At ThingsToDo.app, protecting your personal information is our priority. We only use your data in line with applicable legal rules, especially the EU General Data Protection Regulation (GDPR).
This Privacy Policy explains how we collect, use, and protect your personal data when you use our website, mobile apps, and services. It also explains your rights and how you can contact us.
If you are a U.S. resident, please check the section “United States Residents’ Rights” and our CCPA notice for additional details.
If you are a tour/activity provider or marketing partner, please review our Supplier Privacy Policy to understand how your data is used in a business relationship.
This Privacy Policy is written in English. If there are any translation differences, the English version is final.
I. Terms
- Activity – tours, attractions, tickets, or travel experiences offered by providers through ThingsToDo.app.
- Activity Provider – the provider offering these activities.
- CCPA – California Consumer Privacy Act of 2018.
- GDPR – General Data Protection Regulation (EU) 2016/679.
- ThingsToDo.app Platform – our booking platform available at www.getThingsToDo.app, mobile apps, partner websites, tools, and devices.
- Personal Data – any information that identifies you (e.g., name, email, device info, IP address).
II. Controller and Contact
The Controller responsible for handling your data is:
Controller: ThingsToDo Technologies
Contact: [email protected]
Please note: When you book an activity, your data may also be processed by the Activity Provider. In that case, they act as a separate data controller, and their own privacy policy applies.
III. Data We Collect & How We Use It
1. Automated Data Collection
When you visit ThingsToDo.app, we automatically collect technical data such as:
- URL of the page visited
- Connection speed/latency
- Date and time
- Device info (OS, browser, app version, language settings, crash logs)
- Pages you click/view
- IP address
We collect this to run our platform securely, prevent fraud, and improve performance (legitimate interest, Art. 6 para. 1 lit. f GDPR).
👉 Your IP address is encrypted and deleted within 30 days.
2. Data You Provide via Your Account
a. Registration
Creating an account is optional. If you register, we may collect:
- Full name
- Email address
- Password
You can also sign up using Google, Facebook, or Apple. In that case, we receive:
- Name
- Email address
- Profile photo (Facebook only)
- Authentication token
We use this to set up and manage your account (Art. 6 para. 1 lit. b GDPR).
b. Wishlists
You can save activities to a wishlist. We use this to give personalized recommendations and show relevant offers (legitimate interest, Art. 6 para. 1 lit. f GDPR).
c. Activity Reviews
After completing an activity, you may leave a review or rating. This may include:
- Rating, comments, photos
- Age range, country, first name
Reviews may appear on:
- Our platform
- Partner websites
- Promotional materials
👉 You can post anonymously or ask us to delete your review anytime by contacting support.
👉 You can also unsubscribe from review requests via the link in our emails or in your account settings.
We process this data to help other travelers, improve our services, and for marketing (legitimate interest, Art. 6 para. 1 lit. f GDPR).
3. Customer Service
3.1. Handling Inquiries
If you contact our customer support team (via email, app, or social media), we may collect personal information you provide such as:
- Name
- Email address
- Booking number
- Any details you share in your message
We may work with trusted customer service providers to respond to your requests. Some of these providers may be located outside the European Economic Area (EEA). In these cases, we use European Commission–approved standard contractual clauses to make sure your data remains protected.
We also use third-party tools like Zendesk (for support ticket management), AI-powered assistants (for faster responses), and Sprout Social (for managing social media requests). These companies may process your data (such as your name, email, username, or request details) on our behalf, and in some cases, outside the EEA. Such transfers are protected under international data frameworks so that your data remains protected.
3.2. Improving Customer Service
To provide better support, we may analyze keywords and trends in customer inquiries. We may also send you feedback surveys after your support request to measure satisfaction and improve quality.
For this, we use analytics and feedback tools (e.g., Chattermill, Google Looker, and Simplesat). If your data is transferred outside the EEA, we apply the required legal safeguards such as standard contractual clauses or rely on adequacy decisions.
3.3. Translating Requests
Sometimes, to properly handle your inquiry, we may need to translate your message. We use trusted translation services such as DeepL and OpenAI for this purpose. Only the necessary information is processed, and this is done under our legitimate interest in providing international customer service (Art. 6 para. 1 lit. f GDPR).
