Privacy Policy

Last updated: March 7, 2026

1. Introduction

Venuto ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (venuto.app) and mobile application (collectively, the "Service").

We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws. By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Data Controller

The data controller responsible for your personal data is:

3. Information We Collect

3.1 Information You Provide

  • Contact Information: Name and email address when you contact us or sign up for notifications
  • Tour Preferences: Selected cities, interests, and route preferences
  • Feedback: Reviews, suggestions, and support requests

3.2 Automatically Collected Information

  • Device Information: Device type, operating system, browser type
  • Usage Data: Pages visited, features used, time spent
  • Location Data: Only with your explicit consent, for navigation features in the app
  • IP Address: Used for security purposes and general geographic location (country/region level)

3.3 Cookies and Similar Technologies

We use essential cookies to make our website work. Analytics cookies are only used with your explicit consent. See our Cookie Policy below for full details.

4. Legal Basis for Processing (GDPR)

We process your data based on:

  • Contract Performance (Art. 6(1)(b)): To provide our tour planning services
  • Legitimate Interest (Art. 6(1)(f)): To improve our services, ensure security, and prevent fraud
  • Consent (Art. 6(1)(a)): For marketing communications, analytics cookies, and newsletter subscriptions
  • Legal Obligation (Art. 6(1)(c)): To comply with applicable laws

5. How We Use Your Information

  • To provide and maintain our tour planning Service
  • To personalize your experience and recommendations
  • To respond to your inquiries and support requests
  • To send service updates and notifications (you can opt out anytime)
  • To send iOS app launch notifications (only if you subscribed)
  • To analyze usage patterns and improve our Service (with anonymized data)
  • To detect, prevent, and address technical issues and security threats

6. Service Providers & Data Sharing

We do not sell your personal data. We work with carefully selected service providers who process data on our behalf under Data Processing Agreements (DPAs) that ensure GDPR compliance.

6.1 Our Service Providers

Cloudflare (Hosting & Security)

  • Purpose: Website hosting, content delivery (CDN), DDoS protection, and SSL certificates
  • Data processed: IP addresses, request logs, security tokens
  • Location: Global network with EU data centers
  • DPA: Cloudflare's Data Processing Addendum applies
  • Privacy Policy: cloudflare.com/privacypolicy

Google Tag Manager (Tag Management)

  • Purpose: Centralized management of marketing and analytics tags (scripts) on our website
  • Data processed: GTM itself does not collect personal data, but it deploys tags that may collect data (e.g., analytics, advertising pixels)
  • How it works: GTM acts as a container that loads other tracking scripts based on rules we configure
  • Consent: Tags that require consent (analytics, advertising) are only fired after you provide consent
  • Privacy Policy: policies.google.com/privacy

Web3Forms (Contact & Notification Forms)

  • Purpose: Processing contact form submissions and app launch notification signups
  • Data processed: Email addresses, form content, submission timestamps
  • Data retention: According to our retention policy (see Section 7)
  • Privacy Policy: web3forms.com/privacy

Google Cloud Platform (Backend API)

  • Purpose: Hosting our route optimization API and backend services
  • Data processed: Tour preferences, route requests (anonymized)
  • Location: EU region (europe-west1)
  • DPA: Google Cloud Data Processing Addendum applies
  • Privacy Policy: cloud.google.com/privacy

Microsoft Clarity (Analytics)

We partner with Microsoft Clarity to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization and fraud/security purposes.

  • Consent model: In EEA regions, activated only after consent. Outside EEA, analytics may run by default and can be managed via cookie settings.
  • Data anonymization: Personal information is automatically masked in recordings
  • Privacy Policy: Microsoft Privacy Statement

Google Analytics (Website Analytics)

  • Purpose: Measuring website traffic, page performance, and user engagement trends
  • Data processed: Pseudonymous identifiers, page views, events, device/browser data, approximate region
  • Consent model: In EEA regions, activated only after consent. Outside EEA, analytics may run by default and can be managed via cookie settings.
  • Data retention: Up to 14 months for standard analytics reporting
  • Controls: IP anonymization and consent mode controls are applied where available
  • Opt-out: Google Analytics Opt-out Add-on
  • Privacy Policy: policies.google.com/privacy

Google AdSense (Advertising)

  • Purpose: Displaying relevant travel-related advertisements to help keep Venuto free
  • Data processed: Cookies for ad personalization (with consent), anonymized ad performance data
  • Consent required: Yes - personalized ads only shown when you accept advertising cookies
  • Ad categories: We block inappropriate ad categories (gambling, alcohol, dating, etc.)
  • Opt-out: adssettings.google.com
  • Privacy Policy: policies.google.com/privacy

6.2 Other Disclosures

  • Legal Requirements: We may disclose data if required by law, court order, or to protect our legal rights
  • Business Transfers: In case of merger, acquisition, or sale, your data may be transferred with prior notice

7. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

Data Type | Retention Period
Contact form submissions | 2 years
App notification signups | Until app launch + 6 months, or until you unsubscribe
Analytics data | 14 months (anonymized)
Account data | Until you request deletion
Cookie consent preferences | 12 months
Security logs | 90 days

After the retention period, data is either deleted or anonymized so it can no longer be linked to you.

8. Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

Right of Access (Art. 15)

Request a copy of all personal data we hold about you

Right to Rectification (Art. 16)

Correct inaccurate or incomplete personal data

Right to Erasure (Art. 17)

Request deletion of your data ("right to be forgotten")

Right to Restriction (Art. 18)

Limit how we process your data in certain circumstances

Right to Data Portability (Art. 20)

Receive your data in a structured, machine-readable format (JSON/CSV)

Right to Object (Art. 21)

Object to processing based on legitimate interests or direct marketing

Right to Withdraw Consent (Art. 7)

Withdraw consent at any time, without affecting prior processing

How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@venuto.app. Please include "GDPR Request" in the subject line and specify which right you wish to exercise.

Response time: We will respond to your request within 30 days. If your request is complex, we may extend this by up to 60 days, but we will inform you within the initial 30 days.

Verification: We may need to verify your identity before processing your request.

9. International Data Transfers

Your data may be processed on servers located outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU-approved contractual terms for data transfers
  • Adequacy Decisions: Transfers to countries with adequate data protection (as determined by the EU Commission)
  • Data Processing Agreements: With all service providers handling personal data

Our primary hosting and API servers are located in the EU (Cloudflare and Google Cloud europe-west1 region).

10. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption: SSL/TLS encryption for all data in transit (HTTPS)
  • Infrastructure: Enterprise-grade hosting with Cloudflare and Google Cloud
  • Access Control: Strict access controls and authentication for all systems
  • Monitoring: Continuous security monitoring and regular assessments
  • Incident Response: Procedures to detect, report, and investigate data breaches

In the event of a data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

11. Cookie Policy

Cookies are small text files stored on your device when you visit a website. We use cookies to ensure our website functions correctly and, with your consent, to understand how you use it.

11.1 Essential Cookies (Always Active)

These cookies are strictly necessary for the website to function. They cannot be disabled.

Cookie | Purpose | Duration
cookie-consent | Stores your cookie preferences | 12 months
__cf_bm | Cloudflare bot management | 30 minutes
cf_clearance | Cloudflare security challenge | 30 minutes

11.2 Analytics Cookies (Require Consent)

These cookies help us understand how visitors interact with our website. They are only activated after consent in EEA regions. Outside EEA, they may be active by default and can be changed in cookie settings.

Cookie | Provider | Purpose | Duration
_clck | Microsoft Clarity | User identification | 12 months
_clsk | Microsoft Clarity | Session tracking | 1 day
_ga | Google Analytics | Distinguishes unique visitors | 13 months
_ga_* | Google Analytics | Maintains session state and event attribution | 13 months
CLID | Microsoft Clarity | First-party identifier | 12 months

11.3 Advertising Cookies (Require Consent)

These cookies are used to show you relevant advertisements. They are only enabled if you click "Accept All" in EEA regions. Outside EEA, they may be enabled by default. Without consent, you may still see ads, but they will not be personalized.

Cookie | Provider | Purpose | Duration
__gads | Google AdSense | Ad delivery and measurement | 13 months
__gpi | Google AdSense | Ad personalization | 13 months
__eoi | Google AdSense | Interest-based advertising | 6 months

You can opt out of personalized advertising at Google Ad Settings.

11.4 Managing Cookies

You can manage your cookie preferences at any time:

  • Our Website: Click "Manage Cookies" in the footer to update your preferences
  • Browser Settings: Most browsers allow you to block or delete cookies through settings
  • Opt-out Tools: Use browser extensions like uBlock Origin or Privacy Badger

Note: Blocking essential cookies may affect website functionality.

12. Children's Privacy

Our Service is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@venuto.app. We will take steps to delete such information.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make significant changes:

  • We will update the "Last updated" date at the top of this page
  • For material changes, we will provide notice through our website or email
  • Continued use of the Service after changes constitutes acceptance

14. Supervisory Authority

If you are located in the European Economic Area and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local Data Protection Authority (DPA). You can find your local DPA at: edpb.europa.eu/members

15. Contact Us

For privacy-related questions, concerns, or to exercise your GDPR rights:

Privacy Inquiries:

Email: privacy@venuto.app

General Contact:

Email: contact@venuto.app

Contact Form: venuto.app/contact

We aim to respond to all privacy inquiries within 30 days.