Privacy Policy

1. Introduction

Welcome to Turinity.com (“Turinity”, “we”, “our”, “us”). Protecting your privacy and safeguarding your personal data is fundamental to how we operate. This Privacy Policy explains:

What personal data we collect.
How and why we process it.
With whom it may be shared.
Your rights under applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and relevant U.S. privacy laws such as the California Consumer Privacy Act (CCPA/CPRA).

Turinity operates an international online marketplace that connects travelers with local operators and activity providers. This includes:

A public-facing booking platform (the “Marketplace”).
Portals for Operators and Guests to manage activities, bookings, and support.
Integrated booking engines and APIs with third-party systems (such as Stripe, PayPal, and activity management software).
Communication and support tools, which may include AI-driven conversational technologies to assist customers efficiently.

By using our website, mobile applications, or any of our services, you agree to the practices described in this Privacy Policy.

If you do not agree, you should discontinue use of our services.

2. Data Controller and Contact Information

For the purposes of the General Data Protection Regulation (GDPR), the UK GDPR, and applicable U.S. privacy laws, the primary entity responsible for processing your personal data is:

TURIMEDIA SL

CIF: B23873052

Calle el Sauce 9, Local 3. 38670 Adeje, Santa Cruz de Tenerife, Islas Canarias, España

Email: [email protected]

Website: www.turinity.com

Turinity acts as the data controller for all data you provide directly through our platform, including:

Creating an account or making a booking.
Communications with our support team.
Newsletter or marketing subscriptions.
Technical data collected during use of our website or apps.

2.1 Operators and Independent Controllers

When you book an activity, certain personal data (such as your name, booking details, and contact information) is shared with the relevant operator or activity provider to allow them to deliver the service.

Each operator acts as an independent controller of the data they receive in connection with your booking. This means that:

Turinity is not responsible for how operators process your data once shared.
Operators may have their own privacy policies, which we encourage you to review before participation in an activity.
Operators are required under our contractual agreements to comply with applicable data protection laws.

3. Legal Bases for Processing

We process personal data only when permitted under the GDPR, the UK GDPR, and other applicable laws. Our processing relies on the following legal bases:

3.1 Contractual Necessity (Art. 6.1.b GDPR)

We process your personal data when it is necessary to enter into or perform a contract with you, including:

Managing bookings and reservations.
Sending booking confirmations, reminders, and updates.
Handling cancellations, refunds, or changes.
Facilitating communication between guests and operators.
Providing customer service related to your purchase.

3.2 Consent (Art. 6.1.a GDPR)

In certain situations, we process your data only if you give us explicit consent, such as:

Receiving marketing emails, newsletters, or promotional offers.
Allowing cookies, tracking technologies, or push notifications.
Participating in surveys, research panels, or product testing.

You may withdraw your consent at any time without affecting the lawfulness of prior processing.

3.3 Legal Obligations (Art. 6.1.c GDPR)

We may process your data to comply with legal requirements, such as:

Accounting, tax, and invoicing regulations.
Consumer protection and e-commerce obligations.
Responding to lawful requests from regulators or law enforcement.

3.4 Legitimate Interests (Art. 6.1.f GDPR)

We may process your data based on our legitimate interests, provided that these are not overridden by your rights and freedoms. Examples include:

Ensuring platform security and fraud prevention (including automated risk checks via payment providers).
Protecting our systems from abuse, bots, or malicious activity (with the help of tools such as Cloudflare and anti-fraud technologies).
Improving services by analyzing aggregated booking data and feedback.
Responding to general inquiries and customer service requests.
Personalizing your user experience and recommending relevant activities.

You have the right to object to processing based on legitimate interest at any time.

3.5 Automated Processing and Profiling

In limited cases, Turinity may rely on automated decision-making or profiling to:

Detect and block fraudulent transactions (e.g., payment risk scoring).
Analyze booking behavior for service optimization.
Provide personalized recommendations based on your browsing or booking history.

Where such automated decisions have a significant effect on you, you have the right to request human intervention and contest the decision.

4. Categories of Data We Collect

Depending on how you interact with Turinity — whether as a guest, operator, or visitor — we may collect and process the following categories of personal data:

4.1 Identity Data

First name, last name, and title.
Date of birth and age group (where required by the operator, e.g., for child/adult pricing).
Nationality or country of residence (when necessary for bookings or regulatory compliance).

4.2 Contact Data

Email address.
Phone number (mobile or landline).
Billing or home address (only where required for invoicing or operator compliance).

4.3 Booking and Transaction Data

Details of booked activities (date, time, duration, location, extras, number of participants).
Booking reference numbers.
Operator details and service provider identifiers.
Payment status and invoices (processed securely through third-party providers such as Stripe, PayPal, Apple Pay).
Deposits and balances due when using the “deposit-only” payment model.

4.4 Communication Data

Emails, chat messages, or inquiries sent to our support team.
Conversations handled by our AI-driven customer service tools, which may analyze queries for faster resolution.
Reviews, ratings, or feedback you submit regarding an activity or operator.

4.5 Technical and Usage Data

Device and browser information (IP address, operating system, browser type, version, language settings).
Log files of website usage (pages viewed, search queries, time of visit, clickstream data).
Network information, latency, and connection type (to optimize site performance).
Security-related identifiers (used for fraud prevention and protection against bots via technologies like Cloudflare).

4.6 Marketing and Preference Data

Newsletter subscriptions and interaction with marketing emails.
Preferences saved in your Turinity account (e.g., favorite activities, destinations).
Cookie and tracking data (depending on your consent choices).
Information used for remarketing and personalized offers.

4.7 Operator and Business Partner Data

For operators and suppliers registering on Turinity, we collect additional business data:

Company name, legal entity, VAT or tax ID.
Business address and website.
Contact person details (name, email, phone).
Payment and payout details (e.g., bank account, Stripe account).
Uploaded descriptions, pricing, availability, and media of offered activities.
API integration details (if using systems like Turitop or FareHarbor).

4.8 Data from AI Translations and Automation

Content provided in one language may be processed using AI translation technologies (e.g., DeepL) to make activities available in multiple languages.
For compliance, we store both the original and the translated version of activity descriptions.

4.9 Special Categories of Data

Turinity does not intentionally collect special categories of personal data (such as health data, religion, or biometric identifiers), except when strictly necessary for a booking (e.g., accessibility requirements, dietary needs). In such cases, explicit consent will be obtained.

5. How We Use Your Data

We process your personal data only for clearly defined purposes. Depending on whether you are a guest, operator, or visitor, we may use your data for the following:

5.1 To Fulfill Bookings and Provide Services

Process reservations and generate booking confirmations.
Share essential details with the operator so they can deliver the activity.
Issue QR-coded tickets and booking references.
Send reminders and updates (e.g., time changes, pickup details).
Handle cancellations, modifications, and refunds according to the relevant policy.

5.2 Payments and Financial Operations

Process payments securely via third-party providers such as Stripe, PayPal, and Apple Pay.
Manage deposits, commissions, and operator payouts.
Generate invoices and statements for operators and customers.
Prevent fraudulent or unauthorized transactions using automated risk checks.

5.3 Customer Support and Communications

Respond to your inquiries through email, chat, or messaging.
Use AI-driven support and conversation management tools to analyze and respond faster to common questions.
Document communications for quality assurance, dispute resolution, and compliance.
Allow operators to communicate with guests regarding bookings, only when necessary for service delivery.

5.4 Reviews and Ratings

Invite you to review your experience after completing an activity.
Publish reviews (including your rating, comments, first name, age range, or country if voluntarily provided).
Use reviews for improving services, highlighting “Top Rated” activities, and helping other travelers make informed decisions.

5.5 Platform Security and Fraud Prevention

Protect the platform against misuse, bots, and malicious activity using technologies such as Cloudflare and anti-fraud tools.
Verify transactions through automated fraud detection systems.
Monitor booking behavior to prevent abusive patterns or fake reservations.

5.6 Personalization and Service Improvement

Provide tailored search results, suggestions, and offers based on your activity history and preferences.
Analyze aggregated usage data to improve platform performance, booking flows, and customer experience.
Translate activity content into multiple languages using AI-powered translation technologies (e.g., DeepL), to provide multilingual access across markets.
Test new features, optimize the user interface, and monitor performance for both desktop and mobile.

5.7 Marketing and Remarketing (with Consent)

Send newsletters, offers, and promotional campaigns if you subscribed or did not object to receiving them.
Deliver personalized advertising across platforms (e.g., Google Ads, Meta/Facebook, TikTok) subject to your cookie preferences.
Measure the effectiveness of marketing campaigns and optimize targeting strategies.

5.8 Compliance with Legal Obligations

Meet tax, accounting, and invoicing requirements.
Respond to requests from authorities, courts, or regulators.
Enforce our Terms & Conditions and prevent fraudulent or unlawful use of our services.

