RetvenoYou do you. We do the rest.

Privacy Policy

Last updated: 2 June 2026

This Privacy Policy explains how Retveno collects, uses, shares and protects personal data when you use our booking software for tour and adventure operators (the “Service”). We’ve tried to keep it readable — if anything is unclear, contact us at [email protected].

Two roles, in plain terms. For your own account and how we run the Service, Retveno is the data controller. For the guest and customer details you bring into the Service to manage your bookings, you (the operator) are the controller and Retveno acts as your data processor — we only handle that data to provide the Service to you, under the Data Processing terms referenced below.

1. Who we are

The Service is operated by [Legal entity name], registered at [Registered address], Bulgaria (“Retveno”, “we”, “us”). For any privacy question or to exercise your rights, contact [email protected]. [If you appoint a Data Protection Officer or EU representative, name and contact them here.]

2. The data we collect

2.1 Operator account data (we are controller)

  • Account & profile: business name, email, password (stored only as a secure hash), and settings you configure.
  • Billing data: subscription plan and payment status. Card details are handled by our payment provider (Stripe) — we never see or store full card numbers.
  • Usage & technical data: log data, IP address, device/browser information and basic product analytics needed to run and secure the Service.
  • Authentication tokens for integrations you connect (e.g. Google Calendar, Meta), stored encrypted and used only to provide the feature you enabled.

2.2 Your customers’ and guests’ data (you are controller, we process)

  • Booking details you create or that are captured for you: guest name, phone, email, party size, dates, the activity booked, notes, deposit and waiver status.
  • Message-derived data from the automatic intake feature, where you enable it — see Section 3.

You are responsible for having a lawful basis to put your guests’ data into the Service and for telling your guests how you use it. We make the intake feature deliberately narrow (Section 3) to help.

3. How the automatic DM intake works (and what we don’t keep)

If you connect a messaging channel (WhatsApp, Instagram or Facebook Messenger) or forward a screenshot, Retveno helps turn booking messages into draft bookings. This feature is built to read as little as possible:

  • Trigger-word gate. An incoming text message is only processed if it contains one of the booking-related trigger words you control (e.g. “book”, “availability”, “dates”). Messages that don’t match are discarded immediately and are not sent onward or stored.
  • Automated, not human-read. No Retveno employee reads your messages as part of this feature. Matching messages are processed automatically to extract booking details.
  • AI extraction. To pull out the guest name, dates and party size, the content of a matching message (or a screenshot you forward) is sent to our AI sub-processor, Google (Gemini API), which processes it on our behalf to return structured fields. It is not used to build a profile of your guests.
  • We keep the booking, not the conversation. We store the extracted booking fields and the channel it came from. We do not retain the raw message thread as part of the booking record.

Where the feature uses Meta’s platforms, our use of information received from those APIs follows Meta’s Platform Terms and Developer Policies, including limits on how that data may be used.

4. Why we use your data (legal bases)

  • To provide the Service (contract). Creating your account, managing bookings, sending reminders, taking deposits and syncing your calendar.
  • Legitimate interests. Securing the Service, preventing abuse, improving features and basic analytics, in a way that doesn’t override your rights.
  • Legal obligation. Keeping records (e.g. tax/invoicing) where the law requires.
  • Consent. Where we ask for it — for example before connecting an optional integration. You can withdraw consent at any time.

5. Who we share data with (sub-processors)

We don’t sell your data. We share it only with vendors who help us run the Service, under contracts that require them to protect it and use it only on our instructions:

ProviderPurpose
StripePayments and deposits
Google (Gemini API)AI extraction of booking details from messages/screenshots
Google (Calendar & Sign-in)Optional two-way calendar sync and Google login
Meta PlatformsReceiving messages from WhatsApp, Instagram and Messenger where you connect them
TwilioSMS and WhatsApp reminders
ResendTransactional email (e.g. password resets, notifications)
[Hosting / database provider]Application hosting and data storage

We may also disclose data if required by law, to protect our rights or users, or as part of a business transfer (e.g. merger), in which case we’ll keep this policy’s protections in place.

6. International transfers

Some providers above may process data outside your country, including outside the European Economic Area. Where that happens, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or an adequacy decision.

7. How long we keep data

We keep account and booking data for as long as your account is active and as needed to provide the Service. After you close your account we delete or anonymise personal data within a reasonable period, except where we must keep certain records to meet legal, tax or accounting obligations or to resolve disputes. See Section 9 and our Data Deletion page to request earlier deletion.

8. How we protect data

We use industry-standard measures including encryption in transit, hashing of passwords, encryption of stored integration tokens, access controls and least-privilege practices. No system is perfectly secure, but we work to protect your data and will notify you and the relevant authority of a personal-data breach where the law requires.

9. Your rights

Subject to applicable law (including the GDPR), you may have the right to access, correct, delete, restrict or object to processing of your personal data, to data portability, and to withdraw consent. To exercise these rights, email [email protected] or use the Data Deletion page.

If you are a guest of an operator using Retveno, please contact that operator first, since they decide how your data is used; we’ll support them in responding. You also have the right to complain to your local data protection authority (in Bulgaria, the Commission for Personal Data Protection).

10. Cookies & local storage

We use strictly necessary browser storage (such as keeping you signed in) to run the Service. If we add analytics or non-essential cookies, we’ll update this section and, where required, ask for your consent first.

11. Children

The Service is for businesses and isn’t directed to children. We don’t knowingly collect data from children. If a guest you book is a minor, you are responsible for handling their data lawfully (e.g. via a parent or guardian).

12. Changes to this policy

We may update this policy from time to time. We’ll change the “last updated” date above and, for material changes, give you reasonable notice (e.g. in-app or by email).

13. Contact

Questions or requests: [email protected]. See also our Terms of Service.