Privacy Policy

1. What Data We Collect

When you use Ventoro Trips, we may collect the following personal data: your name, email address, and phone number when you create an account or make a booking; booking details including trip selection, date, number of participants, and special requests; device and browser information, IP address, and usage data collected automatically when you visit our site. We do not collect or store credit card numbers or payment card details — all payment processing is handled directly by Stripe.

2. How We Use Your Data

We use the data we collect to: process and confirm your bookings; send you booking confirmations and reminders via email; share necessary booking details with the Partner providing your experience (e.g., your name, contact info, number of participants); communicate with you about your account, bookings, or customer support inquiries; improve our platform, analyze usage patterns, and develop new features; send you occasional marketing communications if you have opted in (you can unsubscribe at any time).

3. Third-Party Services

We use trusted third-party services to operate our platform. Each processes data according to their own privacy policies:

• Stripe — payment processing (PCI DSS Level 1 compliant)
• Clerk — user authentication and account management
• Supabase — database and data storage (hosted in EU)
• Resend — transactional and booking confirmation emails
• Vercel — website hosting and delivery
• Google Calendar API — optional calendar sync for Partners (see section 4)
• Google Maps API — displaying meeting point locations on trip pages
• Sentry — error monitoring (captures frontend/backend errors with request context, no PII stored beyond what appears in stack traces)

4. Google API Services User Data

If you connect your Google Calendar to Ventoro Trips (available to Partners), we use the Google Calendar API to write confirmed booking events to your primary calendar. Ventoro Trips' use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We request access to the 'calendar.events' scope solely to create, view, and delete events related to your Ventoro Trips bookings on your primary calendar.
• We request access to 'userinfo.email' and 'openid' only to identify which Google account you have connected and display the email in your dashboard.
• We do NOT read, modify, or store any events that we did not create ourselves.
• We do NOT use Google user data for advertising, profiling, or sell it to third parties.
• We do NOT use Google user data to train generalized or general-purpose AI models.
• We only store the OAuth refresh token and access token required to write events; these are encrypted and accessible only by our booking creation system.
• You can disconnect Google Calendar at any time from your partner dashboard, which immediately invalidates our access to your account.

For transparency, the full Google API Services User Data Policy is available at https://developers.google.com/terms/api-services-user-data-policy. If you have any questions about our use of Google APIs, please contact us at info@ventorotrips.com.

5. Cookies

Ventoro Trips uses a limited number of cookies: authentication cookies managed by Clerk to keep you signed in; an affiliate tracking cookie (valid for 30 days) that records the affiliate source when you arrive via a QR code or affiliate link — this is used to attribute bookings to the correct affiliate partner. We do not use advertising cookies or sell your data to advertisers. You can manage cookie preferences through your browser settings.

6. Data Retention

We retain your booking data for a period of 3 years after the date of the experience, as required for legal, tax, and accounting purposes under Croatian and EU regulations. Account data is retained for as long as your account is active. If you request account deletion, we will remove your personal data within 30 days, except where retention is required by law.

7. Your Rights (GDPR)

Under the EU General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure — request deletion of your personal data
• Right to restriction — request that we limit how we process your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing of your data for certain purposes

To exercise any of these rights, please email us at info@ventorotrips.com. We will respond to your request within 30 days.

8. Data Security

We take the security of your data seriously. All connections to our platform are encrypted using TLS/SSL. Payment data is processed entirely by Stripe and never touches our servers. Access to personal data is restricted to authorized personnel only. We regularly review our security practices and update them as necessary.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable regulations. Any updates will be posted on this page with a revised effective date. We encourage you to review this page periodically. Your continued use of the Platform after changes constitutes acceptance of the updated policy.

10. Contact

If you have any questions or concerns about this Privacy Policy or how we handle your data, please contact us: