Join now

Privacy Policy

Last updated: June 2026

1. Data controller

  • Controller: Rubén Castillo Vázquez (owner of the "Touryteller" brand and app)
  • Tax ID (NIF): 47605649L
  • Registered address: Carrer Riera, 4 BIS, 08759 Vallirana (Barcelona), Spain
  • DPO email: dpo@touryteller.com
  • Website: https://touryteller.com

2. Purposes of processing

At Touryteller we process the personal data you provide for the following purposes:

  • User registration: manage your sign-up as a user of the Touryteller platform and mobile app, allowing you to access available services.
  • Bookings and service management: process your bookings of gamified urban routes and manage checkpoints, scores and content associated with your experience.
  • Location-based features: provide the map, route navigation and checkpoint validation features in the mobile app (see section 7).
  • Advertising: display advertising in the free version of the mobile app (see section 7).
  • Payment processing: process the purchases made in the app through a secure payment provider (see section 7).
  • Sign-in and authentication: allow you to create your account and sign in securely, including via Google and Apple (see section 7.4).
  • Media content: allow you to capture and attach photos and videos during the tours.
  • Marketing communications: send you information about new routes, promotions, events and Touryteller news, provided you have given prior consent.
  • Satisfaction surveys: send you surveys to learn your opinion about the services provided and improve platform quality.
  • Statistical studies: carry out aggregated and anonymised analyses on platform usage to improve our services.
  • User support: handle queries, requests or incidents you send us through enabled contact channels.
  • Compliance with legal obligations: respond to requirements from public administrations and comply with applicable regulations.

3. Legal basis for processing

The legal basis for processing your data depends on each purpose:

  • Performance of contract (Art. 6.1.b GDPR): processing is necessary to provide the contracted services, including platform registration and sign-in, booking management, participation in gamified routes and payment processing.
  • Legitimate interest (Art. 6.1.f GDPR): we carry out anonymised statistical studies and satisfaction surveys to improve our services. You may object to this processing at any time.
  • Consent (Art. 6.1.a GDPR): certain processing is based on your express consent —marketing communications, access to geolocation and personalised advertising in the mobile app—, which you may withdraw at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6.1.c GDPR): processing of certain data is necessary to comply with tax, commercial and other obligations required from us.

4. Recipients of the data

Your personal data may be communicated to the following recipients:

  • Public administrations: when there is a legal obligation (Tax Agency, Social Security, judicial authorities).
  • Payment providers (Stripe): Stripe Payments Europe, Ltd. and Stripe, Inc., to securely process the payments made in the app. Touryteller does not store your full card details.
  • Maps and geolocation provider (Mapbox): Mapbox, Inc., to generate the interactive maps and show your position in the mobile app.
  • Advertising network (Google AdMob): Google Ireland Ltd. / Google LLC, to display and measure advertising in the free version of the mobile app.
  • Firebase (Google): Google Ireland Ltd. / Google LLC, for authentication and sign-in in the mobile app (Firebase Authentication).
  • Sign-in providers (Google and Apple): Google LLC (Google Sign-In) and Apple Inc. (Sign in with Apple), only if you choose to sign in with your Google account or your Apple ID.
  • Social networks: only if you expressly authorise the linking of your Touryteller account with profiles on social networks (Meta/Facebook, Instagram, X, TikTok, LinkedIn).
  • Technology service providers: companies providing us with hosting, email, analytics and communications services, with whom we have signed the corresponding data processing agreements.

5. International data transfers

Some of our technology providers are located outside the European Economic Area. In all cases we have adopted appropriate safeguards to protect your data:

  • Google (Google Drive, Google Analytics, Google AdMob, Firebase): United States. Adhered to the EU-U.S. Data Privacy Framework (European Commission adequacy decision of 10 July 2023).
  • Mapbox, Inc.: United States. Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Stripe (Stripe Payments Europe, Ltd. — Ireland; Stripe, Inc. — USA): the main processing takes place in the European Union; any transfers to the USA are covered by the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses (SCCs).
  • Apple (Apple Inc.): United States. Adhered to the EU-U.S. Data Privacy Framework. Applies only if you sign in with your Apple ID.
  • Mailchimp (The Rocket Science Group LLC): United States. Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Sendgrid/Twilio Inc.: United States. Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Social networks (Meta Platforms, X Corp., TikTok, LinkedIn): United States and other countries. Standard Contractual Clauses and, where applicable, Data Privacy Framework.

6. Data retention

We will keep your personal data for as long as necessary to fulfil the purpose for which it was collected:

  • Registration data: while you maintain an active account on the platform. Once cancellation is requested, the data will be blocked during the applicable legal periods.
  • Booking and payment data: during the validity of the contractual relationship and, afterwards, during legal prescription periods (5 years for personal actions, 4 years for tax obligations).
  • Location data: processed in real time to provide the service and not retained linked to your identity beyond what is necessary for the operation of the route (see section 7.1).
  • Marketing communications: until you withdraw your consent.
  • Browsing data and cookies: as indicated in our Cookie Policy.