3.4. Call Recordings
If you contact us by phone, we may ask for your consent to record the call. Recordings are used only to improve customer service and are deleted after three months.
👉 You can withdraw your consent at any time by contacting us. Your withdrawal will not affect the legality of any processing already done before your request.
4. Technical Service Providers
4.1. Website Hosting
Our website is hosted on Amazon Web Services (AWS). When you use ThingsToDo.app, your personal data may be processed on AWS servers. We use servers located in the European Union.
In some cases (e.g., maintenance), AWS may process data outside the EEA, particularly in the USA. AWS participates in the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework, ensuring your data remains protected.
4.2. Email Delivery
We use SendGrid (Twilio Inc.) to send emails such as confirmations, updates, and notifications. Twilio may process data outside the EEA, specifically in the USA, under the same privacy frameworks mentioned above.
4.3. Protection Against Bots
To protect ThingsToDo.app from spam, bots, and misuse, we use Cheq and Datadog.
- Cheq processes device data only to check if a request is from a human. No extra storage occurs. Data may be processed in Israel, which is recognized by the EU as having adequate data protection.
- Datadog may process data in the USA under the Data Privacy Framework.
This processing is based on our legitimate interest in keeping the platform secure (Art. 6 para. 1 lit. f GDPR).
5. Marketing Newsletters
You can subscribe to the ThingsToDo.app newsletter to receive updates on offers, activities, and promotions.
- By subscribing, you consent to us processing your email and engagement data to send and personalize newsletters (Art. 6 para. 1 lit. a GDPR).
- We also log your IP address, date, and time of subscription to document consent.
If you already booked an activity or created an account, we may send you information about similar offers (legitimate interest, Art. 6 para. 1 lit. f GDPR, § 7 para. 3 UWG) unless you opt out.
👉 You can unsubscribe anytime via the unsubscribe link in emails, account settings (Notifications tab), or by contacting support.
We use Braze Inc. to manage and personalize newsletters. Braze may process data in the USA under the Data Privacy Framework.
6. Booking Activities
6.1. Activity Providers
When you book an activity on ThingsToDo.app, we collect details needed to process your booking:
- Name, billing address, email, phone number
- Number of participants
- Booking date/time
- Activity details (and sometimes passport number, age, or other required info)
We use this data to complete and manage your booking (Art. 6 para. 1 lit. b GDPR). When necessary, this data is shared with the Activity Provider, who acts as an independent data controller under their own privacy policy.
If booking requires a transfer outside the EEA, it is based on Art. 49 para. 1 lit. b, c GDPR.
- If you book via a partner site, you’ll be redirected to ThingsToDo.app to finalize your booking.
- If you book via a travel agency, they collect your details under their own policy and pass us the booking info.
If you share booking details with other participants (e.g., adding their email), you are responsible for obtaining their consent.
6.2. Booking Confirmations
We’ll send you confirmations, reminders, and updates about your bookings (e.g., meeting point changes).
These may be sent by email, SMS (if provided), or app push notification. If you have an account, you can manage notification preferences under Settings → Notifications.
This processing is necessary to deliver our service (Art. 6 para. 1 lit. b GDPR).
6.3. Booking Cancellation Insurance
Some activities include the option to purchase cancellation insurance. This service is provided by Companjon Admin GmbH (“Companjon”).
- If you choose this, your data will be processed to manage the insurance (Art. 6 para. 1 lit. b GDPR).
- For insurance contracts (eligibility, claims, etc.), Companjon acts as an independent controller.
- For offering insurance via our site, ThingsToDo.app and Companjon act as joint controllers.
You may exercise your rights by contacting either ThingsToDo.app or Companjon, and we will ensure your request reaches the right party.
7. Payments
We provide several payment options for booking an Activity. Depending on your selected payment method, we process your Personal Data to complete the transaction. This is necessary to fulfill our contractual obligations (Art. 6 para. 1 lit. b GDPR).
7.1 Credit Card Payments
Credit card payments are handled by Adyen N.V. (“Adyen”). Adyen transfers your payment details to the relevant banks/financial institutions. We only receive confirmation of the payment status and partial card details (first six and last four digits). We do not access your full card number. More information: Adyen Privacy Policy.
