Privacy Policy

beyondthe.city (operated by Beyond The City SL) ("we", "our", "us") operates the website and mobile web application at beyondthe.city, providing curated local experiences, hotel concierge integrations, and community features for travellers and hotel partners in Valencia, Spain.

We are the data controller for the personal data described in this policy. You can contact us at privacy@beyondthe.city.

Account data — when you sign in via Google OAuth, we receive your name, email address, and profile picture from Google. We store these in our database to create your user profile.

Profile data — optional information you add: bio, current city, languages spoken, age range, and travel preferences (collected during onboarding).

Usage data — pages visited, features used, and in-app actions (e.g., places saved, bookings made). We use this to improve the platform.

Communications — messages you send in community chats, plan descriptions, blog posts, and comments.

Booking data — when you book an experience, we collect the booking reference, payment metadata (Stripe session ID), and experience details. We do not store card numbers — all payment processing is handled by Stripe.

Hotel attribution — if you arrive via a hotel partner QR code or referral link, we store the hotel reference code in your browser session to attribute the booking.

Technical data — IP address, browser type, device type, and referrer URL collected automatically by our server.

• To authenticate you and maintain your session.
• To personalise the experience feed based on your stated preferences.
• To process experience bookings and send booking confirmations.
• To calculate and pay hotel partner commissions.
• To operate community features: chats, plans, and blog posts.
• To send transactional messages (booking confirmation, plan reminders). We do not send marketing emails without your explicit consent.
• To detect and prevent fraud or abuse.
• To improve the platform through aggregated, anonymised analytics.

We process your personal data under the following lawful bases:

• Contract — processing necessary to fulfil a booking or provide the service you requested.
• Legitimate interests — fraud prevention, security, and platform improvement, balanced against your rights.
• Consent — analytics cookies and optional marketing communications. You may withdraw consent at any time.
• Legal obligation — retention of transaction records as required by Spanish and EU tax law.

We share data with the following third parties only as necessary to operate the platform:

• Google (OAuth) — authentication. See Google Privacy Policy.
• Stripe — payment processing. Card data never passes through our servers. See Stripe Privacy Policy.
• Cloudinary — image and video hosting for place stories and user uploads.
• Google Maps / Places API — map rendering and venue data enrichment.
• Hostinger VPS — infrastructure hosting within the EU.

We do not sell your personal data to any third party.

We retain your personal data for as long as your account is active. You may delete your account at any time by contacting us at privacy@beyondthe.city.

Transaction records (bookings, commissions) are retained for 7 years as required by Spanish tax law (Ley General Tributaria). Anonymised analytics data is retained indefinitely.

Community messages are deleted when a Plan chat expires (48 hours after the event) or when a chat room is closed.

If you are located in the European Economic Area, you have the following rights:

• Access — request a copy of your personal data.
• Rectification — correct inaccurate data.
• Erasure — request deletion of your data ("right to be forgotten").
• Portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interests.
• Restriction — request that we limit processing of your data.
• Withdraw consent — at any time, for processing based on consent.

To exercise any right, email privacy@beyondthe.city. We will respond within 30 days. You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at aepd.es.

We use the following categories of cookies:

• Strictly necessary — session authentication (NextAuth). Cannot be disabled.
• Functional — remember your language, hotel code, and UI preferences. Cannot be disabled without breaking core functionality.
• Analytics — anonymised page-view tracking (Google Analytics / Plausible). You can opt out via the cookie banner.

You can manage your cookie preferences using the banner shown on first visit, or by clearing your browser cookies at any time.

Our platform is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this policy to reflect changes in our practices or for legal reasons. When we make material changes, we will update the effective date at the top of this page. Continued use of the platform after changes constitutes acceptance of the updated policy.

Data Controller: beyondthe.city (operated by Beyond The City SL)
Email: privacy@beyondthe.city
Address: Valencia, Spain