← Bosnia Guide

    Privacy Policy

    General Information & Data Controller

    • This Privacy Policy describes how the Bosnia Guide Platform ('we', 'us') collects, uses, and protects your personal data when you use our services.
    • Data Controller: Bosnia Guide | Contact: hello@bosnia.guide

    Legal Basis for Processing

    • We process personal data on the following legal bases under GDPR Article 6:
    • Legitimate interest (Art. 6(1)(f)): technical operation of the Platform, security, and analytics.
    • Consent (Art. 6(1)(a)): analytics cookies and advertising cookies (Google Analytics, Google Ads).
    • Necessary for the performance of a service (Art. 6(1)(b)): processing your email address when you use the AI assistant.

    Types of Data We Collect

    • Contact information: email address (only when you use the AI assistant or contact form).
    • Communication data: content of messages submitted via the contact form or AI assistant.
    • Technical data: IP address, browser type, device type, operating system, pages visited, time of visit.
    • Cookie and tracking data: see our Cookie Policy for details.
    • Contributor account data (only for users who maintain a contributor account): full name, email address, business or organisation name (where applicable), phone number, account credentials, and operational metadata such as last login, account status, and audit logs.

    How We Use Your Data

    • To respond to your inquiries submitted via the contact form or AI assistant.
    • To improve user experience and the quality of our services.
    • To ensure the technical functionality and security of the Platform.
    • For anonymous statistical analysis of Platform usage.

    Data Retention

    • Email addresses collected via the AI assistant are retained only as long as necessary to respond to the inquiry and are deleted within 90 days.
    • Trip planner data (travel preferences and generated itineraries) is stored in the Platform's database and retained until you request its deletion.
    • Contact form messages are retained for up to 12 months.
    • Technical and analytics data are retained for up to 26 months.
    • Contributor account data is retained for the active life of the account; after a deactivation request, it is retained for up to 24 months for legal, accounting, fraud-prevention, audit, and dispute-resolution purposes, then deleted, unless a longer retention is required by applicable law.
    • Content submitted by contributors (locations, photographs, 360° panoramic imagery, video references, events, tour information, descriptions) is treated as Platform content under the licence granted in the Terms of Use and is retained indefinitely as part of the Platform. Individual items may be removed on request, subject to the 'Content Removal Requests' section of the Terms of Use and to applicable legal retention obligations.
    • You may request deletion of your data at any time by contacting us at hello@bosnia.guide.

    Data Sharing

    • We do not sell or share your personal data with third parties for their own marketing purposes.
    • We may share data with the following processors strictly to operate the Platform: hosting and infrastructure providers; OpenAI, LLC (United States) for AI assistant queries; Google LLC for analytics (Google Analytics) and advertising (Google Ads); Resend, Inc. (United States) for sending transactional emails such as verification codes — only your email address is transmitted to this service; and Cloudflare, Inc. (United States) as our CDN and security proxy, which may process visitors' IP addresses to protect the Platform against malicious traffic (see https://www.cloudflare.com/privacypolicy/).
    • All processors are bound by data processing agreements and may only use data as instructed by us.
    • The Platform cannot guarantee that third-party processors will fully comply with their GDPR obligations at all times; however, we actively monitor compliance and contractually bind all processors through data processing agreements.

    International Data Transfers

    Some processors (OpenAI, Google) are based in the United States. Data transfers to the US are carried out under appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of data protection.

    Your Rights Under GDPR

    • You have the following rights regarding your personal data:
    • Right of access: request a copy of the personal data we hold about you.
    • Right to rectification: request correction of inaccurate or incomplete data.
    • Right to erasure ('right to be forgotten'): request deletion of your personal data.
    • Right to restriction: request that we limit the processing of your data.
    • Right to data portability: receive your data in a structured, machine-readable format.
    • Right to object: object to processing based on legitimate interest.
    • Right to lodge a complaint: you may contact the supervisory authority — Agencija za zaštitu osobnih podataka Bosne i Hercegovine (www.azlp.ba).
    • The right to erasure applies to personal data we hold about you. Content you have contributed to the Platform (location listings, photographs, panoramic imagery, video references, events, tours, descriptions) is treated as Platform content under the licence granted at submission. Requests to remove specific contributed content are handled under the 'Content Removal Requests' section of the Terms of Use, subject to legal retention requirements and to technical feasibility (some references may persist temporarily in backups and caches).
    • To exercise any of these rights, contact us at: hello@bosnia.guide

    Right to Erasure — Limitations

    • When you request erasure of data processed via the AI assistant, we will delete your data from the Platform's database.
    • However, data that was transmitted to OpenAI for processing may be retained by OpenAI for up to 30 days as part of their abuse monitoring systems. We cannot delete this data from OpenAI's systems before their retention period expires.
    • After 30 days, OpenAI deletes all API data from their abuse monitoring systems. This limitation is disclosed in accordance with Art. 17(3) GDPR.
    • Content contributed to the Platform may be retained where applicable law requires the Platform to keep it (for example, as evidence in an investigation or to comply with a regulatory or court order), or where the content is the subject of an open complaint, dispute, or claim. References may also persist for a limited period in backups and caches.