We also use Primer API Ltd. (“Primer”) for payment orchestration. Primer routes the payment request to the correct service provider and may process data in the UK (recognized by the EU as having adequate data protection). More information: Primer Privacy Policy.
7.2 Other Payment Services (PayPal, Stripe, Checkout.com, J.P. Morgan)
When paying with these services, we receive payment confirmation and may also obtain billing/contact details (e.g., your PayPal email). These providers act both as independent controllers and, in some cases, as processors on our behalf. Their privacy policies apply:
- PayPal Inc.
- Stripe Payments Europe Ltd.
- Checkout SAS
- J.P. Morgan Chase Bank N.A.
7.3 Payment by Invoice
For invoice payments, we use Klarna Bank AB (publ) (“Klarna”). Klarna may run credit checks (including probability score values based on statistical models and address data) before processing your payment. More information: Klarna Privacy Policy.
7.4 Chargebacks
If a chargeback occurs, we work with Global Merchant Risk Technologies Ltd. (“Chargebacks911”) to manage the process with your bank. They may access booking and payment data to resolve the dispute. This is based on contractual necessity (Art. 6 para. 1 lit. b GDPR) and our legitimate interest in efficient chargeback handling (Art. 6 para. 1 lit. f GDPR). More information: Chargebacks911 Privacy Policy.
8. Fraud Prevention
To protect our platform, Activity Providers, and customers from fraud, we use fraud prevention services from Sift Science, Inc., Adyen N.V., and Ethoca Inc. These tools analyze transaction and behavior data to detect suspicious or malicious activity. Processing is based on our legitimate interest in security and fraud prevention (Art. 6 para. 1 lit. f GDPR).
- Sift Science may process data in the USA (protected via EU Standard Contractual Clauses under Art. 46 para. 2 lit. c GDPR).
- Ethoca may process data in Canada (recognized as adequate by the EU).
9. Cookies and Tracking Technologies
We use cookies and similar technologies to provide website/app functions, optimize usability, and support marketing.
Types of technologies used:
- Session Cookies – store technical data during your visit (e.g., login status).
- Persistent Cookies – store data beyond a single session (if you choose).
- Web Beacons (tracking pixels) – collect info such as device type, IP address, visit time, and cookie status.
- Scripts – support functionality (e.g., security, interactivity, analytics, advertising).
- Tracking URLs – record which website/app led you to us.
- SDKs – integrated in our apps; collect device IDs, IP, usage data, and support push notifications or third-party integrations.
Categories of technologies:
- Strictly Necessary – required for basic site/app functionality.
- Analytical – measure and improve performance (usage, pages visited, searches).
- Marketing – used with trusted partners to personalize content/ads and track user journeys.
Your controls:
You can manage or revoke consent for Analytical/Marketing technologies at any time via “Cookies and Marketing Preferences” (website footer) or “Privacy Preferences” (app menu). Settings apply across devices using a unique identifier.
Legal basis:
- Strictly necessary technologies – required under § 25 para. 2 TDDDG / Art. 6 para. 1 lit. b GDPR.
- Analytical/Marketing technologies – used only with your consent (revocable at any time).
10. Customer Research
10.1. Customer Surveys and Research Panels
We, or carefully selected research agencies, may invite customers or external participants to take part in research studies. Participation (including any recordings, e.g., video) only takes place with your prior explicit written consent in accordance with Art. 6 para. 1 lit. a GDPR.
We may collaborate with the following research agencies, each acting as an independent data controller:
- Respondent, Inc. (“Respondent”)
- Userlytics Corp. (“Userlytics”)
- Lookback Group Inc. (“Lookback”)
These providers may process data outside the European Economic Area (EEA), specifically in the USA. To safeguard your rights, we rely on the European Commission’s Standard Contractual Clauses (SCCs) under Art. 46 para. 2 lit. c GDPR.
Additionally, when visiting our website, you may be asked to answer short product or feature-related questions. These responses are collected in aggregated, non-identifiable form. Participation is entirely voluntary.
10.2. Visitor Journey Recordings
We use heat mapping and session recording services from Hotjar Ltd. (“Hotjar”) to analyze visitor interactions (e.g., clicks, movements, scrolls). Recordings are limited to specific pages and a small number of random sessions.
