Privacy Policy
Last updated: 23 August 2025
Website: accesstoparis.com (the “Website”)
Owner / Data Controller: Andras Toth EV (individual entrepreneur, Hungary)
Tax number: 57631556-1-36
Contact: info@accesstoparis.com
1) About this Policy
This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit or buy tickets on the Website, contact us (e.g., email or live chat), or otherwise use our services (collectively, the “Services”). We process personal data as a controller under the EU General Data Protection Regulation (GDPR) and applicable Hungarian/EU laws. If you have questions about this Policy or your rights, contact us at the email above.
2) What data we collect
We only collect data that is necessary for providing the Services and complying with legal obligations.
- Identification & contact data – name, email address, phone number, billing country/address (if provided), company/VAT ID (if provided).
- Order & ticket data – product(s) purchased (e.g., attraction tickets), booking date/time, quantity, price, currency, order ID, delivery method (e.g., PDF by email), refund/cancellation history.
- Payment data – payment method, partial card data (last 4 digits, expiry month/year), transaction ID, fraud checks (we never store full card numbers). These are processed primarily by our payment processor.
- Communications – messages you send us via email or live chat, call notes (if any), and related metadata.
- Technical & device data – IP address, device and browser type, operating system, referral source, cookie identifiers, time zone, and basic diagnostics/logs.
- Marketing preferences – newsletter/marketing opt-in status, unsubscribe status, and related consent records.
3) How we collect data
- Directly from you when you browse the Website, make a booking, create/update your order, or contact us.
- Automatically via cookies, pixels, and similar technologies (see Cookies below).
- From service providers (e.g., payment processor for fraud/risk signals and transaction confirmations).
4) Why we use your data (purposes & legal bases)
We process personal data only where allowed under the GDPR. Below we explain each purpose in plain language and indicate the corresponding legal basis.
Provide the Services
What we do: process and confirm orders; issue and deliver tickets (e.g., PDF by email); handle bookings, changes and cancellations.
Legal basis: Contract necessity (GDPR Art. 6(1)(b)).
Payments & fraud prevention
What we do: process payments, refunds and chargebacks; verify transactions; monitor and prevent fraud/abuse.
Legal basis: Contract necessity (Art. 6(1)(b)) and Legitimate interests (Art. 6(1)(f)). Our payment processor may also act as an independent controller for certain antifraud/compliance checks.
Customer support
What we do: respond to emails/live chat; resolve complaints and service issues; quality assurance.
Legal basis: Contract necessity (Art. 6(1)(b)) and Legitimate interests (Art. 6(1)(f)).
Legal & tax compliance
What we do: maintain invoices and accounting records; comply with consumer protection and EU/HU tax rules; respond to lawful requests from authorities.
Legal basis: Legal obligation (Art. 6(1)(c)).
Security & diagnostics
What we do: operate hosting, logging and security (e.g., DDoS/anti-abuse); detect, investigate and remediate incidents.
Legal basis: Legitimate interests (Art. 6(1)(f)).
Analytics & site improvement
What we do: measure traffic and conversions; improve user experience and performance; run product experiments.
Legal basis: Consent (Art. 6(1)(a)) for non-essential cookies/analytics. You can withdraw consent any time via the cookie banner without affecting past processing.
Marketing communications
What we do: send newsletters or special offers; measure email performance.
Legal basis: Consent (Art. 6(1)(a)); or soft opt-in where permitted for existing customers under e-privacy rules. You can opt out at any time via the unsubscribe link.
Optional feedback
What we do: request post-purchase feedback to improve our services.
Legal basis: Legitimate interests (Art. 6(1)(f)); or Consent where required.
Cookies & Consent Mode — legal basis (summary)
For non-essential cookies and tags (including Google Analytics and Google Ads tags), we rely on consent: analytics_storage/ad_storage = “consent” under GDPR Art. 6(1)(a). Strictly necessary cookies rely on legitimate interests (Art. 6(1)(f)) and/or contractual necessity (Art. 6(1)(b)) where they are required to provide the Services (e.g., cart, checkout, security).
