This Privacy Policy explains how Tourismo LLC (operating the GMC Shield service, the “Company”, “we”, “us”, “our”) collects, uses, shares, and protects your personal information when you visit gmc-shield.com or use the GMC Shield service (the “Service”).
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
For the purposes of the EU General Data Protection Regulation (“GDPR”) and the UK GDPR, the controller of your personal information is:
- Tourismo LLC, a New Mexico limited liability company;
- 2105 Vista Oeste NW, Suite E #3758, Albuquerque, NM 87120, USA;
- Business registration number: 0008010424;
- Contact for privacy matters: contact@gmc-shield.com.
2. Personal Information We Collect
We design the Service to operate on a minimal-data basis. Depending on how you interact with us, we collect or process the following categories of personal information:
- Contact details — the email address you provide when you request an audit. We use it to deliver the audit report and the appeal letter, and to send transactional notifications. Optionally, a billing address if provided through the Stripe checkout for tax purposes.
- Submitted URL and merchant context — the public URL of the storefront you ask us to audit, the optional answers to our 4-question pre-audit questionnaire (suspension status, CMS, market context).
- Audit content — the public HTML and metadata of the storefront pages fetched by our crawler, the AI agent verdicts, the findings, the risk score, and the generated appeal letter. We retain these to allow you to access your report, to grant you the free re-scan within 30 days, and for Service quality monitoring.
- Payment information — payment is handled by Stripe. We do not store your full payment card details. We retain a Stripe transaction identifier, the amount, the currency, and the date for accounting and refund purposes.
- Technical data — when you visit the Site, our hosting provider (Cloudflare) collects standard server logs that may include your IP address, browser identifiers, and pages visited, for security and anti-abuse purposes.
- Communications with us — the content of emails you send to contact@gmc-shield.com.
We do not collect special category data (e.g. health, religion, political opinions). We do not knowingly collect data from minors.
3. Sources of Personal Information
- Directly from you when you submit a URL, provide your email, fill the merchant-context modal, complete a Stripe checkout, or contact us;
- From the public storefront URL you submit — our crawler fetches the publicly accessible HTML of that URL;
- From public databases — for the Forensic Crawler agent, we query the public RDAP / WHOIS records of the domain (operated by rdap.org and the IANA registries);
- Automatically through the Service — server logs collected by our hosting providers.
4. How We Use Your Personal Information
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the Audit, deliver the report and the appeal letter to your email. | Performance of a contract. |
| Process payments and issue refunds. | Performance of a contract; legal obligation. |
| Grant you the 30-day free re-scan and respond to support requests. | Performance of a contract. |
| Improve the Service quality (e.g. fine-tune prompts, debug crawlers). We do this with aggregated or de-identified data whenever possible. | Legitimate interest in operating and improving the Service. |
| Security, fraud prevention, and protection of our infrastructure. | Legitimate interest. |
| Comply with applicable law and respond to lawful requests. | Legal obligation. |
| Send service-related transactional emails (receipts, report delivery). | Performance of a contract. |
We do not use your personal information for behavioral advertising. We do not sell your personal information. We do not use your data to train our AI models.
5. Automated Decision-Making
The Service uses artificial intelligence to produce an automated risk score and an automated appeal letter. These Outputs are informational only and do not produce legal effects concerning you or significantly affect you within the meaning of GDPR Article 22; they are designed to support — not replace — your own decision-making and your own communication with Google. You remain free to disregard, edit, or contest any element of the report.
6. Sub-Processors and Disclosure of Personal Information
We share your personal information only with the carefully selected service providers (the “Sub-processors”) listed below, who process it on our behalf strictly to enable the operation of the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Site hosting, DNS, Workers runtime, CDN, security/anti-DDoS. | United States (with global edge nodes) |
| Supabase, Inc. | Database storing audits, Edge Functions running the scan and webhooks. | European Union (Frankfurt, Germany) |
| Stripe, Inc. | Payment processing and PCI-compliant card storage. | United States & European Union |
| Resend, Inc. | Transactional email delivery (audit reports, receipts). | European Union (Ireland, eu-west-1) |
| OpenRouter | Routing AI inference requests to Anthropic. | United States |
| Anthropic PBC | Large language model inference for the AI agents. | United States |
| Browserless | Optional dynamic rendering of single-page storefronts. | European Union |
| rdap.org | Public WHOIS / RDAP lookups (no personal data sent). | Public registry infrastructure |
We may also disclose personal information when required by law, to respond to lawful requests from public authorities, to enforce our Terms of Service, to protect our rights, or in connection with a business transaction (e.g. merger, acquisition, or sale of assets), in which case we will notify you and ensure that the new entity is bound by privacy commitments at least as protective as this Policy.