- Retention: 365 days, then automatic deletion.
- Basis: Your consent (Art. 6 para. 1 lit. a GDPR).
- Hotjar honors “Do Not Track” (DNT) browser requests.
11. Marketing and Remarketing Services
We use marketing and remarketing tools only with your consent (Art. 6 para. 1 lit. a GDPR). You may withdraw consent at any time via the “Cookies and Marketing Preferences” link (website footer) or the “Privacy Preferences” menu (app). Revocation does not affect prior lawful processing.
11.1. Advertising Effectiveness Analysis
- Smartly.io Solutions Oy (“Smartly”)
- Adjust GmbH (“Adjust”)
These tools measure campaign success and optimize advertising strategies.
11.2. Google Services
Provider: Google Ireland Limited.
Google may process data in the USA, covered by the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Framework.
11.2.1. Google Analytics 360
- Collects pseudonymized usage data, including shortened IP addresses.
- Retention: up to 26 months, then aggregated.
- Consent can be withdrawn via: browser add-on, our consent manager, or [Google opt-out tools].
11.2.2. Google Ads, Display & Video 360, Campaign Manager
If you consent, remarketing tools analyze your interactions and deliver personalized ads across the Google Network (Search, YouTube, Display Network).
- Involves cookies, tags, SDKs, and server-to-server integrations.
- Google may combine browsing history with your Google Account (if you consent).
Options to manage ads:
- Disable personalized ads on Google
- Disable personalized ads per device
- Disable personalized ads per browser
11.3. Meta Services (Facebook, Instagram)
Provider: Meta Platforms Ireland Limited.
Data may be processed in the USA under the EU-U.S. Data Privacy Framework.
11.3.1. Meta Pixel & Server-to-Server Integration
If you consent, we share website/app usage data with Meta to:
- Deliver personalized ads
- Analyze ad performance
- Build lookalike audiences
Data transmitted: URLs, referrer, IP address, device/browser details, timestamp, and (if available) hashed identifiers like Facebook ID.
- Joint Controllers: Meta & ThingsToDo
Users without Meta accounts are excluded by Meta.
11.4. TikTok Ads
Provider: TikTok Technology Ltd.
If you consent, TikTok processes interaction data to deliver interest-based ads and measure marketing effectiveness.
- Data transfers outside the EEA are safeguarded by SCCs (Art. 46 para. 2 lit. c GDPR).
- [TikTok Privacy Policy]
11.5. Other Remarketing & Affiliate Services
If you consent, we may also use:
- Criteo S.A. → personalized ads across the Criteo network
- Microsoft Ireland Operations Limited → Bing Ads + partner sites
- Snap Group Limited (“Snapchat”) → personalized ads
- Affiliate Networks: AWIN AG, Conversant Europe Ltd., Tradedoubler GmbH, Rakuten Marketing (AU & JP)
Each service uses cookies/trackers to analyze usage and deliver ads based on your preferences.
12. Integrated Third-Party Content
We embed third-party content (e.g., videos, widgets, CMS content) into our site. Loading such content requires your device to transmit technical data (such as your IP address) to the respective provider.
- Processing is subject to each provider’s own privacy policy.
- Basis: Legitimate interest (Art. 6 para. 1 lit. f GDPR) — ensuring content availability and website functionality.
Example: We integrate services from Contentstack LLC (“Contentstack”).
13. Social Media
We maintain official pages on various social media platforms. When you interact with us there, the respective platform providers also process your Personal Data in accordance with their own privacy policies.
13.1. Facebook
- Our Facebook Page is available.
- Operator: Meta Platforms Ireland Limited.
- When you visit or interact with our Page, Meta processes your Personal Data (whether or not you have a Facebook account).
- Together with Meta, we act as joint controllers for “Page Insights” data, which provides us with aggregated, non-identifiable analytics about activity on our Page.
- Meta assumes primary GDPR responsibility for Page Insights.
- Data may be transferred to the USA and other third countries. Transfers are safeguarded by the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Framework.
13.2. Instagram
- Our Instagram Page is available.
- Operator: Meta Platforms Ireland Limited.
