Legal Information

Privacy Policy

1. Data Controller

Ilias Ammour
Altes Gericht 22
35398 Giessen
Germany
Email: info@jpnboosted.com

2. Overview of Processing

This privacy policy explains the type, scope, and purpose of the processing of personal data within our online offering and the associated websites, features, and content.

3. Data Collected

We collect the following personal data:

• Upon registration / login: Name, email address, profile picture (optional), authentication tokens.
• Via Single Sign-On (Google Login): Basic profile data transmitted by Google (name, email address, profile picture).
• For contact inquiries: Name, email address, message content.
• For bookings: Name, email, phone number, group size, preferred date, tour preferences.
• For newsletter subscription: Email address.
• Automatically collected data: IP address, browser type and version, operating system, time of access, referrer URL.

4. Legal Basis

The processing of personal data is based on the following legal bases (GDPR):

• Art. 6 (1) (a) – Consent (e.g., newsletter subscription).
• Art. 6 (1) (b) – Performance of a contract & pre-contractual measures (e.g., processing bookings, account creation).
• Art. 6 (1) (c) – Legal obligation (e.g., retention of invoices).
• Art. 6 (1) (f) – Legitimate interest (e.g., website security, essential cookies, spam prevention).

5. Cookies

We strictly use essential cookies only:

• Supabase Auth Cookies – for authentication and session management (login status).
• NEXT_LOCALE – to store your preferred language setting.

These cookies are absolutely necessary for the secure operation of the website and do not require prior consent. We do not use tracking, analytics, or marketing cookies.

6. Hosting and Content Delivery Network

This website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. When you visit our website, server log files (including IP address) are automatically collected to ensure the security and stability of the website. Legal basis: Art. 6 (1) (f) GDPR.

7. Authentication & Database (Supabase & Google)

We use Supabase Inc. (Server location: Region eu-central-1 / Frankfurt) for user authentication and database management. Supabase processes email addresses, passwords (encrypted), and session tokens. Legal basis: Art. 6 (1) (b) GDPR.

Login with Google: We offer the option to log in via Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). If you choose this option, you will be redirected to Google. After a successful login, Google transmits your email address and name to us to create your account. Legal basis: Art. 6 (1) (b) GDPR.

8. Payment Processing (Stripe)

We use Stripe Inc., 510 Townsend Street, San Francisco, CA 94103, USA, to process payments. We do not store credit card data on our servers. Your payment data is transmitted directly to Stripe. Stripe may process certain data as an independent controller for fraud prevention purposes. Legal basis: Art. 6 (1) (b) GDPR.
More information: https://stripe.com/privacy.

9. Transactional Emails and Newsletter

System Emails: We use Resend Inc., USA, to send booking-related emails.
Newsletter: If you sign up for our newsletter, we store your email address until you unsubscribe. The sending is based on your explicit consent (Art. 6 (1) (a) GDPR). You can unsubscribe at any time (withdrawal of consent).

10. Data Transfer to Third Countries (USA)

Some of our service providers (Vercel, Stripe, Resend) are based in the USA. Data transfer is based on the adequacy decision of the EU Commission (EU-US Data Privacy Framework) for certified companies, as well as on EU Standard Contractual Clauses to guarantee a level of data protection equivalent to the GDPR.

11. Data Storage and Deletion

We only store data for as long as is necessary for the respective purpose:

• Account data: Until you delete your account.
• Newsletter data: Until you withdraw your consent (unsubscribe).
• Booking data/invoices: 10 years (statutory retention periods in Germany).
• Server logs: Usually a maximum of 30 days.

12. SSL/TLS Encryption

For security reasons and to protect the transmission of confidential content, this site uses SSL or TLS encryption (recognizable by the lock symbol in the browser address bar).

13. Your Rights as a Data Subject

You have the following rights under the GDPR:

• Right of Access (Art. 15 GDPR)
• Right to Rectification (Art. 16 GDPR)
• Right to Erasure (Art. 17 GDPR)
• Right to Restriction of Processing (Art. 18 GDPR)
• Right to Data Portability (Art. 20 GDPR)
• Right to Object (Art. 21 GDPR)
• Right to Withdraw Consent (Art. 7 (3) GDPR): You can withdraw your consent (e.g., for the newsletter) at any time with effect for the future.

To exercise your rights, please contact us at: bookings@jpnboosted.com

14. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is usually the supervisory authority of your usual place of residence or our company headquarters (The Hessian Commissioner for Data Protection and Freedom of Information).