Privacy Policy

Last updated: April 2026

1. Who We Are

LycianWay Walking Tours ("we", "us", "our") operates the website lycianway.co.uk and provides guided walking tour services along the Lycian Way in Turkey. We are committed to protecting your personal data and respecting your privacy.

2. What Data We Collect

We collect the following personal data when you interact with our services:

Booking data: Full name, email address, phone number, number of guests, preferred dates, and special requests
Account data: Email address and encrypted password (if you create an account)
Payment data: Processed securely by Stripe. We do not store your card details
Communication data: Messages sent via our contact form or email
Technical data: Browser type, IP address, and pages visited (if analytics cookies are accepted)

3. How We Use Your Data

To process and manage your booking
To send booking confirmations and trip-related communications
To respond to enquiries and support requests
To improve our website and services (with consent)
To comply with legal obligations

4. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

Contract: Processing necessary to fulfil your booking
Legitimate interest: Responding to enquiries, improving our services
Consent: Analytics cookies and marketing communications (where applicable)
Legal obligation: Tax and accounting requirements

5. Data Sharing

We share your data only with:

Stripe: Payment processing
Resend: Transactional email delivery
Cloudflare: Website hosting and security

We do not sell your personal data to third parties.

5a. Safety & check-in data flow

If you use our daily check-in feature during an active hike and miss two or more consecutive check-ins, we send alert emails to help locate you. The recipients of those alerts depend on your booking status:

Always — your Personal Emergency Contact(s). The contacts you added in your profile receive your name, the number of days you've missed, your last check-in date, and your last known GPS coordinates. They also receive a unique tracking-code link to check your status.
If you are enrolled on a marketplace-agency tour (you entered a departure code provided by the agency), we additionally email that agency. They receive your name, email, phone number (if you provided one), last known stage, last check-in date, and last known GPS coordinates. Rationale: the agency has operational duty of care for you while you are on their tour and is the closest and fastest responder on the trail.
If you booked a LycianWay-organised tour directly with us, we additionally email our own operations team at ops@lycianway.co.uk. They receive the same fields as an agency would.

Reminders continue daily until you check in again, your hike session ends, or an operator manually closes your departure. You can disable the tour-operator notification path by cancelling your booking/enrollment before your hike; Personal Emergency Contact alerts can only be disabled by removing the contact from your profile.

Opting out of phone sharing with operators: if you prefer not to share your phone number with the tour operator when a check-in is missed, remove your phone number from your LycianWay profile (Settings → Profile). The missed-check-in alerts will then include only your name, email, last stage, date and coordinates — no phone. Note that in a genuine emergency, operators without your phone may take longer to reach you; we recommend keeping the phone field populated.

6. Cookies

We use the following types of cookies:

Essential cookies: Required for the website to function (e.g., session tokens, cookie consent preference). These cannot be disabled.
Analytics cookies: Help us understand how visitors use our site. Only loaded with your consent.

You can change your cookie preferences at any time by clearing your browser's local storage.

7. Data Retention

Booking data: retained for 6 years (UK tax requirements)
Account data: retained until you request deletion
Enquiry data: retained for 2 years
Analytics data: anonymised after 14 months

8. Your Rights

Under GDPR, you have the right to:

Access your personal data
Rectify inaccurate data
Request erasure ("right to be forgotten")
Restrict or object to processing
Data portability
Withdraw consent at any time

To exercise these rights, email us at hello@lycianway.co.uk.

9. Data Security

We protect your data using industry-standard measures including HTTPS encryption, hashed passwords (PBKDF2-SHA256), and secure cloud infrastructure via Cloudflare.

10. Who processes your data on our behalf (subprocessors)

We use the following third-party services to operate LycianWay. Each has its own privacy practices — follow the links for detail. We have a UK-GDPR Article 28 data processing agreement in place (or equivalent standard terms) with each of them.

DigitalOcean (LLC, USA) — server + database hosting. Region: London (LON1). Privacy
Cloudflare (Inc., USA) — CDN, DNS, WAF, DDoS protection. Privacy
Stripe (Payments Europe Ltd, Ireland / Inc., USA) — card payments, booking deposits. We never see or store your full card number. Privacy
Resend (Inc., USA) — transactional email (booking confirmations, reminders). Privacy
Mapbox (Inc., USA) — interactive trail maps + offline tile packs. Privacy
Zoom Video Communications (Inc., USA) — video-conferencing for Ask Lycia Live events. Only for event attendees. Privacy
Firebase / Google Cloud Messaging (Google LLC, USA) — mobile push notifications. Privacy
Apple Push Notification service (Apple Inc., USA) — mobile push on iOS. Part of the Apple Developer Agreement.
OpenStreetMap (Foundation, UK) — map tile data provider under ODbL licence.

Some of these transfer data to the USA. Where they do, we rely on the UK's adequacy decision for the USA (Data Bridge, 2023) or Standard Contractual Clauses as appropriate.

11. Children

LycianWay is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. EU/UK users must be at least 16 to create an account (or have verifiable parental consent) under UK-GDPR Article 8. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Your consumer cancellation right (Consumer Contracts Regulations 2013)

For paid services (booking deposits), you generally have a 14-day right to cancel under the UK Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013. However, travel, accommodation, and hospitality services with a specific performance date are exempt under Reg 28(1)(h). Tour deposits therefore follow the cancellation policy set out in our Terms of Service.

For non-travel paid features (e.g. a provider marketplace subscription), the 14-day right applies. Email hello@lycianway.co.uk within 14 days of purchase to exercise it.

13. How to delete your account

You can de-identify your account and request erasure of your content at any time:

In the mobile app: Settings → Delete account
By email: write to hello@lycianway.co.uk from the address your account is registered to

When you delete your account we immediately replace your name, email, phone, bio, photos and social links with placeholder values and invalidate all your sessions. Content you posted in public spaces (reviews, trail feed, stories) is displayed under "Deleted User" — you can request full removal of that content under Article 17 of UK-GDPR by emailing us with the word "FULL ERASURE" in the subject. We retain booking invoices for 7 years to meet HMRC tax record-keeping obligations. Stripe retains payment records under its own policy. Full details: /delete-account.

14. Complaints

If you believe we have mishandled your personal data, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

15. Changes to This Policy

We may update this policy from time to time. The "last updated" date at the top will reflect the most recent revision.

16. Contact

Data controller: Pixelo Mobile Ltd (trading as LycianWay), company number 10585806. Registered office: Demsa Accounts, 565 Green Lanes, Haringey, London, England, N8 0RL.

For privacy-related queries: hello@lycianway.co.uk