Privacy Policy

Last updated: March 2026

1. Introduction

Find a Ski School ("we", "us", or "our") operates the findaskischool.com website (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services, including our AI-powered features, booking tools, voice input, and embeddable widgets.

2. Information We Collect

Personal Information

We may collect personal information that you voluntarily provide when you:

  • Create an account or sign in
  • Submit a school listing or claim request
  • Make a booking through our platform
  • Contact us via our contact form
  • Subscribe to our newsletter
  • Join our signup waitlist or register as an instructor
  • Submit a data correction or missing resort information
  • Leave a review or rating for a ski school, resort, or instructor
  • Use the school comparison tool

This information may include your name, email address, phone number, and payment information.

Automatically Collected Information

When you visit our website, we may automatically collect certain information about your device, including:

  • IP address and browser type
  • Pages visited and time spent on pages
  • Referring website or search terms
  • Device type and operating system
  • Language preference and locale settings
  • Theme preference (light or dark mode)
  • Recently viewed schools and resorts

AI and Voice Input Data

When you use our AI-powered features (AI School Finder, AI Concierge chatbot), we process the text or voice queries you submit to provide personalised recommendations and answers. Specifically:

  • AI School Finder: Your preferences (activity type, experience level, age group, language, country, group size, budget) are sent to our AI service to generate personalised school recommendations. These queries are processed in real time and are not stored beyond the duration of your session.
  • AI Concierge: Your chat messages are processed by our AI service to answer questions about ski schools, resorts, weather conditions, and other platform data. Conversation history is maintained for the duration of your browser session only.
  • Voice Input: When you use the voice input feature (available on search bars and text fields), your device's built-in Web Speech API processes your speech locally on your device. We do not record, store, or transmit raw audio data. Only the transcribed text is sent to our servers as a standard text query.

Sponsored Placement and Analytics Data

We track anonymised impression and click data for sponsored school placements in our directory. This data is used to measure the effectiveness of sponsored placements and is shared with the sponsoring school in aggregate form only. No personally identifiable information is included in these analytics.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process bookings and payments
  • Send you relevant communications about your account or bookings
  • Respond to your inquiries and support requests
  • Monitor and analyse usage patterns to improve user experience
  • Protect against fraud and unauthorised access
  • Power AI-driven school recommendations and chatbot responses
  • Send email notifications about bookings, reviews, certifications, and account activity via our email service provider (EmailIt)
  • Send push notifications (with your explicit consent) about booking updates and platform announcements
  • Screen user-submitted data corrections for spam using automated AI checks
  • Display weather information for resorts using third-party weather data (Visual Crossing)
  • Manage the signup waitlist and instructor registration process

4. Information Sharing

We do not sell your personal information. We may share your information with:

  • Ski Schools: When you make a booking or submit a contact form inquiry, we share your contact details with the relevant ski school to facilitate the lesson or respond to your inquiry. Contact form submissions are also accessible to the Find a Ski School team for quality assurance and support purposes.
  • Contact Form Inquiries: When you submit a contact form inquiry on a school profile page, your name, email address, and message are shared with the ski school you are contacting, the Find a Ski School team, and may be processed by AI language models (LLMs) for spam detection and quality assurance purposes. By submitting the form, you consent to this data sharing as described in the consent checkbox on the form.
  • Payment Processors: We use Stripe to process payments. Your payment information is handled directly by Stripe in accordance with their privacy policy.
  • Email Service Provider: We use EmailIt to send transactional emails (booking confirmations, review notifications, certification approvals, sponsored placement expiry notices). EmailIt processes your email address and name solely to deliver these communications.
  • AI Service Provider: Your AI queries (text only, not audio) are processed by our AI service provider (a large language model / LLM) to generate recommendations and chatbot responses. Queries are processed in real time and are not retained by the provider beyond the request lifecycle. Additionally, contact form submissions may be processed by AI language models for spam detection and quality assurance purposes.
  • Weather Data Provider: We use Visual Crossing to display resort weather conditions. No personal data is shared with this provider; only resort location data is used.
  • Service Providers: We may share information with third-party service providers who assist us in operating our website and services.
  • Legal Requirements: We may disclose information if required by law or to protect our rights and the safety of our users.

Legal Basis for Processing

Under the General Data Protection Regulation (GDPR) and UK GDPR, we process your personal data on the following legal bases:

  • Contract performance: processing necessary to fulfil our contract with you, including managing your account, processing bookings, and providing the Platform's core services.
  • Legitimate interests: processing necessary for our legitimate business interests, including fraud prevention, platform security, service improvement, analytics, and direct marketing to existing customers. We balance our interests against your rights and freedoms.
  • Consent: processing based on your explicit consent, including marketing communications to non-customers, non-essential cookies, push notifications, and voice input recording. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legal obligation: processing necessary to comply with our legal obligations, including tax reporting, fraud prevention, and responding to lawful requests from authorities.
  • Vital interests: in rare circumstances, processing necessary to protect someone's life or physical safety.

Payment Processor

We use Stripe, Inc. as our payment processor. When you make a payment through the Platform, your payment card details are collected and processed directly by Stripe and are never stored on our servers. Stripe is a PCI DSS Level 1 certified payment processor, the highest level of certification available. We store only Stripe customer IDs and transaction reference IDs in our database to link payments to your account. For more information about how Stripe handles your data, please review Stripe's Privacy Policy at https://stripe.com/privacy.

