Customer Privacy Policy
This privacy policy outlines how GetYourGuide uses and processes your personal data when you use GetYourGuide's services, such as through our website and mobile apps. It also informs you about your rights regarding your personal data and how you can contact us.
If you are a resident of the United States please consult the section titled “United States residents’ rights” to understand the rights that apply to you. Additionally, you can review our supplementary CCPA notice for more information.
If you are one of our supply partners, please refer to our Supplier Privacy Policy to understand how personal data is processed within the scope of our business relationship.
1. Controller and contact
The Controller responsible for processing your personal data is:
Controller: GetYourGuide Deutschland GmbH
Address: Sonnenburger Strasse 73, 10437 Berlin, Germany
Contact: https://www.getyourguide.com/contact/
For clarity, any data processing by Activity Providers who offer their services on the GetYourGuide platform is subject to their respective privacy policies. Activity providers act as separate data controllers.
2. Automated data collection
When you visit our websites or mobile apps we automatically collect certain information. The following data is stored separately from other data that you may transmit to us:
- URL of the page accessed
Latency of the network connection
Date and time
Information about your computer’s hardware and software (such as the operating system, the internet browser used, software/application version data and your language settings).
Information about clicks and which pages have been shown to you.
We store this data for the following purposes:
For load balancing, i.e. to distribute access to our website across several devices and to be able to offer you the fastest possible loading times;
To ensure the security of our IT systems, e.g. to defend against specific attacks on our systems and to recognise attack patterns;
To ensure the proper operation of our IT systems, e.g. if errors occur that we can only rectify by storing the IP address;
To enable criminal prosecution, averting of danger or legal prosecution in the event of specific indications of criminal offences.
Your IP address is encrypted to ensure confidentiality and is only accessible when absolutely necessary. It is retained for a period of 45 days.
If you’re using a mobile device, we collect data that identifies the device, as well as data about your device-specific settings and characteristics, app crashes and other system activity.
In this case, the processing is carried out to ensure the security of the processing in accordance with Art. 32 GDPR, as well as on the basis of our legitimate interest in protecting ourselves against misuse of our service (Art. 6 para. 1 lit. f GDPR).
3. GetYourGuide account
3.1 Registration
If you create a GetYourGuide user account you may provide us with the following data:
Surname/first name
E-mail address
Passwords
Alternatively, you can log in with your Facebook, Google or Apple account. In this case, we receive the following personal data from Facebook or Google or Apple in order to create a user account for you:
Name
E-mail address
Photo (Facebook only)
an authentication token
Your registration data is required to set up and manage a user account for you. In this case, you conclude a (free) user agreement with us, on the basis of which we collect this data (Art. 6 para. 1 lit. b GDPR).
In order to conclude the agreement, you must provide us with this data. However, you are neither contractually nor legally obliged to conclude the agreement and thus to provide the data.
3.2 Wishlists
After you have created a user account, you have the option to create wishlists with activities and tours and to share these wishlists with other users. Your data is processed for these purposes in order to be able to provide you with the corresponding functions (Art. 6 para. 1 lit. b GDPR).
4. Reviews and ratings
Our website offers the possibility to rate and comment on tours or activities. After you have completed a tour booked via our website, we may ask you to rate it accordingly. Submitting a rating is, of course, voluntary. You have the option to submit the review anonymously. When you submit a rating, we collect the data you enter in order to process it according to the function you use and publish it on our website. You can have a rating deleted at any time by contacting our customer service.
You can object at any time to receiving review requests by clicking the unsubscribe link in each review request email. If you have an account, you can also do so from the Settings -> Notifications section on your profile. Otherwise, you can also send us a message using the link https://www.getyourguide.com/contact/.
The processing of your data for these purposes is done to protect our legitimate interest in providing our users with as much information as possible about the tours we offer. User ratings are also in the interest of all users (Art. 6 para. 1 lit. f GDPR).
5. Customer support
5.1 Processing of enquiries
If you get in touch with our customer service team or reach out to us through other means such as our social media channels, your request will be processed by our processor, GetYourGuide Global Services GmbH.
For handling such enquiries, we, or GetYourGuide Global Services GmbH uses systems provided by Zendesk, Inc. based in the USA. Zendesk is certified under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, both of which are administered by the U.S. Department of Commerce. This ensures that data transferred is handled with a level of protection compliant with EU data protection requirements. Additionally, we, or GetYourGuide Global Services GmbH utilises the services of Chatbotize sp. z o.o., based in Poland, to offer an automated chatbot that assists in managing and responding to customer queries.
For the processing and administration of enquiries via our social media channels, we or GetYourGuide Global Services GmbH also use the services of NICE Ltd, based in the UK.
5.2 Improvement of customer service
In order to continuously improve our customer service, we analyse enquiries sent to us on the basis of certain parameters and keywords. Although, as a matter of principle, no analysis is carried out on the basis of personal data, it cannot be ruled out that, in individual cases, personal data may also be processed within this context. The processing required within this context serves our legitimate interest as well as that of our customers in the continuous improvement of our customer service (Art. 6 para. 1 lit. f GDPR).
For the evaluation of enquiries, we use the systems of the providers Chattermill Analytics Limited (Great Britain) and the business intelligence platform Looker, provided by Google, Ltd. (Ireland).
5.3 Translations
In certain cases, it is necessary for us to translate incoming requests into a specific language. This may require the processing of personal data necessary to protect our legitimate interest in providing international customer service, Art. 6 para. 1 lit. f GDPR. For this purpose, we use the services of DeepL SE and Open AI, Inc. There is no EU Commission adequacy decision for the USA. We have therefore concluded the standard contractual clauses approved by the EU Commission with Unbabel in accordance with Art. 46 para. 2 lit. c GDPR.