6. Data Sharing and Disclosure

We do not sell your personal data. However, in order to provide our services effectively and securely, we may share your personal data with selected third parties under strict conditions. All sharing is limited to what is necessary for the stated purpose and is carried out in compliance with the GDPR, UK GDPR, and other applicable laws.

6.1 Operators and Activity Providers

When you book an activity, we share relevant booking details (such as your name, contact details, number of participants, extras selected, and booking reference) with the operator so they can deliver the service.
Operators act as independent controllers and may process your data according to their own privacy policies.
Turinity contractually requires operators to handle customer data securely and only for the purposes of delivering the booked service.

6.2 Payment Service Providers

Payments are processed by third-party providers such as Stripe, PayPal, and Apple Pay.
We do not store your full credit card details.
These providers act as separate data controllers and process data under their own privacy policies.

6.3 Technology and Hosting Partners

Our platform is hosted on secure servers within the European Union, with protections against unauthorized access and downtime.
We use Cloudflare for network protection, DDoS mitigation, and web application firewall services.
We may engage additional cloud service providers to ensure reliable performance and scalability.

6.4 Customer Service and AI Tools

To provide fast and multilingual support, we use AI-powered conversation management tools that may analyze and process customer requests.
These tools are used exclusively to improve response quality and speed.
Where necessary, support-related data may be processed outside the EEA under Standard Contractual Clauses (SCCs) or adequacy decisions.

6.5 Marketing and Analytics Partners

With your consent, we may share limited data with trusted partners to deliver personalized advertising and measure effectiveness:

Google (Analytics, Ads, Campaign Manager).
Meta (Facebook, Instagram).
TikTok (advertising and remarketing).
Affiliate networks and tracking partners for campaign attribution.

6.6 API Integrations

For bookings synced with operator systems (e.g., Turitop, FareHarbor), we may transfer booking data (such as names, participant counts, and selected options) to those systems to ensure availability and confirmation.
Such data transfers are limited to what is necessary for booking fulfillment.

6.7 Legal and Regulatory Authorities

We may disclose personal data if required to:

Comply with applicable laws, regulations, or legal processes.
Respond to lawful requests from regulators, tax authorities, or law enforcement.
Protect the rights, property, or safety of Turinity, our users, or others.

6.8 Corporate Transactions

In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of the transaction. Any such transfer will comply with applicable data protection laws, and you will be notified of material changes.

6.9 Other Service Providers

We may engage carefully selected third parties that act as processors on our behalf, for services such as:

Email delivery and notification systems.
SMS or WhatsApp booking confirmations.
Security monitoring and fraud detection.
Professional advisors (lawyers, auditors, consultants).

These providers are contractually obligated to process data only under our instructions and in compliance with GDPR.

7. International Data Transfers

Turinity is an international platform. This means that, in certain cases, your personal data may be transferred to service providers or partners located outside the European Economic Area (EEA), the United Kingdom, or Switzerland. Whenever such transfers occur, we ensure that they are protected by adequate safeguards in line with Articles 44–50 GDPR.

7.1 Transfers Based on Adequacy Decisions

Where possible, we rely on adequacy decisions by the European Commission that confirm a third country provides an adequate level of protection.

For example:

Transfers to the United States may be covered by the EU–U.S. Data Privacy Framework, the UK Extension, and the Swiss–U.S. Data Privacy Framework, which apply to certified companies such as Google, Meta, TikTok, and Cloudflare.

7.2 Transfers Based on Standard Contractual Clauses (SCCs)

If no adequacy decision exists, we use the Standard Contractual Clauses (SCCs) approved by the European Commission. These contracts ensure that your personal data receives a level of protection essentially equivalent to that within the EEA.

This may apply to:

Payment processors not certified under the Data Privacy Framework.
AI-driven support and conversation tools located outside the EEA.
Affiliate or marketing technology providers.

7.3 Transfers Based on Explicit Consent

In limited cases, if a transfer cannot be covered by adequacy or SCCs, we may request your explicit consent before transferring your data internationally.

7.4 Operator Data Transfers

If you book an activity with an operator located outside the EEA (e.g., tours in the UAE or the Caribbean), it may be necessary to transfer your personal data directly to that operator to fulfill the booking. Such transfers are based on Art. 49(1)(b) GDPR (necessary for the performance of a contract).

7.5 Safeguards in Place

We implement additional safeguards to protect your personal data during international transfers, including:

Data minimization (only sharing the information strictly necessary).
Encryption during transfer and at rest.
Contractual obligations requiring third parties to process data securely and lawfully.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law. Once the data is no longer needed, it will either be deleted or anonymized so that it can no longer be linked to you.

