Privacy Policy
Last updated: April 16, 2026
Version: 2.0
GDPR Compliant ✓
This Privacy Policy explains how Oceanic Consulting VOF ("we", "us", "our") collects, uses, and protects your personal data when you use TOURIBO (touribo.com and touribo.ai). We are committed to full compliance with the General Data Protection Regulation (GDPR) and Dutch privacy law.
1. Data Controller
TOURIBO is operated by Oceanic Consulting VOF, a company registered in the Netherlands.
Company: Oceanic Consulting VOF
Registration: KVK 84553081
Address: Poortugaal, Netherlands
Email: [email protected]
Website: touribo.com | touribo.ai | esim.touribo.com
As data controller, we determine the purposes and means of processing your personal data.
2. Data We Collect
We collect the following categories of personal data:
ACCOUNT DATA
- Email address (required for account creation)
- Display name (optional)
- Password (stored as bcrypt hash — never in plain text)
- Profile picture (if provided via Google OAuth)
- Account creation date and last login
TRIP DATA
- Destinations, cities, and travel dates
- Flight numbers you enter
- Hotel names and addresses
- Activities and itineraries generated
- Notes and ratings you add
- Trip sharing preferences
USAGE DATA
- Pages visited and features used
- Device type and browser (via Google Analytics)
- IP address (hashed and anonymized)
- Session duration and interaction patterns
CONSENT DATA
- Cookie consent choices with timestamp
- IP hash at time of consent
- User agent string
API DATA (B2B users)
- API key usage statistics
- Request timestamps and endpoints called
- Call counts per billing period
ESIM STORE DATA (esim.touribo.com)
- Email address (for eSIM delivery)
- Payment information (processed by Stripe — we never store card details)
- eSIM order history and delivery status
- Device information for eSIM activation
We do NOT collect:
- Payment card details (handled by payment processors)
- Precise GPS location without explicit permission
- Biometric data
- Special category data (health, ethnicity, etc.)
3. Legal Basis for Processing
We process your data under the following legal bases (GDPR Article 6):
CONTRACT PERFORMANCE (Art. 6(1)(b))
Processing necessary to provide the TOURIBO service:
- Account management and authentication
- Trip generation and storage
- API service delivery
LEGITIMATE INTERESTS (Art. 6(1)(f))
Processing for our legitimate business interests:
- Service improvement and bug fixing
- Security monitoring and fraud prevention
- Anonymous usage analytics
- System performance optimization
We have conducted legitimate interest assessments (LIAs) for each of the above purposes.
CONSENT (Art. 6(1)(a))
Processing based on your explicit consent:
- Analytics cookies (Google Analytics)
- Marketing communications (if opted in)
You may withdraw consent at any time without affecting the lawfulness of prior processing.
LEGAL OBLIGATION (Art. 6(1)(c))
Processing required by law:
- Tax and financial records retention
- Responding to lawful requests from authorities
4. How We Use Your Data
We use your personal data solely for the following purposes:
SERVICE DELIVERY
- Creating and managing your account
- Generating AI-powered travel itineraries
- Storing and syncing your trips across devices
- Providing the travel assistant feature
SERVICE IMPROVEMENT
- Analyzing usage patterns to improve features
- Identifying and fixing technical issues
- Optimizing AI model performance
SECURITY
- Detecting and preventing unauthorized access
- Monitoring for abuse or policy violations
- Rate limiting API usage
COMMUNICATION
- Sending essential service emails (account, security)
- Responding to support requests
- Notifying of significant policy changes
We do NOT:
- Sell your personal data to third parties
- Use your data for advertising profiling
- Share trip data with travel providers without consent
- Use your data for automated individual decision-making with legal effects
5. Sub-processors & Third Parties
We share data with the following sub-processors to deliver our service:
AI PROVIDERS
- Anthropic (Claude AI) — itinerary generation
Data shared: Trip parameters, no personal identifiers
Location: United States
Safeguard: Standard Contractual Clauses (SCCs)
- Google (Gemini AI) — itinerary generation, search
Data shared: Trip parameters, no personal identifiers
Location: United States / EU
Safeguard: Google Cloud Data Processing Addendum
MAPPING & LOCATION
- Google Maps Platform — maps, places, directions
Data shared: City names, coordinates
Location: United States / EU
Safeguard: Google Cloud Data Processing Addendum
ANALYTICS
- Google Analytics 4 — usage analytics
Data shared: Anonymized usage data, IP (anonymized)
Location: United States / EU
Safeguard: Google Analytics Data Processing Terms
Note: Only activated with your cookie consent
INFRASTRUCTURE
- Hetzner Cloud — server hosting
Data shared: All stored data (encrypted at rest)
Location: Germany (EU)
Safeguard: EU-based processing, GDPR compliant
- Cloudflare — CDN and DDoS protection
Data shared: Request metadata, IP addresses
Location: Global with EU processing option
Safeguard: Cloudflare GDPR Data Processing Addendum
ESIM & PAYMENT
- Stripe (stripe.com) — payment processing for esim.touribo.com
Data shared: Order amount, email address, payment method
Location: United States / EU
Safeguard: Stripe Data Processing Agreement (PCI DSS Level 1)
- zendit (zendit.io) — eSIM delivery and fulfillment
Data shared: Order ID, eSIM plan details
Location: Netherlands
Safeguard: Data Processing Agreement
- Brevo (brevo.com) — transactional email delivery
Data shared: Email address, order confirmation content
Location: France (EU)
Safeguard: Brevo Data Processing Agreement
All sub-processors are bound by data processing agreements and are required to implement appropriate technical and organizational measures.