5.4 Storage and evaluation of telephone calls
Telephone calls are only stored and analysed if you have given us your prior consent. We will only use this data for the purpose of improving our customer service. The recordings will be deleted after three months. The legal basis is Art. 6 para. 1 lit. a GDPR. You have the option to revoke your consent at any time by contacting one of the contact channels mentioned in this privacy policy. This will not affect the lawfulness of the processing carried out by us until your revocation.
6. Technical service providers
We use technical service providers for hosting and some of the services required for the website. Accordingly, the processing of data takes place on the servers of these service providers. These service providers only process the data according to our explicit instructions and are obliged to guarantee sufficient technical and organisational measures for data protection. Consequently, our service providers act for us as so-called processors within the meaning of Art. 28 GDPR.
6.1 Hosting of the website
For the hosting of our website, we use the services of Amazon Web Services EMEA S.a.r.l. ("AWS") based in Luxembourg. Accordingly, when you interact with our website or provide personal data, it is processed on AWS servers. We only use servers located in the European Union. To cover remote maintenance and similar constellations, we have concluded the standard contractual clauses approved by the EU Commission with AWS in accordance with Art. 46 para. 2 lit. c GDPR.
6.2 E-Mails
For sending emails, we use the Sendgrid service of Twilio Inc based in the USA ("Twilio"). Twilio is certified to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce.
7. Newsletter
You have the option on our website to register for our newsletter. With our newsletter, we would like to send you information on offers, tours, activities or special promotions that is as personalised as possible. By registering for our newsletter, you therefore consent to us processing your email address for the purpose of sending the newsletter. The legal basis for this processing is Art. 6 para. 1 lit a GDPR. You can revoke your consent at any time by unsubscribing from our newsletter. To do this, you can use the unsubscribe link contained in every email or send us a message using the link https://www.getyourguide.com/contact/. To verify your e-mail address, you will first receive a registration e-mail, which you must confirm via a link (double opt-in). When you register for the newsletter, we store the IP address and the date and time of registration. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to prove your consent (Art. 6 para. 1 lit. c in conjunction with Art. 7 para. 1 GDPR).
If you have booked a tour via our website or created a GetYourGuide account, we will send you our newsletter based on our legitimate interest in promoting similar services to your bookings or account (Art. 6 para. 1 lit. f GDPR, § 7 para. 3 UWG) unless you have objected to this use. If cookies are used for newsletter personalisation, we will obtain your separate consent.
You can object to this at any time – even during registration – by deselecting the corresponding checkbox or clicking the unsubscribe link in the respective emails. In addition, if you have an account, you can always subscribe or unsubscribe to different types of communication from the Settings -> Notifications section on your profile.
For the dispatch of our newsletter and the personalisation of content, we use the services of the provider Braze Inc. based in the USA ("Braze"). Braze is certified to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce.
8. Bookings & payments
8.1 Bookings
When you book a tour, activity or similar on our site, we collect the data required to carry out the tour. This usually includes the following information: First and last name, billing address, email address, telephone number, number of participants, date and time. Depending on the activity booked, it may also be necessary for us to collect further information, such as your flight number or the age of the participants. The processing that takes place in connection with this is based on Art. 6 para. 1 lit. b GDPR. To the extent necessary, we will transfer your data to the provider responsible for the tour or activity who will process your personal data as set out in their privacy policy as an independent data controller. If a transfer to a third country outside the European Economic Area is necessary, this is based on Art. 49 para. 2 lit. b, c GDPR.
If you make bookings via partner sites, you will be redirected to provide you personal data and conclude the booking process on the GetYourGuide website, as described above. On some partner sites, your data is collected by the partner as a separate data controller, in accordance with their privacy policy, and we receive the data required to make the booking from the partner.
On other websites who have partnered with us in order to integrate the booking offers directly on their own website, both the partner and GetYourGuide act as separate data controllers for the processing of your personal data.
You have the option to share the booking details with other participants by providing the email address where GetYourGuide can send them the booking confirmation and important communication related to the booking. If you choose to do so, it is your responsibility to get consent from the participant to share their email address with GetYourGuide.
8.2 Booking confirmations
In order to keep you updated on your bookings we will send you booking confirmations as well as reminders and updates for upcoming bookings (e.g. changed times or meeting points) to make sure that you have all information you need to attend your booked services. Booking confirmations are sent to your email address, and/or by SMS to the phone number you provide during the booking process and/or through a push notification from GYG app. If you have an account, you can choose more granularly how you want to be notified from the Settings -> Notifications section on your profile.
We process your personal data in order to be able to provide you with these features of our service (Art. 6 para. 1 lit. b GDPR).
8.3 Payments
You have various options for paying for your booking. In doing so, we will process the data required in each case depending on the selected payment method. Within this context, your personal data will be processed as described below, which is based on Art. 6 para. 1 lit. b GDPR and is necessary to carry out the payment method you have chosen.
8.3.1 Credit card payments
For the processing of payments by credit card, we use the service provider Adyen N.V. ("Adyen"), which is based in the Netherlands. The data provided during your payment will be forwarded by Adyen to the respective banks or financial institutions for the purpose of processing the payment. In the case of payments by credit card, we only receive the information that a payment has or has not been made, along with the first and the last 4 digits of the credit card number. We therefore have no knowledge of your full credit card number.
For the processing of payments by credit card, we also use the services of Primer API Limited, based in the UK, as a payment orchestration service that automatically redirects the payment request to the appropriate payment service provider.
8.3.2 Payment via PayPal
If you have a PayPal account, you can also process your payment via PayPal. In this case, we receive from PayPal not only the information that a payment has been made, but also the e-mail address and address you have registered with PayPal.
8.3.3 Payment by invoice
If you pay by invoice, we will transfer your personal data to Klarna Bank AB (publ) based in Sweden ("Klarna"). Klarna will process the data first for the purpose of credit assessment and then, if necessary, for payment processing.
