Privacy Policy

How Tourist SOS collects, uses, shares, and protects your information — including how SOSA, our AI assistant, processes the conversations and data that flow through our platform.

Last updated: May 15, 2026

About SOSA — Our AI Assistant

Most interactions with Tourist SOS go through SOSA, our AI assistant. Conversations with SOSA are stored, used to deliver our services, and may be used to improve and refine the underlying AI models. The data flow is described in detail in Sections 2.4, 3.3, and 4.4. Your rights — including the right to access or delete this data — are described in Section 8.

1 Introduction

Tourist SOS, Inc. (“Tourist SOS,” “Company,” “we,” “us,” or “our”), a Nevada corporation with its principal office at 401 Ryland Street, Ste 200A, Reno, NV 89502, USA, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, retain, and safeguard your information when you access or use our coordination platform — anchored by SOSA, our AI assistant — and our four customer-facing surfaces: SOS Travel, SOS Pro, SOS Safe, and our internal Command Center (collectively, our “Services”).

Our Services connect travelers with vetted healthcare providers, hotels, and insurers across multiple jurisdictions. Our current operational footprint includes countries in Southeast Asia, with continued expansion. Because tourist medical emergencies inherently cross borders, your information may move between the country you are traveling in, your country of residence, the country of the providers and partners assisting you, and the jurisdictions where our infrastructure operates.

By accessing, downloading, or using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree, please discontinue use of our Services.

This Privacy Policy is incorporated into and forms part of our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.

2 Information We Collect

2.1 Personal Information

We collect personal information that you voluntarily provide to us:

Identity Information

  • Full name and contact information
  • Date of birth and nationality
  • Passport and identification numbers
  • Emergency contact details

Contact Information

  • Email address and phone numbers
  • Mailing address and location data
  • Preferred communication methods
  • Language preferences

Travel Information

  • Travel itineraries and accommodation details
  • Transportation information
  • Travel insurance details
  • Destination preferences

Health Information

  • Medical conditions and allergies
  • Medications
  • Healthcare provider preferences
  • Insurance and payment information

Payment Information

  • Credit and debit card information
  • Billing addresses and payment history
  • Financial account details
  • Transaction records

Account Information

  • Username, password, profile preferences
  • Account settings and notification preferences
  • Service usage history
  • Support interactions

2.2 Location and Usage Information

We automatically collect certain information when you use our Services:

  • Device data: IP address, browser type, device identifiers, operating system
  • Location data: GPS coordinates, Wi-Fi access points, cell tower information (used to route emergency response and find nearby providers)
  • Usage data: Pages visited, features used, time spent, click patterns
  • Communication data: Messages sent through our platform, call logs, support interactions
  • Cookies and similar technologies: Session data, preferences, analytics information (see Section 10)

2.3 Third-Party Information

We may receive information about you from third parties:

  • Healthcare providers and medical facilities in our network
  • Hotels, resorts, and tour operators using SOS Safe
  • Insurance companies and third-party administrators (TPAs)
  • Travel booking platforms and accommodation providers
  • Payment processors and financial institutions
  • Analytics providers and infrastructure partners
  • Embassy and consular services (in emergency situations)
  • Local emergency responders coordinated through our network

2.4 SOSA Conversation Data

When you interact with SOSA — whether through our website chat, mobile apps, or any other surface where SOSA is integrated — we collect and store:

  • Messages you send: Text input, voice transcripts (if voice features are used), and any attachments or photos shared with SOSA
  • SOSA's responses: The conversational outputs generated by SOSA in reply to your messages
  • Inferred metadata: Detected language, sentiment, urgency, and triage category derived from the conversation
  • Structured records: Case summaries, provider matches, and insurance verification artifacts that SOSA produces from your conversation
  • Session metadata: Timestamps, session identifiers, device context, and location at the time of the interaction

Conversation data is the operational backbone of every case we coordinate. It is necessary to deliver the service, and it is also one of the inputs to AI model improvement (see Section 3.3). Your rights with respect to this data are described in Section 8.

3 How We Use Your Information

We use your information for the following purposes:

3.1 Core Services

  • Healthcare coordination: Connect you with vetted healthcare providers, facilitate medical appointments, coordinate emergency medical care
  • Travel support: Provide assistance, coordinate with local responders and (where appropriate) embassies and consulates
  • Emergency response: Coordinate non-immediate emergency services, facilitate medical evacuations when necessary
  • Payment processing: Process payments, manage billing, handle insurance claims and guarantees of payment
  • Case and patient management: Maintain case records, track treatment history, coordinate follow-up care
  • Communication: Facilitate communication between travelers, providers, hospitality operators, insurers, and our internal ops team

3.2 Digital Operations

  • Account management: Create and maintain user accounts, authenticate users, manage preferences
  • Service improvement: Analyze usage patterns, conduct research, develop new features
  • Communications: Send service notifications, provide customer support, deliver important updates
  • Security and compliance: Detect and prevent fraud, ensure regulatory compliance, maintain data security
  • Legal compliance: Comply with applicable laws, respond to lawful requests, protect our rights
  • Business operations: Manage partnerships, conduct business analysis, support corporate functions

