Privacy Policy

Introduction

Tourist SOS, Inc. (“we,” “our,” or “us”) operates the SOS Safety certification platform. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Platform.

By using the Platform, you agree to the collection and use of information as described here. If you do not agree, please do not use the Platform.

1. Information We Collect

1.1 Information You Provide

• Account Information: Name, email address, password, organization name, role
• Organization Details: Property or company name, type (accommodation/tour operator), address, phone, website, property size, guest capacity
• Assessment Data: Your responses to certification module questions, facility assessment answers, and scores
• Knowledge Contributions: Local safety information you share through the knowledge base
• Chat Data: Messages you send to the SOSA AI assistant

1.2 Information We Collect Automatically

• Device Information: IP address, browser type, operating system, device type
• Usage Data: Pages visited, features used, time spent, via Vercel Analytics
• Authentication Data: Login timestamps, session tokens (managed by Supabase Auth)

1.3 Information from Third Parties

• Emergency case data from the Tourist SOS Command Center (read-only, linked to your organization)
• Team member information when staff join via invite links

2. How We Use Your Information

2.1 Platform Operations

• Operate the certification, training, and assessment features
• Generate and verify digital certificates and verification codes
• Manage team memberships and role-based access
• Generate Policies & Procedures documents from your facility assessment
• Power the SOSA AI assistant with context about your organization
• Send notifications about certification status, team activity, and training progress

2.2 Public Verification

When your organization earns an SOS Safe certification, limited information is made publicly accessible via the verification page (/verify/[code]):

• Organization name, type, city, and country
• Certification tier, issue date, and expiry date
• Verification code and certification status (active/expired/revoked)

This is a core feature of the certification system — it allows travelers and insurers to verify your certification. Assessment scores, internal team data, and other details are never exposed publicly.

2.3 Improvement and Analytics

• Analyze usage patterns to improve the Platform
• Monitor performance and fix technical issues
• We use Vercel Analytics for anonymized, privacy-friendly web analytics

3. Information Sharing

We do not sell, rent, or trade your personal information. We share information only as follows:

3.1 Service Providers

• Supabase: Authentication, database hosting, and file storage
• Vercel: Application hosting and analytics
• Anthropic: AI model provider for the SOSA assistant and policy generation

3.2 Public Verification

Organization name, location, and certification status are visible on the public verification page as described in Section 2.2.

3.3 Legal Requirements

We may disclose information when required by law, court order, or government request, or to protect the rights, property, or safety of Tourist SOS, our users, or the public.

4. Data Security

We take reasonable measures to protect your information:

• All data transmitted over HTTPS/TLS encryption
• Passwords are hashed and never stored in plain text (managed by Supabase Auth)
• Row-Level Security (RLS) policies ensure users can only access their own organization’s data
• API endpoints are rate-limited to prevent abuse
• Authentication middleware protects all dashboard routes
• Soft deletes for team member removal (data preserved for audit)

5. Data Retention

We retain your information for different periods depending on the type:

• Account and Profile Data: Until you delete your account, plus 30 days for recovery
• Certification Records: 7 years after expiry, for compliance and audit purposes
• Training Completion Records: 5 years, for staff training compliance verification
• Assessment Responses: Duration of your active certification plus 1 year
• Usage Analytics: 2 years (anonymized after 12 months)

After retention periods expire, data is securely deleted or anonymized. Some data may be retained longer if required by law.

6. Your Privacy Rights

Depending on your location, you may have the right to:

• Access: Request a copy of the personal information we hold about you
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your data (subject to legal retention requirements)
• Portability: Receive your data in a machine-readable format
• Objection: Object to certain processing activities
• Restriction: Limit how we process your information

7. International Data Transfers

Your data may be processed in countries other than your own, as our service providers (Supabase, Vercel, Anthropic) operate globally. We rely on appropriate safeguards such as Standard Contractual Clauses where applicable.

8. Cookies

We use a limited set of cookies:

• Essential (Authentication): Supabase session cookies for login functionality. These are required for the Platform to work.
• Analytics: Vercel Analytics collects anonymized usage data. No personally identifiable information is tracked.
• Preferences: Cookie consent choice stored in local storage.

You can manage cookies through your browser settings. Disabling essential cookies will prevent you from logging in.

9. Children’s Privacy

Parents or guardians who believe their child has provided information to us should contact us immediately at privacy@tourist-sos.com.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email and/or a notice on the Platform. The “Last updated” date at the top will reflect the most recent revision. Continued use after changes take effect constitutes acceptance.