8.4 Chargebacks
In the event of chargebacks, we use the services of Global Merchant Risk Technologies trading as The Chargeback Company (Chargebacks911) based in Ireland to process a chargeback on behalf of GetYourGuide. For this purpose, we give Chargebacks911 access to your booking data, including the limited payment information stored (the first and last 4 digits of your credit card).. Chargebacks911 will then process the chargeback with your bank or PayPal or Ayden. The processing is carried out within the context of the execution of the contract (Art. 6 para. 1 lit. b GDPR) as well as on the basis of our legitimate interest in the effective processing of chargebacks (Art. 6 para. 1 lit. f GDPR).
8.5 Booking Cancellation Insurance
If you visit our website from certain regions, you will be able to also book activities with extended cancellation rights covered by insurance. The insurance coverage is offered to you by Companjon Admin GmbH with registered address at c/o Wilhelm Rechtsanwälte Partnerschaft von Rechtsanwälten mbB, Reichsstraße 43, 40217 Düsseldorf. If you book this option, your personal data will be processed based on Art. 6 para. 1 lit. b GDPR.
With regards to the data processing connected to offering these insurances on the GetYourGuide website, GetYourGuide and Companjon Admin GmbH act as joint data controllers. With regards to the data processing directly connected to the insurance contract (such as eligibility, decision making process, claim processing etc.), Companjon Admin GmbH acts as an independent data controller.
You can exercise your data subject rights towards either GetYourGuide or Companjon and we will ensure the request is forwarded to the responsible party.
9. Fraud prevention
In order to protect ourselves and the activity providers from fraudulent bookings, we evaluate the information provided by our customers during the booking process, including the data technically transmitted by their device, insofar as this is necessary to protect our legitimate interest and that of the activity providers in reliable bookings (Art. 6 para. 1 lit. f GDPR).
For this purpose, we use services of the providers Sift Science, Inc. (USA), Adyen N.V. (Netherlands) and Ethoca Inc. (Canada). We have therefore concluded the standard contractual clauses approved by the EU Commission with Sift Science, Inc. pursuant to Art. 46 para. 2 lit. c GDPR. For Canada, there is an adequacy decision by the EU Commission in accordance with Art. 45 GDPR for processing by private-sector organisations.
10. Protection against bots
To protect us from bots and similar technologies, we use the Cheq service provided by CHEQ AI Technologies Ltd. based in Israel ("Cheq"). Cheq will use the data automatically transmitted by your device to determine whether the request most likely originates from a human. No further storage of the data will take place. The processing is carried out in order to ensure the security of the processing in accordance with Art. 32 GDPR and on the basis of our legitimate interest in protecting ourselves against misuse of our service (Art. 6 para. 1 lit. f GDPR). For Israel, there is an adequacy decision of the EU Commission according to Art. 45 GDPR.
11. Cookies and other online tracking technologies
We use so-called "cookies" and other online tracking technologies to offer certain functions of our website,to optimise the use of our website and our apps or for the purpose of executing our marketing and advertising strategy.
Specifically, we use (unless other cookies are specified elsewhere in this privacy policy or our cookie consent) the following cookies and tracking technologies:
Session cookies: These cookies are needed to store certain technical data during your visit to our website, e.g. to determine whether you have logged in.
Persistent cookies: These cookies are needed to store data beyond a browser session if you wish to do so.
Web beacons (such as tags or tracking pixels): they can be used to retrieve information from your device, such as your device type or operating system, your IP address, and the time of your visit. They are also used to serve and read cookies in your browser or to trigger the placement of a cookie
Scripts: are small computer programs embedded within our web pages that support different functionality (security features, interactive features etc). They can also be used for analytical or advertising purposes. For example, a script can collect information about how you use our website, such as which pages you visit or what you search for.
Tracking URLs: these are links with a unique identifier in them used to track which website brought you to the our website or the app.
Software Development Kits (SDKs) are part of our app source code and unlike browser cookies, SDK data is stored in the app storage.They’re used to analyse how the apps are being used, send personalised push notifications or to allow the app to share data with third parties. To do this, they record unique identifiers associated with your device, like device ID and IP address, as well as your in-app activity and your network location.
We categorise cookies and other tracking technologies into the following categories:
Strictly Necessary Technologies: These are technologies required for our websites and apps to function and they must be enabled in order for you to use our services.
Analytical Technologies: These measure and track how our website and apps are used. We use this information to improve our website, apps and services.
Marketing Technologies: These are used by GetYourGuide and other trusted partners to collect information about user journeys both on the website and in the app, in order to deliver relevant sponsored content about our products and to execute our marketing and advertising strategy.
You can find more detailed information about each category and give or withdraw consent from Analytical or Marketing Technologies by accessing the link “Cookies and Marketing Preferences” in our website footer or from the “Privacy Preferences” section in the App menu.
The tool enables you to activate or deactivate cookies, trackers, SDKs and other technologies used on our website and in the GetYourGuide apps. You can navigate between the different groups of technologies and find detailed information about each group, as well as more information about the third parties GetYourGuide might share your data with. You have the option to turn each of the categories on or off individually.
Your preferences will be remembered across devices and platforms (Website and Apps): for example, when you accept or reject all non-essential tracking technologies by using this tool while navigating the website, your choice will be remembered with the help of a unique identifier and non-essential tracking technologies will be automatically enabled or disabled when you access the GetYourGuide App.The legal basis for the use of these cookies is § 25 para. 2 of the German Telecommunications and Telemedia Data Protection Act (TTDSG) or Art. 6 para. 1 b GDPR, insofar as they are necessary for the use of our website and the functions you have accessed. Otherwise, we use cookies and other tracking technologies – as described below – on the basis of your consent. You can revoke your consent at any time via our consent manager.