    AI Assistant Data Processing

    • Data entered by users when using the AI assistant are technically processed via OpenAI, LLC (United States), solely to generate responses.
    • The following specific data categories are transmitted to OpenAI when you use the AI trip planner: travel dates (arrival and departure), group composition (number of adults and children), interest and activity preferences, accommodation type preferences, additional services requested (taxi, tourist guide), car availability, free-text notes or additional wishes (max 250 characters), email address, and selected language preference.
    • To generate the itinerary, the Platform also transmits a filtered subset of its location database (location names, categories, tags, coordinates, and metadata) to OpenAI as context. This is platform data used to produce relevant recommendations.
    • OpenAI may retain API input and output data for up to 30 days for abuse monitoring and safety purposes, after which it is deleted from OpenAI's systems.
    • Trip planning inputs and the generated itinerary are stored in the Platform's database to allow you to access your itinerary and for service improvement. This data is retained until you request its deletion. You may request deletion at any time by contacting hello@bosnia.guide.
    • The Bosnia Guide Platform does not use this data for commercial purposes, nor does it independently share or sell it to third parties.
    • Your email address submitted to use the AI assistant is not used for marketing and is not shared with third parties.

    Automated Decision-Making

    • The AI trip planner uses automated processing to generate personalised travel itineraries based on your inputs and available location data. No human reviews the itinerary before it is presented to you.
    • The generated itinerary is a suggestion only and does not create any obligation, booking, or legal effect.
    • Under Art. 22 GDPR, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Since the itinerary is purely informational and does not produce legal effects, Art. 22 does not strictly apply. We disclose this for transparency.
    • You may contact us at hello@bosnia.guide to request human review of any AI-generated output.

    Location Submission Data

    • When you submit a location listing via our public request form, we collect the following personal data: first name, last name, company name (if applicable), phone number, and email address.
    • Purpose: this data is used solely to verify your submission, communicate with you regarding the listing, and send technical notifications related to your submission. It is not publicly displayed on the Platform.
    • Uploaded images (up to 10 photos per submission) are stored on our servers and may be published publicly on the Platform as part of the approved location listing.
    • Legal basis: your explicit consent provided via the consent checkbox in the submission form (Art. 6(1)(a) GDPR).
    • Retention: personal data from location submissions is retained for the duration of the active business relationship (initial 30-day listing period and any subsequent renewals). After the last renewal period expires without extension, data is retained for up to 12 additional months for administrative follow-up, then deleted. You may request deletion at any time.
    • To request deletion of your submission data, contact us at: hello@bosnia.guide

    Contributor Accounts

    • Some users register a contributor account to submit content to the Platform.
    • Personal data collected when the account is created: full name, email address, business or organisation name (where applicable), and phone number. We also process operational metadata such as last login, account status, and audit logs.
    • Purpose: account authentication; communication regarding submitted content; technical and security notifications; audit and compliance.
    • Legal basis: performance of the contributor agreement (Art. 6(1)(b) GDPR) and the Platform's legitimate interest in operating and securing the service (Art. 6(1)(f) GDPR).
    • This personal data is not publicly displayed on the Platform.
    • Content the contributor submits (locations, photographs, 360° panoramic imagery, video references, events, tour information, and descriptions) is treated as Platform content under the licence granted in the Terms of Use, and is retained as described in the Data Retention section above.
    • Account deactivation: contributors may request deactivation at any time by emailing hello@bosnia.guide. Account data may be retained for up to 24 months after deactivation as described in the Data Retention section. Submitted content remains on the Platform under the licence granted at submission, and individual items may be removed on request under the 'Content Removal Requests' section of the Terms of Use.

    Uploaded Images & EXIF Metadata

    • Photos uploaded through the location submission form may contain embedded metadata (EXIF data), which can include GPS coordinates, camera model, date and time of capture, and other technical information.
    • All uploaded images are processed through an automatic compression pipeline that strips EXIF metadata, including GPS location data, before storage and publication on the Platform.
    • As a result, no EXIF metadata from your original photos is retained or published.

    Cookies

    For full details on how we use cookies and local storage, please see our Cookie Policy at https://bosnia.guide/cookies.

    Data Breach Notification

    • In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority (Agencija za zaštitu ličnih podataka Bosne i Hercegovine) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR.
    • If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34 GDPR), providing details of the breach, its likely consequences, and the measures taken or proposed.

    Children's Data

    • The Platform and its AI assistant are not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16.
    • If you are a parent or guardian and believe your child has provided us with personal data, please contact us at hello@bosnia.guide. If we become aware that we have collected data from a child under 16, we will delete it immediately. This is in accordance with Art. 8 GDPR.

    Policy Changes

    We reserve the right to periodically modify this Privacy Policy. Updated versions will be published on the Platform with the date of the last modification clearly indicated.

    Contact

    For any questions regarding this Privacy Policy or to exercise your rights, contact us at: hello@bosnia.guide

    Last updated: June 2026