5. Cookies

We use cookies and similar tracking technologies to enhance your experience on our website. Cookies are small data files stored on your device. You can control cookie settings through your browser preferences or our cookie consent banner. For full details, please see our Cookie Policy.

6. Push Notifications

With your explicit consent, we may send push notifications to your browser or device. These notifications may include booking confirmations, status updates, and platform announcements. You can manage or revoke push notification permissions at any time through your browser settings. We use the Web Push protocol (VAPID) to deliver notifications securely.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal information, including:

  • All data is transmitted over encrypted HTTPS connections
  • Authentication is handled through secure OAuth 2.0 protocols via our identity provider
  • Session tokens are signed with industry-standard JWT encryption and stored in secure, HTTP-only cookies
  • Payment information is processed directly by Stripe and never stored on our servers
  • Database access is restricted and connections are encrypted with TLS
  • Content Security Policy (CSP) headers are enforced to prevent cross-site scripting attacks
  • Input validation and sanitisation is applied to all user-submitted data

We do not store passwords directly. Authentication is managed through our secure OAuth provider, which implements industry-standard security measures including rate limiting, brute-force protection, and secure credential storage. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

8. Service Workers and Offline Data

Our website uses a service worker to improve performance and enable certain offline features. The service worker may cache static assets (images, stylesheets, scripts) and previously viewed page data on your device. This cached data remains on your device and can be cleared by unregistering the service worker or clearing your browser's site data.

9. Multi-Language Support

Our platform is available in multiple languages (English, German, Spanish, French, Italian, Dutch, Japanese, and Arabic). Your language preference is stored locally on your device and is not transmitted to our servers. Some content, including AI-generated recommendations and certain policy documents, may only be available in English.

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are as follows:

  • Account data (name, email, profile information): retained for the duration of your active account plus 12 months after account deletion, to allow for account recovery and to resolve any outstanding disputes.
  • Booking and transaction records: retained for 7 years after the transaction date, as required for tax, accounting, and legal compliance purposes.
  • Contact form submissions: retained for 24 months from the date of submission, after which they are permanently deleted.
  • Signup waitlist data: retained until your application is processed and your account is created, or for a maximum of 12 months if your application is not processed.
  • Analytics and usage data: retained in anonymised or aggregated form for up to 26 months. Individual session data is not linked to your identity after anonymisation.
  • AI conversation logs and voice transcriptions: retained for up to 90 days for service improvement and quality assurance, then permanently deleted.
  • Reviews and ratings: retained for as long as your account is active or the reviewed school remains listed. You may request deletion of your reviews at any time.
  • Email communication records: retained for 36 months for customer support and dispute resolution purposes.

When retention periods expire, your data is either permanently deleted or irreversibly anonymised. You may request early deletion of your data at any time, subject to our legal obligations.

International Data Transfers

Find a Ski School operates globally and your personal data may be transferred to, stored in, and processed in countries outside of your country of residence, including countries outside the European Economic Area (EEA) and the United Kingdom. Specifically:

  • Our servers and databases are hosted by cloud infrastructure providers with data centres in the United States and Europe.
  • Payment processing is handled by Stripe, Inc., which may process data in the United States and other jurisdictions. Stripe is certified under the EU-US Data Privacy Framework.
  • AI features are powered by third-party language model providers whose servers may be located in the United States.
  • Email communications are processed through our email service provider, which may operate servers outside the EEA.

Where we transfer personal data outside the EEA or UK, we ensure appropriate safeguards are in place, including: Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions where applicable, and contractual obligations requiring our service providers to protect your data to the same standard as required under GDPR and UK GDPR.

10. Your Rights

Under the General Data Protection Regulation (GDPR) and UK GDPR, you have the following rights regarding your personal data:

  • Right of access: You have the right to request a copy of the personal data we hold about you, along with information about how we process it.
  • Right to rectification: You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
  • Right to erasure ("right to be forgotten"): You have the right to request deletion of your personal data where there is no compelling reason for us to continue processing it.
  • Right to restrict processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest its accuracy.
  • Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
  • Right to object: You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.
  • Rights related to automated decision-making: You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Our AI features provide recommendations only and do not make binding decisions about you.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Withdraw consent for push notifications at any time
  • Withdraw consent for non-essential cookies via the cookie consent banner

To exercise any of these rights, please contact us at [email protected].

Self-Service: You can also submit a data privacy request directly through our Data Privacy Request Form.

11. Third-Party Links

Our website may contain links to third-party websites, including ski school websites, resort websites, and external booking platforms. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

12. Embeddable Booking Widget

Ski schools may embed our booking widget on their own websites. When you interact with an embedded booking widget, the same privacy practices described in this policy apply. The ski school's website may have its own cookies and tracking; please review their privacy policy separately.

13. Children's Privacy

Our services are not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected such information, please contact us immediately. Bookings for minors must be made by a parent or legal guardian.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. For material changes, we may also notify you via email or a prominent notice on our website.

Data Protection Contact

For any questions, concerns, or requests regarding your personal data or this Privacy Policy, you may contact our Data Protection lead:

Email: [email protected]. Please include "Data Protection" in the subject line. We aim to respond to all data protection requests within 30 days, as required by GDPR. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk.