Privacy Policy
Last updated: May 10, 2026
1. Data Controller
The data controller for this service is:
Ralf Rasmus Rätsepp
Registration number: 17537098
Address: Viru Väljak 2
Email: [email protected]
Website: oldtownwalks.com
We operate as an FIE (sole proprietor) registered in Estonia and are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and Estonian data protection law.
2. Data We Collect
We collect and process the following categories of personal data:
| Data Category | Specific Data | Source |
|---|---|---|
| Email address | Provided during checkout | You (via Stripe) |
| IP address | Collected automatically by web server | Your browser |
| Payment data | Card details processed by Stripe (we never see full card numbers) | Stripe |
| localStorage data | Tour unlock tokens, cookie consent, language preference | Your browser (local only) |
| Usage analytics | Page views, device type, referrer (anonymous) | Cloudflare Web Analytics |
| Chat messages | Questions sent to AI tour guide (not stored after session) | You |
3. Legal Basis for Processing (GDPR Art. 6)
We process your personal data based on the following legal grounds:
- Contract performance (Art. 6(1)(b)): Processing email and payment data is necessary to fulfill your purchase and deliver access to paid audio tours.
- Consent (Art. 6(1)(a)): Analytics cookies are only activated with your explicit consent via the cookie banner.
- Legitimate interest (Art. 6(1)(f)): Security logging (IP addresses) to prevent fraud and abuse.
4. Data Retention
We retain data only as long as necessary:
- Purchase records: 7 years (Estonian tax/accounting obligation)
- IP addresses (server logs): 30 days
- Analytics data (Cloudflare): 90 days
- Chat messages: Not stored (processed in real time, discarded after session)
- localStorage tokens: Until you clear browser data
5. Third Parties
We share data with the following processors to provide the Service:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Email, card details, amount | USA (SCCs) |
| Cloudflare, Inc. | Website hosting, CDN, analytics | IP address, page views | Global (SCCs) |
| Anthropic | AI chatbot responses | Chat messages (not stored) | USA (SCCs) |
| ElevenLabs | Audio narration generation (one-time) | Tour scripts (no personal data) | USA |
| Railway | Backend API hosting | API requests, server logs | USA (SCCs) |
We do NOT sell, rent, or share your personal data with any party for marketing purposes.
6. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15): Request a copy of your personal data
- Right to rectification (Art. 16): Correct inaccurate data
- Right to erasure (Art. 17): Request deletion of your data (subject to legal retention)
- Right to restrict processing (Art. 18): Limit how we use your data
- Right to data portability (Art. 20): Receive data in a machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)): Withdraw cookie/analytics consent at any time
To exercise any of these rights, email us at: [email protected]. We will respond within 30 days.
7. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):
Andmekaitse Inspektsioon
Tatari 39, 10134 Tallinn, Estonia
Phone: +372 627 4135
Email: [email protected]
Website: www.aki.ee
8. Children Under 16
Our paid Service is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16 without parental consent. Free tour content (Stop 1) is accessible without providing any personal data.
9. International Data Transfers
Some of our processors (Stripe, Cloudflare, Anthropic, Railway) are based in the United States. For these transfers, we rely on the EU Standard Contractual Clauses (SCCs) as the legal mechanism under GDPR Article 46(2)(c).
10. Security Measures
We implement the following security measures:
- All data in transit encrypted via HTTPS/TLS
- Payment card data handled exclusively by Stripe (PCI DSS Level 1 certified)
- Backend API protected with rate limiting and authentication
- No full card numbers ever touch our servers
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal obligations. Material changes will be communicated by updating the “Last updated” date.
12. Contact
For privacy-related inquiries:
Ralf Rasmus Rätsepp
Email: [email protected]
Address: Viru Väljak 2
This Privacy Policy complies with the EU General Data Protection Regulation (GDPR) and Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).