8.1 Bookings and Transaction Data

Bookings, invoices, and payment records are stored for a minimum of 5 years to comply with tax, accounting, and legal obligations.
If you request deletion of your account, we may still retain booking-related records for this legal retention period.

8.2 Customer Accounts

If you create a Turinity account and later request deletion, we will delete or anonymize your account information without undue delay.
Certain backup copies may remain temporarily stored until overwritten in the normal course of system operations.

8.3 Operator Accounts

Operator registration forms, financial details, and payout records are retained for the duration of the partnership and up to 7 years after termination, to comply with commercial and financial obligations.

8.4 Communications and Support Data

Emails, chat interactions, and AI-handled support conversations are typically retained for up to 3 years for training, quality assurance, and dispute resolution.
In cases of ongoing disputes or legal claims, data may be retained longer until the issue is resolved.

8.5 Marketing and Newsletter Data

If you have subscribed to marketing communications, we keep your contact data until you withdraw your consent or unsubscribe.
After unsubscribing, we may retain a minimal record (your email) on a suppression list to ensure you no longer receive marketing messages.

8.6 Reviews and Ratings

Reviews linked to a completed booking may remain published on the platform for transparency and user trust, even if your account is deleted.
If you wish to remove a published review, you may request deletion at any time.

8.7 Technical and Security Data

Log files, IP addresses, and security monitoring data (e.g., Cloudflare logs) are retained for a short period, usually 30–90 days, unless required longer for security investigations.

8.8 Legal Obligations and Disputes

In certain cases, we may need to retain data beyond the standard periods, including:

For ongoing audits, regulatory investigations, or legal proceedings.
To secure, assert, or defend against legal claims.

9. Data Security Measures

Turinity applies strict technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, alteration, or disclosure. These measures are continuously reviewed and updated to meet industry standards.

9.1 Encryption and Secure Transmission

All data transmitted through our platform is protected with SSL/TLS encryption.
Sensitive data such as payment information is encrypted and processed exclusively by trusted third-party providers (e.g., Stripe, PayPal, Apple Pay).

9.2 Network and Infrastructure Protection

We use Cloudflare’s security services to protect against Distributed Denial of Service (DDoS) attacks, bots, and malicious traffic.
Firewalls and intrusion detection systems monitor suspicious activity in real time.
Data centers hosting Turinity services apply physical safeguards (restricted access, 24/7 monitoring).

9.3 Access Control and Internal Policies

Access to personal data is strictly limited to authorized personnel who require it for their role.
Multi-factor authentication (MFA) and strong password policies are enforced internally.
All access to sensitive data is logged and monitored for audit purposes.

9.4 Fraud Prevention

Payment transactions are monitored using automated fraud detection technologies.
Suspicious activity may be flagged and reviewed to prevent unauthorized bookings or chargebacks.
Operators are required to comply with Turinity’s anti-fraud and data protection standards.

9.5 Data Minimization

We only collect the personal data necessary for the specific purpose.
Backups are stored securely with retention limits to avoid unnecessary storage.
Anonymization and pseudonymization techniques are applied where possible to reduce risk.

9.6 Incident Response

In the event of a data breach, Turinity has procedures in place to:
- Contain and investigate the incident immediately.
- Notify the relevant supervisory authorities within 72 hours (as required by GDPR).
- Inform affected users if the breach is likely to result in a high risk to their rights and freedoms.

10. Your Rights Under GDPR and Other Laws

As a user of Turinity, you have a number of rights under the General Data Protection Regulation (GDPR), the UK GDPR, and other applicable laws. We are committed to enabling you to exercise these rights easily and transparently.

You can exercise your rights at any time by contacting us at:

📧 [email protected]

We may need to verify your identity before fulfilling your request.

10.1 Right of Access (Art. 15 GDPR)

You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with details about how we use it.

10.2 Right to Rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate or incomplete personal data we hold about you.

10.3 Right to Erasure – “Right to Be Forgotten” (Art. 17 GDPR)

You have the right to request deletion of your personal data in certain circumstances, for example when:

The data is no longer necessary for the purposes for which it was collected.
You withdraw your consent and there is no other legal basis for processing.
The data has been unlawfully processed.

This right may be limited where we are required by law to retain certain data (e.g., for tax, accounting, or dispute resolution).

10.4 Right to Restriction of Processing (Art. 18 GDPR)

You may request that we restrict processing of your personal data, for example if you contest its accuracy or object to our processing based on legitimate interests.