Note on consent & objections
Where we rely on consent, you can withdraw it at any time. Where we rely on legitimate interests, you have the right to object; we will stop unless we demonstrate compelling legitimate grounds or the processing is needed for legal claims.
5) Cookies & similar technologies
We use:
- Strictly necessary cookies – required for core site functions (e.g., cart, checkout, security). These run without consent.
- Analytics/performance cookies – help us understand how visitors use the site. These run only with your consent.
- Marketing/advertising cookies – for ad measurement and personalization. These run only with your consent.
You can manage preferences at any time via the cookie banner or your browser settings. For details, see our Cookie Policy.
- We use Google Analytics and may use Google Ads tags. These tools use cookies and similar technologies to measure performance and (where consented) personalize ads. We only activate non-essential cookies after your consent. Learn more about how Google processes data: Google Privacy Policy.
- You can change or withdraw your consent at any time via Cookie settings.
6) Who we share data with
We share personal data only with trusted recipients, under contracts that protect your data and limit use to our instructions.
- Payment processor (e.g., Stripe, Inc. and/or Stripe Payments Europe): card processing, fraud/risk management, and refunds. Stripe may act as an independent controller for parts of the processing (see Stripe’s own privacy notice).
- Hosting & infrastructure: web hosting, CDN, and security services (e.g., DDoS protection).
- Email ticket delivery: email service provider(s) to send order confirmations and PDF tickets.
- Customer support tools: live chat/helpdesk tools to handle your requests.
- Analytics & tag management: tools that collect aggregated usage data (only with your consent).
- Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) — analytics and advertising tags (Google Analytics/Google Ads). Privacy: Google Privacy Policy.
- Professional advisors & authorities: accountants, auditors, or regulators/courts when required by law.
We do not sell your personal data.
7) International data transfers
Some providers may process data outside the EEA/UK (e.g., in the US). Where this happens, we rely on an adequacy decision (if available) or on Standard Contractual Clauses (SCCs) and implement supplementary safeguards as needed to protect your data.
8) Data retention
We keep data only as long as necessary for the purposes described above, and to meet legal/defense requirements:
- Orders, invoices, and payment records: retained for up to 8 years to comply with Hungarian/EU accounting and tax laws.
- Customer support communications: typically 3 years after resolution (unless needed longer for legal claims).
- Marketing data: until you unsubscribe or after 24 months of inactivity.
- Analytics data: per tool settings (commonly 14–26 months) or until anonymized/aggregated.
- Server logs & security records: typically 12 months, unless needed longer to investigate incidents.
When retention periods expire, we delete or irreversibly anonymize the data.
9) Your privacy rights (EEA/UK)
Subject to legal limits, you can:
- Access your personal data and get a copy.
- Rectify inaccurate or incomplete data.
- Erase data (right to be forgotten) where GDPR allows.
- Restrict processing in certain cases.
- Object to processing based on legitimate interests or to direct marketing.
- Portability – receive data you provided to us in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
- Withdraw consent at any time (for consent-based processing).
To exercise your rights, contact us at the email above. We may need to verify your identity.
If you believe your rights have been violated, you can lodge a complaint with your local supervisory authority. In Hungary, this is the National Authority for Data Protection and Freedom of Information (NAIH). You may also seek a remedy before the competent courts.
10) Security
We implement technical and organizational measures to protect personal data, including encryption in transit (TLS), access controls, least-privilege policies, and regular monitoring. However, no online service can guarantee absolute security.
11) Children
Our Services are intended for adults and general audiences. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact us to delete it.
12) Automated decision-making
We do not use automated decision-making that produces legal or similarly significant effects about you without human involvement. Our payment processor may perform automated fraud/risk checks; if such checks affect your transaction, you can contact us to request a human review.
13) Third-party links
The Website may contain links to third-party sites. We are not responsible for their privacy practices. Please review their policies.
14) Changes to this Policy
We may update this Policy to reflect legal, technical, or business changes. The updated version will be posted here with a new “Last updated” date. If changes are material, we will take appropriate steps to notify you (e.g., banner or email, where required).
15) Contact us
Data Controller: Andras Toth EV (individual entrepreneur, Hungary)
Email: info@accesstoparis.com
Postal address: Budapest 1143, Hungária Krt. 50, Pf 122