Privacy Policy
Last updated: 11 June 2026
This policy describes what personal data Tourisma collects, why, and how you can control it. It is written under the Digital Personal Data Protection Act, 2023 (DPDP Act) of India.
1. Who we are
Tourisma is a trip-planning service available at tourisma.app. For data protection purposes, Tourisma is the Data Fiduciary responsible for your personal data.
Contact for data matters: support@tourisma.app
2. What we collect
Account data: When you sign up, we collect your email address and a username. These are required to save and share trips.
Trip data: Itineraries you save — including destinations, travel dates, group size, budget type, and day-by-day activity schedules. This data belongs to you.
Usage analytics: Anonymised page views and feature interactions via PostHog (self-hosted proxy). We do not track individual users across sessions without consent.
Device data: IP address (used only for rate limiting, not stored beyond the request), browser type, and approximate timezone.
3. Why we collect it
Service delivery: Your email and trip data are needed to save itineraries, send trip-ready emails, and provide pre-trip reminders (T-14 booking checklist, T-2 packing guide).
Product improvement: Aggregated, anonymised analytics help us understand which features are used and where the experience breaks down.
Communications: We send transactional emails related to trips you have saved (trip-ready confirmation, pre-trip reminders). We do not send marketing emails without your explicit consent.
4. Third parties we share data with
We do not sell your personal data. We share it only with service providers who process it on our behalf:
- ·Supabase (Ireland): Database and authentication hosting
- ·Vercel (USA): Application hosting and serverless functions
- ·Google Maps Platform (USA): Place enrichment (names, photos, ratings) — no user data sent
- ·Resend (USA): Transactional email delivery
- ·PostHog (USA/EU): Product analytics — data proxied through our own domain
- ·Upstash (USA): Redis cache and rate limiting — no PII stored
5. Data retention
Account data: Retained until you delete your account.
Trip data: Retained until you delete the trip or your account. Trips with a departure date are retained for 90 days after the trip ends, then eligible for automated deletion.
Analytics: Anonymised event data retained for 12 months.
Place enrichment cache: Google Places data cached for 30 days; contains no personal data.
6. Your rights under the DPDP Act
Under the Digital Personal Data Protection Act, 2023, you have the right to:
- ·Access a summary of personal data we hold about you
- ·Correct inaccurate or outdated personal data
- ·Erase your personal data (account + all saved trips)
- ·Withdraw consent for non-essential processing at any time
- ·Nominate a person to exercise these rights on your behalf
- ·File a complaint with the Data Protection Board of India
To exercise any of these rights, email support@tourisma.app with the subject line "Data Request". We will respond within 72 hours.
7. Cookies
We use a single first-party session cookie for authentication (Supabase Auth). We do not use third-party advertising cookies. Analytics are collected via a first-party proxied script with no third-party cookies.
8. Children
Tourisma is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact us and we will delete it promptly.
9. Changes to this policy
We may update this policy when our data practices change. Material changes will be communicated by email to registered users at least 7 days before they take effect. Continued use after that date constitutes acceptance.
10. Contact
Data questions or requests: support@tourisma.app
Grievance Officer (DPDP Act): same address. We will acknowledge all requests within 48 hours.