10.5 Right to Data Portability (Art. 20 GDPR)

You may request a copy of the personal data you provided to us in a structured, commonly used, machine-readable format, and have the right to transmit it to another controller where technically feasible.

10.6 Right to Object (Art. 21 GDPR)

You may object at any time to the processing of your personal data based on legitimate interests (Art. 6.1.f GDPR) or for direct marketing purposes. If you object to marketing, we will immediately stop sending promotional communications.

10.7 Right to Withdraw Consent (Art. 7 GDPR)

Where we process your data based on your consent (e.g., newsletters, marketing, cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.

10.8 Right to Lodge a Complaint (Art. 77 GDPR)

If you believe your rights have been violated, you may lodge a complaint with your local data protection authority. For Spain, this is the Agencia Española de Protección de Datos (AEPD):

🌍 www.aepd.es

You may also contact the supervisory authority in your country of residence or work.

10.9 Data Processing When Exercising Your Rights

For transparency and compliance, we may store limited information about your request (e.g., date, nature of request, our response) for up to 3 years, to demonstrate compliance with our legal obligations.

11. Cookies and Tracking Technologies

Turinity uses cookies and similar technologies to provide core functionality, improve performance, and deliver personalized experiences. The use of cookies and trackers complies with the GDPR, the UK GDPR, the ePrivacy Directive, and applicable U.S. laws.

When you first visit our platform, you will see a cookie consent banner allowing you to manage your preferences.

11.1 What Are Cookies?

Cookies are small text files that are placed on your device when you visit our site. They enable us to recognize your device, store preferences, and track interactions with our services.

In addition to cookies, we may use related technologies such as:

Pixels and web beacons (to track actions like email opens or ad clicks).
Scripts (to enable interactive features).
Tracking URLs (to understand which source directed you to our site).
SDKs (software development kits in our mobile apps, enabling push notifications, analytics, and personalized experiences).

11.2 Categories of Cookies and Technologies

a) Strictly Necessary

Essential for basic functions such as navigation, secure login, and checkout.
Without these, the website cannot function properly.
Legal basis: Art. 6.1.b GDPR (contractual necessity).

b) Functional and Analytical

Collect information on how visitors use our site (e.g., most viewed pages, search filters).
Help us optimize performance and user experience.
Legal basis: Art. 6.1.a GDPR (consent).

c) Marketing and Remarketing

Track user behavior to deliver relevant ads on third-party platforms.
Help measure effectiveness of campaigns (impressions, clicks, conversions).
Examples: Google Ads, Meta (Facebook & Instagram), TikTok Ads.
Legal basis: Art. 6.1.a GDPR (consent).

11.3 Third-Party Tracking and Advertising Partners

If you consent, we may share limited data with trusted partners for marketing and analytics purposes, including:

Google: Analytics, Campaign Manager, Ads, Display & Video 360.
Meta: Facebook Pixel and conversion APIs for personalized ads.
TikTok: Remarketing services to show relevant ads on the TikTok platform.
Affiliate networks: To track bookings from partner sites and manage commissions.

11.4 How Long Are Cookies Stored?

Session cookies: Deleted once you close your browser.
Persistent cookies: Remain on your device until expiry or manual deletion (from a few days to 24 months, depending on the cookie).

11.5 Managing Preferences and Opt-Out

You can manage cookies and trackers in the following ways:

Via the Turinity consent banner and cookie settings page.
Through your browser settings (block, delete, or limit cookies).
By opting out of specific advertising partners:
- Google Ads: https://adssettings.google.com
- Meta Ads: https://www.facebook.com/ads/preferences
- TikTok Ads: https://www.tiktok.com/legal/privacy-policy

Rejecting cookies may limit functionality of the platform (e.g., saving preferences, faster checkout).

11.6 Legal Basis

Strictly necessary cookies: Art. 6.1.b GDPR.
Analytics and marketing cookies: Art. 6.1.a GDPR (consent).

12. Customer Reviews and Ratings

Turinity values transparency and user feedback. After participating in an activity, you may be invited to leave a review or rating. Reviews help future travelers make informed decisions and allow operators to improve their services.

12.1 Collection of Reviews

We may contact you by email, SMS, or WhatsApp after your booking to request a review.
Reviews typically include:
- Star rating (1–5).
- Written comments.
- Optional details such as your first name, age group, or country of origin.
Submission of reviews is entirely voluntary.

12.2 Publication of Reviews

Submitted reviews may be displayed publicly on the relevant activity page in the Turinity marketplace.
Reviews are linked to the operator and specific booking to ensure authenticity.
You may choose to submit a review anonymously.

