Privacy Policy

Amanda Solutions is a software-as-a-service platform for tour operators, operated by Amanda Solutions, a company organized under the laws of Costa Rica. You can reach us at privacy@amandasolutions.com.

This policy covers the website at amandasolutions.com and the app at any subdomain ending in .amandasolutions.com.

• To provide the Service: we can't run your workspace without storing your data in it.
• To bill you: for paid plans, we need billing information to charge your card.
• To communicate with you: product updates, security alerts, billing notices, price change notices, and support replies.
• To improve the product: aggregated, anonymized usage data helps us understand which features matter.
• To keep the service secure: we use logs to detect and respond to abuse, fraud, or security incidents.
• To comply with the law: when legally required (tax records, court orders).

We do not sell your personal data. We do not use your Customer Data to train machine learning models except for features you explicitly opt into (like the AI assistant on the Scale plan).

Depending on your jurisdiction, we rely on one of the following legal bases to process your personal data:

• Performance of a contract — to deliver the Service you signed up for.
• Legitimate interest — to improve the product, prevent abuse, and keep the Service secure.
• Legal obligation — when the law requires us to retain or disclose data.
• Consent — for optional marketing communications and cookies that are not strictly necessary.

We share data only with the subprocessors needed to run the Service. Each one is contractually bound to protect your data and use it only for the purposes we instruct.

• Supabase Inc. (United States) — hosts your database, handles authentication, stores uploaded files.
• Vercel Inc. (United States) — hosts the application and serves static assets from a global CDN.
• Google LLC (Global) — provides Maps and location services when you use address lookup or route planning.
• Anthropic PBC (United States) — powers the in-app AI assistant on Scale plans. Only the specific queries you send to the assistant are forwarded; your broader workspace data is not.

We do not share your personal data with advertisers, data brokers, or analytics companies that build cross-site profiles.

We will provide at least 30 days' notice before adding or replacing a subprocessor. If you object, you can terminate your subscription and receive a pro-rata refund of any unused prepaid annual cycle.

Amanda Solutions is based in Costa Rica, and our primary infrastructure (Supabase, Vercel) is hosted in the United States. By using the Service, you acknowledge that your data will be transferred to and processed in the United States and other countries where our subprocessors operate.

We implement appropriate safeguards for international data transfers, including standard contractual clauses with our subprocessors where applicable.

We use a small number of cookies and local storage keys:

• Authentication cookies — to keep you logged in. Strictly necessary.
• Session cookies — to remember your preferences during a session. Strictly necessary.
• Local storage drafts — autosaves unsaved form data so you don't lose work if your browser crashes. Stored in your browser only, never sent to us.

We do not use advertising cookies, third-party analytics cookies, or cross-site tracking pixels. Since our cookies are strictly necessary for the Service to function, we do not show a consent banner.

• Active workspaces: we keep your data as long as your Account is active.
• After cancellation: read-only for 14 days, then permanently deleted 30 days after termination (including all backups).
• Billing records: retained for the period required by Costa Rican tax law (currently 5 years).
• Support communications: retained for up to 3 years so we can reference past conversations if you come back with a follow-up.
• Security logs: retained for up to 1 year for incident investigation.

Depending on where you live (Costa Rica Ley 8968, GDPR in the EU, LGPD in Brazil, CCPA in California), you may have the following rights:

• Access — ask for a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — ask us to delete your personal data (subject to legal retention requirements).
• Portability — ask for your data in a machine-readable format.
• Restriction — ask us to pause processing while you contest something.
• Objection — object to processing based on legitimate interest.
• Withdraw consent — for anything you opted into.
• Lodge a complaint — with your local data protection authority.

To exercise any of these rights, email privacy@amandasolutions.com. We will respond within 30 days. We will verify your identity before acting on a request.

• Row-level security on every database, enforced at the Postgres level.
• TLS 1.2+ encryption for all data in transit.
• Encryption at rest for databases and file storage.
• Access controls limiting engineering access to production systems.
• Daily backups with 7-day retention (14-day point-in-time recovery on Scale).
• Regular review of our subprocessors' security posture.

No system is perfectly secure. In the event of a breach affecting your personal data, we will notify you without undue delay — within 72 hours of becoming aware of the incident.

The Service is for business use and is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, email us and we will delete it.

We may update this Privacy Policy from time to time. For material changes, we will notify you by email and post a notice in the Service at least 30 days before the change takes effect. The “Last updated” date at the top of this page always reflects the most recent version.

Questions? Concerns? Data access requests?

Email: privacy@amandasolutions.com
Postal: Amanda Solutions, San José, Costa Rica