This Data Processing Agreement (DPA) summary describes how SimilarTours processes personal data on behalf of users + partners when GDPR Article 28 applies. It is a plain-language summary; for the full contractual DPA (signed when an arrangement requires one) contact hello@similartours.com.
Roles
For visitors browsing SimilarTours, we act as a data controller for the limited information we collect (analytics, click-out events, account profile data). For users who book a tour through a partner site, the partner is the data controller for everything entered into the booking flow - SimilarTours does not see or store payment, traveler, or contact details collected at the partner's checkout.
What personal data we process
- Anonymous browser/device data - page views, referrer, user-agent, rough geographic location derived from IP. Used to understand traffic patterns and improve the site.
- Click-out events - which tour you clicked through to a partner site to view. Used to confirm bookings flow correctly and for partner attribution.
- Account information (only if you create an account) - email, name, optional profile fields. Used to authenticate you and remember your preferences.
Sub-processors
We use the following sub-processors to deliver the service:
- Supabase (database + authentication, EU/US regions) - stores account data + click-out events.
- Vercel (hosting + CDN, global) - serves the website + runs the edge functions.
- Google Analytics 4 (anonymized analytics, Google LLC) - only loaded when you accept analytics cookies.
- Microsoft Clarity (session analytics, Microsoft Corporation) - only loaded when you accept analytics cookies.
- Viator (a Tripadvisor company) (tour catalog + booking) - the partner you click through to; sees the data you enter at their checkout, not data we hold.
If we add or change a sub-processor we will update this page. Material changes affecting how data leaves the EU/UK will be flagged before the change takes effect.
International transfers
Some sub-processors process data outside the EU/UK (Google, Microsoft, Vercel global edge). Transfers rely on the European Commission's Standard Contractual Clauses and the sub-processor's own GDPR posture (each vendor maintains a public DPA). We use no transfer mechanism beyond these.
Data subject rights
You can exercise your GDPR rights (access, rectification, erasure, data portability, objection, restriction) by emailing hello@similartours.com. We respond within 30 days. For data the partner controls (e.g., a Viator booking), contact the partner directly - we'll point you to the right place if you're unsure.
Breach notification
If a personal-data breach occurs that affects controllers we work with, we notify them within 48 hours of becoming aware. For users directly affected we notify without undue delay, in line with GDPR Article 34.
Contact + recourse
For DPA-specific questions email hello@similartours.com. If you're unsatisfied with our response, you can lodge a complaint with your national supervisory authority (in the EU/EEA), the Information Commissioner's Office (UK), or equivalent regulator in your jurisdiction.