12.3 Moderation and Quality Standards

Reviews are subject to moderation to ensure compliance with Turinity’s content standards.
We reserve the right to remove reviews that:
- Contain offensive or discriminatory language.
- Include personal information (e.g., phone numbers, addresses).
- Are unrelated to the activity or service provided.
Operators cannot delete or alter customer reviews, but they may respond publicly to provide clarification.

12.4 Use of Reviews

Reviews may be used for:
- Display on the Turinity platform.
- Marketing and promotional purposes (with identifying details anonymized unless you consent otherwise).
- Assigning activity badges such as “Top Rated” or “Recommended.”

12.5 Retention of Reviews

Reviews remain visible on the platform for as long as the activity is listed.
If you delete your account, reviews linked to your past bookings may remain published for transparency, but you can request removal.

12.6 Legal Basis

Collection and publication of reviews are based on our legitimate interest in ensuring transparency and improving services (Art. 6.1.f GDPR).
Use of reviews for marketing may require your consent (Art. 6.1.a GDPR).

13. Customer Service and Communications

Turinity provides customer support through multiple channels, including email, chat, and messaging services such as WhatsApp or SMS. To ensure fast, reliable, and multilingual assistance, we make use of AI-powered technologies and conversation management tools.

13.1 Processing of Inquiries

When you contact our customer service team, we process the personal data you provide, such as your name, email address, booking reference, and the content of your inquiry.
This information is used exclusively to resolve your request, provide guidance, or handle disputes.

13.2 Use of AI and Automation

Turinity may use AI-driven tools to analyze, categorize, and respond to support requests more efficiently.
These systems can assist in:
- Identifying the type of request (e.g., cancellation, refund, operator issue).
- Offering automated replies for common questions.
- Routing complex inquiries to human support agents.
AI processing is always monitored by our team to ensure accuracy and fairness.

13.3 Communication Channels

We may respond to inquiries via email, in-platform messages, WhatsApp, SMS, or phone (if provided).
All communications are logged and stored for quality control, dispute resolution, and legal compliance.

13.4 Translation of Inquiries

To provide support to users worldwide, messages may be processed by secure translation technologies (including AI-based translation) to ensure effective communication between customers, operators, and support agents.

13.5 Improving Our Customer Service

We may analyze aggregated customer service data to identify trends, improve response times, and enhance the quality of our support.
On occasion, you may be invited to provide feedback through customer satisfaction surveys. Participation is voluntary.

13.6 Retention of Support Data

Customer service inquiries and transcripts are typically stored for up to 3 years to allow proper resolution of disputes and for training and quality purposes.
In cases involving legal obligations or disputes, data may be stored longer until resolved.

13.7 Legal Basis

Processing of inquiries is based on contractual necessity (Art. 6.1.b GDPR) when related to an existing booking.
Use of AI tools, translations, and service optimization is based on legitimate interest (Art. 6.1.f GDPR).
Surveys and feedback requests are based on consent (Art. 6.1.a GDPR).

14. Booking Activities and Operator Data

Turinity operates as a global marketplace that connects travelers with independent operators and activity providers. When you book an activity through our platform, certain personal data must be shared with the relevant operator to enable them to deliver the service.

14.1 Data Shared with Operators

To fulfill your booking, Turinity shares only the information necessary with the operator, which may include:

Your name and surname.
Contact details (email address and/or phone number).
Number of participants (adults, children, infants).
Booking reference number.
Date, time slot, and duration of the activity.
Any extras or add-ons you selected during booking (e.g., transport, food, private guide).
Pickup point details (if applicable).
Special notes or requests (e.g., accessibility requirements, dietary needs).

14.2 Operators as Independent Controllers

Each operator acts as an independent data controller for the data they receive.
Turinity is not responsible for how operators process data once shared with them.
Operators must comply with GDPR or applicable local data protection laws and maintain their own privacy policies.
We strongly encourage you to review the operator’s privacy policy before participating in an activity.

14.3 Operator Obligations on Turinity

As part of their contractual agreement with Turinity, operators must:

Use customer data only for the purpose of delivering the booked service.
Protect personal data against unauthorized access or disclosure.
Respect retention limits and delete data once no longer necessary.
Not use customer data for independent marketing purposes unless they have obtained valid consent.

14.4 API Integrations and Booking Systems

Some operators use external booking systems (e.g., Turitop, FareHarbor). In these cases:

Turinity may transfer booking data to the operator’s system through secure API connections.
Data shared includes the same categories listed above, transmitted solely for booking management and confirmation.
These systems act either as processors or controllers depending on the operator’s setup, and they are contractually required to apply GDPR safeguards.