12. Customer Research and Visitor Journey Recordings
12.1 Customer surveys and research panels
We or research agencies we collaborate with might invite you to participate in moderated or unmoderated research panels. You might be either a GetYourGuide Customer or an external participant recruited independently by the agency. The participation and the video recordings of these sessions are always based on your express consent, which we collect in writing before the research activity. Research agencies we might collaborate with are: Respondent, Inc., a company based in the US (you can find their Privacy Policy here), Userlytics, a company based in the US (you can find their Privacy Policy here), Lookback Group Inc., a company located in the US (you can find their Privacy Policy here). These research agencies act as data controllers. We invite you to participate based on our legitimate interest and we do not address you in case you have opted out of marketing emails.
When you access our website, you might be prompted in a pop-up window to answer some questions about the GetYourGuide product or features. We collect the answers in an aggregate form and they are not linked personally to you. This is completely optional and you give your consent for us to process your answers if you choose to answer the questions.
12.2 Visitor Journey Recordings
We use heat mapping services of Hotjar Ltd., Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta. Heat mapping services are used to display and record the areas of a page where visitors most frequently move the mouse or click. This shows us where the points of interest are, for the purpose of improving our website and our services. The recording happens only on certain pages and for a daily limited number of random visitor sessions. The recording is kept for a period of 365 days and then automatically deleted. We process this data on the basis of consent. Hotjar honors generic “Do Not Track” requests, if you want to exercise this right you can access Hotjar’s opt-out information here.
13. Marketing and remarketing services
13.1 Evaluation of advertising on the web and on social media platforms
With regard to our social media advertising, we use a service provided by Smartly.io Solutions Oy, based in Finland, to analyse the success of our advertisements.
13.2 Google services
We use the services of Google Ireland Limited, Building Gordon House, 4 Barrow Street, Dublin D04 E5W5, Ireland ("Google") described below.
Google may process some personal data in the US via the Google LLC entity which is certified to the EU-U.S. Data Privacy Framework, and Google Ireland Limited relies on this framework to transfer personal information that originated in the EEA to the U.S.
Basic information on the processing of your personal data by Google can be found here: https://policies.google.com/privacy?hl=en.
You also have the following setting options with Google:
You can deactivate personalised advertising from Google: https://adssettings.google.com/anonymous?hl=en&sig=ACi0TCie_PP0WXzD2NDiHGJny9ca0PSQVyMysggnxws0C7Hxy7edd8F9O3gyme7JNE3bplGpLmt8pU3iFPJYnpIHlEL7FSn5hXWg8EhEQAbCywX-v9nEW3M
You can disable personalised advertising on a device-by-device basis: (https://support.google.com/ads/answer/1660762?hl=en-GB#mob)
You can disable personalised advertising by browser: (http://optout.networkadvertising.org/?c=1)
13.2.1 Google Analytics 360
If you have consented, we use Google Analytics 360, a web analytics service. Google Analytics 360 collects pseudonymous data from you about the use of our website, including your shortened IP address, and uses cookies. This data is transmitted to a Google server in the USA and stored there. Google will use this information for the purpose of evaluating your use of the website and the app, compiling reports on website and app activity, and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.
Your data will be stored by Google Analytics for a period of up to 26 months. After this period, the data is deleted and only aggregated statistics are kept.
The use of Google Analytics is based on your consent (Art. 6 para. 1 lit. a GDPR).
You can revoke your consent at any time and deactivate Google Analytics using a browser add-on. You can download this here: http://tools.google.com/dlpage/gaoptout. Alternatively, you can revoke your consent as described here: https://developers.google.com/analytics/devguides/collection/analyticsjs/user-opt-out. You can also revoke your consent via our consent manager. This does not affect the lawfulness of the processing carried out until your revocation.
13.2.2 Google Campaign Manager, Display & Video 360, Google Ads and Search Ads 360
If you have consented, we use advertising products from Google. We use Cookies, Client Tags, Server-to-Server, SDKs, to record and share your usage behaviour on our website and in the app in order to display interest-based advertising for our products on other pages within the Google advertising network. This includes Google Search, Youtube and other sites operated by Google and its subsidiaries, as well as sites operated by Google's advertising partners. The information, such as hashed identifiers and browsing activity is transmitted accordingly to Google and Google's partners. Additional data processing will only take place if you have consented to Google linking your browsing history to your Google Account and using information from your Google Account to personalise the ads you see on the web. In this case, Google will use your data together with Google Analytics data to create and define target group lists for remarketing. To do this, your personal data will be temporarily linked by Google with Google Analytics data to form target groups.
The use of these services is based on your consent (Art. 6 para. 1 lit. a GDPR).
You can revoke your consent via our consent manager. This does not affect the lawfulness of the processing carried out until your revocation. Furthermore, the remarketing cookie is automatically deleted as soon as it is no longer necessary for the purposes for which we collected or used it in accordance with the above paragraphs.
13.3 Meta services (Facebook, Instagram)
We use the services of Meta Platforms Ireland Limited ("Meta") described below. Please note that this may also involve processing by Meta Inc. based in the USA. Meta Platforms, Inc. (“Meta”) is certified to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce.
Basic information on the further processing and use of your data by Meta as well as your setting options for protecting your privacy with Meta can be found in Meta’s privacy policy at https://www.facebook.com/privacy/explanation.
13.3.1. Meta Pixel and Server to Server
We share data about some of your GetYourGuide interactions with Meta to show you more relevant ads or to help find similar audiences. Your shared data also helps us monitor and analyze our marketing success to optimize ad efficiency. GetYourGuide and Meta are Joint Controllers for this technology, governed by a Controller Addendum.
