01Who we are
This service ("LOKA", "we", "us") is operated by Amphi Labs BV (in formation) — a private limited company being constituted in the Netherlands. Until the Dutch incorporation deed is signed (expected 1 July 2026), the service is operated on behalf of the company-in-formation by its founder, in line with Dutch law on the BV i.o. ("in oprichting"). Full identification of the operator behind the company-in-formation is available on written request.
For all data-protection matters: amo@amphilabs.com.
The data controller is the operator named above. We have not appointed a Data Protection Officer because the scale of processing does not meet the thresholds set out in Article 37 GDPR — but the contact above answers all data-protection requests directly.
02What data we collect
We only collect what we need to build your itinerary and run the service. In practice:
| Category | Examples | Source |
|---|---|---|
| Identification & contact | First name, email address | You — via the quiz / sign-up form |
| Travel profile | Age range, gender (optional), travel companions, destinations of interest, trip length, budget band, food preferences, activity preferences, climate preferences, Spanish-language level, country of origin | You — via the quiz |
| Transactional data | Purchase amount, currency, timestamp, last 4 digits of card, billing country | Stripe (our payment processor) — we never see full card numbers |
| Communications | Emails you send us, our replies, satisfaction-survey responses (NPS) | You |
| Technical data | IP address (truncated), browser type, device type, referrer, pages visited, timestamps | Automatically — server logs and analytics (with consent) |
We do not deliberately collect special-category data (health, religion, political opinions, biometrics). Please do not send us such data in free-text fields.
03Why we use it
- Build and deliver your travel plan — matching your answers to verified local guides, eco-stays and social enterprises, then sending you a personalised itinerary within 24 hours.
- Process your payment — via Stripe, and issue you a receipt.
- Provide customer support — answering your emails, resolving issues, handling refund requests.
- Improve the service — aggregated and pseudonymised analysis of which itineraries work, which destinations are popular, which questions confuse users.
- Send service messages — confirmations, follow-ups, NPS survey after your trip. We do not send marketing emails to people who have not opted in.
- Meet legal obligations — accounting records, tax records, responding to lawful authority requests.
- Defend our rights — establish, exercise or defend legal claims.
04Legal bases
Under Article 6 GDPR, every use of your data has a specific legal basis. Ours are:
| Activity | Legal basis |
|---|---|
| Building and delivering your travel plan; processing your payment | Contract — Article 6(1)(b). The processing is necessary to perform the service you bought. |
| Customer support; service emails | Contract — Article 6(1)(b). |
| Marketing emails, newsletters, optional analytics cookies | Consent — Article 6(1)(a). You can withdraw consent any time. |
| Tax, accounting, anti-fraud, lawful requests | Legal obligation — Article 6(1)(c). |
| Service improvement on pseudonymised data; defending legal claims | Legitimate interests — Article 6(1)(f). We balance these against your rights and you can object at any time. |
05Who we share it with
LOKA does not sell your personal data. We share it only with the service providers we need to run the service ("processors"). Each one is bound by a contract that limits what they can do with your data.
| Provider | Purpose | Location |
|---|---|---|
| Netlify, Inc. | Hosting the LOKA website and form submissions | United States (with EU sub-processors) |
| Stripe Payments Europe Ltd. | Processing card payments | Ireland (EU) — with US sub-processors |
| Google Ireland Ltd. (Google Workspace / Gmail) | Sending and receiving operational email at amo@amphilabs.com | Ireland (EU) — with US sub-processors |
| Local guides, eco-stays and partners | Only when you explicitly book or request to be contacted by them — we share your name and request, never your payment details | Mexico |
We may also share data with public authorities if required by law (tax, court order, anti-fraud).
06International transfers
Some of our processors store data in or transfer it to the United States or to Mexico. When that happens, we rely on:
- EU–US Data Privacy Framework certification (for US providers that hold it, including Netlify, Stripe and Google).
- Standard Contractual Clauses approved by the European Commission, where Data Privacy Framework coverage does not apply.
- Your explicit consent, for the specific transfer to local providers in Mexico when you book a stay or experience with them.
You can request a copy of the safeguards in place by emailing us.
07How long we keep it
| Data | Retention |
|---|---|
| Quiz answers + delivered itinerary | 3 years from purchase, then deleted or fully anonymised. Kept to support customer service and re-bookings. |
| Account email + marketing consent | Until you unsubscribe or request deletion. |
| Invoices, receipts and accounting records | 7 years (Dutch tax law / equivalent EU accounting requirements). |
| Server logs | 30 days, then deleted. |
| Support emails | 3 years after the conversation closes. |
08Your rights
Under GDPR you have the right to:
- Access — get a copy of the data we hold about you.
- Rectification — correct anything that is wrong.
- Erasure ("right to be forgotten") — ask us to delete your data, subject to our legal retention obligations.
- Restriction — ask us to pause processing while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format.
- Object — to processing based on legitimate interests, and to marketing at any time.
- Withdraw consent — at any time, for anything you previously consented to. Withdrawal does not affect processing already carried out.
- Lodge a complaint — with the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), as the supervisory authority of our seat, or with the data-protection authority in your EU country of residence.
To exercise any right, email amo@amphilabs.com. We respond within one month (extendable by two months for complex requests, with notice).
09Security
We protect your data with HTTPS encryption in transit, encrypted storage with our processors, access controls limited to the operator, and a documented incident response process. In the event of a personal data breach likely to result in a high risk to your rights, we will notify both our lead supervisory authority (the Dutch Autoriteit Persoonsgegevens, within 72 hours of becoming aware) and you, in line with Articles 33–34 GDPR.
10Children
LOKA is not aimed at people under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
11Changes to this policy
We may update this policy as the service evolves or to reflect legal changes. The "Last updated" date at the top of the page always reflects the current version. Material changes will also be notified by email to active customers.
12Contact
Questions, requests, or complaints — please write to amo@amphilabs.com.