Privacy Policy

Last updated: 18 June 2025


1. Introduction

Welcome to the privacy policy of tourguide.systems, a trading name of Demapal Ltd (“we”, “us”, or “our”). We specialise in hiring professional wireless tour-guide (“whisper”) audio systems—transmitters with microphones and receivers with headphones—for tours, museums, conferences and interpretation events across the UK. We respect your privacy and are committed to protecting your personal data. This notice explains how we collect and process your personal data when you engage with us and informs you of your rights and how the law protects you.

Please refer to the Glossary for definitions of key terms used in this notice.


2. Important information and who we are

2.1 Purpose of this privacy notice

This notice explains how Demapal Ltd collects and processes your personal data when you enter into, or take steps to enter into, a contractual relationship with us. It supplements any other notices we may provide and is not intended to override them.

2.2 Controller

Demapal Ltd is the controller responsible for your personal data.

2.3 Contact details

  • Legal entity: Demapal Ltd
  • Data-protection manager: Ivan Zharikov
  • Address: 63 St Mary Axe, London, EC3A 8AA, United Kingdom
  • Email: ivan@demapal.com
  • Telephone: +44 (0) 20 7183 6090

You may complain at any time to the UK Information Commissioner’s Office (ICO) (ico.org.uk), but we would appreciate the chance to deal with your concerns first.

2.4 Changes to this notice

This version is dated 03 June 2025. We may update it periodically to reflect legal or operational changes.

2.5 Your duty to inform us of changes

Please keep us informed if your personal data changes during your relationship with us.


3. The data we collect about you

“Personal data” means any information about an individual from which that person can be identified. It does not include anonymised data.

CategoryDescription
Identity DataFirst and last names of clients or their representatives; company name (if applicable).
Contact DataBilling address, email address, telephone number.
Phone Call DataRecordings of inbound and outbound telephone calls between you and us.
Personal DataAny information you disclose to us during our contractual relationship.
Financial DataBank-account and payment-card details.
Transaction DataPayments to and from you and details of products or services purchased.
Usage DataInformation about how you use our services and website.
Marketing & Communications DataYour preferences in receiving marketing from us and third parties.
Logistics & Booking DataEquipment quantities, hire duration, delivery/collection addresses & times, return arrangements and any comments you provide.

4. If you fail to provide personal data

If we need personal data by law or under a contract and you fail to supply it, we may be unable to perform the contract (e.g. provide services) and may have to cancel the service.


5. How is your personal data collected?

  • Direct interactions – data you give us in forms, emails, calls, etc.
  • Automated technologies – Usage Data collected via cookies (see Cookies).

6. How we use your personal data

We rely on:

  • Performance of a contract
  • Legitimate interests (balanced against your rights)
  • Compliance with a legal obligation
  • Consent (you may withdraw at any time)

6.1 Purposes for which we use your data

Purpose / ActivityData TypesLawful basis
Register you as a new customera Identity  b Contact  c Personal
d Financial  e Phone Call
Contract; Consent (recording)
Process and deliver servicesa Identity  b Contact  c Transaction
d Financial  e Personal  f Phone Call
Contract; Legitimate interest (recover debt); Consent (recording)
Manage our relationshipa Identity  b Contact  c Phone Call  d FinancialContract; Legitimate interest (record-keeping)
Surveys / partner updatesMarketing & CommsConsent
Run and protect our businessa Identity  b ContactLegitimate interest; Legal obligation
Improve services (analytics)UsageLegitimate interest
Training & quality (call recordings)a Identity  b Contact  c Personal  d Phone CallLegitimate interest; Consent (recording)

We do not engage in automated decision-making that produces legal or similarly significant effects.


7. Marketing

You will receive marketing communications if you have opted in. You may opt out at any time.


8. Change of purpose

We will only use your data for the original purpose unless we reasonably consider a related, compatible purpose exists, or we notify you and explain the new legal basis.


9. Disclosures of your personal data

  • Internal third parties: other Demapal Ltd entities.
  • External third parties: professional advisers, HMRC/regulators, IT providers, and third parties you instruct.

All third parties must respect data security and act only on our instructions.
Where we enter an NDA, its confidentiality terms apply; personal data also remains governed by this Policy.


10. International transfers

We primarily process data in the UK/EEA. When using providers outside these areas we rely on UK-approved SCCs, adequacy decisions, and contractual/technical safeguards.

  • pCloud (Switzerland) – cloud storage
  • Synology NAS – encrypted local storage/back-ups
  • Microsoft 365 – email/collaboration
  • Xero – accounting
  • GoCardless – direct-debit processing
  • Barclays Bank UK – client banking
  • Wise Payments – international payments
  • Stripe – card-payment processing
  • Hostinger VPS – website hosting
  • Fluent Forms – web-form data
  • OpenAI (ChatGPT) – limited content generation; no storage of client data

11. Data security

We implement appropriate security (including encryption in transit and at rest) and restrict access to staff with a business need. Breach procedures are in place.


12. Data retention

  • Core records kept up to six years after relationship ends.
  • ⚠ We do not accept blanket deletion requests originating from external Terms & Conditions or procurement systems unless we are legally obliged to do so under UK law (e.g. GDPR Article 17).
  • Phone-call recordings kept 1 month – 6 years depending on need.
  • Marketing preferences retained until you withdraw consent.
  • Anonymised analytics may be kept indefinitely.

You have the right to access, correct, erase, restrict, transfer, object to processing, and withdraw consent at any time. We respond within one month to Subject Access Requests.


14. Cookies

We use cookies grouped as functional (always active), statistics, and marketing. Non-essential cookies operate only with your consent via the Complianz banner.


15. Children’s data

Our services target professional users. We do not knowingly collect data from children under 13. Contact us if you believe we hold such data.


17. Glossary

Legitimate Interest – our business interest, balanced against your rights.

Performance of Contract – processing necessary to fulfil a contract with you.

Comply with a legal obligation – processing required by law.

Internal Third Parties – Demapal Ltd entities acting as joint controllers.

External Third Parties – advisers, regulators, IT providers (including GoCardless, Stripe, Barclays Bank UK and Wise Payments for payment processing), and any third party you instruct.


18. Non-Disclosure Agreements (NDA)

NDAs cover confidential business information for specific projects. Where that information is also personal data, it is processed in line with this Privacy Policy. NDAs do not prevent us from:

  • Sharing data with authorised staff or processors (e.g. Xero, pCloud, Microsoft 365) to perform services.
  • Disclosing information required by HMRC, regulators or a court.

The higher standard of protection between an NDA and this Policy will always prevail.

⛔ We do not accept automatic confidentiality or data-handling obligations embedded within external vendor platforms, onboarding systems, or procurement portals unless explicitly reviewed and agreed in writing. Our legal obligations under UK law and this Privacy Policy prevail in all cases.