Privacy Policy
Last updated 2026-05-11 · Effective 2026-05-11
Summary
Talehopper publishes human-curated audio walking tours of Helsinki for international visitors. We try hard to collect as little personal data as possible. We do not use marketing cookies, we do not profile you with third-party trackers, and we do not sell your data. Site analytics, when enabled, are aggregate and cookie-less.
The only first-party cookie we set is the strictly-necessary Supabase session cookie used while you are signed in (admin/curator area today; visitor accounts may be added in a future release). When paid tours go live, Stripe Checkout will set its own cookies on checkout.stripe.com — not on talehopper.app. See “Recipients” below.
1. Who is responsible (data controller)
For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the data controller for Talehopper is:
- Talehopper
- Sole trader (toiminimi)
- Helsinki, Finland
- Privacy contact: privacy@talehopper.app
Pre-launch notice. Talehopper is currently in pre-launch and the underlying business is in the process of being registered as a Finnish sole trader (toiminimi). The full legal name of the natural person operating the business and the Y-tunnus (Finnish business identifier) will appear on this page when registration completes. In the meantime they are available on request from privacy@talehopper.app — your right of access under GDPR Article 15 is fully honoured even during pre-launch. Talehopper does not have a designated Data Protection Officer (DPO); Article 37(1) does not require one for our scale and processing profile.
2. What personal data we process, and why
The categories below are the complete list — we do not collect anything else.
(a) Aggregate site analytics
Data: page URL, referrer, country (city-level), screen size, anonymous device class. No IP addresses are stored, no cookies are set, and no cross-site identifier is created.
Why: measure which tours people discover and which articles convert — privacy-first analytics via Plausible Analytics.
Legal basis: Article 6(1)(f) — legitimate interest. Plausible's design (no cookies, no personal identifiers) means no consent is required under the ePrivacy Directive.
(b) Email (newsletter / launch announcements)
Data: email address, signup timestamp, source page.
Why: send occasional new-tour or new-article announcements only when you have actively opted in.
Legal basis: Article 6(1)(a) — consent (you must actively submit the form). Withdraw at any time using the unsubscribe link in every email or by emailing privacy@talehopper.app.
(c) Purchase & entitlement records
Data: Stripe customer ID, Stripe payment reference, purchased tour ID, purchase timestamp, currency and amount. We do not store your card number, CVC, or full billing address — those stay with Stripe. We do store the email you used at checkout so we can deliver your tour and respond to support questions.
Why: grant access to the tour you bought, issue receipts, handle refunds and chargebacks, comply with Finnish bookkeeping law (Kirjanpitolaki 1336/1997, 6-year retention floor for accounting documents).
Legal basis: Article 6(1)(b) — performance of the contract for the tour you purchased; and Article 6(1)(c) — legal obligation (bookkeeping).
(d) Curator / admin accounts
Data: email address, magic-link sign-in timestamp, session cookie. Today this is an internal-only surface used by the tour curator(s).
Legal basis: Article 6(1)(b) — performance of the curator agreement.
(e) User-submitted reviews (future)
Data: review text, star rating, display name, verified-purchase flag. We store a SHA-256 hash of your buyer email — the plain email is never written to the reviews table. The hash lets us link a review to a verified purchase without ever rendering the address publicly or storing it in recoverable form.
Legal basis: Article 6(1)(a) — consent (active review submission).
(f) Admin audit log
Data: admin user ID, action name (e.g. tour publish, slug rename), target ID, timestamp. Used for internal forensics and to honour Stripe dispute response timelines.
Legal basis: Article 6(1)(f) — legitimate interest (security and fraud prevention).
3. Recipients (who else processes your data)
We use a small number of carefully chosen processors. Each operates under a Data Processing Agreement (DPA) compliant with GDPR Article 28.
- Supabase (Supabase Inc., USA — EU eu-west-1 data region) — database hosting, authentication, file storage. DPA: supabase.com/legal/dpa.
- Stripe (Stripe Payments Europe Ltd, Ireland) — payment processing. Stripe is a separate data controller for payment data; we never see your card. DPA: stripe.com/legal/dpa.
