Privacy Policy

We collect information you provide directly and information generated when you use our services.

Account & Booking Data

• Name, email address, and password (hashed — never stored in plain text)
• Phone number and nationality (optional, for booking purposes)
• Passport or ID details for international tours where legally required
• Billing address and payment details — we do not store card numbers; payments are processed securely by Stripe

Passenger Information

• Names, ages, and dietary requirements for each passenger on your booking

Usage & Technical Data

• IP address, browser type, and device identifiers
• Pages visited, links clicked, and session duration (collected via server logs)
• Authentication tokens stored in secure HTTP-only cookies

Communications

• Messages sent through our in-app chat or contact form
• Email correspondence with our team

• Fulfil your booking — confirm reservations, send itineraries, and coordinate with tour guides
• Process payments — securely charge and refund via Stripe
• Account management — authenticate you, reset passwords, and maintain your booking history
• Customer support — respond to questions, complaints, and in-app chat messages
• Service notifications — booking confirmations, reminders, and tour updates
• Promotional emails — deal alerts and offers, only if you opted in. You can unsubscribe at any time
• Legal compliance — meet tax, accounting, and regulatory obligations
• Fraud prevention — detect and block suspicious activity

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

We use a small number of essential cookies:

• Session cookie — keeps you logged in across page loads (HTTP-only, secure)
• CSRF token — protects form submissions from cross-site attacks

We do not use advertising cookies, third-party tracking pixels, or sell behavioural data to ad networks.

We share your data only where necessary:

• Stripe — payment processing. Stripe is PCI-DSS compliant. See stripe.com/privacy
• Google OAuth — if you sign in with Google, Google authenticates you. We receive only your name and email. See Google's Privacy Policy
• Email provider — to send transactional and booking emails on our behalf
• Tour guides & local operators — names and group size for confirmed bookings only
• Law enforcement — if required by a valid legal order

• Account data — retained while your account is active. You may request deletion at any time
• Booking records — kept for 7 years to comply with financial and tax regulations
• Chat messages — retained for 12 months, then automatically deleted
• Marketing preferences — removed immediately upon unsubscribe

Depending on your location, you have the right to:

• Access — request a copy of the personal data we hold about you
• Correction — ask us to fix inaccurate or incomplete information
• Deletion — request that we erase your account and personal data
• Portability — receive your data in a structured, machine-readable format
• Opt-out — unsubscribe from marketing emails via the link in any email, or from your account settings
• Withdraw consent — at any time, where processing is based on consent

To exercise any of these rights, email us at contact@gotripjapan.com. We will respond within 30 days.

We take reasonable technical and organisational measures to protect your data:

• Passwords are hashed using bcrypt — we cannot read your password
• All data is transmitted over HTTPS/TLS
• Database access is restricted to authorised server processes only
• Payment data is handled entirely by Stripe and never touches our servers
• Session tokens are stored in secure, HTTP-only cookies

No system is 100% secure. If you suspect unauthorised access to your account, contact us immediately.

Our services are not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have done so inadvertently, please contact us and we will delete it promptly.

Our site may link to external websites (e.g., Google Maps, attraction pages). We are not responsible for the privacy practices of those sites. Please review their policies independently.

We may update this policy from time to time. When we do, we will update the effective date above and, for material changes, notify you by email or a prominent notice on our site. Continued use of our services after the change constitutes acceptance.

If you have any questions about this policy or how we handle your data, please reach out: