Introduction
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services. It applies to all interactions with our site and forms.
Data Controller
The data controller is Raphael Tours and Events. See the company details shown above.
What data we collect
- Contact and inquiry data collected via our forms:
- first name, last name, email
- optional: phone, phone country, message, how you heard about us, company name, corporate request flag
- for tour inquiries: number of people, date preference, tour title, tour URL, optional tour id
- Review data submitted via our review form:
- first name, optional last name, email, country, rating, optional review text, optional reservation code, tour title, tour URL, tour id
- Technical data:
- IP address and user-agent may be processed by our infrastructure and third-party providers for security and delivery (e.g., CDN, email provider), and by Supabase when storing submissions
- Cookies for consent and currency preference (see Cookie Policy)
How we collect data
- When you submit our contact or tour inquiry form, we validate your input and store it in our database.
- When you submit a review, we store your review details for moderation and publishing.
- We may process limited technical data via our hosting and analytics stack.
Purpose and legal basis
- Respond to your inquiries and provide customer support (contractual necessity and legitimate interest).
- Manage bookings, tour inquiries, and customer communication (contractual necessity).
- Send confirmation and administrative emails related to your submission (legitimate interest/contractual necessity).
- Moderate and publish reviews (consent and legitimate interest).
- Ensure security, prevent abuse, and maintain service integrity (legitimate interest).
Where data is stored and processed
- Database and forms: Supabase (managed Postgres). Submissions are inserted into
booking_requests
,contact_form_submissions
, andreviews
tables via secure server actions. - Email delivery: Brevo (Sendinblue). We send notification and confirmation emails to customers and admins.
- Hosting/CDN: Our site is deployed with CDN and build tooling which may process logs for delivery and security.
Third parties and processors
- Supabase: storage and retrieval of form and review data.
- Brevo: transactional email delivery for contact, tour inquiry, and review confirmations/notifications.
- Google Tag Manager (GTM): if enabled, used to manage analytics and marketing tags. Data collection depends on configured tags and your consent settings.
- Cloudflare Turnstile: if enabled on forms, used to prevent automated abuse. Processes limited request metadata to validate human interactions.
Cookies and similar technologies
We use essential cookies for consent and preferences. See the Cookie Policy for details. GTM-related cookies are only set if consent is granted where required.
Data retention
- Contact and inquiry submissions: retained as long as necessary to respond and for record-keeping, then deleted or anonymized.
- Reviews: retained for moderation and as long as they remain published, or until you request removal.
- Email logs: retained by our email provider per their retention policy.
Your rights
Depending on your jurisdiction, you may have rights to access, rectify, delete, restrict, port, or object to processing of your personal data. To exercise these rights, contact us at [email protected].
International transfers
We may transfer data to service providers located outside your country. We implement appropriate safeguards such as standard contractual clauses when required.
Security
We use technical and organizational measures including server-side validation, tokenized review workflow, and role-restricted access to reduce risk of unauthorized access.
Children
Our services are not directed to children under 13. If you believe a child has provided us personal data, contact us to remove it.
Contact
For privacy requests, contact [email protected].
Changes to this policy
We may update this policy. Please check the “Last updated” date at the top of this page.