Privacy Policy
Last updated: May 2026
At a glance
This Privacy Policy explains how UpCityWalks collects, uses, and protects the personal information you provide when you visit our website, book a walking tour, or interact with our guides. We have written it to comply with the EU General Data Protection Regulation (GDPR) and the Czech Data Processing Act (No. 110/2019 Coll.).
- We collect only what we need to confirm your booking, run the tour, and keep the site working.
- We never sell your personal information.
- Our booking is handled by Bókun; payments by our payment partners. They each have their own privacy practices.
- You can ask us at any time for a copy, correction, or deletion of your data.
- Questions? Email hello@upcitywalks.com.
1. Who we are
UpCityWalks is a walking-tour booking platform connecting travellers with local guides. For the purposes of GDPR, the data controller is:
[Company legal name, e.g. UpCityWalks s.r.o.]
[Registered address, Prague, Czech Republic]
Company ID (IČO): [00000000]
Email: hello@upcitywalks.com
In this policy “we”, “us”, and “our” refer to UpCityWalks. “You” refers to anyone whose personal information we process — whether you are a visitor to the website, a customer who books a tour, a guide we work with, or someone applying to work with us.
2. What information we collect
We collect different categories of information depending on how you use our service. We try to keep this list to the minimum needed for each purpose.
2.1 Booking information
When you book a tour, we collect your full name, email address, phone number, the number and category of guests in your party (adult / child / infant), the tour date and time you selected, and any special requirements you tell us about (dietary needs, accessibility requests, language preferences).
Payment is processed by our booking partner Bókun and its payment gateways. Card details are entered directly into their secure checkout — we never see or store your full payment card number. We do receive a booking confirmation, the amount paid, and a transaction reference.
2.2 Account & guide profile information
If you are a guide working with us, we hold a profile containing your name, photo, biography, languages, areas of expertise, and the tours you lead. If you are an administrator with access to our internal panel, we store your email, hashed password, and role.
2.3 Technical and usage information
When you visit our site we automatically collect your IP address, browser type and version, device type, operating system, the pages you view, the order in which you view them, and the referring site that sent you to us. This data helps us keep the site secure, diagnose errors, and understand which content is useful.
2.4 Guide referral and attribution information
Each of our guides has a unique referral code printed on their business cards and flyers as a QR code. If you arrive on the site by scanning a guide’s QR code, we store that referral code in an HttpOnly cookie so that, if you go on to book a tour, the guide who recommended us receives credit. The cookie contains only the referral code — no personal information about you — and expires after 30 days.
2.5 Communications
When you email us, fill in our contact form, or message us through the booking flow, we keep a record of that correspondence and any attachments, so that we can follow up and improve our service.
3. Why we collect it & legal basis
GDPR requires us to have a clear legal basis for processing your personal data. Our processing falls into the following categories:
Performance of a contract (Art. 6(1)(b))
To accept your booking, send confirmation, share the meeting point with you, and pass the necessary details to the guide who will lead your tour. Without this information we cannot deliver the service you have paid for.
Legitimate interest (Art. 6(1)(f))
To keep the site secure (detecting and preventing fraud or abuse), to understand aggregate usage patterns so we can improve the site, to attribute bookings to the correct guide for our internal commission system, and to respond to your enquiries. When we rely on legitimate interest we balance our needs against your rights and freedoms, and you have the right to object.
Consent (Art. 6(1)(a))
For non-essential cookies (analytics, marketing) and for any marketing emails we may send you. You can withdraw consent at any time — see our Cookie Policy for cookie controls, and use the unsubscribe link in any marketing email.
Legal obligation (Art. 6(1)(c))
To meet our accounting, tax, and consumer-protection obligations under Czech law, and to respond to lawful requests from public authorities.
4. Who we share your data with
We share your information only with parties that help us deliver the service, and only to the extent necessary. Each of these is bound by a contract requiring them to protect your data and to process it only for the purposes we agree.
- Bókun ehf. - our reservation system. Stores booking details and handles payment processing through its integrated gateways. Based in Iceland (an EEA country).
- Vercel Inc. hosts the website. Supabase Inc. provides our database and authentication for the admin and guide areas. Both are based in the United States and are accessed under Standard Contractual Clauses (see Section 5).