6. International Data Transfers
Some of our sub-processors are located outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) — approved by the European Commission
- Adequacy decisions — where applicable
- Binding Corporate Rules — where offered by the sub-processor
For transfers to the United States, we rely on Standard Contractual Clauses in combination with the sub-processor's security certifications.
You may request a copy of the relevant transfer mechanisms by contacting [email protected].
7. Data Retention
We retain your data for the following periods:
ACCOUNT DATA
- Active accounts: retained for the duration of your account
- Deleted accounts: immediately deleted upon request (cascade deletion)
- Inactive accounts: deleted after 2 years of inactivity (automated)
TRIP DATA
- Retained as long as your account is active
- Deleted immediately when you delete a trip
- Deleted within 30 days of account deletion
CONSENT LOGS
- Retained for 3 years (legal requirement for demonstrating compliance)
- Automatically purged after retention period
ANALYTICS DATA
- Google Analytics data: 14 months (Google's default)
- Internal usage logs: 90 days
API USAGE DATA
- Call logs: 12 months for billing and abuse detection
- Aggregated statistics: indefinitely (no personal data)
SECURITY LOGS
- Authentication logs: 90 days
- Security incident logs: 3 years
Our automated cleanup runs on the 1st of each month and removes data past its retention period.
8. Your Rights Under GDPR
Under the General Data Protection Regulation (GDPR), you have the following rights:
RIGHT OF ACCESS (Art. 15)
You can request a copy of all personal data we hold about you.
→ Use "Export My Data" in your Dashboard settings
RIGHT TO RECTIFICATION (Art. 16)
You can correct inaccurate personal data.
→ Update your profile in account settings
→ Contact [email protected] for other corrections
RIGHT TO ERASURE (Art. 17) — "Right to be Forgotten"
You can request deletion of all your personal data.
→ Use "Delete My Account" in Dashboard settings
→ Deletion cascades to all trips, activities, and notes
RIGHT TO DATA PORTABILITY (Art. 20)
You can receive your data in machine-readable format.
→ Use "Export My Data" in Dashboard (JSON format)
RIGHT TO RESTRICTION (Art. 18)
You can request we limit processing of your data while a dispute is resolved.
→ Contact [email protected]
RIGHT TO OBJECT (Art. 21)
You can object to processing based on legitimate interests.
→ Contact [email protected]
RIGHT TO WITHDRAW CONSENT (Art. 7(3))
You can withdraw cookie consent at any time.
→ Clear cookies and revisit touribo.com to reset consent
→ Contact [email protected]
RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING (Art. 22)
We do not make legally significant automated decisions about you.
HOW TO EXERCISE YOUR RIGHTS
Email: [email protected]
Response time: Within 30 days (may be extended to 60 days for complex requests)
We will verify your identity before processing rights requests.
RIGHT TO LODGE A COMPLAINT
If you believe we have violated your rights, you may lodge a complaint with:
- The Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
Website: autoriteitpersoonsgegevens.nl
Phone: +31 70 888 85 00
- Your local EU supervisory authority
10. Security Measures
We implement the following technical and organizational measures to protect your data:
TECHNICAL MEASURES
- All data transmitted over TLS 1.3 (HTTPS enforced)
- Passwords hashed using bcrypt (cost factor 12)
- IP addresses hashed using SHA-256 before storage
- Database access restricted to application servers only
- API keys stored as hashed values
- Regular automated backups with encryption
- Server located in Germany (Hetzner, ISO 27001 certified)
ORGANIZATIONAL MEASURES
- Access control: only authorized personnel access production systems
- Regular security updates and patch management
- Dependency vulnerability monitoring
- Incident response procedures documented
DATA BREACH PROCEDURE
In the event of a data breach:
1. We will assess the breach within 24 hours
2. Notify the Dutch DPA within 72 hours if required
3. Notify affected users without undue delay if high risk
4. Document the breach in our incident log
To report a security vulnerability: [email protected]
11. Children's Privacy
TOURIBO is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16.
If you are under 16, please do not use TOURIBO or provide any personal information.
If we become aware that we have collected personal data from a child under 16 without parental consent, we will delete it immediately.
Parents or guardians who believe their child has provided personal data should contact [email protected].
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes:
- We will update the "Last Updated" date at the top
- We will notify registered users by email
- We will display a notice on the website
- For material changes affecting your rights, we will seek fresh consent where required
We encourage you to review this policy periodically.
Your continued use of TOURIBO after changes constitutes acceptance of the updated policy (for non-material changes).
13. Contact & DPO
For all privacy-related matters:
Privacy Officer: Oceanic Consulting VOF
Email: [email protected]
Response time: Within 30 days
Postal Address:
Oceanic Consulting VOF
Poortugaal, Netherlands
KVK 84553081
For urgent security matters, please mark your email as "URGENT — SECURITY".
Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
Website: autoriteitpersoonsgegevens.nl
Phone: +31 70 888 85 00