Privacy Policy

MyExplorio — operated by GC Hospitality Labs LTD

This Privacy Policy explains how GC Hospitality Labs LTD (“MyExplorio”, “we”, “us”, “our”) collects, uses, shares and protects your personal data when you visit myexplorio.com, browse activities, or make a booking. We are committed to protecting your privacy in compliance with Regulation (EU) 2016/679 (the “GDPR”) and the Cyprus Law providing for the Protection of Natural Persons with regard to the Processing of Personal Data (Law 125(I)/2018).

Last updated: 4 June 2026

1. Data Controller

The data controller responsible for your personal data is:

Company: GC Hospitality Labs LTD
Registered address: Aeolias 1, Paralimni 5292, Cyprus
Tax Identification Code: 60342505Q
Contact: [email protected]

For any question about this policy or to exercise your rights, contact us at [email protected].

Given the nature and scale of our processing, we are not required to appoint a Data Protection Officer (Art. 37 GDPR) and have not appointed one; all data-protection matters are handled at the contact above.

2. Our role: booking intermediary

MyExplorio is a booking service that connects you with independent third-party activity providers in Cyprus. We facilitate the discovery and reservation of activities and collect a booking fee online; the activities themselves are performed by the providers, not by us. Because of this model, your personal data is shared with the relevant activity provider so that they can honour your booking (see Section 6).

3. Data we collect

3.1 Booking and contact data

When you make a booking, we collect your first name, last name, email address and mobile phone number, together with the details of your booking (the activity, date, time slot, number of participants and any options you select).

3.2 Verification data

To confirm that you control the email address and phone number you provide, we send one-time verification codes (OTPs) and process your entry of those codes. We do not store the codes after they have been used or have expired.

3.3 Payment data

Online payments are processed by Stripe. You enter your card or payment-method details directly into Stripe’s secure form. Full card numbers never reach our servers. We receive only a payment confirmation, a payment reference, the amount, the payment method type and the status.

3.4 Technical and usage data

When you use the website we automatically receive technical data such as your IP address, browser type, device type, the pages you view and the time of your visit. This is used for security, fraud prevention and to keep the service running reliably.

3.5 Communications

If you contact our support team, we keep a record of your message and our reply so we can assist you and resolve any issue with your booking.

Providing your name, email address and mobile phone number is necessary to enter into and perform your booking (Art. 13(2)(e) GDPR). If you do not provide this data, we cannot process your reservation. Technical and usage data is collected automatically as described above.

4. Legal basis for processing

  • Performance of a contract (Art. 6(1)(b) GDPR) — processing your booking, verifying your contact details, taking payment of the booking fee and passing your reservation to the activity provider.
  • Legitimate interests (Art. 6(1)(f) GDPR) — website security, fraud prevention, error monitoring and improving our service. We balance these interests against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c) GDPR) — keeping accounting and tax records as required by Cypriot law.
  • Consent (Art. 6(1)(a) GDPR) — for any non-essential cookies or optional communications, where applicable. You may withdraw consent at any time.

Automated decision-making (Art. 13(2)(f) GDPR): we do not take decisions producing legal or similarly significant effects about you by solely automated means. Our payment processor (Stripe) may carry out automated fraud and risk checks that are necessary to process your payment securely.

5. How we use your data

  • Create, confirm and manage your activity booking
  • Verify your email address and phone number
  • Process the online booking-fee payment securely
  • Share the booking with the activity provider so they can deliver the experience
  • Send you booking confirmations and your activity pass
  • Respond to your enquiries and provide customer support
  • Detect, prevent and investigate fraud and misuse
  • Comply with our legal, accounting and tax obligations

6. Who we share your data with

We share your personal data only where necessary, with the following categories of recipients:

Activity Providers

The independent operator that delivers your chosen activity receives the data needed to honour your booking — typically your name, the booking details and the number of participants — so they can check you in and collect any balance due on the day. Each provider is an independent controller of the data once it is shared with them for that purpose.