If you have consented, the Meta pixel and server to server connection is used on our website and the app to transmit data to Meta. We record when you perform certain actions on our website and apps, as well as usage data (such as URL, referrer URL, IP address, device and browser characteristics and timestamp) and transmit it to Meta associated with hashed identifiers. If available, your Facebook ID is transmitted. Meta will use this information to understand which ad you clicked, to measure the success of certain ads and to provide us with this information in aggregate form. If you have a Facebook profile and log in there, you can be presented with targeted personalised advertising on Facebook based on the data transmitted. Data from users who do not have a Facebook or Instagram profile is discarded by Meta without being used.
We use the Meta pixel on the basis of your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time via our consent manager. This does not affect the lawfulness of the processing carried out until your revocation.
We are joint controllers with Meta Platforms, Inc. for such data transfer to Facebook. You can find our agreement on this joint controllership here: https://www.facebook.com/legal/controller_addendum. The processing is carried out based on your consent (Art. 6 para. 1 lit. a GDPR). You can withdraw your consent at any time with future effect by rejecting Marketing Technologies in our consent manager.
13.3.2. TikTok
We use TikTok Technology Limited services to show you relevant interest-based ads. Your data, which is forwarded to TikTok, also helps us to monitor and analyse the success of our marketing activities. The legal basis on which we do this is consent. Storage centers are located in US, European Union, UK, Malaysia, Singapore. Certain entities in the TikTok corporate group have limited remote access to personal data, including from China. China is a country that - in the terms of EU Regulation 2016/679 - does not provide an adequate level of protection of personal data, and TikTok relies on Standard Contractual Clauses for this international data transfer. Here you can read more about TikTok’s global data transfer details.
Basic information on the further processing and use of your data by TikTok as well as your setting options for protecting your privacy with TikTok can be found the privacy policy at https://www.tiktok.com/legal/page/eea/privacy-policy/en#info-collected
13.4. Other remarketing services and affiliate networks
If you have consented, we also use the remarketing services described below on our website. In each case, your usage behaviour on our website is analysed using cookies. The providers will use this information to play personalised advertising on third-party sites.
Remarketing service of Criteo S.A. based in France ("Criteo"). Criteo will serve personalised advertising on sites connected to the Criteo network.
Remarketing services provided by Microsoft Ireland Operations Limited, based in Ireland ("Microsoft"). Microsoft will use the cookie information to serve personalised advertisements through the Bing search engine and to display advertisements to you on third-party sites.
Remarketing service provided by Snap Group Limited based in the UK ("Snapchat"). Snapchat will use the cookie information to show you personalised advertising.
Affiliate network services provided by AWIN AG, Eichhornstraße 3 10785 Berlin
Affiliate network services provided by Conversant Europe Ltd. 1st Floor, 2 Television Centre, 101 Wood Lane, London W12 7FR, United Kingdom
Affiliate network services provided by Tradedoubler GmbH, Herzog-Wilhelm-Strasse 26, 80331 Munich Germany
We use these services on the basis of your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time via our consent manager. This does not affect the lawfulness of the processing carried out until your revocation.
14. Integrated third-party content
We have also integrated third-party content on our website. This content is loaded from the servers of the respective providers, so that your end device transmits certain technically necessary data to the third-party provider. In particular, it cannot be ruled out that these providers may take note of the IP address assigned to you. Insofar as personal data is processed, this is done on the basis of the privacy policies of the respective third-party providers. The integration by us is based on our legitimate interests in being able to provide our users with the corresponding content and functionalities and to be able to operate our website economically, Art. 6 para. 1 lit. f GDPR. In detail, we integrate the following third-party content:
Contentstack
We have integrated content from the content delivery network Contentstack of Contentstack LLC, which is based in the USA. Please note that there is no EU Commission adequacy decision for the USA. We have therefore concluded the standard contractual clauses approved by the EU Commission with Contentstack LLC in accordance with Art. 46 para. 2 lit. c GDPR. For more information on data protection at Contentstack LLC, please visit: https://www.contentstack.com/privacy.
15. Social media
15.1 Facebook
Facebook is operated by Meta Platforms Ireland Limited , Merrion Road, Dublin 4, D04 X2K5, Ireland. ("Facebook"). If you visit or like our Facebook page as a registered Facebook user, Facebook collects personal data from you. Even if you are not registered with Facebook and visit our Facebook page, Meta may collect pseudonymous usage data from you. For more information, please see Meta’s data policy at https://www.facebook.com/about/privacy/ and at https://www.facebook.com/legal/terms/information_about_page_insights_data. In the data policy, you will also find information on the settings options for your Facebook account.
Your personal data may also be provided to other Facebook companies. This may involve the transfer of personal data to the USA and other third countries. Meta Platforms, Inc. (“Meta”) is certified to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce.
In addition, as part of the operation of our Facebook page, we are jointly responsible with Meta for the processing of so-called page insights. With the help of these page insights, Meta analyses the behaviour on our Facebook page and provides us with this information in non-personal form. For this purpose, we have concluded a joint data protection responsibility agreement with Meta Ireland, which you can view at the following link: https://www.facebook.com/legal/terms/page_controller_addendum. In this agreement, Meta undertakes, among other things, to assume primary responsibility under the GDPR for the processing of Page Insights and to comply with all obligations under the GDPR with regard to the processing of Page Insights.
15.2 Instagram
Our Instagram page can be found at: https://www.instagram.com/GetYourGuide/
Instagram is operated by Meta Platforms Ireland Limited , Merrion Road, Dublin 4, D04 X2K5, Ireland ("Meta"). The Instagram privacy policy can be found at: https://help.instagram.com/519522125107875. In it you will also find information on the settings options for your account.
