Search
Your privacy

Privacy policy

What data Super Tours collects, why, and your rights. A short policy because we don't collect much.

Super Tours is built to collect as little personal data as possible. No third-party trackers, no analytics scripts, no advertising cookies. This policy explains the small amount of data we do handle, why, and what you can ask us to do about it.

What we collect

  • Session cookie — set when you visit the site, used to remember your language preference and, for editors, your login. Strictly necessary; the site does not work without it.
  • Security token cookie — a CSRF token that prevents cross-site form submissions on admin pages. Strictly necessary.
  • Browser local storage — your saved favourites and recently-viewed cities. This stays on your device; we never receive it.
  • Server access logs — your IP address, the URL you requested, your browser's user-agent string and the response status, kept for up to 30 days for security and abuse-prevention purposes. Logs are not shared.
  • Submission data — when you fill in the "add an attraction" or contact form, we store the fields you typed plus your IP address. We use this only to follow up on the submission and to fight abuse.

What we do not collect

  • We do not run any third-party analytics or marketing tracker.
  • We do not sell or share data with advertisers.
  • We do not build a profile of you across browsing sessions.

Third-party processors

To show you maps, photos and place details, the site relies on a small number of external service providers. We make these requests from our server, not from your browser — so those providers do not see your IP address simply because you visited Super Tours. The exception is when you click a map or photo link that takes you off-site; from that point you are subject to that destination's privacy policy.

The categories of external services we use are: a mapping data provider (for ratings, opening hours and place photos), a stock photography licensor (for header images), a geographic dataset provider (for administrative boundaries), and a language-processing service (used server-side to draft editorial summaries and translations — your queries and personal data are never sent there). Specific provider names are available on request to [email protected].

Cookies

Only the session cookie and the security token described above. Both are strictly-necessary under EU cookie law; we do not set tracking or advertising cookies. The cookie disclosure banner appears once per browser to make this transparency visible; you can reopen it from the "Cookie preferences" link in the footer.

Your rights (GDPR)

If you are in the EEA, UK or another jurisdiction with similar rules, you have the right to request a copy of any personal data we hold about you, correct it, delete it, or object to its processing. Because we hold so little data, most of these requests are simple — usually a one-line email reply.

Write to [email protected] from the email address used in your submission, or include other identifying information. We respond within 30 days.

Data retention

  • Server access logs: 30 days.
  • Form submissions you sent: kept until processed, then either archived (with a non-personal identifier) or deleted on request.
  • Editor accounts and the audit trail of editorial actions: kept for the lifetime of the account plus 12 months for accountability.

Changes to this policy

If we make a substantive change we update the "last updated" date below and, where possible, raise the cookies banner again so returning visitors notice. The full revision history of this page is kept in our content management system.