Explorio (activity marketplace platform)

Bookings are created and managed through the Explorio activity-marketplace platform, which processes booking and participant data on our behalf to register your reservation and make it available to the activity provider. Legal basis: Art. 6(1)(b) GDPR.

Stripe (payment processing)

Online payments are processed by Stripe Payments Europe, Ltd. Data shared: name, email and the booking amount. Card data is handled directly by Stripe (PCI-DSS Level 1 certified). Legal basis: Art. 6(1)(b) GDPR. Privacy: stripe.com/privacy.

Sentry (error monitoring)

We use Sentry to detect and diagnose technical errors so we can keep the service stable. Data: anonymised error reports, IP address (for security) and browser/device information. We do not send names, emails or payment details to Sentry. Legal basis: Art. 6(1)(f) GDPR. Privacy: sentry.io/privacy.

Email delivery

Booking confirmations and transactional emails are sent through a third-party email-delivery provider. Data shared: your name, email address and booking details. Legal basis: Art. 6(1)(b) GDPR.

SMS verification

To verify your mobile number, the one-time code is sent through a third-party SMS / telephony provider. Data shared: your phone number and the verification message. Legal basis: Art. 6(1)(b) GDPR (necessary to confirm your booking).

Hosting, CDN & infrastructure

The website and its supporting services are hosted by reputable cloud infrastructure providers that process data (including IP addresses and request metadata) strictly to operate, secure and deliver the service. Legal basis: Art. 6(1)(f) GDPR.

All processors act under written data-processing agreements and may only process your data on our instructions. We do not sell your personal data, and we do not use it for third-party advertising.

7. International data transfers

Some of our service providers (such as Stripe, Sentry and certain hosting services) may process data outside the European Economic Area, including in the United States. Where this happens, the transfer is protected by appropriate safeguards — the EU-U.S. Data Privacy Framework and/or the European Commission’s Standard Contractual Clauses, together with supplementary technical and organisational measures where required. You may request a copy of the relevant safeguards by contacting us at [email protected] (Art. 13(1)(f) / Art. 46 GDPR).

8. Data retention

We keep your personal data only for as long as necessary for the purposes described above:

  • Booking and payment records: 7 years (Cypriot tax and accounting law)
  • Verification codes (OTPs): deleted immediately after use or expiry
  • Support communications: up to 2 years from last contact
  • Technical / security logs: typically up to 90 days, after which IP addresses are deleted or pseudonymised

9. Your GDPR rights

Subject to the conditions in the GDPR, you have the right to:

  • Access — obtain a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data (the “right to be forgotten”)
  • Restriction — limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on our legitimate interests
  • Withdraw consent — at any time, where processing is based on consent

To exercise any right, email [email protected]. We will respond within one month. Note that some data must be retained to meet legal obligations even after an erasure request.

10. Security

We apply appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), access controls, the use of PCI-DSS-certified payment processing, and the principle of data minimisation. No method of transmission over the internet is completely secure, but we work continuously to protect your information.

11. Cookies

We use a minimal number of strictly necessary cookies and local storage to operate the site, remember your preferences and keep your booking session secure. Our payment processor (Stripe) may set cookies that are necessary for fraud prevention and to complete a payment. We do not use third-party advertising cookies. Where we use any non-essential cookies, we will ask for your consent first, and you can change your choice at any time through your browser settings.

12. Children

MyExplorio is intended for adults. The person making a booking must be at least 18 years old. We do not knowingly collect personal data directly from children. Where an activity includes minors, the booking adult is responsible for providing their details and for their participation.

13. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the latest version. Material changes will be highlighted on this page. Please review it periodically.

14. Complaints & contact

If you have a concern about how we handle your data, please contact us first at [email protected] so we can put it right.

You also have the right to lodge a complaint with the Cypriot supervisory authority, the Office of the Commissioner for Personal Data Protection: www.dataprotection.gov.cy.