Privacy Policy
1. Overview
Whereabouts (“we”, “our”, or “the Service”) is a software-as-a-service (SaaS) product developed by TourismTech. The platform enables users to create, manage, and discover listings for tourism businesses.
We are committed to protecting your privacy and safeguarding your personal information in accordance with applicable Canadian and U.S. laws, including:
- PIPEDA (Canada)
- PIPA (Alberta and British Columbia)
- FOIP / FOIPPA (for public-sector clients)
- ATIA (Access to Information Act)
We also follow principles consistent with the EU GDPR regarding transparency, accountability, and lawful processing.
2. Information We Collect
We collect and process the following categories of information:
- Account Information: Name, email, organization, and login credentials (secured through Auth0).
- Business Data: Listings, descriptions, contact details, and other information you choose to publish.
- Usage Data: Browser type, operating system, IP address, and analytics from PostHog and Mapbox.
- Communications: Support inquiries and correspondence sent to our team.
- Payments: Managed entirely through Stripe (PCI DSS Level 1 certified). No cardholder data is stored or processed by Whereabouts.
3. How We Use Information
Your data is used to:
- Provide and maintain the Whereabouts platform.
- Authenticate users and secure accounts.
- Facilitate communication and collaboration between team members.
- Improve functionality, analytics, and performance.
- Comply with legal and contractual obligations.
We do not sell or rent your personal information.
4. Data Storage and Security
All data is hosted in MongoDB Atlas (Montreal, Canada). Our systems implement:
- TLS 1.2+ encryption in transit.
- AES-256 encryption at rest.
- Hourly encrypted backups.
- Role-based access controls (RBAC) via Auth0.
All cloud service providers (MongoDB Atlas, Render.com, Netlify, Stripe, OpenAI, Mapbox, SendGrid, Auth0, PostHog) maintain SOC 2 or ISO 27001 certifications.
5. Data Retention
We retain data as long as your organization maintains an active account. Upon termination or written request, data is permanently deleted from production and backup systems within 30 days, unless retention is required by law.
6. User Rights
Depending on your jurisdiction, you have the right to:
- Access, correct, or delete personal information.
- Request a copy of your data.
- Withdraw consent for processing.
- File complaints with privacy regulators (e.g., Office of the Privacy Commissioner of Canada).
Contact: security@tourism.tech
7. Data Transfers
Primary data residency is Canada.
Limited data processing may occur in the United States by trusted providers (Stripe, Auth0, SendGrid, OpenAI). All such processors maintain contractual and technical safeguards for equivalent privacy protection.
8. Cookies and Analytics
We use cookies and tracking tools (Mapbox, PostHog) for performance monitoring and feature optimization. You can disable cookies in your browser settings.
9. Policy Updates
We may revise this policy periodically. Users will be notified of significant updates by email or through the application interface.
10. Contact
tourism.tech: Security & Compliance Team
📍 Toronto, Ontario, Canada