa, Mastercard, etc.)
  • Subscription status and billing history

3.5 Scraped Public Data

Our service collects publicly available data from OTA platforms (GetYourGuide, Viator, Tripadvisor) including:

  • Tour listings and metadata (titles, descriptions, prices)
  • Search result rankings
  • Competitor tour information (for positioning context)
  • Platform-specific identifiers

This data is collected using automated web scraping in compliance with applicable laws and platform terms of service.

4. How We Use Your Data

We process your personal data for the following purposes:

4.1 Service Provision (Contractual Necessity)

  • Tracking your tour rankings across OTA platforms
  • Generating performance reports and analytics
  • Storing historical ranking data according to your plan limits
  • Providing dashboard insights and alerts
  • Managing your account and subscription

4.2 Communication (Legitimate Interest)

  • Sending transactional emails (account confirmations, password resets)
  • Notifying you of significant ranking changes or alerts
  • Sending billing and subscription notifications
  • Responding to your support requests
  • Sending service updates and important announcements

4.3 Service Improvement (Legitimate Interest)

  • Analyzing usage patterns to improve features
  • Monitoring system performance and errors
  • Conducting internal research and development
  • Detecting and preventing fraud or abuse

4.4 Legal Compliance (Legal Obligation)

  • Complying with applicable laws and regulations
  • Responding to legal requests and court orders
  • Protecting our rights and property
  • Enforcing our Terms of Service

4.5 Marketing (Consent)

  • Sending promotional emails about new features (opt-out available)
  • Offering upgrade opportunities to higher-tier plans
  • Sharing product news and tips

You can unsubscribe from marketing communications at any time using the link in our emails.

5. Data Sharing

We do not sell, rent, or trade your personal data. We only share your data in the following limited circumstances:

5.1 Service Providers

We share data with trusted third-party service providers who assist us in operating our service (see Section 6 for details). These providers are contractually obligated to protect your data and use it only for the purposes we specify.

5.2 Legal Requirements

We may disclose your data if required by law, including:

  • Responding to subpoenas or court orders
  • Complying with regulatory investigations
  • Protecting against fraud or security threats
  • Enforcing our legal rights

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. You will be notified of any such change and your options regarding your data.

5.4 Aggregated Data

We may share anonymized, aggregated statistics that do not identify you personally (e.g., "80% of Pro users track 10+ keywords").

6. Third-Party Services

We use the following third-party services to operate OTAlytics. Each service has its own privacy policy:

6.1 Supabase (Authentication)

Purpose: User authentication and session management
Data Shared: Email, password (encrypted), authentication tokens
Location: EU/US data centers
Privacy Policy: https://supabase.com/privacy

6.2 Stripe (Payment Processing)

Purpose: Subscription billing and payment processing
Data Shared: Name, email, payment method, billing address
Location: Global (GDPR compliant)
Privacy Policy: https://stripe.com/privacy

6.3 PostHog (Analytics)

Purpose: Product analytics and feature usage tracking
Data Shared: Usage events, page views, feature interactions
Location: EU instance
Privacy Policy: https://posthog.com/privacy

6.4 Sentry (Error Monitoring)

Purpose: Error tracking and performance monitoring
Data Shared: Error logs, stack traces, user IDs
Location: US data centers
Privacy Policy: https://sentry.io/privacy

6.5 ZenRows (Web Scraping)

Purpose: Scraping OTA platforms for ranking data
Data Shared: Search queries (keywords, locations)
Location: US data centers
Privacy Policy: https://www.zenrows.com/privacy

6.6 SendGrid (Transactional Email)

Purpose: Sending account notifications and alerts
Data Shared: Email address, name, email content
Location: US data centers
Privacy Policy: https://www.twilio.com/legal/privacy

7. Data Retention

We retain your data for the following periods:

7.1 Account Data

  • Retained as long as your account is active
  • Deleted within 30 days after account deletion (unless legal retention required)

7.2 Ranking Data

Historical ranking data is retained according to your subscription plan:

  • Free Plan: 30 days
  • Starter Plan: 90 days
  • Growth Plan: 180 days
  • Pro Plan: Unlimited (until account deletion)

7.3 Billing Data

  • Retained for 7 years to comply with tax and accounting regulations

7.4 Technical Logs

  • Server logs: 90 days
  • Error logs: 180 days
  • Analytics data: 2 years (aggregated)

7.5 Backup Data

Backup copies of your data may persist for up to 30 days after deletion from production systems.

8. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

8.1 Right of Access

You can request a copy of all personal data we hold about you. We will provide this in a structured, machine-readable format (JSON/CSV) within 30 days.

8.2 Right to Rectification

You can update or correct your personal data at any time through your account settings or by contacting us.

8.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your account and all associated data. We will delete your data within 30 days, except where retention is required by law.

8.4 Right to Data Portability

You can export your ranking data in CSV or JSON format through your dashboard settings.

8.5 Right to Restrict Processing

You can request that we pause processing of your data while we verify or investigate your concerns.

8.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

8.7 Right to Withdraw Consent

Where we process data based on your consent (e.g., marketing emails), you can withdraw consent at any time.

8.8 Right to Lodge a Complaint

If you believe we have violated your privacy rights, you can file a complaint with your local data protection authority.

To exercise any of these rights, contact us at: privacy@otalytics.com

9. Data Security

We implement industry-standard security measures to protect your data from unauthorized access, disclosure, alteration, or destruction:

9.1 Technical Measures

  • TLS/SSL encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • Secure password hashing (bcrypt via Supabase)
  • Regular security audits and penetration testing
  • Automated vulnerability scanning

9.2 Organizational Measures

  • Access controls and role-based permissions
  • Employee confidentiality agreements
  • Security awareness training
  • Incident response procedures
  • Regular backups with encryption

9.3 Infrastructure Security

  • Hosted on secure, GDPR-compliant cloud providers
  • Firewall protection and intrusion detection
  • DDoS mitigation
  • Regular software updates and patches

While we strive to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

10. International Data Transfers

OTAlytics operates primarily within the European Union. However, some of our service providers (Sentry, ZenRows, SendGrid) are based in the United States.

When we transfer data outside the EU/EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with all processors
  • Verification that providers comply with GDPR requirements

You have the right to obtain information about these safeguards by contacting us at privacy@otalytics.com.

11. Children's Privacy

OTAlytics is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@otalytics.com, and we will delete the information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

  • Posting a notice on our website
  • Sending an email to your registered email address
  • Updating the "Last Updated" date at the top of this policy

Your continued use of OTAlytics after such changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@otalytics.com
Support: support@otalytics.com

Data Protection Officer:
For GDPR-related inquiries, contact our DPO at dpo@otalytics.com

We will respond to all requests within 30 days.