1. Who we are
Kaia (kaia.cr) is Costa Rica's travel marketplace, operated by Papagayo Studio, domiciled in Costa Rica. Papagayo Studio is the controller of your personal data under Costa Rica's Law on the Protection of Individuals regarding the Processing of their Personal Data (Law No. 8968) and its regulations.
Kaia connects travelers with independent tour operators. We don't run tours of our own: we're the intermediary that makes it possible to search, book, and pay in one place. That defines which data we need and why.
2. What information we collect
- Account data. Your name, email address, and preferred language. Your password is stored only as an encrypted hash managed by Supabase Auth — we never see it in plain text. If you sign in with Google, Apple, or Microsoft, the provider shares your name, email, and basic profile photo; we never receive your password for those services.
- Booking data. The experience requested, date, party size (adults and children), amounts, booking code, and the booking's status history (request, confirmation, payment, completed, reviewed).
- Payment data. Card, Apple Pay, Google Pay, and PayPal payments are processed by Stripe; crypto payments are processed by MoonPay. Kaia never sees or stores your full card number or your private keys — we receive only the payment confirmation, the method used, the last digits where applicable, and the amounts. When we enable SINPE Móvil, we will also process the phone number tied to the transfer.
- Operator data. To verify marketplace operators we collect business details, identity documents, ICT certification where applicable, and the bank or SINPE details needed to send payouts. This data is used exclusively for verification, running the marketplace, and the legal obligations that come with it.
- Reviews. The content and rating you leave after completing an experience. Reviews are tied to a completed, paid booking — that's how we guarantee they're real — and are shown publicly alongside your name.
- Technical data. IP address, browser type, and basic device data, logged by our infrastructure (Cloudflare) to serve the site, protect it from abuse, and diagnose errors.
- Device preferences. We keep interface preferences in your browser's local storage (localStorage) — for example, whether you muted the homepage audio. That information never leaves your browser.
3. How we use your information
We use your data only to:
- Run the marketplace: create your account, manage your booking requests, process payments, and coordinate confirmation with the operator.
- Verify operators and sustain the marketplace's trust layer (identity verification, the ICT badge, verified reviews).
- Hold payments in escrow: keep the amount paid until the experience is completed, then release it to the operator.
- Contact you for transactional reasons: confirmations, booking status changes, refunds, and support.
- Generate AI-assisted recommendations and itineraries (planned feature, built on Anthropic's Claude API). When it goes live, we will send the model only the information needed for the recommendation; we don't use your data to train models.
- Prevent fraud and protect the platform.
- Meet Costa Rican legal obligations, including electronic invoicing of the marketplace's commissions with the Ministry of Finance (Ministerio de Hacienda).
We do not sell your personal data to third parties. We do not send third-party advertising.
4. Cookies and local storage
Kaia uses a deliberately small set of mechanisms in your browser:
- Session cookies (essential). Supabase Auth sets cookies to keep you securely signed in. Without them you can't book or see your bookings.
- localStorage (preferences). Interface preferences such as muting the homepage audio.
We use no advertising cookies and no third-party tracking pixels today. If that ever changes, we'll update this policy and tell you first.
5. Third-party services
To operate, Kaia relies on providers that process data on our behalf. Each has its own privacy policy:
- Supabase. Authentication and database. Hosts your account data, bookings, itineraries, and reviews, including Google, Apple, and Microsoft sign-ins (OAuth).
- Stripe. Card, Apple Pay, Google Pay, and PayPal payment processing. Stripe receives your card details directly; Kaia never stores them.
- MoonPay. Crypto payment processing. MoonPay may run its own identity verification (KYC) under its own policy.
- Cloudflare. Hosting and content delivery network (CDN). Processes site traffic, including IP addresses, to serve pages and mitigate attacks.
- Google Maps. Zone, route, and transfer-time calculations between the experiences in your itinerary. We work with the experiences' coordinates; we don't share your personal location unless you enter it yourself.
- Anthropic (planned). Claude API for smart recommendations and itineraries. When it goes live, we'll send only the minimum context needed.
- SINPE Móvil (planned). Local transfer payments through the Costa Rican banking system, subject to BCCR and SUGEF regulations.
6. Data retention
We keep your account data for as long as your account exists. Booking, payment, and invoicing records are kept for the periods required by Costa Rican tax and accounting law, even if you close your account. Operator verification data is kept while the operator is active on the marketplace and for the legally required period afterward.
You can request deletion of your account and of any data we are not legally required to keep by writing to hola@kaia.cr.
7. Security
We protect your data with encryption in transit (TLS), row-level access control in the database (each user can only read their own records), hashed password storage, and restricted team access. Payment data lives in Stripe's and MoonPay's certified systems, not in ours.
Said honestly: no method of internet transmission or electronic storage is 100% secure. We commit to notifying you without undue delay if an incident affecting your data ever occurs.
8. Your rights (Law 8968)
Under Law 8968 and its regulations, you have the right to access your personal data, rectify it, update it, request its deletion, and revoke any consent you have given us. To exercise any of these rights, write to hola@kaia.cr and we'll respond within the legal deadlines.
If you believe we are not handling your data lawfully, you can also file a complaint with the Agencia de Protección de Datos de los Habitantes (PRODHAB), Costa Rica's data protection authority.
9. International transfers
Our providers (Supabase, Stripe, MoonPay, Cloudflare, Google, and — once live — Anthropic) process data on servers located outside Costa Rica, mainly in the United States and the European Union. We require these providers to give contractual data-protection guarantees equivalent to those offered by this policy.
10. Minors
Kaia is a service for people 18 and older. Bookings that include minors are always managed by a responsible adult; the only thing we process about a minor is the head count declared in the booking — we never create profiles of minors.
11. Changes to this policy
We may update this policy as the product or the law changes — for example, when SINPE Móvil or the AI features go live. The last-updated date always appears at the top. If a change is substantial, we'll notify you by email or inside the platform before it takes effect.
12. Contact
Controller: Papagayo Studio — Kaia
Email: hola@kaia.cr
Costa Rica · kaia.cr
You can also reach us through the contact page.