PRIVACY POLICY

(for Global Experience LTD and all Carpe Diem / related tour websites)

Last updated: 11.11.2025

This Privacy Policy explains how Global Experience LTD (“we”, “us”, or “our”) collects, uses, discloses, and protects personal information in connection with our websites and services, including:

• https://www.carpediemtours.com/
  
  
• https://thetipsytours.com/
  
  
• https://jackrippertour.com/
  
  
• https://ghosttourlondon.com/
  
  
• https://thebudapestfoodtour.com/
  
  
• https://sohofoodtour.com/
  
  

(collectively, the “Websites”) and any tours, products, or services we offer (the “Services”).

We are committed to handling personal information in a manner consistent with applicable data protection laws, including, where applicable, the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA).

By using our Websites or Services, you acknowledge that you have read and understood this Privacy Policy.

1. Who We Are

Data controller:
Global Experience LTD
12 London Road
Morden, England, SM4 5BQ
United Kingdom

If you have any questions about this Privacy Policy or our data practices, you can contact us at:

• Email: tech@carpediemtours.com
  
  

We have not appointed a Data Protection Officer, but you may use the email above for all privacy-related questions and requests.

2. Scope of This Policy

This Privacy Policy applies to personal information we process when you:

• Visit or use any of our Websites;
  
  
• Make an enquiry about a tour or experience;
  
  
• Make a booking or purchase through our booking widget (powered by third-party providers);
  
  
• Receive marketing or service communications from us;
  
  
• Interact with us via email, phone, WhatsApp, social media or other channels in relation to our Services.
  
  

This Policy does not apply to third-party websites, platforms, or services that may be linked from our Websites (for example, payment providers, social networks, or online travel agencies). We encourage you to review the privacy policies of those third parties.

3. Categories of Personal Information We Collect

Depending on how you interact with us, we may collect and process the following categories of personal information:

3.1 Information you provide directly

Contact and enquiry data

When you fill in a contact or enquiry form on any of our Websites, or otherwise contact us, we may collect:

• Name and surname
  
  
• Email address
  
  
• Telephone number
  
  
• Travel dates
  
  
• Travel destination / tour of interest
  
  
• Billing address (where you choose to provide it)
  
  
• The content of your message or enquiry
  
  

Booking data

When you make a booking using our third-party booking widget (e.g. Rezdy), we may receive:

• Name and contact details
  
  
• Booking details (tour, date, time, group size, special requests)
  
  
• Billing address and other details required for invoicing
  
  
• Confirmation that payment was successful (but not your full card details)
  
  

Marketing and communication preferences

When you consent to receive marketing (e.g. during or after checkout), we may collect:

• Email address
  
  
• Name (if provided)
  
  
• Your preferences regarding marketing channels and content
  
  

Communication may also occur via channels such as WhatsApp, where we may process your phone number and message content.

3.2 Information collected automatically

When you visit our Websites, we automatically collect certain information through cookies, pixels, and similar technologies, including:

• IP address
  
  
• Approximate location (based on IP address)
  
  
• Device identifiers
  
  
• Browser type and settings
  
  
• Operating system
  
  
• Pages visited, time and date of visit, time spent on each page
  
  
• Referring URL (the page you came from)
  
  
• Clicks, scrolls, and other interactions on the site (for example, through Microsoft Clarity session analytics)
  
  

We use tools such as:

• Google Analytics 4 (GA4), implemented via Google Tag Manager (GTM)
  
  
• Microsoft Clarity
  
  
• Google Ads, Meta/Facebook Pixel, TikTok Pixel
  
  
• Klaviyo (for email/marketing analytics)
  
  

Some of these tools involve cookies or similar technologies that require your consent where required by law.

4. How We Collect Personal Information

We collect personal information in the following ways:

• Directly from you – when you submit a form, make an enquiry, place a booking, communicate with us, or opt in to marketing.
  
  
• Automatically – via cookies, pixels, and similar technologies when you browse our Websites.
  
  
• From third parties – for example, booking platforms, payment providers, marketing tools (such as Klaviyo), and our CRM system (Monday.com), which support our operations.
  
  

5. Purposes and Legal Bases for Processing

Where the GDPR/UK GDPR applies, we rely on one or more of the legal bases listed in brackets.

We use your personal information for the following purposes:

1. To respond to enquiries and provide our Services
   
   
   • Handling your contact requests and questions
     
     
   • Providing information and quotes about tours and experiences
     
     
   • Processing bookings and reservations, including confirmations and updates
     Legal bases: performance of a contract or pre-contractual steps; legitimate interests in running our business and responding to potential customers.
     
