Tallinn Heritage Tours

Privacy Policy

Last updated: May 10, 2026


1. Data Controller

The data controller for this service is:

[FIE_NAME]
Registration number: [FIE_REGISTRATION_NUMBER]
Address: [FIE_ADDRESS]
Email: [CONTACT_EMAIL]
Website: [DOMAIN]

We operate as an FIE (sole proprietor) registered in Estonia and are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and Estonian data protection law.

2. Data We Collect

We collect and process the following categories of personal data:

Data Category | Specific Data | Source
Email address | Provided during checkout | You (via Stripe)
IP address | Collected automatically by web server | Your browser
Payment data | Card details processed by Stripe (we never see full card numbers) | Stripe
localStorage data | Tour unlock tokens, cookie consent, language preference | Your browser (local only)
Usage analytics | Page views, device type, referrer (anonymous, no personal identifiers) | Cloudflare Web Analytics
Chat messages | Questions sent to AI tour guide (not stored after session) | You

3. Legal Basis for Processing (GDPR Art. 6)

We process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b)): Processing email and payment data is necessary to fulfill your purchase and deliver access to paid audio tours.
  • Consent (Art. 6(1)(a)): Analytics cookies are only activated with your explicit consent via the cookie banner.
  • Legitimate interest (Art. 6(1)(f)): Security logging (IP addresses) to prevent fraud and abuse.

4. Data Retention

We retain data only as long as necessary:

  • Purchase records (email, tourId, amount): 7 years (Estonian tax/accounting obligation)
  • IP addresses (server logs): 30 days
  • Analytics data (Cloudflare): 90 days
  • Chat messages: Not stored (processed in real-time, discarded after session)
  • localStorage tokens: Until you clear browser data

5. Third Parties

We share data with the following processors to provide the Service:

Processor | Purpose | Data Shared | Location
Stripe, Inc. | Payment processing | Email, card details, amount | USA (SCCs)
Cloudflare, Inc. | Website hosting, CDN, analytics | IP address, page views | Global (SCCs)
Anthropic | AI chatbot responses | Chat messages (not stored) | USA (SCCs)
ElevenLabs (historical) | Audio narration generation (one-time, not ongoing) | Tour scripts (no personal data) | USA
Railway | Backend API hosting | API requests, server logs | USA (SCCs)

We do NOT sell, rent, or share your personal data with any party for marketing purposes.

6. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data
  • Right to rectification (Art. 16): Correct inaccurate data
  • Right to erasure (Art. 17): Request deletion of your data (subject to legal retention)
  • Right to restrict processing (Art. 18): Limit how we use your data
  • Right to data portability (Art. 20): Receive data in machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)): Withdraw cookie/analytics consent at any time

To exercise any of these rights, email us at: [CONTACT_EMAIL]. We will respond within 30 days.

7. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):

Andmekaitse Inspektsioon
Tatari 39, 10134 Tallinn, Estonia
Phone: +372 627 4135
Email: info@aki.ee
Website: www.aki.ee

8. Children Under 16

Our paid Service is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16 without parental consent. If you are under 16, please do not purchase tours or provide personal information. Free tour content (Stop 1) is accessible without providing any personal data.

9. International Data Transfers

Some of our processors (Stripe, Cloudflare, Anthropic, Railway) are based in the United States. For these transfers, we rely on the EU Standard Contractual Clauses (SCCs) as the legal mechanism under GDPR Article 46(2)(c). Each processor maintains appropriate technical and organisational measures to protect your data.

10. Security Measures

We implement the following security measures:

  • All data in transit encrypted via HTTPS/TLS
  • Payment card data handled exclusively by Stripe (PCI DSS Level 1 certified)
  • Backend API protected with rate limiting and authentication
  • No full card numbers ever touch our servers

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal obligations. Material changes will be communicated by updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance.

12. Contact

For privacy-related inquiries:

[FIE_NAME]
Email: [CONTACT_EMAIL]
Address: [FIE_ADDRESS]


This Privacy Policy complies with the EU General Data Protection Regulation (GDPR) and Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).

© 2026 Tallinn Old Town. All rights reserved.