3.3 AI Model Training and Improvement

SOSA improves with use. We use SOSA conversation data and operational records (see Section 2.4) to:

  • Evaluate response quality, accuracy, and safety
  • Train, fine-tune, and refine the AI models that power SOSA
  • Identify failure modes, edge cases, and patterns of misuse
  • Improve provider matching, language handling, triage accuracy, and case routing
  • Build and maintain evaluation datasets and benchmarks

What we do not do:

  • We do not sell your conversation data or train models for other companies
  • We do not use your data to target you with third-party advertising
  • We do not use voluntary medical information for secondary purposes unrelated to your care or service improvement

You may request that your conversation data be deleted from our active systems at any time (see Section 8). Note that data already incorporated into model weights generally cannot be fully extracted from a trained model — this is a known limitation of current AI technology and we will be transparent about what is and is not technically possible.

4 How We Share Your Information

4.1 Healthcare and Emergency Services

  • Medical providers: We share relevant medical information with clinics, hospitals, and transport operators in our network to facilitate your care
  • Emergency services: We coordinate with local emergency services and emergency medical transport providers
  • Hospitality operators: Where you are staying at a hotel or resort using SOS Safe, we may share necessary information with that operator to coordinate your incident
  • Insurance providers and TPAs: We share information necessary for insurance verification, guarantee-of-payment workflows, and claims processing

4.2 Government and Regulatory Bodies

  • Embassies and consulates: In serious emergencies, we may coordinate with the embassy or consulate of your country of residence
  • Lawful requests: We share information with government agencies and law enforcement only in response to valid legal process or as otherwise required by applicable law
  • Regulatory compliance: Where required, we share information to comply with healthcare regulations, data-protection laws, and reporting obligations in the jurisdictions where we operate

We do not voluntarily share user data with government agencies for surveillance or intelligence purposes.

4.3 Service Providers and Partners

  • Cloud and infrastructure providers: AWS, Vercel, Supabase, and comparable infrastructure used to host and operate our Services
  • Communication tools: Email, SMS, and notification providers used to deliver service messages
  • Payment processors: Financial institutions and payment-processing services
  • Analytics: Privacy-respecting analytics providers used to understand product usage in aggregate
  • Professional services: Legal advisors, auditors, and consultants bound by confidentiality

All service providers operate under written contracts that limit their use of your information to the purposes for which we engage them.

4.4 Third-Party AI Providers

SOSA is built on a combination of proprietary systems and third-party AI services, including:

  • Large language model providers (for conversation, reasoning, and generation)
  • Speech recognition and synthesis providers (where voice features are used)
  • Translation services (for our multilingual support)
  • Embedding and search providers (for matching providers and cases)

These providers process your data on our behalf as data processors under our instructions, governed by data processing agreements (DPAs). They are not permitted to use your data to train their own foundation models for general use, nor to use it for any purpose beyond delivering the contracted service to us.

The specific list of providers may change as we improve the platform. A current list is available on request from our Data Protection contact (see Section 12).

We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes. All third-party data sharing is limited to what is strictly necessary to deliver our Services or as required by applicable law.

5 Data Security and Protection

We implement administrative, technical, and physical security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

5.1 Technical Safeguards

  • Encryption: Encryption in transit (TLS) and at rest for personal and health data
  • Access controls: Multi-factor authentication, role-based access, regular access reviews
  • Network security: Firewalls, intrusion detection, hardened network configuration
  • Backup and recovery: Automated backups, disaster recovery testing
  • Row-level data isolation: Database-level controls so each user's data is logically isolated

5.2 Organizational Safeguards

  • Staff training: Privacy and security training, confidentiality agreements
  • Policies and procedures: Documented data-protection policies and incident-response procedures
  • Vendor management: Due diligence on processors, contractual data-protection requirements
  • Compliance monitoring: Internal reviews and (where applicable) third-party audits

Important Notice: While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is completely secure. In the event of a data breach affecting your personal information, we will notify you and applicable regulatory authorities as required by law — typically within 72 hours of discovery for breaches affecting EEA residents.

6 Data Retention

We retain personal information only for as long as necessary to deliver our Services, comply with our legal obligations, resolve disputes, and enforce our agreements.

  • Account data: Retained for the duration of your account, plus 30 days after a deletion request to allow for reversal
  • Medical and case records: Retained for the minimum period required by applicable law in the jurisdiction where care was delivered (typically 5–10 years)
  • SOSA conversation logs: Active conversation logs retained for up to 24 months for service quality and AI improvement, then anonymized or deleted unless retention is required by law
  • Transaction and billing records: Retained for 7 years for tax and regulatory compliance
  • Usage analytics: Aggregated and anonymized after 24 months
  • Backups: Standard backups are retained on a 30–90 day rotation; deletion requests propagate to backups in the next regular cycle

Where data has been incorporated into trained AI models, we follow current best practices for handling deletion requests; however, the technical reality is that information embedded in model weights cannot always be perfectly extracted. We will explain what is and is not possible when you submit a request.