Your personal data may also be made available to other Meta companies. This may involve the transfer of personal data to the USA and other third countries. Meta is certified to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce. In addition, as part of the operation of our Instagram page, we are jointly responsible with Meta for the processing of so-called Instagram Insights. With the help of these Instagram Insights, Meta analyses the behaviour on our Instagram page and provides us with this information in non-personal form. For this purpose, we have concluded a joint data protection responsibility agreement with Meta, which you can view at the following link: https://facebook.com/legal/terms/page_controller_addendum. In it, Facebook undertakes, among other things, to assume primary responsibility under the GDPR for the processing of Instagram Insights and to fulfil all obligations under the GDPR with regard to the processing of Page Insights.
15.3 X (Twitter)
You can find our X account at: https://x.com/GetYourGuide/
X is operated by Twitter International Unlimited Company, One Cumberland Place, Fenian Street Dublin 2, D02 AX07 Ireland ("Twitter"). Twitter's privacy policy can be found at: https://xr.com/en/privacy. In it you will also find information on the settings options for your Twitter account.
Please note that Twitter also transfers personal data to third countries outside the European Economic Area for which there is no EU Commission adequacy decision. Insofar as such a transfer occurs, Twitter will use the standard contractual clauses approved by the EU Commission.
We also use the Twitter Analytics function. As part of this function, we receive non-personal information from Twitter International about the use of our account. This information allows us to analyse and optimise the effectiveness of our Twitter activities. The processing that takes place within this context is based on our legitimate interest in optimising our Twitter activities (Art. 6 para. 1 lit. f GDPR).
15.4 Pinterest
You can find our Pinterest page at: https://www.pinterest.com/GetYourGuide/
Pinterest is operated by Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland ("Pinterest"). Pinterest's privacy policy can be found at: https://policy.pinterest.com/en/privacy-policy.
Please note that Pinterest also transfers personal data to third countries outside the European Economic Area for which there is no EU Commission adequacy decision. To the extent that such transfer occurs, Pinterest will take appropriate data protection measures, such as by entering into the standard contractual clauses approved by the EU Commission. For more information, please refer to Pinterest's privacy policy.
Finally, we receive non-personal information and analytics from Pinterest about the use of our account. This information allows us to analyse and optimise the effectiveness of our Pinterest activities. The processing that takes place within this context is based on our legitimate interest in optimising our Pinterest activities (Art. 6 para. 1 lit. f GDPR).
15.5 YouTube
You can find our YouTube page at: https://www.youtube.com/GetYourGuide/
YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). You can find Google Ireland's privacy policy at https://policies.google.com/privacy?hl=en. In it you will also find information on the settings options for your Google account. Please note that your Google account may be used for various Google services (e.g. Gmail, YouTube, Google Search) and Google Ireland may merge personal data relating to the Google services you use in accordance with your Google account settings.
Finally, we receive non-personal information and analytics from Google about the use of our account or interactions with our videos. This information allows us to analyse and optimise the effectiveness of our YouTube activities. The processing that takes place within this context is based on our legitimate interest in optimising our YouTube activities (Art. 6 para. 1 lit. f GDPR).
15.6 LinkedIn
You can find our LinkedIn account at: https://www.linkedin.com/company/getyourguide-ag/
For users located in the European Economic Area and Switzerland, LinkedIn is operated by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland ("LinkedIn Ireland"). You can find LinkedIn's data protection guidelines here: https://www.linkedin.com/legal/privacy-policy?trk=organization-guest_footer-privacy-policy. In it you will also find information on the settings options for your LinkedIn profile.
Please note that LinkedIn also transfers personal data to third countries outside the European Economic Area for which there is no EU Commission adequacy decision. Insofar as such a transfer occurs, LinkedIn will use the standard contractual clauses approved by the EU Commission. Corresponding information can be found at https://www.linkedin.com/help/linkedin/answer/62533.
Finally, we receive non-personal information and analytics from LinkedIn about the use of our account or interactions with our posts. This information allows us to analyse and optimise the effectiveness of our LinkedIn activities. The processing that takes place within this context is based on our legitimate interest in optimising our LinkedIn activities (Art. 6 para. 1 lit. f GDPR).
15.7 WhatsApp
You can also contact us with enquiries via WhatsApp. WhatsApp is operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland ("Meta"). The privacy policy for WhatsApp can be found at: https://www.whatsapp.com/legal/privacy-policy-eea?lang=en. In it you will also find information on the settings options for your account.
The processing takes place in order to be able to deal with the enquiries you send to us (Art. 6 para. 1 lit. b GDPR). Further storage of the data transmitted within the context of your enquiry is based on our legitimate interest in the proper documentation of our business operations and the safeguarding of our legal positions (Art. 6 para. 1 lit. f GDPR) and, if applicable, for the fulfilment of legal obligations (Art. 6 para.1 lit. c GDPR).
15.8 Competitions
Occasionally, we also run competitions via our social media site. To participate, you must, for example, comment on certain content, "like" us or tag us. We process the data you provide within this context in order to run the competition and notify the winner(s) (Art. 6 para. 1 lit. b GDPR).
15.9 Social Media Management
In order to measure the success of our social media activities, we also record when we are tagged on social media networks. Within this context, we also process information about the people who tag us. The processing that takes place within this context is based on our legitimate interest in optimising our social media activities (Art. 6 para. 1 lit. f GDPR).
For this purpose, we use the Curalate tool provided by Curalate, Inc. based in the USA. Please note that there is no EU Commission adequacy decision for the USA. We have therefore concluded the standard contractual clauses approved by the EU Commission with Curalate Inc. in accordance with Art. 46 para. 2 lit. c GDPR.
15.10 Analysis of our social media activities
We also evaluate the success of our social media postings. We analyse how often individual postings are clicked. For this purpose, we use the services of Looker Data Sciences, Inc. based in the USA. The data processing is based on our legitimate interest in analysing our reach and the success of our social media activities. There is no EU Commission adequacy decision for the USA. We have therefore concluded the standard contractual clauses approved by the EU Commission with Looker Data Sciences, Inc. pursuant to Art. 46 para. 2 lit. c GDPR. On the other hand, we use Google Analytics for these purposes (see the separate section on Google Analytics).
