Privacy Policy

2.1. Account & Authentication Data. When you sign in using Google OAuth, we receive your name, email address, and profile photo from Google. We use this information to create and maintain your Vamos account. We do not receive or store your Google password.

2.2. Tour Questionnaire Data. When you plan a tour, we collect your responses to our questionnaire, including your interests, preferred pace, walking capacity, group size, preferred language, health notes, personal requests, and selected tour date. This data is used to generate a personalized itinerary.

2.3. Booking Data. When you book a tour, we collect your tour date, group size, selected payment method, pickup type and address (if applicable), optional donation amount, and customer email address. For unauthenticated users, your email address is used to associate bookings with your account if you later sign in.

2.4. Guide Profile Data. If you register as a guide, we collect your name, email address, biography, languages spoken, specialties, neighborhoods you cover, weekly availability schedule, maximum tours per day, buffer time between tours, and group size preferences. This information is displayed to tourists to facilitate guide matching.

2.5. Chat Messages. We store messages exchanged between guides and our AI assistant within the context of specific bookings. These messages are retained alongside booking records to support tour coordination and dispute resolution.

2.6. Feedback Data. When you submit feedback through the platform, we collect the free-text content of your submission and, if applicable, the associated booking. Feedback may be submitted anonymously or linked to your account.

2.7. Newsletter Subscriptions. If you subscribe to our newsletter, we collect your email address and name. Newsletter subscriptions are managed through Flukebase and require double confirmation (double opt-in) before we send marketing communications.

2.8. Guide Stop Suggestions. Guides may suggest new stops for the tour catalog. We collect the stop name, description, category, and location data provided in these suggestions.

2.9. Itinerary Data. We generate and store itinerary data including tour stops, estimated durations, walking distances, and AI-generated route explanations. This data is derived from your questionnaire responses and our catalog of stops.

2.10. Guide Notifications. We track notification preferences and delivery status for in-app and email notifications sent to guides, including booking assignments, stop approval or rejection notices, and tour reminders.

3.1. Tour Generation & Personalization. We use your questionnaire responses, preferences, and profile information to generate personalized walking tour itineraries using AI. Your interests, pace, walking capacity, and group size directly influence the itinerary we create for you.

3.2. Booking & Payment Processing. We use your booking data to coordinate tours between tourists and guides, process payments, send confirmation emails, and maintain transaction records.

3.3. Guide Matching. We use guide profile data (availability, specialties, languages, neighborhoods, group size range) to match tourists with suitable guides for their tour.

3.4. Communication. We use your email address to send transactional communications (booking confirmations, tour reminders, stop approval notifications) and, with your consent, marketing communications (newsletter).

3.5. Platform Improvement. We use feedback submissions, anonymized usage patterns, and aggregate data to improve the platform experience, refine our AI itinerary generation, and expand our catalog of stops.

3.6. Safety & Compliance. We retain booking and transaction records to comply with legal and financial obligations, resolve disputes, and prevent fraudulent activity.

4.1. Stripe (card payment processing). When you pay by credit or debit card, your payment information is processed directly by Stripe. Vamos is PCI compliant and never stores, processes, or has access to your full card number, CVV, or other sensitive card data. Stripe's privacy policy governs how they handle your payment information.

4.2. BTCPay Server / Lightning Network (Bitcoin payment processing). If you choose to pay with Bitcoin, your payment is processed through BTCPay Server via the Lightning Network. Transaction details (amount, payment hash, and settlement status) are recorded, but no personal financial account information is stored by Vamos.

4.3. OpenAI (GPT-4o) (AI itinerary generation and chat). We send your questionnaire responses, tour preferences, and chat messages to OpenAI's API to generate personalized itineraries and power the guide chat assistant. OpenAI processes this data in the United States. We do not send payment information or passwords to OpenAI. OpenAI's data usage policies apply to data processed through their API.

4.4. Google OAuth (authentication). We use Google's OAuth 2.0 service for user authentication. When you sign in, Google shares your basic profile information (name, email, profile photo) with us. We do not access your Google contacts, calendar, or other Google services.

4.5. Flukebase (CRM, newsletter management, and feedback collection). Newsletter subscriptions, contact information, and feedback submissions may be processed through Flukebase for management and analytics purposes.

4.6. Mox Mail Server (transactional and notification emails). All emails from Vamos are sent from noreply@vamoslocal.com through our self-hosted Mox mail server. Email authentication is enforced through SPF, DKIM, and DMARC protocols.

5.1. Session Cookies. Vamos uses session cookies to maintain your authentication state when you sign in via Google OAuth. These cookies are essential for the platform to function and are managed by Auth.js. They expire when your session ends or after a set period of inactivity.

5.2. No Third-Party Tracking Cookies. We do not currently use any third-party tracking cookies. There are no advertising cookies, social media tracking pixels, or cross-site tracking mechanisms on Vamos.

5.3. No Analytics Scripts. We do not currently use any third-party analytics scripts (such as Google Analytics) on the platform. If we introduce analytics in the future, we will update this policy and notify users accordingly.

6.1. Transactional Emails. We send booking confirmation emails when you complete a checkout. These are essential service communications and are not marketing messages. You cannot opt out of transactional emails while maintaining an active booking.

