Legal

Privacy Policy

Last updated: 1 June 2026

The short version: Visitaku has no user accounts, runs no analytics or advertising, sets no tracking cookies, and never sees your card details. We store the tours you create, a reference to your Stripe customer record if you subscribe, and standard server logs. We don't sell your data. The detail is below.

1. Who we are

Visitaku (“Visitaku”, “we”, “us”, “our”) operates the website at visitaku.com, a service for creating and sharing 360° virtual tours.

Visitaku is operated by Xavier Medina Vallès, an individual based in Barcelona, Spain, who acts as the data controller responsible for the personal data described in this policy. For any privacy question, or to exercise your rights, contact us at [email protected].

2. Information we collect

Tour content you upload

When you create a tour, we store the panoramic images you upload and the tour configuration you build (the scenes, the links between them, floor names, and viewing angles). Images are converted to WebP in your browser before upload and stored on our server. A tour is identified by a random 6-digit code; we do not ask for your name or any account details to create one.

Your images may show the interior of homes or businesses, and could incidentally include people or other identifying details. Please see “Your responsibilities” below.

Payment information

Payments and subscriptions are handled entirely by Stripe on Stripe-hosted pages. We never receive or store your card number or full payment details — these go directly to Stripe. After a successful payment, we store only:

a Stripe customer reference (ID) linked to your tour;
the plan you purchased (monthly or yearly) and the dates of purchase and expiry.

Your name, email and billing details are held by Stripe under Stripe's privacy policy, not by us.

Email address (Manage page only)

If you use the “Manage subscription” page, you enter your tour code and the email you used at checkout. We send that email to look up your subscription and, if it matches, redirect you to Stripe's billing portal. This email is used only for that lookup at that moment — we do not store it.

Technical and log data

Like virtually all websites, our server keeps access logs. Each entry records the visitor's IP address, the date and time, the page or resource requested, the response status, and the browser's User-Agent string. We use these for security, abuse-prevention, and basic visit counts shown on a private operator dashboard. Logs are retained for roughly two weeks and then rotated out.

3. What we do not do

No user accounts — there is nothing to register, and no password database.
No analytics or tracking — no Google Analytics, no tracking pixels, no advertising or marketing trackers of any kind.
No cookies set by us — the Visitaku application sets no cookies and stores nothing in your browser's local storage (see Section 5).
No selling or renting of data — we do not sell, rent, or trade your data or content to anyone.
No card data — we never see or store it; Stripe does.

4. How we use information

To provide the service: store, display and share the tours you create.
To process payments and keep paid tours unlocked, via Stripe.
To operate and secure the service: prevent abuse, rate-limit requests, diagnose errors, and monitor capacity.
To produce aggregate, non-identifying statistics (e.g. visit counts) for ourselves as the operator.

5. Cookies and local storage

The Visitaku application does not set any cookies and does not use localStorage or sessionStorage. Two caveats, for full transparency:

Cloudflare, our network provider, may set strictly-necessary security cookies (for example to identify trusted traffic and mitigate bots). These are essential to keeping the site available.
If you play the embedded tutorial video on the home page, or are redirected to Stripe, those third parties may set their own cookies on their respective pages, under their own policies.

6. Third parties and sub-processors

We keep external services to a minimum. The services below necessarily receive your IP address when your browser connects to them, and process data on our behalf or as independent controllers:

Service	Role	What it receives
Stripe	Payments & subscriptions	Your name, email, card and billing details (entered on Stripe's pages).
Cloudflare	DNS, CDN, security proxy	All traffic to the site passes through Cloudflare, including your IP and request details. Also serves one script library (qrcode).
Hetzner	Server hosting	Hosts the application and stored tours/logs on our behalf.
Google Fonts	Web fonts	Your IP, when fonts load on our pages.
jsDelivr	Script/CSS library hosting (the tour viewer/editor)	Your IP, when those libraries load.
YouTube (nocookie)	Tutorial video embed on the home page	Your IP when the home page loads; cookies/data on playback. Served via youtube-nocookie.com.

Each operates under its own privacy policy. We do not control how these third parties process data once your browser contacts them.

7. How long we keep data

Tours that are never paid for are automatically and permanently deleted about 60 days after creation, along with their images and configuration.
The free trial for a new tour lasts 24 hours; after that a tour stays available but prompts for a subscription.
Paid tours and their associated records (Stripe customer reference, plan and purchase dates) are retained while the tour is in use, and purchase records may be kept longer where needed to meet accounting or legal obligations.
Server logs are kept for roughly two weeks.
Data held by Stripe is retained under Stripe's own policy.

8. Your tours are public

A published tour is viewable by anyone who has its link or 6-digit code; tours are not password-protected. Please do not upload anything you are not comfortable being publicly accessible.

9. Your responsibilities for uploaded content

You are responsible for the images you upload. By publishing a tour you confirm you have the right to share those images, and the necessary permission to depict any identifiable people or private property shown in them.

10. Your rights

Depending on where you live, you may have rights to access, correct, delete, or restrict the processing of your personal data, and to object to certain processing. You can:

Delete a tour's content by simply not subscribing — it is erased automatically after 60 days — or by contacting us to remove it sooner.
Manage or cancel a subscription, and access the data Stripe holds, via the Manage subscription page (Stripe's portal) or Stripe directly.
Contact us at [email protected] to exercise any of these rights.

If you are in the European Economic Area, you also have the right to lodge a complaint with your local data protection authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD, aepd.es). This policy is governed by the laws of Spain.

11. Children

Visitaku is not directed at children and is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children.

12. Security

We protect data in transit with HTTPS/TLS, route traffic through Cloudflare, and restrict administrative access to our server. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

13. International transfers

Because we use the providers listed in Section 6, your data may be processed on servers located outside your country. Where required, those providers rely on their own safeguards for such transfers.

14. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the latest version. Significant changes will be reflected on this page.

Questions about your privacy?
Email us at [email protected] and we'll help.

← Back to home