16. CRM system
To manage our customer relationships, we store your personal data in our CRM system. This enables us to answer any enquiries in a targeted manner and to send you contextual advertising within the permissible framework. The processing that takes place within this context is based on our legitimate interest in managing our customer relationships, Art. 6 para. 1 lit. f GDPR. For this purpose, we use the services of the provider Braze, Inc. based in the USA ("Braze"). Braze is certified to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce.
17. Personalisation of website content
We also process your data in order to display personalised content on our website. The legal basis for this is our legitimate interest in showing you tours and activities that are relevant to you, Art. 6 para. 1 lit. f GDPR.
18. Further sharing of data
Beyond the cases described, your personal data will only be passed on without your express prior consent in the following cases:
If it is necessary for the clarification of an illegal use of our services or for legal prosecution, personal data will be forwarded to the law enforcement authorities and, if necessary, to injured third parties. However, this only happens if there are specific indications of unlawful or abusive behaviour. A transfer may also take place if this serves to enforce terms of use or other agreements. We are also legally obliged to provide information to certain public authorities upon request. These are law enforcement agencies, authorities that prosecute administrative offences subject to fines and the tax authorities.
This data is disclosed on the basis of our legitimate interest in combating abuse, prosecuting criminal offences and securing, asserting and enforcing claims and provided that your rights and interests in the protection of your personal data are not overridden, Art. 6 para. 1 lit. f GDPR or on the basis of a legal obligation pursuant to Art. 6 para. 1 lit. c GDPR.
We disclose personal data to auditors, accounting service providers, lawyers, banks, tax consultants and similar bodies insofar as this is necessary for the provision of our services (Art. 6 para. 1 lit. b GDPR) or the proper operation of our business (Art. 6 para. 1 lit. f GDPR) or we are obliged to do so (Art. 6 para. 1 lit. c GDPR).
We rely on contractually affiliated third-party companies and external service providers ("processors") to provide the services. In such cases, personal data is passed on to these processors to enable them to continue processing. These processors are carefully selected and regularly reviewed by us to ensure that your rights and freedoms are protected. The processors may only use the data for the purposes specified by us and are also contractually obliged by us to treat your data exclusively in accordance with this privacy policy and the German data protection laws.
The transfer of data to processors takes place on the basis of Art. 28 para. 1 GDPR.
As part of the further development of our business, it may happen that the structure of GetYourGuide Deutschland GmbH changes by changing the legal form, founding, buying or selling subsidiaries, parts of the company or components. In such transactions, customer information is passed on together with the part of the company to be transferred. Whenever personal information is disclosed to third parties to the extent described above, we will ensure that this is done in accordance with this privacy policy and the relevant data protection laws.
Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances as necessary (Art. 6 para. 1 lit. f GDPR).
19. Automated individual decisions or profiling measures
We do not use any automated processing processes to bring about a decision or profiling.
20. Erasure of your data
We delete or anonymise your personal data as soon as it is no longer necessary for the purposes for which we collected or used it in accordance with the above paragraphs. We also continue to retain your data if we are obliged to do so for legal reasons or if the data is needed for a longer period of time for criminal prosecution or to secure, assert or enforce legal claims.
If you delete your user account, your profile will be deleted completely and permanently. However, we will retain backup copies of your data to the extent and for as long as this data is required for legal reasons or for criminal prosecution or to secure, assert or enforce legal claims.
If data must be retained for legal reasons, processing will be restricted. The data is then no longer available for further use.
Storage beyond the contractual relationship is based on our aforementioned legitimate interests according to Art. 6 para. 1 lit. f GDPR.
21. Your rights as a data subject
You have the rights described below with regard to the processing of your personal data. To exercise your rights, you can make a request here, by post or by email.
You can reach our dedicated data privacy team by sending an email to: dpo.inbox[at]getyourguide.com
21.1 Right of access to information
You have the right to receive information from us at any time, upon request, about the personal data we process that concerns you, to the extent and subject to the conditions of Art. 15 GDPR and § 34 BDSG.
21.2 Right to correct incorrect data
You have the right to request that we correct personal data relating to you without delay if it is inaccurate.
21.3 Right to erasure
You have the right to demand that we delete the personal data concerning you under the conditions described in Art. 17 GDPR and § 35 BDSG. These conditions provide in particular for a right to erasure if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, as well as in cases of unlawful processing, the existence of an objection or the existence of an obligation to erasure under Union law or the law of the Member State to which we are subject.
21.4 Right to restriction of processing
You have the right to demand that we restrict processing in accordance with Art. 18 GDPR. This right exists in particular if the accuracy of the personal data is disputed between the user and us, for the duration that the verification of the accuracy requires, as well as in the event that the data subject requests restricted processing instead of erasure in the case of an existing right to erasure; furthermore, in the event that the data is no longer required for the purposes pursued by us, but the user requires it for the assertion, exercise or defence of legal claims, as well as if the successful exercise of an objection is still disputed between us and the user.
21.5 Right to data portability
You have the right to receive from us the personal data relating to you that you have provided to us in a structured, commonly used, machine-readable format in accordance with Art. 20 GDPR.
21.6 Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out, inter alia, on the basis of Art. 6 para. 1 lit. e or f GDPR, in accordance with Art. 21 GDPR. We will then stop processing your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
21.7 Right of appeal
You have the right to contact a supervisory authority of your choice in case of complaints.