- Meta provides us with “Page Insights” about activity on our Instagram Page.
- Data is processed jointly by Meta and us, with Meta assuming primary GDPR responsibility.
- Basis: legitimate interest (Art. 6 para. 1 lit. f GDPR) — optimizing our Instagram presence.
13.3. X (formerly Twitter)
- Operator: X Corp.
- Personal Data may be processed outside the EEA, including in the USA.
- Safeguards: EU-U.S. Data Privacy Framework and related extensions.
13.4. Pinterest
- Operator: Pinterest Europe Ltd.
- Pinterest provides us with aggregated, non-identifiable analytics.
- Basis: legitimate interest (Art. 6 para. 1 lit. f GDPR) — analyzing and improving Pinterest activities.
13.5. TikTok
- Operators: Depending on your region → TikTok Technology Limited / TikTok Information Technologies UK Limited / TikTok Inc. / TikTok Pte. Ltd.
- TikTok may transfer data to third countries without adequacy decisions. Safeguards: Standard Contractual Clauses (SCCs).
- Joint responsibility: TikTok provides us with TikTok Analytics (aggregated insights). TikTok assumes primary GDPR responsibility.
- Basis: legitimate interest (Art. 6 para. 1 lit. f GDPR).
13.6. YouTube
- Operator: Google Ireland Limited.
- Google may merge YouTube data with other Google services (depending on your Google account settings).
- We receive non-personal analytics about our videos and channel performance.
- Basis: legitimate interest (Art. 6 para. 1 lit. f GDPR).
13.7. LinkedIn
- Operator: LinkedIn Ireland Unlimited Company (for EEA/Switzerland).
- LinkedIn may transfer Personal Data outside the EEA, safeguarded via Standard Contractual Clauses (SCCs).
- We receive non-personal analytics on our posts and account activity.
- Basis: legitimate interest (Art. 6 para. 1 lit. f GDPR).
13.8. WhatsApp
- You can contact us via WhatsApp (operated by Meta).
- Data processing for handling inquiries: contract performance (Art. 6 para. 1 lit. b GDPR).
- Further storage:
  - Legitimate interest (business documentation, legal defense) — Art. 6 para. 1 lit. f GDPR
  - Legal obligations (if applicable) — Art. 6 para. 1 lit. c GDPR
13.9. Competitions
If we run social media competitions, we may process your participation data (e.g., comments, likes, tags) to manage the competition and notify winners.
- Basis: contract performance (Art. 6 para. 1 lit. b GDPR).
13.10. Social Media Management
We may record when our brand is tagged on social networks and process related information.
- Basis: legitimate interest (Art. 6 para. 1 lit. f GDPR) — measuring engagement and success of our activities.
13.11. Analysis of Social Media Activities
We analyze the reach and performance of our posts (e.g., clicks, interactions) using tools like Google Looker and Google Analytics.
- Basis: legitimate interest (Art. 6 para. 1 lit. f GDPR).
14. CRM System
To manage customer relationships, we use a Customer Relationship Management (CRM) system. This helps us:
- Respond efficiently to inquiries
- Organize communications
- Deliver contextual advertising within legal limits
- Basis: legitimate interest (Art. 6 para. 1 lit. f GDPR).
- Provider: Braze. Personal Data may be processed in the USA.
- Safeguards: EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework.
If you provide consent (Art. 6 para. 1 lit. a GDPR), we may also use Braze to send you:
- Newsletters
- Push notifications
- In-app messages tailored to your interests and usage
15. Personalization of Website Content
We may process your data to show you personalized content on our website (e.g., tours and activities relevant to your interests).
- Legal basis: Our legitimate interest in improving user experience and providing relevant recommendations (Art. 6 para. 1 lit. f GDPR).
16. Further Sharing of Data
Beyond the cases described above, we only share Personal Data without your prior consent in the following situations:
- Law enforcement & legal obligations:
  If necessary to investigate illegal use of our services, prosecute offenses, or respond to official requests, we may share Personal Data with authorities or injured third parties.
  - Legal basis: legitimate interest (Art. 6 para. 1 lit. f GDPR) or legal obligation (Art. 6 para. 1 lit. c GDPR).
