1. Controller

The controller responsible for the processing of personal data within the meaning of Art. 4 (7) GDPR is:

Temple Tree Value GmbH
Landsberger Straße 187 | Haus D
80687 Munich, Germany
Contact: privacy@touristiciq.com

2. Scope

This policy applies to the Touristic IQ web application (the “Service”) operated by Temple Tree Value GmbH for business users (employees of hotels, tour operators and partners). Touristic IQ is a B2B platform — we do not knowingly collect data from consumers or from children under 16.

3. Categories of personal data

Depending on how you use the Service, we process the following categories of personal data:

• Account data: first and last name, business email address, role within the tenant, encrypted password.
• Authentication data: sign-in timestamps, IP address of the sign-in request, optional two-factor authentication state.
• Usage data: pages opened, actions performed inside the Service, query and report identifiers, language and theme preferences.
• Communication data: content of support messages and notifications you exchange with us through the Service or via email.

4. Purposes and legal bases

We process personal data for the following purposes and on the legal bases stated:

• Providing the Service — account creation, authentication, access control, hosting your benchmarking and pricing data (Art. 6 (1)(b) GDPR – performance of contract).
• Security and abuse prevention — audit logging, rate limiting, intrusion detection, incident response (Art. 6 (1)(f) GDPR – legitimate interest in operating a secure platform).
• Legal compliance — retention of bookkeeping-relevant records and responses to lawful requests (Art. 6 (1)(c) GDPR – legal obligation).
• Service communication — transactional emails (account, billing, incident notifications) and product announcements relevant to your subscription (Art. 6 (1)(b) and (f) GDPR).

5. Cookies and similar technologies

We use only strictly necessary cookies and local storage required to keep you signed in, remember your language and theme, and protect against CSRF. No third-party advertising, profiling or analytics cookies are set. Consent for non-essential cookies is requested separately via our cookie banner; without consent only essential cookies are stored.

6. Server logs

Our servers automatically record IP address, timestamp, requested URL, HTTP status code, user agent and referrer for each request. Logs are retained for up to 30 days for security and troubleshooting purposes (Art. 6 (1)(f) GDPR) and are then deleted or anonymised.

7. Recipients and processors

Personal data is processed by carefully selected service providers acting as processors under Art. 28 GDPR: our EU-based cloud hosting provider, our transactional email provider, and software providers whose tooling is necessary to operate and monitor the Service. We have concluded data processing agreements with each of them. We do not sell personal data and do not share it with third parties for their own marketing purposes.

8. International data transfers

Personal data is processed on servers located in the European Union. If a processor occasionally accesses data from outside the EU/EEA, the transfer is safeguarded by EU Standard Contractual Clauses (Art. 46 GDPR) and, where applicable, supplementary measures such as encryption at rest and in transit.

9. Your rights

Subject to the conditions of Art. 15 – 22 GDPR, you have the right to:

• access the personal data we hold about you (Art. 15);
• request correction of inaccurate data (Art. 16);
• request erasure (Art. 17);
• request restriction of processing (Art. 18);
• receive your data in a structured, machine-readable format (Art. 20);
• object to processing based on our legitimate interests (Art. 21).

To exercise these rights, please contact privacy@touristiciq.com.

10. Storage periods

Account and usage data are stored for the duration of your subscription and deleted within 90 days after termination, unless statutory retention obligations (e.g. § 257 HGB, § 147 AO) require longer storage of specific records. Server logs are retained for up to 30 days. Notifications you have dismissed are deleted immediately.

11. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence or place of work. For our registered office, the competent authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

12. Changes to this policy

We may update this policy to reflect changes in our Service or in applicable law. The current version is always available at this URL and the effective date above. Material changes will be notified to active users in-app or by email at least 14 days before they take effect.