21.8 Data processing when exercising your rights
Finally, we would like to point out that we process the personal data provided by you when exercising your rights pursuant to Art. 15 to 22 GDPR for the purpose of implementing these rights and to be able to provide evidence thereof. This processing is based on the legal basis of Art. 6 para. 1 lit. c GDPR in conjunction with Art. 15 to 22 GDPR and § 34 para. 2 BDSG.23
22. United States residents’ rights
22.1 Disclosure
If you are a resident of certain states, including California, Colorado, Connecticut or Virginia, you may have specific rights. The additional disclosures and rights relevant to residents of certain U.S. states that have enacted data protection laws and regulations are set out below. This Section also provides you with necessary information about the personal information we collect and how we may use this information.
The California Consumer Privacy Act of 2018, the California Consumer Privacy Act of 2018 ("CCPA"), the California Privacy Rights Act of 2020 (“CPRA”) and other states privacy laws provide certain U.S. residents with specific rights regarding personal information. This section of the Privacy Policy describes those rights and how to exercise them. This section does not apply to publicly available information.
Some information is collected automatically when you access our website (See Section 3 Automated data collection of this Privacy Policy).
More details on the personal information we collect, how we collect it and why we collect it can be found below:
When you create an account on our website (see Section 4 GetYourGuide account);
When you decide to leave reviews (see Section 5 Reviews and ratings);
Where you need customer support (see Section 6 Customer Support);
By our service providers (see Section 7 Technical service providers);
When you subscribe to our newsletter (see Section 8 Newsletter);
When you book activities on our Platform (see Section 9 Bookings & payments);
For fraud prevention purposes (see Section 10 Fraud prevention);
To protect us against bots (see Section 11 Protection against bots);
By using cookies (see Section 12 Cookies);
For marketing purposes (see Section 14 Marketing and remarketing services);
Some of our trusted partners may collect some of your personal information as described in Section 15 Integrated third-party content;
When you interact with us on social media (see Section 16 Social Media);
For customer support purposes (see Section 17 CRM system);
For product development purpose;
For personalisation of website content purposes (see Section 18);
If it is necessary for providing a service you are requesting, we will collect, process or you may also supply us with the following sensitive personal information to operate our business: username and passwords, government IDs, such as driver’s license and passport number. For example, in a very limited number of cases, some tour providers selling you tickets and activities might require the collection of your passport number or other valid ID during the checkout process.
Depending on your cookie preferences, we may “share” categories of personal information, as defined under California law, to or with third parties and for the business and commercial purposes described in this Privacy Policy. According to the CPRA, “sharing” means the disclosure of your personal information to a third party or cross-context behavioral advertising, whether or not for monetary or other valuable consideration. See Section 25.6 below for more information about the context in which we share your personal information and how you request to opt-out.
We do not “sell” personal information as defined under CPRA or under Consumer Data Protection Act (Virginia privacy law) (“CDPA”).
We do not “sell” your personal information as defined under the CCPA.
We do not knowingly “share” the personal information of known minors under 16 years of age.
22.2 Access to Specific Information Rights
You have the right to request that we disclose certain information to you about how we collected and used your personal information. Once we have received a valid request from you, we will disclose to you, to the extent permitted by law:
The categories of personal information we collected about you.
The categories of sources for your personal information we collected about you.
The business or commercial purpose for collecting, selling, or sharing your personal information, if applicable.
The categories of third parties with whom we share your personal information.
If we disclosed your personal information for a business purpose, the personal information categories that each category of recipient obtained.
22.3 Deletion Right
Residents of certain states have the right to request that we delete the personal information that we have collected about them, subject to certain exceptions described in Section 23.3 of this Privacy Policy and as set forth in applicable law(s).
22.4 Correction Right
Residents of certain states have the right to request that we correct inaccurate personal information that we maintain about them as explained in Section 23.2 of this Privacy Policy, subject to certain exceptions set forth in applicable law(s).
22.5 No Discrimination
We will not discriminate against you for exercising any of your privacy rights.
22.6 Do Not Sell or Share My Personal Information
You are free to change your cookie preferences at any time and request to opt out of sharing of your personal information to third parties, subject to certain exceptions set forth in applicable law(s). By “sharing”, we refer to the processing of personal data as described above in Section 12 Cookies and Section 13 Marketing and remarketing services. We and other companies place tracking technologies on our websites to allow us to collect and share, with selected partners, information about your behavior on our website in order to display interest-based advertising for our products on other pages or to improve our advertising accuracy and relevance. If you decide to opt out of this data sharing, you will need to click on the Preference Center link and change your preferences by opting out of “Share or Sale of Personal data”.
22.7 Opt Out of Targeted Advertising
Certain data collection and processing on our website for purposes of interest-based advertising may be deemed “targeted advertising,” or a “sale” or “sharing” of personal information by some state laws, like under the CDPA. Depending on your cookie preferences and to the extent permitted by law, we may disclose your personal information to our trusted partners for targeted advertising. You may request that we stop using and sharing your personal information for such targeted advertising by clicking on the Preference Center link and change your preferences by opting out of “Share or Sale of Personal data”.
22.8 Do not share or disclose my sensitive personal information
You have the right to limit how your sensitive personal information is disclosed or shared with third parties. To exercise your rights described in this Privacy policy, please contact us at the following link: https://www.getyourguide.com/contact/.
22.9 Exercising Your Rights
You can exercise any of your rights as described in this Privacy Policy to the extent permitted by applicable law(s).
Please provide enough information and describe your request with sufficient detail to enable us to properly respond to your request. We will take reasonable steps to verify your identity before we can respond to your request.
If you reside in California, you or a person registered with the California Secretary of State that you authorize to act on your behalf, may file a request.
If you reside in Connecticut or Colorado, you have the option to designate an authorized agent to file a request on your behalf.
You may also make a verifiable consumer request on behalf of your minor child.
23. Changes to this privacy policy
The current version of this privacy policy is always available at https://www.getyourguide.com/privacy_policy.
Last updated: 4 June 2024