Skip to main content

GDPR & Cookies

Last updated: March 2026

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European regulation that came into force on 25 May 2018. It gives European citizens greater control over their personal data and requires organisations that process such data to be transparent and accountable.

What data do we collect?

Chateauxplorer collects only the data strictly necessary to provide its services:

  • Account data — email address when you create an account (via Supabase Auth)
  • Usage data — pages visited, session duration (anonymised)
  • Voluntarily submitted data — messages sent via our contact form
  • Passport & favourites — monuments you have stamped or saved, linked to your account

Cookies

We use the following types of cookies:

  • Essential cookies — required for authentication and core site functionality. These cannot be disabled.
  • Analytics cookies — anonymised data to help us understand how the site is used and improve it. You can decline these via the banner shown on your first visit.
  • Partner cookies — GetYourGuide may set cookies when you interact with their booking widget. These are only active if you have accepted cookies.

You can change your cookie preferences at any time by clearing your browser's local storage or adjusting your browser settings.

Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the data we hold about you
  • Right to rectification — correct inaccurate data
  • Right to erasure — request deletion of your data (“right to be forgotten”)
  • Right to portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to restriction — request that we restrict processing of your data

To exercise any of these rights, contact us via our contact form. We will respond within 30 days.

Data retention

Personal data is retained for the period necessary for the purpose for which it was collected, and no longer than 3 years after your last interaction with our services. Account data is deleted upon account deletion.

Data transfers

Your data is processed by the following sub-processors, all of which are GDPR-compliant:

  • Supabase — authentication and database hosting (EU servers)
  • Vercel — website hosting and deployment
  • Cloudinary — image hosting and optimisation

Contact & DPO

For any questions about the protection of your personal data, please contact us via our contact form.