6.2. Guide Notifications. Guides receive email notifications for booking assignments, stop approval or rejection notices, and tour reminders. These are operational communications necessary for guides to fulfill their responsibilities on the platform.

6.3. Newsletter. Our newsletter is strictly opt-in. We use a double confirmation process (double opt-in): after subscribing, you will receive a confirmation email and must verify your subscription before receiving any marketing content. Every newsletter email includes a clear unsubscribe link. You can unsubscribe at any time, and we will stop sending marketing emails promptly.

7.1. Account Data. Your account information (name, email, profile photo) is retained for as long as your account remains active. Upon request, we will delete your account and associated personal data, subject to any legal retention obligations.

7.2. Booking & Transaction Records. Booking records and payment transaction data are retained for a minimum of five (5) years after the transaction date to comply with legal and financial reporting obligations. This includes booking details, payment confirmations, and refund records.

7.3. Chat Messages. Chat messages between guides and the AI assistant are retained alongside the associated booking record. They follow the same retention period as booking data.

7.4. Newsletter Data. Your newsletter subscription data (email, name) is retained until you unsubscribe. Upon unsubscription, your email is removed from active mailing lists. We may retain a record of your unsubscription to ensure we do not inadvertently re-subscribe you.

7.5. Feedback. Feedback submissions are retained indefinitely for product improvement purposes. If you request deletion of feedback you have submitted, we will honor that request where technically feasible.

7.6. Itinerary & Questionnaire Data. Generated itineraries and questionnaire responses are retained alongside booking records. If no booking was made, this data may be purged after a reasonable period.

8.1. Encryption in Transit. All data transmitted between your browser and our servers is encrypted using HTTPS (TLS/SSL). This includes all form submissions, authentication flows, and API communications.

8.2. Database Security. Your data is stored in a PostgreSQL database with role-based access controls. Database access is restricted to authorized services and personnel only.

8.3. Authentication Security. Vamos uses OAuth-only authentication through Google. We never store, process, or handle user passwords in any form. Session tokens are managed securely using industry-standard JWT (JSON Web Token) practices.

8.4. Email Security. Our email infrastructure enforces SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) protocols to prevent email spoofing and ensure the integrity of our email communications.

8.5. Payment Security. Card payment data is handled exclusively by Stripe, which maintains PCI DSS Level 1 compliance. Bitcoin payment data is processed through BTCPay Server. Vamos never stores sensitive payment credentials on our servers.

9.1. Right to Access. You have the right to request a copy of the personal data we hold about you. We will provide this information in a commonly used, machine-readable format upon request.

9.2. Right to Correction. You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. You can update much of your profile information directly through the platform.

9.3. Right to Deletion. You have the right to request the deletion of your personal data. We will comply with such requests except where we are required to retain data for legal or financial compliance purposes (such as transaction records for the five-year retention period described in Section 7.2).

9.4. Right to Withdraw Consent. Where we process your data based on consent (such as newsletter subscriptions), you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing that occurred before the withdrawal. You can unsubscribe from the newsletter at any time and request account deletion by contacting us.

9.5. Right to Data Portability. You have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.

9.6. Right to Object. You have the right to object to the processing of your personal data in certain circumstances, including for direct marketing purposes.

9.7. How to Exercise Your Rights. To exercise any of these rights, please contact us at noreply@vamoslocal.com. We will respond to your request within 15 business days, as required by the LGPD. For GDPR-related requests, we will respond within 30 calendar days.

10.1. Vamos operates primarily in Brazil and is subject to the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018). We process your personal data based on the following legal bases as defined in Article 7 of the LGPD: consent (for newsletter subscriptions and optional data collection), contract performance (for booking and payment processing), legitimate interest (for platform improvement and security), and legal obligation (for financial record retention).

10.2. As a data subject under the LGPD, you have all the rights described in Section 9 of this policy. You also have the right to petition the Autoridade Nacional de Proteção de Dados (ANPD) if you believe your data protection rights have been violated.

11.1. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we recognize your rights under the GDPR. We process your personal data based on the legal bases of contract performance, legitimate interest, legal obligation, and consent, as applicable.

11.2. You have the right to lodge a complaint with your local supervisory authority if you believe our processing of your personal data infringes the GDPR.

12.1. Your personal data may be processed on servers located outside of Brazil. Our infrastructure may involve data processing in various jurisdictions to ensure reliable service delivery.

12.2. Specifically, data sent to OpenAI for AI itinerary generation and chat is processed in the United States. Data processed by Stripe for card payments may also be transferred to and processed in the United States and other jurisdictions where Stripe operates.

12.3. Where personal data is transferred internationally, we ensure that appropriate safeguards are in place in accordance with applicable data protection laws, including the LGPD and GDPR.

13.1. Vamos allows you to share itineraries via public share pages. These pages display itinerary stops (names, descriptions, durations, and walking distances) but do not expose any personal data such as your name, email, or booking details.

13.2. When an itinerary is shared, Open Graph (OG) metadata is generated for social media previews. This metadata contains only the itinerary title and a generic description — no personal information is included.