7. International Transfers
Some of our Sub-processors are located outside the European Economic Area (“EEA”) or the United Kingdom, in particular in the United States. When we transfer personal information out of the EEA or the UK, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, and the UK International Data Transfer Addendum where applicable;
- Supplementary technical measures such as encryption in transit (TLS) and at rest;
- Vendor due-diligence and contractual obligations imposed on each Sub-processor.
8. Retention
We retain personal information only as long as necessary for the purposes set out above:
- Audit data (URL, findings, report, appeal letter): retained for twelve (12) months after the date of purchase, then anonymized or deleted unless you specifically request retention.
- Email address and Stripe identifier: retained for the duration of the commercial relationship, plus the statutory retention period applicable in New Mexico for accounting records (typically ten years).
- Support communications: retained for up to three (3) years from the last interaction.
- Server logs: retained by Cloudflare per its data retention policy, typically a few days to a few weeks.
9. Security
We implement reasonable technical and organizational security measures designed to protect your personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include encryption in transit (HTTPS / TLS), encryption at rest (AES-256 in our Supabase database provider), the principle of least privilege for credentials, and the use of managed secrets stored in vendor-side keystores. No security measure is, however, perfect; we cannot guarantee absolute security.
10. Your Rights
Depending on where you reside, you may have some or all of the following rights in relation to your personal information. These rights are subject to legal exceptions and limitations.
- Right of access — request a copy of the personal information we hold about you;
- Right to rectification — request that we correct inaccurate or incomplete information;
- Right to erasure — request that we delete your personal information;
- Right to restriction — request that we restrict our processing of your personal information;
- Right to data portability — receive a structured, machine-readable copy of your data, or have it transmitted to another controller;
- Right to object — object to our processing of your personal information for legitimate-interest purposes;
- Right to withdraw consent — where we rely on your consent, withdraw it at any time without affecting the lawfulness of prior processing;
- Right not to be subject to a solely automated decision with legal effects — note that, as stated in Section 5, our AI Outputs are informational only and do not produce such effects;
- Right to lodge a complaint with a supervisory authority — see Section 13.
California residents (CCPA / CPRA): you have the right to know what categories of personal information we collect, the right to delete, the right to correct, the right to opt out of any “sale” or “sharing” of your personal information, and the right to limit the use of sensitive personal information. We do not sell or share your personal information for cross-context behavioral advertising.
To exercise any of these rights, contact us at contact@gmc-shield.com. We may need to verify your identity before fulfilling your request. We will respond within the time limits required by applicable law (typically one month under GDPR, forty-five days under CCPA).
11. Cookies and Similar Technologies
We use a minimal number of cookies and similar technologies, almost exclusively strictly necessary ones. See our Cookie Policy for the full list and how to manage them.
12. Children
The Service is not directed to individuals under the age of 18 and we do not knowingly collect personal information from minors. If you are a parent or legal guardian and believe your child has provided us with personal information, contact us at contact@gmc-shield.com and we will delete that information.
13. Complaints
If you believe we have not handled your personal information in accordance with this Policy or applicable law, please contact us first at contact@gmc-shield.com. You also have the right to lodge a complaint with the supervisory authority of your country of residence.
In the European Economic Area, you can find the list of national data protection authorities at edpb.europa.eu. In the United Kingdom, the competent authority is the Information Commissioner's Office ( ico.org.uk).
14. Third-Party Websites
The Service may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to read their privacy policies before providing them with personal information.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our practices or for legal or regulatory reasons. We will post the revised version on this page, update the “Last updated” date, and, where the change is material, provide additional notice (such as an email).
16. Contact
For any question regarding this Privacy Policy or the processing of your personal information, please contact us at:
Tourismo LLC
2105 Vista Oeste NW, Suite E #3758
Albuquerque, NM 87120, USA
Email: contact@gmc-shield.com