PRIVACY POLICY & GDPR INFORMATION
What To Do In Singapore
Effective date: 1.2.2025
This Privacy Policy explains how personal data is processed in connection with the purchase and use of digital travel products and related services offered under the brand What To Do In Singapore (“we”, “us”, “our”, “Provider”), in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Czech data protection laws. By using our website, booking system and services, you acknowledge that you have read and understood this Privacy Policy.
1) Data Controller (Správce osobních údajů)
Data Controller / Provider: Marek Kotyza
Business name: Bc. Marek Kotyza
Company ID (IČO): 75084431
Registered office: Matějkova 1935/12, 190 00 Praha – Libeň, Czech Republic
Email (GDPR contact): info@whattodoinsingapore.com
Phone: [INSERT, optional]
We do not generally appoint a Data Protection Officer (DPO) unless required by law. You may contact us via the GDPR contact email above.
2) Scope of processing
We process personal data to the extent necessary for bookings and fulfilment of Digital Products, delivery of access links, vouchers and tickets, customer support and dispute handling, accounting and legal obligations, fraud prevention and protection of our services, and optional marketing communication only where legally permitted. We do not sell personal data to third parties.
3) Categories of personal data we process
Depending on how you interact with us and what you purchase, we may process the following categories.
3.1 Identification and contact details: name and surname, email address, phone number (if provided).
3.2 Booking and transaction data: booking ID/reference, date/time of purchase, purchased product(s), price, currency, payment status, voucher/ticket/QR code information, refund/cancellation history.
3.3 Communication data: support emails and messages, complaint handling communication, records of our replies.
3.4 Technical and device data (only where applicable): IP address, browser type, device type, operating system, language settings, approximate location inferred from IP, timestamp, referrer URL, cookie identifiers (if cookies are used).
3.5 Legal and security data (only where applicable): fraud indicators, abuse reports, audit logs, proof of purchase, evidence provided by the customer in disputes.
We do not intentionally process special categories of personal data (sensitive data), such as health data, biometric data, political opinions, religion etc. If you voluntarily share such data in communication, you do so at your own discretion and we will process it only to the extent necessary for handling your request.
4) Purposes of processing and legal bases (Art. 6 GDPR)
We process personal data only where there is a lawful basis.
4.1 Contract performance (Art. 6(1)(b) GDPR): processing necessary to accept and fulfil your Booking, deliver Digital Products, provide vouchers/tickets, manage rescheduling (if possible), handle refunds where applicable.
4.2 Legal obligation (Art. 6(1)(c) GDPR): compliance with Czech accounting and tax laws, invoicing and record keeping, consumer law obligations, handling statutory complaints.
4.3 Legitimate interest (Art. 6(1)(f) GDPR): fraud prevention, protection of the booking system and Digital Products against abuse/sharing, maintaining service security, improving quality and user experience, internal analytics, responding to disputes, enforcing our Terms & Conditions, defending legal claims.
4.4 Consent (Art. 6(1)(a) GDPR), where applicable: optional marketing newsletter or remarketing cookies (only where consent is required and given). You may withdraw consent at any time.
5) Recipients of personal data (who we share data with)
We share personal data only to the minimum extent necessary.
5.1 Booking system and IT providers: Bókun (booking management, vouchers, product delivery configuration), website hosting providers, cloud storage providers, email delivery providers.
5.2 Payment processors: payment gateways used in the checkout (e.g., Stripe or other payment providers connected to Bókun). We do not store full payment card details.
5.3 Third-party attractions / suppliers (Ticket Bundles): where a ticket, voucher, time slot, or entry reservation is included, your personal data may be shared with the relevant Third Party Provider to enable redemption and fulfilment.
5.4 Advisors and authorities: accountants, tax advisors, legal counsel, courts, police, supervisory authorities where legally required.
Any processing by such recipients may be governed by their own privacy policies. We only cooperate with processors providing adequate safeguards under GDPR.
6) International transfers (outside the EEA)
Some service providers (especially SaaS platforms like booking systems, analytics tools, email tools) may process data outside the European Economic Area. Where such transfer occurs, we ensure appropriate safeguards in accordance with GDPR, such as EU Standard Contractual Clauses (SCCs) and adequate technical and organisational measures.
7) Data retention (how long we keep data)
We retain personal data only for as long as necessary.
7.1 Booking and invoicing records: typically 10 years due to legal accounting and tax obligations.
7.2 Customer support communication: typically up to 3 years after last contact, unless needed longer for dispute resolution.
7.3 Fraud/security logs: typically 6–24 months depending on risk and necessity.
7.4 Marketing consent data: until you withdraw consent or object.
We may keep data longer where necessary to establish, exercise or defend legal claims.
8) Cookies and tracking
We may use cookies and similar technologies for basic functionality and performance of our website and booking process.
8.1 Necessary cookies: required for the website and booking checkout to function.
8.2 Analytics cookies (optional): used to analyse website performance and user behaviour.
8.3 Marketing cookies (optional): used for remarketing or advertising attribution.
Where required by applicable law, we will request cookie consent before placing non-essential cookies. You can manage cookies via your browser settings and, where available, cookie banner preferences.
9) Security measures
We apply appropriate technical and organisational measures to protect personal data, including access control, secure authentication, encryption where applicable, limited access rights, and monitoring for unauthorised access. Despite safeguards, no method of transmission over the internet is 100% secure; therefore we cannot guarantee absolute security.
10) Automated decision-making and profiling
We do not make decisions based solely on automated processing that would produce legal or similarly significant effects on you. Limited profiling may occur for fraud prevention or analytics, but it does not result in legal effects.
11) Your rights under GDPR
You have the right to:
11.1 Access (Art. 15): request confirmation whether we process your data and obtain a copy.
11.2 Rectification (Art. 16): request correction of inaccurate or incomplete data.
11.3 Erasure (Art. 17): request deletion where applicable, unless we must keep data due to legal obligations.
11.4 Restriction (Art. 18): request restricted processing under certain conditions.
11.5 Portability (Art. 20): request transfer of your data in a structured format where legally applicable.
11.6 Objection (Art. 21): object to processing based on legitimate interest, including objection to direct marketing.
11.7 Withdraw consent (Art. 7(3)): withdraw consent at any time (if processing is based on consent).
11.8 Complaint: lodge a complaint with a supervisory authority.
For Czech Republic, the supervisory authority is: Úřad pro ochranu osobních údajů (UOOU).
12) How to exercise your rights
To exercise your rights, contact us at: [INSERT EMAIL]. We may request verification of your identity to prevent unauthorised access. We will respond without undue delay, typically within one month as required by GDPR.
13) Children
Our services are not intended for children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will take appropriate action.
14) Updates to this Privacy Policy
We may update this Privacy Policy to reflect changes in law, our services, or data processing practices. The latest version is always published on our website and/or booking page. The version effective at the time of purchase applies for that Booking unless a mandatory legal requirement states otherwise.
15) Contact
Data Controller / Provider: Bc. Marek Kotyza, IČO 75084431, Matějkova 1935/12, 190 00 Praha – Libeň, Czech Republic
GDPR contact email: info@whattodoinsingapore.com