WHO WE ARE
Yellow Molly Aktiebolag (trading as Private Tours)
Org. nr 559577-5080
How Private Tours collects, uses, and protects your personal data — written plainly, in line with the GDPR.
This privacy policy applies to personal data processed by Private Tours ("we", "us") through this website, our booking flow, and any direct communication you have with us. It does not apply to third-party services we link to but do not operate.
"Personal data" means any information relating to an identified or identifiable natural person. "Processing" means any operation we perform on personal data — collection, storage, use, disclosure, or deletion. "Controller" means the party that decides why and how personal data is processed; for the purposes of this policy, that is us.
We collect the following categories of personal data:
| Activity | Data Categories | Legal Basis | Retention |
|---|---|---|---|
| Process tour bookings via Bokun | Name, email, phone, booking metadata | Art. 6(1)(b) — Contract | 7 years (Bokföringslag) |
| Group inquiry form | Name, email, phone, group size, requirements | Art. 6(1)(b) — Pre-contract | 24 months |
| Contact form responses | Name, email, message | Art. 6(1)(f) — Legitimate interest | 24 months |
| Booking confirmation emails | Email, booking details | Art. 6(1)(b) — Contract | Tied to booking |
| Concierge wizard preferences | Audience + interest selections | Art. 6(1)(a) — Consent (localStorage only) | Until cleared |
| Web Vitals metrics | Anonymized perf data, truncated IP | Art. 6(1)(f) — Legitimate interest | 90 days |
| Tour catalog semantic search | Tour content embeddings only — no user data | Art. 6(1)(f) — Legitimate interest | Rebuilt on content change |
| Spam / abuse prevention | IP, request rate | Art. 6(1)(f) — Legitimate interest | 30 days |
| Tax record retention | Booking + invoice data | Art. 6(1)(c) — Legal obligation | 7 years (Bokföringslag) |
We share data only with providers required to deliver the service. Each operates under a Data Processing Agreement.
| Provider | Role | Location | Transfer Mechanism |
|---|---|---|---|
| Bokun (Tripadvisor LLC) | Booking platform | Iceland / United States | EU SCCs |
| Stripe (via Bokun Pay) | Payment processing | Ireland (EU) / United States | EU SCCs + DPF |
| Vercel Inc. | Web hosting + Blob storage | United States (EU edge regions) | EU SCCs + DPF |
| Supabase Inc. | PostgreSQL database (EU region) | European Union | DPA + EU region |
| OpenAI | Embeddings — tour catalog content only, no user data | United States | EU SCCs |
| Google Workspace | Transactional email (SMTP) | United States (EU region) | EU SCCs + DPF |
| Meta Platforms (WhatsApp) | Deep-link only — user-initiated chat | EU / United States | User-initiated; not our processing |
Some of our sub-processors operate from countries outside the European Economic Area (EEA), notably the United States. Where such transfers occur, we rely on EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework (DPF).
We choose providers with EU regions or EU-fronted edge presence wherever practical — for example, our database lives in an EU region, and our hosting platform serves EU traffic from European edge nodes.
We keep personal data only as long as necessary:
- Have your data deleted where we have no overriding legal duty to retain it. Email us; we may need to keep tax-relevant records for 7 years.
- Limit how we use your data while a dispute is resolved. Email us with the basis for restriction.
- Receive your data in a machine-readable format. Email us; we will provide a structured export.
- Object to processing based on our legitimate interest. Email us with your specific situation.
- Withdraw consent at any time, without affecting prior lawful processing. Email us; consent-based processing stops on withdrawal.
- We do not make decisions with legal effect about you using automation alone. Email us if you have questions about our concierge wizard.

We respond to all rights requests within 30 days. Free of charge.
Our service is intended for adults aged 16 and over. Children under 16 cannot create bookings on this site. Children may participate in tours as accompanied guests of an adult booker. If we learn we have collected personal data from someone under 16, we will delete it within 30 days.
Our concierge wizard suggests tours based on audience and interest selections you provide. These selections are stored only in your browser's localStorage — we never receive them on our servers. The wizard offers recommendations only; you remain in full control of your choices. This is not an automated decision under Article 22 GDPR.
We protect personal data using industry-standard measures: TLS encryption in transit, encryption at rest, role-based access control, and audit logging. In the event of a personal data breach affecting your rights, we will notify the supervisory authority within 72 hours and inform affected individuals without undue delay.
We update this policy when our processing changes. The 'Updated' date in the hero reflects the latest revision. Material changes will be communicated via on-site notice. Prior versions are available in the project's public git history.
If you believe we have mishandled your personal data, contact us first — we will work to resolve it. You also have the right to complain directly to the Swedish Authority for Privacy Protection (IMY).
We respond within 12 hours.