     
2. To process bookings and payments
   
   
   • Processing orders for tours and related services through our booking widget
     
     
   • Issuing receipts and invoices
     
     
   • Communicating about your booking (e.g. reminders, changes, cancellations)
     Legal bases: performance of a contract; legal obligations (e.g. accounting, tax).
     
     
3. To provide customer support and communication
   
   
   • Responding to emails, contact forms, WhatsApp messages, and other communications
     
     
   • Managing complaints and resolving issues
     Legal bases: performance of a contract; legitimate interests.
     
     
4. To conduct analytics and improve our Websites and Services
   
   
   • Understanding how visitors use our Websites
     
     
   • Improving usability, performance, and content
     
     
   • Detecting and preventing technical problems
     Legal bases: legitimate interests (improving services and ensuring website security); consent where required for analytics cookies.
     
     
5. To conduct marketing and remarketing
   
   
   • Sending email marketing (e.g. via Klaviyo) to individuals who have consented or where another lawful basis exists (such as “soft opt-in” for existing customers, where permitted by law)
     
     
   • Running advertising and remarketing campaigns via Google Ads, Meta/Facebook, TikTok and similar platforms
     
     
   • Measuring and optimising the effectiveness of our campaigns
     Legal bases: consent (for email marketing and non-essential cookies/trackers); legitimate interests (promoting and growing our business) where permitted.
     
     
6. To ensure security and prevent fraud
   
   
   • Monitoring for and protecting against fraudulent bookings, abuse, or suspicious activity
     
     
   • Protecting the integrity and security of our systems and data
     Legal bases: legitimate interests; compliance with legal obligations.
     
     
7. To comply with legal and regulatory obligations
   
   
   • Keeping appropriate business and accounting records
     
     
   • Complying with tax, accounting, and tourism-related legal obligations
     
     
   • Responding to lawful requests from public authorities
     Legal bases: compliance with legal obligations.
     
     

Where we rely on consent, you may withdraw your consent at any time (for example, by using unsubscribe links or adjusting your cookie settings). Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our Websites. These may be:

• Strictly necessary cookies – required for the basic functioning of the site (e.g. security, session management).
  
  
• Preference/functional cookies – to remember your preferences.
  
  
• Analytics cookies – to understand and improve how our Websites are used (e.g. GA4, Microsoft Clarity).
  
  
• Advertising/remarketing cookies – to deliver and measure personalised advertising (e.g. Google Ads, Meta/Facebook, TikTok).
  
  

We use Cookiebot as our consent management platform to display a cookie banner and allow you to manage your preferences. Where required by law, we only place non-essential cookies (such as analytics or advertising cookies) after you have given your consent.

You can also control cookies through your browser settings. However, blocking certain cookies may affect the functionality of the Websites.

7. Payments and Third-Party Providers

Payments

Bookings and payments are processed via Rezdy and its payment partners such as RezdyPay and PayPal. When you make a payment:

• Your payment data is processed directly by these payment providers.
  
  
• We do not store your full payment card details on our own systems.
  
  

The use of your payment information is governed by the respective payment provider’s privacy policy, which we encourage you to review.

Other key third-party providers

We may share or allow access to personal information with the following categories of service providers, strictly for the purposes described above:

• Booking platform and payment providers (e.g. Rezdy, RezdyPay, PayPal)
  
  
• Email and marketing platforms (e.g. Klaviyo)
  
  
• Customer relationship management (CRM) tools (e.g. Monday.com)
  
  
• Analytics and advertising partners (e.g. Google, Meta/Facebook, TikTok, Microsoft)
  
  
• Cookie consent provider (Cookiebot)
  
  
• Hosting, IT and security providers
  
  

These third parties act as our processors or independent controllers depending on the circumstances. Where they act as processors, they are contractually obligated to process personal information only on our instructions and to implement appropriate security measures.

We do not “sell” personal information in the traditional sense. If activities we perform are treated as “selling” or “sharing” under CCPA/CPRA (for example, certain advertising cookies), we will provide appropriate notices and honor the applicable rights and opt-out requests.

8. International Data Transfers

Our main servers are located in the United Kingdom.

Because we have customers and service providers around the world, your personal information may be transferred to or accessed from countries outside your country of residence, including countries outside the EU/EEA and UK (such as the United States).

