Privacy Policy
This policy explains what personal data heycupo collects, how we use it, who we share it with, how long we keep it, and what rights you have over it.
This policy applies to two groups of people:
- Customers. People who book an experience through a heycupo-powered booking page.
- Operators. Businesses that run experiences and use heycupo to take bookings and manage their operations.
Where a section only applies to one group, it says so.
1. Who we are
heycupo is a booking infrastructure platform operated from Lisbon, Portugal. Where this policy refers to "heycupo", "we" or "us", it means the heycupo platform and whoever operates it at the time.
For any privacy question or request, the contact is at the bottom of this policy.
2. What we collect
2.1 Customer data (when you book)
- Contact details: name, email, optionally phone number. Required to run the booking.
- Booking details: the experience, date, time, party size, any notes you added, your preferred locale.
- Payment metadata: our payment processor handles your card. We store a payment identifier, the currency and amount, and metadata needed for refunds and disputes. We never see or store your actual card number, CVC or expiry date. If you use a payment method that is saved for a card guarantee, we store a reference (a token) that can only be charged through your operator's merchant account. The reference is detached after your trip completes.
- Consent trail: the exact text of the terms you agreed to at booking, your IP address at the time, and your browser's User-Agent. This is a legal evidence record, used only if a dispute comes up.
- Operational data: timestamps for when you booked, when you boarded, when your trip was completed and whether a no-show fee was charged.
- Communication: if you email us about a booking, we store that email.
2.2 Operator data (when you run a business on heycupo)
- Account details: name, email, phone, business name, country, timezone, default locale, tax region and tax ID (optional).
- Merchant account data: your payment processor account ID and capability flags, received from the processor when you onboard. The sensitive details (bank account numbers, beneficial owner documents) live inside the processor, not inside heycupo.
- Business content: the experiences you publish, the photos you upload, your schedules, team members, meeting points and pricing.
- Operational data: every booking on your account, every ticket scanned, every payout landed.
- Support communication: any email you send us or we send you about the service.
2.3 Automatically collected
- Device and browser information on the booking page and in the operator app: IP, User-Agent, locale, basic request timing. We do not use tracking cookies on the booking page. The operator app uses secure authentication tokens for login.
- Error logs: if something breaks, we log the error and some request metadata to diagnose it. Logs that contain personal data (email, name, booking ID) are purged after 30 days.
3. Why we collect it (legal basis)
Under EU GDPR, every piece of personal data processing needs a "lawful basis". Here's ours:
| Data | Purpose | Legal basis |
|---|---|---|
| Customer contact + booking details | To run your booking, send confirmation, issue tickets, enable the operator to serve you | Performance of a contract (Article 6(1)(b) GDPR) |
| Payment metadata | Process payments, refunds, disputes | Performance of a contract + legal obligation (tax and dispute records) |
| Consent trail (IP, UA, agreed text) | Defence of legal claims arising from the booking | Legitimate interest (Article 6(1)(f)) and legal obligation for dispute evidence |
| Operator account + business content | Provide the heycupo service to the operator | Performance of a contract |
| Error logs | Diagnose and fix bugs | Legitimate interest in operating a functioning service |
| Support communication | Respond to your question | Performance of a contract / legitimate interest |
We do not rely on consent for any of the above, because all of it is necessary to run the service you asked for. The only consent-based processing is future marketing communication (opt-in, not active in v1).
4. Marketing
heycupo does not currently run marketing communications to customers. If we ever add a newsletter, a reminder email series beyond the transactional ones, or product-announcement emails, it will be opt-in with an unsubscribe link in every message, and this section will be updated.
Transactional emails (booking confirmations, QR tickets, cancellation notices, day-before reminders) are not marketing and don't require separate opt-in. You receive them because you made a booking or you run an operator account.
5. Who we share data with
We share data with a small set of service providers ("subprocessors") who help us run the service. Each of them is bound by a data processing agreement and is only allowed to use the data for the purpose we tell them to.
- Supabase (Amazon Web Services infrastructure, US region): the database that stores bookings, experiences, operator accounts and related records. Also hosts uploaded photos in its Storage product. DPA via Supabase's standard terms.
- Stripe (payments, Connect, disputes): all card payment information. We send the processor enough metadata to identify the booking. They handle card details. DPA via Stripe's standard Connect terms.
- Cloudflare (Workers, CDN, edge network): serves the booking pages, the operator app's API and the emails. Receives every request as part of normal traffic. DPA via Cloudflare's standard terms.
- Email provider (for sending booking confirmations and operator notifications): the current provider is listed in our internal subprocessor list and updated when it changes. Email content passes through the provider on its way to your inbox.
We share customer booking data with the operator whose experience you booked. That's the whole point of a booking. The operator needs to know who is coming and when. The operator acts as a data controller for their own customers and is bound by their own privacy obligations to you.
We do not share data with:
- Advertising networks.
- Data brokers.
- Analytics providers that profile individuals.
If we are required by law (court order, valid law-enforcement request, regulator demand) to share data, we will comply, and where possible we will notify the affected person first.
6. Where data is stored and international transfers
Our database is hosted by Supabase in Amazon Web Services us-east-1 (Northern Virginia). For customers in the EU, UK, Switzerland and other jurisdictions with data-protection laws, this constitutes an international transfer. The legal basis is Standard Contractual Clauses (SCCs) incorporated through Supabase's terms, together with Supabase's additional technical and organisational measures.