14.5 Operator Reviews and Ratings

After completing an activity, you may be invited to leave a review about the operator’s service.
Reviews are linked to specific operators to ensure transparency and fairness.
Turinity does not allow operators to delete or alter reviews, although they may reply to customer feedback.

14.6 Joint Responsibilities

In certain cases (e.g., where Turinity and an operator jointly determine the purposes of data processing, such as fraud prevention or dispute resolution), both parties may act as joint controllers under Article 26 GDPR. In such cases, responsibilities are clearly defined in contractual agreements.

14.7 Legal Basis

Sharing of booking details with operators is based on contractual necessity (Art. 6.1.b GDPR).
Operator compliance and data handling obligations are based on legitimate interest (Art. 6.1.f GDPR) and legal requirements.

15. Payments and Financial Data

Turinity processes payment information strictly for the purpose of completing reservations securely. All payments are handled by trusted third-party providers; Turinity does not store or have access to full card details.

15.1 Payment Methods

You may pay for activities on Turinity using:

Credit or debit cards.
Digital wallets such as Apple Pay or Google Pay (where available).
PayPal or other trusted payment services.

15.2 Processing of Payments

Payments are processed through providers such as Stripe, PayPal, and Apple Pay, who act as independent controllers for your financial data.
We only receive limited information: payment status, transaction ID, payment method, and in some cases the last four digits of your card number.
These providers may process data outside the EEA. In such cases, appropriate safeguards such as the EU–U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs) apply.

15.3 Fraud Prevention

Transactions are encrypted and monitored using automated fraud detection systems.
We may temporarily block or flag suspicious payments to protect customers, operators, and the platform.
Data necessary to prevent fraud may be shared with payment providers or, where legally required, with authorities.

15.4 Chargebacks and Disputes

If a chargeback or payment dispute occurs, we may share relevant booking and transaction details with the payment processor or bank to resolve the issue.

15.5 Retention of Financial Data

Payment records and invoices are retained for a minimum of 5 years in compliance with accounting and tax laws.
After this period, they are securely deleted or anonymized.

15.6 Legal Basis

Processing of payment data is based on contractual necessity (Art. 6.1.b GDPR).
Fraud detection and dispute handling are based on legitimate interest (Art. 6.1.f GDPR).
Retention of financial records is based on legal obligation (Art. 6.1.c GDPR).

16. Fraud Prevention and Platform Security

Turinity is committed to maintaining a safe and trustworthy environment for both guests and operators. To achieve this, we apply multiple layers of security and fraud-prevention technologies.

16.1 Fraud Prevention

Transaction monitoring: All payments are screened by automated systems that detect unusual patterns or high-risk behavior.
Risk scoring: Certain bookings may be flagged for additional review if they exceed predefined thresholds (e.g., unusually large transactions, mismatched customer details).
Chargeback protection: In the event of a disputed payment, we work with payment providers to review relevant transaction and booking information.
Operator safeguards: Operators are contractually required not to misuse guest data and to comply with fraud-prevention standards.

16.2 Security of the Platform

Cloudflare protection: Turinity uses Cloudflare services to mitigate Distributed Denial of Service (DDoS) attacks, prevent malicious bot traffic, and ensure continuous platform availability.
Web Application Firewall (WAF): Requests are filtered to block suspicious or unauthorized attempts to access the platform.
Secure coding practices: Our systems are developed with security-by-design principles, including regular audits, penetration testing, and vulnerability patching.

16.3 Data Integrity and Monitoring

Encryption: Sensitive data is encrypted both in transit (via SSL/TLS) and at rest.
Access controls: Internal access to systems and databases is strictly limited to authorized staff under multi-factor authentication.
Logging and audits: All administrative actions and critical booking or payment events are logged with timestamps to provide a verifiable audit trail.

16.4 Incident Response

In case of a suspected security incident or data breach, Turinity follows a strict response protocol:

Immediate containment and investigation.
Notification of the competent supervisory authority within 72 hours where required by GDPR.
Communication to affected individuals if the breach poses a high risk to their rights and freedoms.
Implementation of corrective measures to prevent recurrence.

16.5 Legal Basis

Fraud prevention is carried out on the basis of legitimate interest (Art. 6.1.f GDPR).
Security and monitoring measures are necessary for compliance with Art. 32 GDPR (security of processing).

17. International Users: U.S. Residents’ Rights

If you are a resident of the United States, you may have specific privacy rights under state laws such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and similar laws in Colorado, Connecticut, Virginia, and other states.

