arrow_back Back to Home

Privacy Policy

Version 1.0 • Effective November 07, 2025 • Last updated November 07, 2025

Last updated: 07.11.2025

1. Introduction

This Privacy Policy explains how TouristRank SRL (“TouristRank”, “we”, “us”, “our”) collects, processes, and protects personal data through its Platform and related services.

TouristRank complies with the EU General Data Protection Regulation (GDPR) and other applicable data-protection laws.

This Policy applies to:

  • Hotels, guesthouses, B&Bs, and similar entities using the Platform (“Users” or “Hotels”);

  • Tourists whose data is entered into the system by verified Users.

2. Identity of the Data Controller and Processor

  • Data Controller (for User data): TouristRank SRL

  • Data Processor (for Tourist data entered by hotels): TouristRank SRL acting on behalf of each verified hotel (Controller).

Registered office: Bucharest, Romania

Email: adrian.urdar@gmail.com

Website: https://www.touristrank.com

TouristRank maintains a Record of Processing Activities (Art. 30 GDPR) and performs periodic Data Protection Impact Assessments (DPIAs) to evaluate and mitigate privacy risks associated with the Platform.

3. Categories of Data Collected

A. From Hotels / Users

  • Contact information (name, email, phone)

  • Company details (legal name, registration number, address, VAT ID)

  • Login credentials (securely encrypted)

  • Billing and Stripe payment identifiers

  • Uploaded verification documents (licenses, certificates)

B. About Tourists

  • Full name, email address, and phone number

  • Country of origin (if provided)

  • Behavioural or operational reviews (e.g., reliability, property damage, no-show incidents)

  • Associated stay metadata (check-in/out dates, timestamps)

Only verified Hotels can access or enter this information. It is never public.

C. Automatically Collected Data

Via cookies and analytics tools:

  • IP address, browser type, device, session statistics
    Tools used: Google Tag Manager, Google Analytics 4, Hotjar, Facebook Pixel, LinkedIn Insight Tag

4. Legal Bases for Processing

Processing Activity

Legal Basis

Explanation

Account creation & management

Contract (Art. 6(1)(b))

Required to provide the service

Payment processing

Contract & Legal Obligation

Stripe billing & tax compliance

Tourist data entry / lookup

Legitimate Interest (Art. 6(1)(f))

To enable responsible guest management among verified Hotels

Analytics & performance

Consent

Granted through cookie banner

Marketing & retargeting

Consent

Granted through tracking-pixel consent

Legal & fraud prevention

Legal Obligation

Accounting, fraud, audit purposes

5. Purpose of Processing

We process data to:

  • Operate and maintain the Platform;

  • Enable guest-review and lookup functionality;

  • Verify businesses and prevent misuse;

  • Handle billing, support, and legal compliance;

  • Analyse performance and improve user experience.

TouristRank never publishes, sells, or markets tourist personal data.

6. Data Sharing and Recipients

Data may be shared with:

  • Stripe Inc. – payment processing

  • DigitalOcean LLC – cloud infrastructure (EU datacentres)

  • Mailgun Technologies Inc. – transactional email delivery

  • Analytics providers: Google, Hotjar, Meta, LinkedIn

  • Authorities – when required by law

All third parties operate under GDPR-compliant Data Processing Agreements (DPAs).

7. International Data Transfers

Certain providers (Stripe, Google, Meta) may store data outside the EEA.

Transfers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards ensuring an adequate level of protection.

8. Data Retention

Data Type

Retention Period

User account & billing

Account lifetime + 5 years (legal requirement)

Tourist reviews

Until deleted by the Hotel or upon valid data-subject request

Logs & backups

6–12 months

Cookies & analytics

Per-provider policy (max 26 months)

TouristRank retains data in line with its internal Record of Processing Activities and applicable law.

9. Security Measures

We apply technical and organisational safeguards, including:

  • HTTPS/TLS encryption for all traffic;

  • AES-256 encryption at rest;

  • Password hashing (bcrypt or stronger);

  • Role-based access control and audit logs;

  • Two-factor account verification;

  • Regular vulnerability scans and patching.

10. Data Subject Rights

Individuals (including tourists) may:

  • Access their personal data;

  • Request correction or deletion;

  • Restrict or object to processing;

  • Request data portability;

  • Withdraw consent (where applicable);

  • File a complaint with ANSPDCP or their national authority.

Requests: adrian.urdar@gmail.com — replies within 30 days.

11. Cookies and Tracking Technologies

Cookies are used to:

  • Enable essential site features (sessions, authentication);

  • Collect analytics for service improvement;

  • Deliver personalised ads (Meta, LinkedIn).

Non-essential cookies are disabled until consent is given through the cookie banner.

12. Children’s Data

TouristRank is intended for professional use by hospitality businesses and is not directed at minors under 18.

13. Breach Notification

If a personal-data breach occurs that may impact data subjects, TouristRank will:

  • Notify affected parties without undue delay;

  • Inform ANSPDCP within 72 hours;

  • Implement immediate remediation measures.

14. Changes to This Policy

We may update this Policy periodically.

Updates are communicated via email or in-platform notice. Continued use signifies acceptance of the new version.

15. Record of Processing Activities (Summary – Art. 30 GDPR)

Processing Activity

Data Subjects

Personal Data

Purpose

Legal Basis

Recipients

Retention

Security

User account creation

Hotels

Name, email, password, company info

Account setup & access

Contract

DigitalOcean

Account lifetime

HTTPS, AES-256

Payments

Hotels

Billing, VAT, Stripe token

Subscription billing

Contract & Legal Obligation

Stripe

5 years post-termination

PCI-DSS

Tourist data

Tourists

Name, contact, behaviour data

Responsible-guest management

Legitimate Interest

None

Until deleted by Hotel

Access control, encryption

Analytics

Visitors/Users

IP, device, session

Platform improvement

Consent

Google, Hotjar

≤ 26 months

Anonymisation

Marketing

Visitors/Users

Cookies, IDs

Ads & remarketing

Consent

Meta, LinkedIn

Per-policy

Consent banner

Compliance & fraud

Users

Transaction logs

Legal, audit

Legal Obligation

Authorities (if required)

5 years

Least-privilege access

16. Contact

TouristRank SRL

Email: adrian.urdar@gmail.com

Address: Bucharest, Romania

Website: https://www.touristrank.com

 

arrow_back Back to Home