1. Who we are
TourTour is operated by TourTour, a company registered in Estonia (European Union). "We", "us", and "our" refer to TourTour. Under GDPR we are the data controller for the data described below.
For any privacy question: [email protected].
2. The short version, with detail
TourTour is built so we cannot see your personal data. Identity comes from Sign in with Apple. Purchases run through StoreKit. Saved routes, playback progress and preferences are written to your private iCloud using CloudKit, which only your Apple-ID-signed devices can read. Our servers store access logs for 90 days and nothing else about you.
This page explains exactly what we hold, why, where, for how long, and how to get rid of it.
3. Data we process & legal basis
| Data | Where it lives | We can read it? | Lawful basis (GDPR Art. 6) |
|---|---|---|---|
| Sign in with Apple opaque identifier | Your device + your private iCloud (CloudKit) | No, only your devices | Contract performance, 6(1)(b) |
| Subscription & purchases | Apple (StoreKit) + Apple-signed receipt on your device | No | Contract performance, 6(1)(b) |
| Saved routes, playback progress, preferences | Your private iCloud (CloudKit) and on your device | No, only your devices | Contract performance, 6(1)(b) |
| Location (when you allow it; ongoing & background during a walking tour) | iOS device memory only | No, never leaves your device | Contract performance, 6(1)(b) + iOS consent prompt |
| Downloaded city packs (audio, text, images) — play offline | Your device only | No | Contract performance, 6(1)(b) |
| Listen history (in-app debug) | Your device only | No | Contract performance, 6(1)(b) |
| Server access logs (IP, path, timestamp, response code) | Hetzner servers (Germany / Finland) | Yes, 90 days, then auto-deleted | Legitimate interest, 6(1)(f) |
4. How Sign in with Apple works
When you tap "Sign in with Apple" in TourTour, Apple authenticates you and hands the app a single string: an opaque user identifier. We do not request your name or email; Apple withholds them and we have no way to ask later.
The app stores that identifier locally on your device, and mirrors it into your private iCloud so the same identity works on your iPad or a replacement iPhone. It never reaches our servers. To us it is meaningless, because there is no account on our side it is linked to.
You can revoke Sign in with Apple at any time at Settings → Apple ID → Sign-In & Security → Sign in with Apple. We never receive your email or your real Apple ID, so we have nothing to delete from a server.
5. CloudKit: your data in your iCloud
Saved routes, playback progress and preferences are written to your private CloudKit database inside an iCloud container we own (iCloud.app.tourtour.TourTour). Apple's CloudKit is the storage layer. Your Apple-ID-signed devices are the only readers.
To be fully honest: under GDPR we are still the data controller, because we designed the schema: records like PlaybackProgress and UserPreferences exist because we defined them. Apple is our processor. But we have no servers that can read these records, and we cannot subpoena them out of Apple. Only you, signed into your Apple ID, can.
CloudKit records stay in your iCloud until you delete them. See section 12 for how to remove them.
6. Location, maps & Look Around
Location. When you open TourTour we ask iOS for your location so the app can surface the city closest to you — a coarse, one-off fix is all this feature needs. iOS shows its standard system permission prompt; if you decline, the app still works and you pick a city manually.
If you start a walking tour and opt in, TourTour asks for ongoing (“Always”) location access, including in the background, so it can advance to the next stop and play its narration as you arrive — even while the phone is locked in your pocket and your headphones are in. You can run any tour without this by moving through the stops manually.
Your location is used only on your device, in real time, to decide which narration to play and where to centre the map. It is held in device memory, never written to disk, and never transmitted to TourTour servers. We keep no location history and build no profile of where you have been. Revoke or change access any time in iOS Settings → Privacy & Security → Location Services → TourTour.
Maps & directions. Maps are drawn with Apple MapKit. For directions between stops, TourTour hands off to Apple Maps — it does not provide its own in-app turn-by-turn navigation. What happens once Apple Maps opens is governed by Apple’s privacy policy.
Look Around (VR). Some landmarks offer Apple “Look Around” street-level imagery. It streams live from Apple Maps each time you open it, so it needs an internet connection and is the one part of a tour that does not work offline. That request goes to Apple under Apple’s privacy policy; the imagery is not stored on your device and never reaches our servers.
Offline. Once a city pack is downloaded, its narration audio, text and cover images live entirely on your device and play with no connection. Live map tiles and Look Around are the only exceptions, as noted above.