Where we transfer personal information from the EU/EEA or UK to a country that is not subject to an adequacy decision, we will implement appropriate safeguards, such as:

• Standard Contractual Clauses approved by the European Commission or UK authorities; and/or
  
  
• Other legally recognised mechanisms for international transfers, where applicable.
  
  

You may contact us at tech@carpediemtours.com for more information on these safeguards.

9. Data Retention

We keep personal information only for as long as necessary for the purposes described in this Privacy Policy, including to comply with legal, accounting, and reporting obligations.

In general, we apply the following criteria:

• Enquiry data: kept for up to 4 years from the date of last contact, unless a longer retention is required or justified (for example, in case of a dispute).
  
  
• Booking and transaction data: kept for the duration of the relationship and then for the period required by tax and accounting laws (which may be several years).
  
  
• Marketing data: kept until you withdraw your consent or object to receiving marketing, or after a defined period of inactivity, and then removed or anonymised.
  
  
• Technical and analytics data: kept for periods aligned with our analytics tools’ default or configured settings, after which it is aggregated or anonymised where possible.
  
  

Where data is no longer needed, we will delete or anonymise it.

10. Security of Personal Information

We take appropriate technical and organisational measures to protect personal information against unauthorised access, loss, misuse, or alteration. These measures include:

• HTTPS/TLS encryption on our Websites;
  
  
• Access controls and least-privilege principles for staff and systems;
  
  
• Regular backups of key systems;
  
  
• Use of reputable hosting and IT providers;
  
  
• Password security practices and security monitoring.
  
  

However, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

11. Your Rights

Your rights depend on where you live and which data protection laws apply. Subject to legal limitations, you may have some or all of the following rights:

EU/UK and similar jurisdictions

• Right of access: to obtain confirmation whether we process your personal information and to receive a copy.
  
  
• Right to rectification: to request correction of inaccurate or incomplete data.
  
  
• Right to erasure: to request deletion of your personal information in certain circumstances.
  
  
• Right to restriction of processing: to request that we temporarily restrict processing in certain situations.
  
  
• Right to object: to object to processing based on legitimate interests and to object at any time to processing for direct marketing.
  
  
• Right to data portability: to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller, where the legal conditions are met.
  
  
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
  
  

California and certain US state residents

Depending on applicable law, you may also have:

• The right to know what categories of personal information we collect, use, disclose, “sell” or “share”;
  
  
• The right to request access to and deletion of your personal information;
  
  
• The right to correct inaccurate personal information;
  
  
• The right to opt out of the “sale” or “sharing” of personal information;
  
  
• The right not to be discriminated against for exercising your privacy rights.
  
  

12. Exercising Your Rights

To exercise any of these rights, please contact us at:

• Email: tech@carpediemtours.com
  
  

Please:

• Clearly state which right(s) you wish to exercise; and
  
  
• Provide sufficient information for us to verify your identity (we may request additional information if necessary).
  
  

We will respond to your request in accordance with applicable law.

If you are in the EU/EEA or UK, you also have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

13. Children’s Privacy

Our Websites and Services are not directed to children under 16 years of age, and we do not knowingly collect personal information from children under this age.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at tech@carpediemtours.com. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information as required by law.

14. Marketing Communications

We send marketing communications (for example, via email or WhatsApp) primarily to:

• Customers who have made a booking; and/or
  
  
• Individuals who have explicitly opted in to receive such communications.
  
  

You can opt out of marketing at any time by:

• Clicking the unsubscribe link contained in our marketing emails;
  
  
• Replying with the appropriate stop words in WhatsApp (for example, “STOP”) where applicable; or
  
  
• Contacting us at tech@carpediemtours.com and specifying that you no longer wish to receive marketing.
  
  

We may still send you non-marketing communications that are necessary for your bookings or our contractual relationship (for example, booking confirmations, essential updates, or service messages).

15. Automated Decision-Making and Profiling

We do not use personal information to make decisions that are based solely on automated processing (including profiling) that produce legal effects or similarly significant effects on you.

Where we use basic segmentation for marketing purposes (e.g. by location, previous booking, or website behaviour), this is done to send more relevant content and does not have legal or similarly significant effects.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in our Services, technologies, or legal requirements.

When we do so, we will update the “Last updated” date at the top of this page. In some cases, we may provide additional notice (for example, a banner on the Websites or an email) for significant changes.

We encourage you to review this Privacy Policy periodically.

17. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

• Email: tech@carpediemtours.com