Privacy Policy

Effective: 26 April 2026 · Last reviewed: 26 April 2026 · Note: This is a comprehensive draft. It still requires review by qualified counsel before publication for paid traffic. Recommended generators for the final version: Termly, iubenda, or Cookiebot.

Who we are

Facts From Upstairs (“FFU”, “we”, “our”) operates factsfromupstairs.com (the “Site”), a publisher of magazine-quality travel guides. The Site is operated from Canada. For the purposes of Canadian privacy law (PIPEDA), we act as the controller of any personal data we collect.

What we collect

We collect different categories of information depending on how you interact with the Site.

Information you provide directly

• Email address — when you subscribe to the FFU Editorial Letter or submit a Custom Guide request.
• Trip details — when you fill out the Plan a Trip or Custom Guide forms (destination, dates, free-text notes about your trip style).
• Correspondence — if you email us, we store the message and your email address to respond and for our records.

Information collected automatically

• Standard server logs — IP address (truncated/hashed), browser user-agent, referrer, request path, timestamp.
• Cookies and similar technologies — see Cookies section below.
• Analytics — aggregate, non-identifying usage metrics (page views, time on page, clicks).

Information from third parties

If you click an affiliate link to a partner (Booking.com, World Nomads, Airalo, KiwiTaxi, Viator, etc.), the partner may notify us that a referral or transaction occurred. We do not receive your name, email, payment, or contact details from these partners.

How we use your data

• To deliver the Custom Guide or other content you specifically requested.
• To send the FFU Editorial Letter (only with your opt-in consent), and let you unsubscribe at any time via the link in every email.
• To improve the Site — understand which guides are useful, fix broken links, prioritise editorial work.
• To respond to correspondence, complaints, and legal requests.
• To detect and prevent fraud, spam, and abuse.

We do not sell, rent, or trade your personal data. We do not use your data for automated decision-making with significant effects on you.

Legal bases (GDPR/UK GDPR for EEA/UK visitors)

• Consent — for newsletter subscriptions and non-essential cookies.
• Contract — to deliver Custom Guides you have requested.
• Legitimate interests — for security, fraud prevention, anonymous analytics, and improving the Site (we balance these against your rights and you may object).
• Legal obligation — where the law requires us to retain or disclose data.

Third-party processors

We share necessary information with the following processors who handle data on our behalf under written agreements:

• Hosting — GoDaddy Managed WordPress (servers, backups).
• Email service provider — for newsletter delivery and Custom Guide emails (provider being onboarded; will be disclosed in this section once live).
• AI providers — Anthropic (Claude) for editorial assistance and Custom Guide generation.
• Voice synthesis — ElevenLabs (powers the optional “Alex” on-site voice widget).
• Image generation — Higgsfield (used by editors only, never with personal data).
• Affiliate networks — Booking.com, World Nomads, Airalo, KiwiTaxi, Viator, and others. Cookies set by these networks when you click their links are governed by their own policies.

Cookies

We use functional cookies (required for site features such as the search modal and chat widget), optional analytics cookies (with your consent), and third-party affiliate cookies (set when you click an affiliate link). You can refuse non-essential cookies through your browser settings or the on-site cookie banner (when published).

International transfers

Some of our processors are located outside Canada and the EEA (notably the United States). When we transfer your data internationally, we rely on Standard Contractual Clauses, adequacy decisions, or your explicit consent, as applicable.

Data retention

• Newsletter subscribers: until you unsubscribe.
• Custom Guide requesters: 12 months after the guide is delivered, then anonymised or deleted.
• Server logs: 30 days.
• Correspondence: up to 2 years for legal and complaint-handling purposes.

Your rights

Depending on your jurisdiction, you have rights to: access your data, request correction, request deletion (“right to be forgotten”), object to processing, withdraw consent, request data portability, and lodge a complaint with your data protection authority. To exercise any of these rights, email privacy@factsfromupstairs.com. We respond within 30 days.

For California residents (CCPA/CPRA)

You have the right to know what categories of personal information we collect, request deletion, opt out of sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising), and not be discriminated against for exercising your rights. We retain personal information only for the periods stated above. To exercise these rights, email privacy@factsfromupstairs.com.

Children

The Site is not directed at children under 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided information, contact us and we will delete it.

Security

We use industry-standard safeguards (HTTPS, hashed credentials, restricted access controls, regular backups). No internet-connected system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify affected users and the relevant authorities as required by law.

Changes

We may update this policy. Material changes will be highlighted on this page and (where appropriate) emailed to subscribers. The “Last reviewed” date at the top reflects the most recent update.

Contact

Privacy inquiries: privacy@factsfromupstairs.com.
General contact: /contact/.