Privacy Policy

Effective date: April 17, 2026

Introduction

amazonia.tours ("we", "us", or "our") operates the amazonia.tours website. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

By using our platform, you acknowledge that you have read and understood this Privacy Policy.

Data We Collect

We collect the following categories of personal data:

Account Information

  • Email address (required for account creation)
  • Username (required, publicly visible)
  • Display name (optional)
  • Profile picture (obtained via social login provider)

Guide & Organization Profiles

If you register as a guide or manage an organization, we additionally collect:

  • Biography and professional description
  • Phone number and contact details
  • Specialties, languages spoken, and certifications
  • Organization address, website, and social media links
  • Geographic coordinates (for map display)

Media Uploads

When you upload photos or videos, we store the files along with metadata such as dimensions, file type, and descriptive alt text.

Interaction Data

When you click contact buttons (WhatsApp, phone, email), we log the interaction type, your browser's user agent, referring page, and IP address. This data is used for analytics and spam prevention.

Recommendations

When you recommend another user, we store the recommendation message and the relationship between both accounts.

Technical Data

We automatically collect certain technical information including your IP address, browser type, operating system, and page interactions for error monitoring and performance optimization.

Social Login Data (Facebook, Google, Apple)

When you sign in or sign up using Facebook Login (provided by Meta Platforms, Inc.), Google Sign-In, or Apple Sign-In — all brokered through our identity provider Auth0 — the chosen provider shares a limited set of profile fields with us:

  • A stable user identifier (e.g. your Facebook user ID, Google sub, or Apple user identifier)
  • Your email address (the primary email on that provider's account)
  • Your public name
  • Your profile picture URL

For Facebook Login specifically, we only request the "public_profile" and "email" permissions — nothing else. We never receive your friends list, posts, messages, contacts, or any other content from these providers, and we never post or take any action on your behalf. We use these fields solely to create and authenticate your account and to display your name and avatar where appropriate on amazonia.tours.

How We Use Your Data

We process your personal data for the following purposes:

Account management (legal basis: Performance of contract)

To create and manage your account, authenticate you, and provide our services.

Platform functionality (legal basis: Performance of contract)

To display guide profiles, organization listings, and enable the recommendation network.

Communication (legal basis: Performance of contract)

To send transactional emails such as account verification and important service updates.

Analytics and improvement (legal basis: Legitimate interest)

To understand how the platform is used, monitor errors, and improve user experience.

Security and spam prevention (legal basis: Legitimate interest)

To protect our platform from abuse, detect fraud, and prevent spam through contact logging and honeypot fields.

Cookies & Local Storage

We use cookies that are strictly necessary for the operation of our platform. We do not use advertising or tracking cookies.

Cookie | Purpose | Duration | Type
en_session | Authentication session | Session (expires on logout or after inactivity) | Strictly necessary
en_theme | Remembers your light/dark theme preference | 1 year | Functional
en_locale | Remembers your language preference | 1 year | Functional
en_layout | Remembers your layout preference | 1 year | Functional
en_toast | Displays temporary notification messages | Session | Strictly necessary
Client hints | Detects your color scheme preference to prevent flash of unstyled content | Session | Functional

We also use hidden form fields (honeypot technique) to prevent spam submissions. This does not involve cookies or tracking.

Third-Party Services

We work with the following trusted third-party providers to deliver our services:

Auth0 (Okta)

Purpose: Authentication & identity brokering for Facebook Login, Google Sign-In, and Apple Sign-In
Data shared: User identifier, email, name, and profile picture received from the chosen provider (Facebook, Google, or Apple)
Data location: EU region (auth0.com)

Meta Platforms, Inc. (Facebook Login)

Purpose: Upstream identity provider when you choose "Continue with Facebook"
Data shared: Requested permissions: public_profile + email only. Fields received: app-scoped Facebook user ID, name, profile picture URL, and primary email address.
Data location: US / EU

Google LLC (Sign-In)

Purpose: Upstream identity provider when you choose "Continue with Google"
Data shared: Google user identifier, email, name, and profile picture (only when you use Google Sign-In)
Data location: US / EU

Resend

Purpose: Transactional email delivery
Data shared: Email address and email content
Data location: US (resend.com)

Supabase Storage

Purpose: File & image storage
Data shared: Uploaded media files
Data location: EU region

OpenStreetMap / Nominatim

Purpose: Map display & geocoding
Data shared: Your IP address may be visible when loading map tiles
Data location: Various

YouTube (Google)

Purpose: Embedded video playback
Data shared: IP address, browser information, and cookies are transmitted to Google only after you actively click the play button
Data location: US/EU (google.com)

We also load stock images from Pexels (pexels.com). No personal data is shared with Pexels; only image files are loaded by your browser.

YouTube videos are embedded using the privacy-enhanced mode (youtube-nocookie.com) and a two-click consent pattern: no data is transferred to Google until you actively click the play button. Thumbnails are served through our own image proxy. This approach complies with the GDPR and the German TTDSG by ensuring no third-party connection is established without your explicit action.

Data Storage & Security

Your data is stored on servers located in the European Union. We use industry-standard security measures to protect your personal data, including:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • HttpOnly, Secure, and SameSite cookie attributes to prevent cross-site attacks
  • OAuth-based authentication — we never store your password
  • Server-side session management with automatic expiration
  • Access controls limiting who can view and modify data

While we take every reasonable precaution, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data.

Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can update or correct your personal data through your account settings, or contact us for assistance.
  • Right to erasure: You can request deletion of your account and associated data — including identifiers received from Facebook, Google, or Apple — at any time. Step-by-step instructions are on our dedicated Data Deletion page at /data-deletion. Some data may be retained for legal obligations.
  • Right to restrict processing: You can ask us to limit how we process your data in certain circumstances.
  • Right to data portability: You can request your data in a structured, machine-readable format.
  • Right to object: You can object to processing based on legitimate interests, including analytics.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, please contact us at hello@amazonia.tours. We will respond within 30 days as required by GDPR. For account and data deletion specifically, see our dedicated instructions at /data-deletion.

You also have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

Revoking Access from Facebook, Google, or Apple

In addition to deleting your account on amazonia.tours, you can revoke our app's access from the identity provider itself at any time:

  • Facebook: Settings & Privacy → Settings → Apps and Websites → remove our app from the "Active" list
  • Google: Google Account → Security → Third-party apps with account access → revoke
  • Apple: Settings → Your name → Password & Security → Apps Using Apple ID → Stop using Apple ID

Revoking access at the provider prevents future sign-ins but does not delete data already stored on our platform. To permanently erase your data, follow the instructions on our Data Deletion Instructions page.

Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy:

  • Account data: retained while your account is active, deleted upon request
  • Session data: automatically expires after the session timeout period
  • Contact interaction logs: retained for up to 12 months for analytics, then anonymized
  • Media uploads: retained while your account is active, deleted upon account deletion
  • Error logs and monitoring data: retained for up to 90 days

When data is no longer needed, it is securely deleted or anonymized so it can no longer be linked to you.

Children's Privacy

Our platform is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@amazonia.tours and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will notify you through the platform or via email.

We encourage you to review this policy periodically. The "effective date" at the top of this page indicates when the latest revision was made.

Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us: