Privacy Policy
This policy explains what personal data heycupo collects, how we use it, who we share it with, how long we keep it and what rights you have.
It applies to customers who book through heycupo-powered pages and operators who use heycupo to run their business.
1. Who we are
heycupo is a booking infrastructure platform operated from Lisbon, Portugal. Where this policy says "heycupo", "we" or "us", it means the heycupo platform and whoever operates it at the time.
Privacy contact: hello@heycupo.com.
2. What we collect
2.1 Customers
- Contact details: name, email and optional phone.
- Booking details: operator, experience, slot, party size, language, notes and status.
- Ticket data: ticket code, QR code status, email delivery status, boarding status and completion status.
- Payment metadata: Stripe payment identifiers, currency, amount, refund status, card brand and last 4 digits where Stripe provides them. heycupo never sees or stores your full card number, CVC or card expiry date.
- Card guarantee token: if you save a card for no-show protection, Stripe stores the card and heycupo stores only a Stripe reference. The reference is detached after the trip completes or the booking is cancelled where supported.
- Consent evidence: the terms text accepted, timestamp, IP address and browser User-Agent.
- Support communication: emails or messages about a booking.
2.2 Operators and team members
- Account details: name, email, phone, business name, country, currency, timezone, default locale and role.
- Business content: experiences, photos, schedules, vehicles, team members, meeting points, pricing, refund policies and settings.
- Payment setup data: Stripe connected account ID, Stripe capability flags, payout status and onboarding status. Sensitive KYC documents and bank account numbers live inside Stripe, not heycupo.
- Plan and subscription data: plan, purchase rail, subscription status, renewal or expiry date and payment-provider identifiers from Stripe, Apple or Google where relevant.
- Operational data: bookings, ticket scans, boarding logs, no-show logs, refunds, payouts, exports and dashboard activity needed to run the product.
- Support communication: emails or messages about the service.
2.3 Automatically collected
- Request data: IP address, User-Agent, locale, route, response status and timing.
- Device data: app platform, push token, app version and crash or error metadata where available.
- PWA data: if you install heycupo from the web browser, the browser may use the heycupo service worker and manifest to open the dashboard like an app. This is for installability and does not track you across sites.
- Error logs: errors and request metadata used to diagnose issues. Logs that contain personal data are purged after 30 days where technically possible.
3. Why we collect it
| Data | Purpose | Legal basis under GDPR |
|---|---|---|
| Customer contact, booking and ticket data | Create the booking, send QR tickets, let the operator run the experience | Performance of a contract |
| Payment metadata | Process payments, refunds, card guarantees and disputes | Performance of a contract, legal obligation and legitimate interest |
| Consent evidence | Prove what was agreed if there is a dispute | Legitimate interest and legal claims |
| Operator account and business content | Provide the heycupo service | Performance of a contract |
| Plan and subscription data | Bill for Pro and Fleet, apply limits and handle renewals or downgrades | Performance of a contract |
| Request, device and error data | Security, debugging, abuse prevention and service reliability | Legitimate interest |
| Support communication | Respond to requests and keep records | Performance of a contract and legitimate interest |
We do not sell personal data. We do not use customer booking data for advertising profiles.
4. Emails and marketing
Transactional emails are necessary for the service. They include ticket emails, confirmations, reminders, cancellation notices, team invitations, sign-in codes, export emails and payment setup messages.
heycupo does not currently send marketing emails to customers. If we add marketing, it will be opt-in and include an unsubscribe link.
5. Who we share data with
We share data with the operator you booked with, because the operator needs it to serve you.
We also use subprocessors listed at heycupo.com/subprocessors, including:
- Supabase for database and authentication.
- Cloudflare for Workers, CDN, R2 photo storage, email sending and edge caching.
- Stripe for card payments, Connect onboarding, disputes and payouts.
- Apple and Google for operator plan purchases made through app-store billing.
- Expo for mobile push notifications.
- Sentry for error monitoring where enabled.
We do not share data with advertising networks, data brokers, profiling analytics providers or session recording tools.
If law requires disclosure, for example a court order, regulator request or valid law-enforcement request, we will comply where legally required and notify affected people where we can.
6. Where data is stored and transfers
The primary database is hosted by Supabase on Amazon Web Services in us-east-1 in the United States. Experience photos are stored in Cloudflare R2. Cloudflare Workers and CDN operate across Cloudflare's global edge network. Stripe, Apple, Google, Expo and Sentry operate global infrastructure.
For data transferred outside the EEA, UK or Switzerland, heycupo relies on Standard Contractual Clauses, the relevant provider's DPA or another lawful transfer mechanism. The European Commission's modern SCCs under Implementing Decision (EU) 2021/914 are the baseline for EEA transfers where applicable.
We plan to offer an EU-region database option later. Until then, if US-region storage is unacceptable to you, do not use the service.
7. How long we keep data
| Data | Retention |
|---|---|
| Completed, cancelled and refunded booking records | 7 years from booking creation for tax, accounting, fraud and dispute records |
| Consent evidence | 7 years from booking creation |
| Card guarantee Stripe references | Detached after trip completion or cancellation where supported. The identifier may remain on the booking row for audit history but is not usable for new charges |
| Operator accounts and business records | While the account is active, then 7 years after last booking or closure, whichever is later |
| Operator photos | Until deleted by the operator, the experience is deleted or the account is closed, subject to backups and legal retention |
| Error logs with personal data | 30 days where technically possible |
| Support email threads | 3 years after the last message |
| Marketing consent records if added later | While subscribed, then 3 years after withdrawal |
8. Your rights
heycupo honours privacy rights for everyone we have data about. Depending on where you live, these may include:
- Access.
- Correction.
- Deletion.
- Restriction.
- Portability.
- Objection.
- Withdrawal of consent where processing is based on consent.
Mexico ARCO rights map to access, rectification, cancellation and opposition. Brazil LGPD rights include confirmation, access, correction, portability, deletion where available, information about sharing and review of automated decisions. heycupo does not currently make automated decisions that materially affect customers.
To exercise a right, email hello@heycupo.com with enough information to find the record, usually the booking email and ticket code or the operator account email.
For GDPR requests, we respond without undue delay and within one month by default. Where legally allowed, that period may be extended by two further months for complex or numerous requests, and we will tell you within the first month if that happens.
You may also complain to your local data protection authority. In Portugal, that is CNPD at https://www.cnpd.pt.
9. Security
heycupo uses reasonable technical and organisational measures, including:
- TLS encryption in transit.
- Database encryption at rest.
- Row-level security and membership checks.
- Service-role credentials only in Workers.
- Strong authentication for operator accounts.
- Card data handled by Stripe.
- Limited internal access.
- Rate limiting and audit logs.
- Security incident response.
If we become aware of a personal-data breach that requires notification, we will notify affected operators, users and regulators as required by law.
10. Children
heycupo is not intended for children under 16 as booking customers. A parent or guardian should make bookings involving children. Operators must be at least 18 to create an account.
11. Changes
We may update this policy. Material changes, such as a new processing purpose, new retention period or new subprocessor category, will be communicated to operators and reflected on this page.
12. Contact
Privacy contact: hello@heycupo.com.
Include your name, booking email or operator email, ticket code if available and a clear description of the request.
heycupo has not formally appointed a Data Protection Officer under GDPR Article 37. Rafael Vicente, founder, is the Privacy Lead for now and can be reached at the privacy contact above.
Postal address and registered entity details are provided on request.
heycupo. Lisbon, Portugal. Last updated: version v2, effective 2026-04-27.