- DeepL SE (Germany, EU) provides automated translation of parts of the site between the languages we offer.
- Google Analytics - loaded only after you accept analytics cookies. See our Cookie Policy for details and opt-out.
- The guide leading your tour receives your first name and party size so they can greet you at the meeting point. They do not receive your contact details, payment information, or any sensitive data.
- We may disclose information if required by law, court order, or to protect the rights, property, or safety of UpCityWalks, our customers, or others.
- We never sell, rent, or trade your personal information to third parties for their own marketing purposes.
5. International data transfers
Some of the providers listed above (notably Vercel, Supabase, and Google) are based in the United States. When personal data is transferred outside the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses (SCCs) to ensure your data continues to be protected to a standard equivalent to GDPR.
You can request a copy of the safeguards in place for any transfer by contacting us at the address in Section 13.
6. How long we keep your data
We keep your personal information only as long as we need it for the purposes we collected it. Specifically:
- Booking records - kept for 10 years after the tour, to meet Czech accounting and tax law obligations.
- Customer service correspondence - kept for 3 years after the last contact.
- Marketing consent - kept until you withdraw it, then removed within 30 days.
- Guide referral cookies - expire from your browser after 30 days.
- Analytics data - retained in aggregated, non-identifying form for up to 26 months.
- Server access logs - rotated and deleted within 90 days.
When the retention period ends, data is securely deleted or anonymised so it can no longer be linked to you.
7. Your rights under GDPR
You have the following rights with respect to the personal information we hold about you:
- Access - ask for a copy of your data and information about how we use it.
- Rectification - correct inaccurate or incomplete information.
- Erasure (“right to be forgotten”) - ask us to delete your data when there is no overriding legal reason to keep it.
- Restriction - ask us to limit how we use your data while we investigate a complaint or correction.
- Portability - receive the data you provided to us in a structured, machine-readable format, or have us send it directly to another provider.
- Objection - object to processing based on legitimate interest, including direct marketing.
- Withdraw consent - where processing relies on consent, you can withdraw it at any time without affecting prior processing.
- Complaint - lodge a complaint with the Czech Office for Personal Data Protection (see Section 13).
To exercise any of these rights, email us at hello@upcitywalks.com. We will respond within one month, as required by GDPR. We may need to verify your identity before we can act on your request.
8. Children’s privacy
Our service is intended for adults. We do not knowingly collect personal data directly from children under 15 (the age of digital consent under Czech law). Children may participate in tours booked by a parent or guardian, in which case we collect only the minimum information needed (typically first name and age category, for the guide’s headcount).
If you believe a child under 15 has provided us with personal data, please contact us and we will delete it.
9. How we protect your data
We use technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These include encrypted connections (HTTPS / TLS) for all traffic to and from the site, secure password hashing for accounts, access controls so that only authorised staff can reach personal data, and regular review of our infrastructure.
No system is completely secure. If we ever become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the Czech Office for Personal Data Protection within 72 hours, and we will tell you directly where required by GDPR.
10. Third-party links
Our site sometimes links to third-party websites — for example, maps, social media, or partner pages. We are not responsible for the privacy practices of these sites. We encourage you to read their privacy policies before sharing any information with them.
11. Cookies
We use cookies and similar technologies to make the site work, to remember your preferences, and (with your consent) to measure how the site is used. A full list of cookies, their purpose, and how to manage them is in our Cookie Policy.
12. Changes to this policy
We may update this Privacy Policy from time to time, for example when we add new features, change service providers, or when the law changes. When we make significant changes we will update the “Last updated” date at the top of this page, and where appropriate notify you by email or via a notice on the site. We encourage you to review this page periodically.
13. Contact us & complaints
If you have any questions about this policy or how we handle your personal data, please reach out:
UpCityWalks
Email: hello@upcitywalks.com
Postal: [Registered address, Prague]
If we have appointed a Data Protection Officer, you can also contact them directly at privacy@upcitywalks.com.
You also have the right to lodge a complaint with the Czech supervisory authority:
Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27
170 00 Prague 7
Czech Republic
Email: posta@uoou.cz
Website: www.uoou.cz/en
We would appreciate the chance to address your concerns directly before you contact the authority, but you may complain to them at any time.
This Privacy Policy is provided in English. If a translation is offered in another language and there is any inconsistency, the English version prevails.