- Vercel (Vercel Inc., USA — EU edge regions) — web hosting and edge delivery. DPA: vercel.com/legal/dpa.
- Plausible Analytics (Plausible Insights OÜ, Estonia) — cookieless aggregate analytics. DPA: plausible.io/data-policy.
- GoDaddy (GoDaddy.com LLC) — domain registration. Receives only the domain registrant data (owner identity) you would normally find in WHOIS.
We do not sell, rent, or trade personal data to anyone, ever.
4. Where your data is stored
Database, file storage, authentication, and the audit log are hosted in the European Union (Ireland — eu-west-1) on Supabase. Stripe processes payments in the European Economic Area. Vercel serves the site from EU edge regions whenever possible; some static assets may be delivered from the global Vercel edge network for performance.
When data is transferred outside the EEA (for example, to Stripe's US-based fraud-detection systems), the transfer is governed by the European Commission's Standard Contractual Clauses (SCCs) under Article 46 of the GDPR.
5. How long we keep your data (retention)
Storage limitation, GDPR Article 5(1)(e). The table below is the full retention schedule.
| Data | Retained |
|---|---|
| Aggregate analytics | No personal identifier ever stored |
| Newsletter email subscribers | Until you unsubscribe |
| Reviews | For the lifetime of the linked tour |
| Purchase & entitlement records | Indefinitely (anonymized on user-deletion request) |
| Admin audit log | 12 months |
Entitlements are kept indefinitely because Finnish bookkeeping law requires accounting documents to be retained for at least six years (Kirjanpitolaki 1336/1997 § 10), and the entitlement row is what links a purchase to a customer for chargeback defence. On a deletion request (Section 6) we anonymize the link to your account but preserve the row.
6. Your rights
Under GDPR you have the rights below. To exercise any of them, email privacy@talehopper.app. We respond within 30 days (Article 12(3)). The first request per calendar year is free.
- Access (Article 15) — get a machine-readable copy of all personal data we hold on you. We'll add a self-service /api/me/data-export endpoint in a future release; until then we send the export over email.
- Rectification (Article 16) — correct anything wrong (e.g. mistyped email).
- Erasure (Article 17) — delete your account and all data tied to it. Entitlements are anonymized rather than deleted (see Section 5).
- Restriction (Article 18) — pause processing while a dispute is investigated.
- Portability (Article 20) — your access export (above) is delivered in JSON, satisfying the portability requirement.
- Objection (Article 21) — object to processing based on legitimate interest. The audit log and analytics are the two surfaces this applies to.
- Right to lodge a complaint (Article 77) — with the Finnish Data Protection Ombudsman (tietosuoja.fi) or your local supervisory authority.
7. Cookies
We set no non-essential first-party cookies. The only cookie this site sets is the Supabase auth session cookie, which is strictly necessary to keep you signed in (curator area today, buyer accounts in a future release) and is exempt from consent under the ePrivacy Directive.
When paid tours go live in a later release and you reach the payment step, you will be redirected to checkout.stripe.com. Stripe sets its own fraud-prevention cookies on that domain — their cookies, their notice. See stripe.com/cookie-settings.
8. Security
Passwords are not used — sign-in is via passwordless magic link. Database access is gated by Postgres Row Level Security on every table. Admin actions are recorded in an append-only audit log. The site is served over HTTPS only (HSTS preload-eligible) with a strict Content Security Policy. We aim to disclose security issues within 72 hours of confirmation, in line with GDPR Article 33.
9. Children
Talehopper is not directed at children under 16. We do not knowingly process the personal data of children under 16. If you believe a child has signed up to our newsletter, email privacy@talehopper.app and we will delete the record.
10. Changes to this policy
We update this page when our processing changes (for example, when paid tours and Stripe Checkout go live in a later release). Material changes are dated above and will be announced via the email subscriber list (if you're on it). Past versions are kept in this site's git history.
11. Governing law
This policy is governed by the law of Finland and the directly-applicable provisions of EU law (GDPR, ePrivacy Directive). Disputes are subject to the jurisdiction of the courts of Finland.
12. Contact
Privacy questions, data-rights requests, complaints: privacy@talehopper.app.
Order or refund issues: support@talehopper.app.