This section supplements the information provided in this Privacy Policy.

17.1 Categories of Personal Information Collected

As described in Sections 4 and 5, Turinity may collect the following categories of information:

Identifiers (e.g., name, email, phone number, account ID).
Commercial information (e.g., bookings, payments, transaction history).
Internet or device information (e.g., IP address, browser, operating system, clickstream data).
Geolocation data (if provided by your device and consented).
Inferences (preferences and interests derived from bookings and searches).
Sensitive personal information (only in limited cases, such as passport or ID numbers required by an operator to deliver a service).

17.2 Rights of U.S. Residents

Depending on your state of residence, you may have the following rights:

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
Right to Access: Obtain a copy of the personal information we hold about you.
Right to Deletion: Request deletion of your personal information, subject to legal obligations.
Right to Correction: Request correction of inaccurate information.
Right to Data Portability: Receive your data in a portable, machine-readable format.
Right to Limit Use of Sensitive Data: Restrict the use of sensitive information (e.g., ID numbers, precise geolocation).
Right to Opt-Out of “Sharing” or Targeted Advertising: You may opt out of data sharing for cross-context behavioral advertising.
Right to Non-Discrimination: You will not be discriminated against for exercising your privacy rights.

17.3 Sale or Sharing of Personal Information

Turinity does not “sell” personal data for monetary consideration.
We may “share” personal data with third-party advertising and analytics partners for targeted advertising. This is considered a “sale” or “sharing” under some U.S. laws.
You may opt out of this sharing at any time via our Cookie Preferences tool.

17.4 How to Exercise Your Rights

U.S. residents can exercise their rights by contacting us at:

📧 Email: [email protected]

We may need to verify your identity before fulfilling your request. You may also designate an authorized agent to make requests on your behalf, in accordance with applicable law.

17.5 Children’s Data

Turinity does not knowingly collect personal information from children under 16 years old. If we become aware that we have inadvertently collected such data, we will delete it promptly.

17.6 Legal Basis

Processing of data for U.S. residents is carried out in accordance with the CCPA/CPRA and other applicable state privacy laws.

18. Corporate Changes and Business Transfers

Turinity is a growing international platform. In the event of future changes to our corporate structure, your personal data may be part of the transferred assets.

18.1 Mergers, Acquisitions, or Restructuring

If Turinity undergoes a merger, acquisition, divestiture, restructuring, reorganization, or sale of assets, your personal data may be transferred to the acquiring or successor entity.
Such transfers will only take place if the new entity agrees to handle your data in a manner consistent with this Privacy Policy and applicable laws.

18.2 Continuity of Service

In the case of a transfer, your personal data may continue to be used to ensure uninterrupted operation of the platform, including honoring existing bookings and operator agreements.

18.3 Notification of Changes

If ownership or control of Turinity changes, we will notify you in advance, either via email or through a prominent notice on our platform.
You will be informed of your rights regarding your personal data in the context of such changes.

18.4 Legal Basis

These transfers are based on legitimate interest (Art. 6.1.f GDPR) in ensuring the continuity and lawful operation of our business.

19. Updates to This Policy

Turinity may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data processing practices.

19.1 Notification of Changes

If we make material changes (for example, expanding how we use your data or sharing it with new categories of partners), we will notify you in advance by:
- Sending an email to the address linked to your account (if available).
- Posting a prominent notice on our website or mobile applications.

19.2 Review Periodically

We encourage you to review this Privacy Policy periodically so that you are always aware of how we protect your data.

19.3 Effective Date

The most recent version of the Privacy Policy will always be available on our website at www.turinity.com/privacy.
Each version will include a “Last Updated” date at the top.

19.4 Legal Basis

Updating this Privacy Policy is necessary to comply with Art. 24 GDPR (responsibility of the controller) and applicable consumer protection laws.

20. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, you may contact us at:

TURIMEDIA SL
CIF: B23873052
Calle el Sauce 9, Local 3. 38670 Adeje, Santa Cruz de Tenerife, Islas Canarias, España
Email: [email protected]
Website: www.turinity.com

You may also file a complaint with your local data protection authority. In Spain, this is the:

Agencia Española de Protección de Datos (AEPD)

C/ Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es

For users located in other EU/EEA countries, you can find your local supervisory authority via the European Data Protection Board (EDPB):

https://edpb.europa.eu

For residents of the United States, you may exercise your rights under CCPA/CPRA or other state laws as outlined in Section 17 by contacting us at the email address above.

Destinations