7 International Data Transfers

Tourist medical emergencies are inherently cross-border. By using our Services you acknowledge that your information may be transferred to, processed in, and stored in jurisdictions outside your country of residence — including the United States and the countries in Southeast Asia where we operate.

For users in the EEA, UK, or Switzerland

Where we transfer your personal data outside the EEA, UK, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, we rely on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) where applicable
  • Supplementary safeguards based on transfer impact assessments

For users in Southeast Asia

We endeavor to comply with local data-protection laws in the jurisdictions where we operate, including:

  • Singapore PDPA
  • Thailand PDPA
  • Indonesia PDP Law
  • Vietnam Personal Data Protection Decree
  • Comparable local regimes in other regional markets

Where local law provides additional rights (for example, the right to data localization), those rights apply alongside the rights described in Section 8.

8 Your Privacy Rights

8.1 Universal Rights

Regardless of your jurisdiction, you have the following rights with respect to your personal information:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data (subject to legal retention obligations)
  • Portability: Request your data in a structured, machine-readable format
  • Objection and restriction: Object to or restrict certain types of processing
  • Withdraw consent: Where processing is based on consent, withdraw that consent at any time

8.2 AI-Specific Rights

  • Human review: You have the right to request human review of any material decision that has been substantially driven by SOSA's automated outputs
  • Conversation deletion: You can request deletion of your stored conversation logs at any time, subject to operational and legal retention rules
  • Information about AI processing: You can request meaningful information about the logic involved in any AI-driven decisions affecting you
  • Opt-out from training use: Where technically feasible, you can request that your future conversations not be used to train or refine our AI models; this may degrade certain personalized features

8.3 Jurisdiction-Specific Rights

EEA / UK (GDPR)

  • All universal rights above
  • Right to lodge a complaint with your supervisory authority
  • Right against solely automated decision-making (Art. 22)

California (CCPA / CPRA)

  • Right to know, delete, and correct
  • Right to opt out of sale or sharing (we do not sell)
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising your rights

Brazil (LGPD)

  • Equivalent rights to those described above
  • Right to information about public and private entities with whom data has been shared

Other jurisdictions

  • Local data-protection law applies in your jurisdiction
  • We will honor any additional rights provided by local law

8.4 How to Exercise Your Rights

To exercise any of these rights, contact us at johnny@tourist-sos.com. We will acknowledge your request within 5 business days and respond substantively within 30 calendar days. We may need to verify your identity before processing the request. There is no fee for reasonable requests; we may charge a reasonable fee for excessive or repetitive requests as permitted by law.

9 Children's Privacy

Our Services are not directed to children under the age of 13 (or under 16 in the EEA and comparable jurisdictions). We do not knowingly collect personal information from children for marketing or general account creation purposes.

In emergency situations, we may receive and process information about minors when they are the patient and a parent, guardian, or authorized adult is coordinating their care through our platform. This processing is limited to what is necessary to facilitate the emergency response and is governed by the same protections that apply to all health data on the platform.

If you are a parent or guardian and believe a child has provided personal information through our Services without appropriate authorization, contact johnny@tourist-sos.com and we will take prompt steps to delete that information.

10 Cookies and Tracking

We use cookies and similar technologies to operate, secure, and improve our website and applications. Where required by law, we obtain consent for non-essential cookies via a consent banner.

Strictly Necessary

Required for the site to function — authentication, security, load balancing, and session management. These cannot be disabled.

Functional

Remember preferences such as language, theme, and accessibility settings. Disabling these may affect your experience.

Analytics

Help us understand how the platform is used in aggregate. We use privacy-respecting analytics (Google Analytics with IP anonymization). Optional and may be disabled.

You can manage cookies via your browser settings. We honor “Do Not Track” browser signals and Global Privacy Control (GPC) signals by treating them as opt-out requests where applicable law requires it.

11 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • Notice: Material changes will be communicated via email or in-app notification at least 30 days before they take effect
  • Effective date: The “Last updated” date at the top of this Policy will be revised
  • Version control: The most current version will always be posted at this URL; previous versions are available on request
  • Continued use: Your continued use of our Services after the effective date constitutes acceptance of the updated Policy

If you object to changes, you may discontinue use of our Services and request deletion of your account and data prior to the effective date.

12 Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection team:

  • Email: johnny@tourist-sos.com (for all privacy inquiries)
  • Phone: +1 619 865 0445 (business hours support)
  • Mailing Address: Tourist SOS, Inc., 401 Ryland Street, Ste 200A, Reno, NV 89502, USA

Response Timeline

We acknowledge privacy-related inquiries within 5 business days and provide a substantive response within 30 calendar days. If additional time is needed, we will notify you of the reason for the delay. For urgent data-protection matters, please call our phone support line during business hours (Monday–Friday, 9:00 AM – 5:00 PM PT).

Related documents: See our Terms of Service (including Section 5 on AI-Powered Assistance) and our Medical Disclaimer for additional context on how the platform operates.