The payment processor stores payment data in its own global infrastructure. Cloudflare's Workers infrastructure is distributed across its global edge network. Each of them has its own transfer safeguards.
We plan to offer an EU-region database for EU-resident customers in a future version. Until then, if the US-region storage is unacceptable to you, don't use the service.
7. How long we keep data
| Data | Retention |
|---|---|
| Completed booking records (customer contact, booking details, payment metadata, consent trail) | 7 years from booking creation. This covers the longest tax-record retention requirement across the jurisdictions we serve (Portugal, Spain, Mexico, Brazil) and gives a dispute window. |
| Cancelled or refunded bookings | Same 7 years. Tax records exist whether or not the trip happened. |
| Saved payment method tokens for card-guarantee bookings | Detached from the payment processor's customer object on trip completion (typically within 48 hours). The token identifier stays on the booking row for the 7-year retention but is no longer usable for charges. |
| Operator accounts | Kept for as long as the account exists, and for 7 years after the last booking or account closure, whichever is later. |
| Operator-uploaded photos | Deleted when the operator deletes the experience, or on account termination. |
| Error logs with personal data | 30 days. |
| Support email threads | 3 years from the last message. |
| Marketing consent records (when we add marketing) | For the lifetime of the marketing opt-in plus 3 years after withdrawal. |
We will not keep your data longer than we need to. If you have a specific request to erase your data sooner, see Section 8.
8. Your rights
If you are in the EU, UK, Switzerland, Mexico, Brazil or any jurisdiction with a comparable data-protection law, you have statutory rights over your personal data. heycupo honours these rights for everyone we have data about, regardless of residence.
The rights you have:
- Access. Ask what data we hold about you and receive a copy.
- Rectification. Ask us to fix data that's wrong.
- Erasure ("right to be forgotten"). Ask us to delete your data. Where legal retention obligations apply (tax records, dispute evidence), we restrict processing instead of deleting.
- Restriction. Ask us to stop actively processing your data while a dispute is being sorted.
- Portability. Ask us to export your data to you in a structured, machine-readable format. We provide JSON.
- Objection. Object to processing based on legitimate interest.
- Withdraw consent. Where processing is based on consent, withdraw it at any time. Does not affect past processing.
Mexico-specific (LFPDPPP): the four ARCO rights are Acceso, Rectificación, Cancelación and Oposición. They map to the rights above.
Brazil-specific (LGPD): you have the rights above plus the right to information about data sharing, the right to know about the consequences of refusing consent, and the right to review automated decisions that affect you. heycupo does not currently make automated decisions that affect customers. No algorithmic pricing, no algorithmic acceptance or rejection of bookings.
To exercise any right, email the contact at the bottom of this policy with enough information for us to find you in our records (at minimum: the email you booked with, and ideally a booking ticket code). We respond within 30 days by default, and may extend to 60 days for complex requests. Requests are free of charge in the vast majority of cases. We may charge a reasonable fee for clearly excessive or repetitive requests, per GDPR Article 12(5).
You also have the right to complain to a supervisory authority if you think we're mishandling your data. In Portugal the authority is the CNPD (Comissão Nacional de Proteção de Dados, https://www.cnpd.pt). In other jurisdictions, find your local data-protection authority's site.
9. Security
We take reasonable technical and organisational measures to protect personal data:
- Transport encryption (TLS) for everything in transit.
- Database-level encryption at rest.
- Row-level security on the database so operators can only see their own data.
- Strong authentication for operator accounts.
- Card data handled exclusively by our payment processor, which is PCI-DSS Level 1 certified.
- Limited employee access on a need-to-know basis (currently, a very small number of people).
- Incident response. We will notify affected users and regulators within 72 hours of becoming aware of a personal-data breach, per GDPR Article 33.
No system is perfectly secure. If we notice a breach affecting your data, we'll tell you.
10. Children
heycupo is not intended for children under 16. We do not knowingly collect data directly from anyone under 16 as the booking customer. If your child is under 16 and participating in an experience, the booking must be made by a parent or guardian in their own name, with the child included in the party size.
For operators, you must be 18 or older to create a heycupo operator account.
If you believe a child has created an account or booked directly, contact us and we'll remove the data.
11. Changes to this policy
We may update this policy. If we make a material change (new subprocessor, new retention period, new purpose of processing), we'll notify operators by email and show a notice on the booking page for customers making new bookings. The version you agreed to when you made a booking continues to apply to that booking as a historical record.
12. Contact
Privacy contact: hello@heycupo.com. Use this address for any data protection request: access, rectification, erasure, restriction, portability, objection, questions about this policy, or security concerns.
heycupo has not formally appointed a Data Protection Officer under GDPR Article 37, because the processing heycupo carries out does not cross the thresholds that make DPO appointment mandatory (no large-scale systematic monitoring of data subjects, no large-scale processing of special category data, no public-authority status). Rafael Vicente, as founder, is the named Privacy Lead responsible for compliance and reachable at hello@heycupo.com.
Postal address and registered entity details are provided on request.
Include your name, the email you booked with (if you are a customer), the operator name (if you are using heycupo as an operator), and a clear description of your request. heycupo responds within 30 days by default, extendable to 60 days for complex requests, per GDPR Article 12(3).
heycupo. Lisbon, Portugal. Last updated: version v1, effective 2026-04-13.