This Privacy Policy describes how Romania City Tours (“we”, “us”, “our”) collects, uses, and protects your personal data when you visit our website, make an enquiry, or book a tour.

We are the data controller for the processing of personal data described below.
Contact: [email protected]
Postal address (optional): Aleea Iorgovanilor 2, Giarmata Vii, jud.Timis, Romania

1. What data we collect

We collect and process the following categories of data:

  • Identity & contact data: name, email, phone number, billing address.
  • Booking data: tour selected, travel date/time, number of travelers, traveler names/notes, pickup/location, special requirements.
  • Payment data: payment method, billing details, transaction ID, amount (card data is processed securely by our payment provider; we do not store full card numbers).
  • Enquiry & support data: messages you send us by forms or email.
  • Technical data: IP address, device/browser information, cookies and similar technologies.
  • Marketing preferences: your opt-in/opt-out choices.
2. How we collect data
  • Directly from you: when you submit an enquiry, create a booking, or contact us.
  • Automatically: via cookies and similar tools when you browse our site.
  • From third parties: payment processors, analytics tools (if enabled).
3. Why we use your data (legal bases)

We process your data only when we have a lawful basis under GDPR:

  • To provide our services (perform a contract): handle enquiries, take bookings, deliver tours, provide customer support.
  • To take steps at your request before a contract: send quotes or availability information.
  • To comply with legal obligations: invoicing, accounting, tax, and regulatory requirements.
  • Our legitimate interests: website security and fraud prevention, improving our services, communicating with existing customers about similar services (you can opt out anytime).
  • Your consent: marketing newsletters and non-essential cookies. You can withdraw consent at any time.
4. Who we share data with

We share data only with trusted processors who help us run our services, under data-processing agreements:

  • Website & booking platform: WordPress and plugins necessary to operate bookings (Bokun).
  • Email delivery/SMTP: services used to send transactional emails.
  • Payment processors: e.g., Stripe/PayPal or your bank for card or bank-transfer payments.
  • Analytics & performance tools (if enabled): to understand site usage and improve the experience.
  • Professional services: accountants, legal advisors (where necessary).

We never sell your personal data.

5. International transfers

Some providers may be located outside the EEA/UK (e.g., United States). When transfers occur, we rely on adequacy decisions or Standard Contractual Clauses (SCCs) and implement additional safeguards where appropriate.

6. Cookies

We use cookies to make the site work, remember preferences, and (if enabled) measure performance.

  • Strictly necessary cookies – required for the site and bookings to function.
  • Analytics/Performance cookies – only with your consent.
  • Marketing cookies – only with your consent.

You can manage your preferences at any time via the cookie banner or your browser settings. For details, see our Cookie Policy (or the cookie section in this page).

7. Data retention

We keep data only as long as needed for the purpose collected:

  • Enquiries: up to 12 months after our last communication.
  • Bookings & invoices: up to 6 years to meet accounting/tax requirements.
  • Marketing contacts: until you unsubscribe or withdraw consent.
  • Technical logs: typically 12 months for security and troubleshooting.

When retention expires, we securely delete or anonymize the data.

8. Security

We apply appropriate technical and organizational measures to protect your data, including encryption in transit (HTTPS), restricted access, regular updates, and staff confidentiality obligations. No method of transmission or storage is 100% secure, but we work to protect your information to the best of our ability.

9. Your rights (GDPR)

You have the right to:

  • Access your personal data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”) in certain circumstances.
  • Restrict or object to processing, including direct marketing.
  • Data portability for data you provided to us.
  • Withdraw consent at any time (when processing is based on consent).
  • Lodge a complaint with your local supervisory authority (in France: CNIL).

To exercise your rights, contact us at [email protected]. We may need to verify your identity before fulfilling your request.

10. Children

Our services are not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, please contact us to delete it.

11. Third-party links

Our website may contain links to other sites. We are not responsible for their privacy practices. Please review their policies.

12. Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be posted on this page with the “Last updated” date.

Contact

🔹 Contact / Data Protection Officer → For any GDPR-related request, contact us at [[email protected]]

If you have questions about this Privacy Policy or how we handle your data, please contact:
[email protected]