7. Purchases (StoreKit)
Subscriptions and one-off purchases are handled by Apple via StoreKit. We do not see your card, billing address, name or email. Your device receives an Apple-signed receipt (a JWS token) proving entitlement, and a small Cloudflare Worker we operate checks the signature so we can confirm the purchase is valid without holding any payment data.
Refund requests go through Apple's standard process (Settings → Apple ID → Subscriptions or reportaproblem.apple.com).
8. Server access logs & security
Every API request the app makes (catalogue lookups, city-pack downloads, entitlement checks) creates a single line in our access log: timestamp, IP address, URL path, HTTP response code. We keep these for 90 days and then they are automatically deleted. Lawful basis: legitimate interest under GDPR Art. 6(1)(f), specifically security and abuse prevention.
We do not log request bodies. We do not link access logs to any user identity. We do not sell, share or enrich them.
9. Sub-processors & international transfers
The companies below process data on our behalf. Each handles only the slice listed.
- Apple: Sign in with Apple, StoreKit, CloudKit, MapKit. Acts as our processor (and, for Sign in with Apple, joint actor at the identity layer). Mix of EU and US infrastructure depending on the service.
- Hetzner (Germany / Finland): primary application servers and access logs.
- Neon (Frankfurt, EU): Postgres database for the public city catalogue.
- Cloudflare (EU region): R2 object storage for city-pack delivery; a Cloudflare Worker handling StoreKit entitlement checks. No personal data is stored in R2; the packs are the same for every user.
- Bunny.net (EU): CDN edge delivery for static assets and pack chunks.
- Backblaze B2 (US, SCCs in place): off-site cold backup of pack archives. Contains no personal data.
Cross-border transfers to the US (Apple, Backblaze) rely on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
10. Marketing website (this site)
This marketing website uses no cookies, no analytics SDK, no advertising pixels and no third-party trackers. We do not run Google Analytics, Facebook Pixel, Hotjar, Mixpanel, Segment or anything similar.
Standard server access logs apply (see section 8).
11. The iOS app: no analytics, no SDKs
The TourTour iOS app ships with no analytics SDK, no advertising framework, no crash-reporting SDK and no third-party data sharing. There is no Firebase, no Mixpanel, no Segment, no Amplitude, no Sentry. We have built the app so there is nothing to disclose here beyond what is in this policy.
No automated decision-making or profiling in the sense of GDPR Art. 22 takes place.
12. Account & data deletion
Inside the app, Settings → Delete Account wipes your local TourTour data and signs you out: playback progress, listen history, downloaded packs, saved routes, catalogue cache, app preferences, and the locally stored Sign in with Apple identifier.
Your CloudKit records (the ones in your private iCloud) are part of your iCloud account, not ours. The current in-app flow does not delete those for you. To remove them too:
- Delete TourTour from every device you used it on, and
- Go to iOS Settings → Apple ID → iCloud → Manage Account Storage → TourTour and tap "Delete from iCloud".
We are shipping an in-app option that wipes the CloudKit zone for you in a near-term update; until then, email [email protected] and we will walk you through it.
Server access logs (which only contain your IP) age out automatically after 90 days. If you want them purged sooner, email us with the rough timeframe and we will clear matching entries.
Purchase history sits with Apple; contact Apple Support if you want that erased.
13. Your GDPR rights
If you are in the EU, EEA, UK, or anywhere else that grants similar rights, you have the right to:
- Access the personal data we hold about you (in practice: your matching access-log entries).
- Rectify incorrect data.
- Erase data, subject to the limits in section 12.
- Restrict or object to processing based on legitimate interest.
- Portability for data you provided to us.
To exercise any of these, email [email protected]. We respond within 30 days. For data Apple holds (your Apple ID, purchase records, CloudKit content as the storage layer), Apple is the direct contact: apple.com/legal/privacy.
You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI): aki.ee/en.
14. Children
TourTour is not directed at children under 16. We do not knowingly collect data from anyone under 16, and Sign in with Apple already enforces Apple's age-based account rules. If you believe a child has used the app and you want anything removed, email us and we will help.
15. Changes
When this policy changes, we update the "Last updated" date at the top. Material changes are surfaced in-app before they take effect.
Questions?
Reach out if anything here is unclear, or if you want to exercise any of your rights.
[email protected]