- Business operations:
  We may disclose data to auditors, accounting firms, lawyers, banks, tax advisors, and similar bodies if required for providing services (Art. 6 para. 1 lit. b GDPR), for business operations (Art. 6 para. 1 lit. f GDPR), or due to legal obligations (Art. 6 para. 1 lit. c GDPR).
- Partnerships:
  We may share booking events with trusted partners when related to promotional content on their platforms.
  - Legal basis: legitimate interest in measuring campaign effectiveness and ensuring fair reimbursement (Art. 6 para. 1 lit. f GDPR).
- Service providers (processors):
  We rely on third-party companies for certain services. These providers:
  - Are carefully selected and regularly reviewed
  - May process your data only for specified purposes
  - Are contractually bound to comply with this Privacy Policy and GDPR (Art. 28 para. 1 GDPR)
  If data is transferred outside the EEA, we ensure safeguards such as:
  - Adequacy decisions (Art. 45 GDPR)
  - Standard Contractual Clauses (SCCs) (Art. 46 GDPR)
- Business restructuring:
  In the event of mergers, acquisitions, or restructuring, customer data may be transferred along with the business.
  - Legal basis: legitimate interest in adapting to economic and legal changes (Art. 6 para. 1 lit. f GDPR).
17. Automated Decision-Making & Profiling
We may use automated fraud prevention tools that assign “fraud scores” to transactions.
- If a transaction is flagged as high risk, it may be automatically blocked.
- Your rights: You can request human review, express your opinion, and contest the decision by contacting our privacy team (see Section 19).
18. Data Deletion
- We delete or anonymize your Personal Data when it is no longer needed for its original purpose.
- If legal obligations require retention (e.g., tax or compliance reasons), we restrict processing and retain data only as required.
- If you delete your account, your profile and data will be permanently removed, except for backup copies retained to comply with legal requirements or to secure/defend legal claims (Art. 6 para. 1 lit. f GDPR).
19. Your Rights as a Data Subject
Under GDPR, you have the following rights:
- Right of access (Art. 15 GDPR): Request details of the Personal Data we process about you.
- Right to rectification (Art. 16 GDPR): Request correction of inaccurate Personal Data.
- Right to erasure (Art. 17 GDPR): Request deletion of your Personal Data under certain conditions.
- Right to restriction (Art. 18 GDPR): Request limitation of processing in certain situations.
- Right to data portability (Art. 20 GDPR): Receive your Personal Data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR): Object to processing based on Art. 6 para. 1 lit. e or f GDPR.
- Right to lodge a complaint (Art. 77 GDPR): File a complaint with your supervisory authority.
- Right to withdraw consent (Art. 7 para. 3 GDPR): Withdraw previously given consent at any time.
When you exercise these rights, we may process your Personal Data for verification and documentation purposes.
- Legal basis: Art. 6 para. 1 lit. c GDPR in conjunction with Art. 15–22 GDPR.
📩 Contact:
- Email: [email protected]
- Data Protection Officer: Fresh Compliance Legal Notice
20. Rights for U.S. Residents
If you are a resident of California, Colorado, Connecticut, Virginia, or other U.S. states with data protection laws, you may have additional rights under CCPA/CPRA and similar laws.
20.1. Your Rights Include:
- Access: Know what categories of Personal Data we collect and share.
- Deletion: Request deletion of your Personal Data (with exceptions).
- Correction: Request correction of inaccurate data.
- Limit sensitive data use: Restrict how sensitive data (e.g., IDs, geolocation, health data) is used.
- Do Not Sell/Share My Data: Opt out of sharing data for targeted advertising or behavioral tracking.
- Non-discrimination: You will not be penalized for exercising your rights.
20.2. How to Exercise Your Rights
- Adjust settings in the “Cookies and Marketing Preferences” (website footer) or “Privacy Preferences” (app menu).
- Submit requests directly via our contact details in Section 19.
- Authorized agents (e.g., registered representatives) may submit requests on your behalf.
- Parents may submit requests for their minor children.
20.3. Important Notes
- We do not sell Personal Data as defined under CCPA/CPRA.
- We do not knowingly share the Personal Data of minors under 16 years old.
- Targeted advertising and data sharing occur only in line with your cookie preferences.