7. Data processing in the mobile app

In addition to the processing described above, the Touryteller mobile app (available for iOS and Android) carries out the following specific processing:

7.1. Geolocation

  • Data processed: precise geographic location (GPS) of your device.
  • Purpose: show your position on the map, guide you along the gamified routes, validate your arrival at checkpoints, unlock content and challenges based on your proximity to points of interest, and display interactive maps.
  • When we access it: only while you are using the app (foreground use). The app does not track your location in the background or when you are not using it.
  • Legal basis: your consent (Art. 6.1.a GDPR), which you grant by accepting the location permission requested by your device's operating system. You may withdraw it at any time from your device settings; in that case, some app features may no longer be available.
  • Maps provider: maps are generated using Mapbox (Mapbox, Inc.). To show you the map and your position, Mapbox may process your location and technical device data. You can read its privacy policy at mapbox.com/legal/privacy.
  • Retention: location data is processed in real time to provide the service and is not retained linked to your identity beyond what is necessary for the operation of the route, except in aggregated and anonymised form for statistical purposes.

7.2. Advertising and advertising identifiers

  • Advertising: the free version of the app may display advertising, including rewarded ads, through Google AdMob (Google Ireland Ltd. / Google LLC).
  • Data processed: to display and measure advertising, AdMob may process your device's advertising identifier (IDFA on iOS; Advertising ID / AAID on Android), device data, IP address and information about your interaction with the ads.
  • App Tracking Transparency (ATT) on iOS: on Apple devices, before carrying out any tracking for advertising purposes we will ask for your permission through Apple's App Tracking Transparency (ATT) system. Personalised advertising will only be shown if you authorise it; if you do not grant permission, you can still use the app and will see non-personalised advertising.
  • Legal basis: your consent (Art. 6.1.a GDPR).
  • How to manage or disable it:
    • iOS: Settings → Privacy & Security → Tracking (you can revoke permission at any time).
    • Android: Settings → Google → Ads (you can reset or delete your advertising ID and turn off personalisation).
  • More information: how Google uses data from apps that use its services at policies.google.com/technologies/partner-sites.

7.3. In-app payments

  • Payment provider: purchases made in the app are processed through Stripe (Stripe Payments Europe, Ltd. and Stripe, Inc.), a payment service provider compliant with the PCI-DSS security standard.
  • Data processed: the data needed to process the payment (amount, card or payment method details, and billing data) is processed directly by Stripe. Touryteller does not store your full card details.
  • Legal basis: performance of contract (Art. 6.1.b GDPR) and compliance with legal obligations (Art. 6.1.c GDPR).
  • More information: stripe.com/privacy.

7.4. Sign-in and authentication

  • Service: sign-in and account management are handled through Firebase Authentication (Google), with the option to sign in via Google Sign-In or Sign in with Apple.
  • Data processed: your email address, a user identifier and the basic account data that the chosen provider (Google or Apple) shares to authenticate you.
  • Purpose: create your account, authenticate you securely and give you access to the app's services.
  • Legal basis: performance of contract (Art. 6.1.b GDPR).
  • Scope of Firebase use: the app uses Firebase solely for authentication. It does not use Firebase Cloud Messaging, Firebase Analytics, Crashlytics or Performance Monitoring.
  • More information: firebase.google.com/support/privacy and policies.google.com/privacy.

7.5. Device permissions

To provide its features, the app may request the following permissions, which you can grant, deny or revoke at any time from your device settings:

  • Location (while in use): to show you the routes and nearby points of interest of the tour (section 7.1). Accessed only while you are using the app.
  • Camera: to capture photos and videos during the tours.
  • Microphone: to record audio when you record videos.
  • Photos / gallery: to attach media content and save captures to your device.
  • Advertising tracking (ATT / IDFA on iOS): to show AdMob advertising (section 7.2).
  • Internet connection: required for the technical operation of the app.

8. Rights of the data subject

As the data subject, you may exercise the following rights at any time:

  • Right of access: know what personal data of yours we are processing.
  • Right of rectification: request correction of inaccurate or incomplete data.
  • Right of erasure ("right to be forgotten"): request the deletion of your data when it is no longer necessary for the purpose for which it was collected.
  • Right to restriction of processing: request that we restrict the processing of your data in certain circumstances.
  • Right to portability: receive your data in a structured, commonly used and machine-readable format, and transmit it to another controller.
  • Right to object: object to the processing of your data, including profiling.
  • Right not to be subject to automated decisions: not be subjected to decisions based solely on automated processing, including profiling, that produce legal effects.

How to exercise your rights

You may exercise any of these rights by sending a written communication to dpo@touryteller.com, attaching a copy of your ID or equivalent identification document. We will respond to your request within a maximum period of one month from receipt.

Complaints to the supervisory authority

If you consider that the processing of your personal data infringes current regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), based at C/ Jorge Juan, 6, 28001 Madrid, and website www.aepd.es.

9. Responsibility of the data owner

  • The user warrants that they are over 14 years of age and that the data provided is true, accurate, complete and up to date. The user shall be responsible for any damages they may cause to Touryteller or to third parties through providing false, inaccurate, incomplete or outdated data.
  • If the data provided belongs to a third party, the user warrants that they have informed said third party of the aspects contained in this policy and obtained their authorisation to provide their data.

10. Modifications to this policy

Rubén Castillo Vázquez (Touryteller) reserves the right to modify this Privacy Policy to adapt it to legislative or jurisprudential changes, as well as industry practices. In such cases, the modified policy will be published on this page indicating the date of the last update.

Last updated: June 2026.