Privacy Policy

1. What Personal Data We Collect

We collect only what is necessary to provide the service. Here is a specific breakdown:

We do not collect payment card numbers (handled entirely by our PCI-DSS certified payment partners), passport or government ID details, precise GPS location, or any sensitive special-category data as defined under GDPR Article 9.

2. Legal Basis for Processing (GDPR & UK GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, we rely on the following legal bases under GDPR Article 6:

• Performance of a contract — processing your travel preferences and generating your itinerary is necessary to provide the service you requested.
• Legitimate interests — we process technical and operational data to maintain security, prevent fraud and abuse, enforce rate limits, and improve the service. Our legitimate interests do not override your fundamental rights.
• Legal obligation — we may retain certain records (such as cost logs without personal identifiers) where required by applicable law.
• Consent — where we rely on consent (e.g., optional analytics), you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

3. How We Use Your Data

• To generate personalised travel itineraries based on your stated preferences
• To save and retrieve your itineraries when you are signed in
• To authenticate your identity and manage your account session
• To enforce rate limits and prevent abuse of the service
• To monitor service health, fix errors, and improve quality
• To display anonymised analytics about overall usage trends
• To present hotel and accommodation recommendations and earn affiliate commission if you complete a booking via our links — this does not affect the price you pay

We do not sell your personal data. We do not use your data for targeted advertising. We do not build profiles about you beyond what is needed to run this service.

4. Third-Party Services & Data Processors

We share limited data with the following processors, solely to operate the service:

• Anthropic — powers itinerary generation. Your travel preferences (destination, dates, pace, dietary needs, interests) are transmitted to Anthropic's API solely to generate your itinerary. Anthropic does not use API inputs to train its public models by default, per its API usage policy.
• Clerk — handles user authentication. Clerk stores your email address and manages session tokens. Clerk is SOC 2 Type II certified. Subject to Clerk's Privacy Policy.
• Supabase — hosts our PostgreSQL database where your saved itineraries are stored. Data is encrypted at rest and in transit. Subject to Supabase's Privacy Policy.
• Vercel — hosts the application and processes request logs and anonymised analytics. Subject to Vercel's Privacy Policy.
• Google (Maps & Places) — we use Google's Maps and Places APIs server-side to enrich place data (photos, ratings, opening hours). Your search preferences may be transmitted to Google. Subject to Google's Privacy Policy.
• Upstash (Redis) — stores short-lived rate-limiting counters keyed by user identifier or IP. Data expires automatically within one hour and is never used for any other purpose.
• Booking.com (Affiliate Programme) — hotel recommendation links use our affiliate ID. If you click through and book, we earn a commission. No personal data from our platform is shared with Booking.com beyond the standard HTTP referrer. Subject to Booking.com's Privacy Policy.

5. International Data Transfers

TravalBee operates globally and uses service providers based in the United States. If you are located in the EEA, UK, or other regions with data transfer restrictions, your personal data may be transferred to and processed in the United States or other countries that may not offer the same level of data protection as your home country.

Where we transfer data internationally, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, the UK's International Data Transfer Agreement (IDTA), or other legally recognised transfer mechanisms. Our key processors (Clerk, Supabase, Vercel, Anthropic) are all subject to SCCs or equivalent frameworks. You may request a copy of the relevant safeguards by contacting us.

6. Data Retention

• Account & itinerary data: retained for as long as your account is active. If you request deletion of your account, all personal data and associated itineraries will be permanently removed from our database within 30 days.
• Place cache: automatically purged after 14 days via our nightly cleanup process.
• Rate-limiting counters: expire automatically after 1 hour.
• Cost logs: retained for internal financial record-keeping. These logs contain destination names and aggregate cost figures but no other personal data.
• Infrastructure logs (Vercel, Clerk): retained per each provider's own retention policy (typically 30–90 days).

7. Cookies & Local Storage

• Authentication cookies: set by Clerk to manage your login session. These are strictly necessary and cannot be opted out of while signed in.
• Local storage (offline cache): we store your saved itineraries in your browser's local storage for offline access. This is first-party only and never transmitted to third parties.
• Analytics: Vercel Analytics uses cookieless, privacy-preserving techniques to measure aggregate page performance. No cross-site tracking cookies are used.

We do not use third-party advertising cookies, retargeting pixels, or social media tracking cookies.

8. Your Rights

Depending on where you live, you have the following rights regarding your personal data. We honour these rights for all users worldwide, not just those in regulated jurisdictions.

9. How to Exercise Your Rights

To exercise any of the rights listed above — including requesting deletion of your account and all associated data — please email us at:

travalbee@outlook.com

Please include your registered email address and a brief description of your request. We may need to verify your identity before processing the request to protect your data from unauthorised access.

Response times: We will acknowledge your request within 72 hours and respond in full within 30 days(as required by GDPR and UK GDPR). For CCPA requests, we will respond within 45 days. If we need additional time due to complexity, we will notify you of the extension before the deadline.

10. Supervisory Authority & Complaints

If you believe we have not handled your personal data in accordance with applicable privacy law, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction. Examples include:

• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
• European Union: your national Data Protection Authority (DPA) — find your authority at edpb.europa.eu
• Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
• Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca
• Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
• California (USA): California Privacy Protection Agency (CPPA) — cppa.ca.gov

We ask that you contact us first at travalbee@outlook.com so that we have an opportunity to resolve your concern directly.

11. Automated Decision-Making

We use an AI model (Anthropic's Claude) to generate travel itinerary content. This is an assistive tool — the output is a creative suggestion based on your stated preferences and does not produce any legal or similarly significant decision about you. No automated profiling is used to make decisions that affect your rights or access to services.

12. Children's Privacy

TravalBee is not directed at children. We do not knowingly collect personal data from anyone under the age of 13, or under 16 in the EEA and UK. If you believe a child has provided us with personal information, please contact us at travalbee@outlook.com and we will delete it promptly.

13. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include HTTPS encryption for all data in transit, encryption at rest on our database provider, strict API key separation (no server-side keys are exposed to the browser), role-based access controls, and rate limiting to prevent abuse. No method of transmission or storage is 100% secure; if you have concerns about a specific security issue, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. For material changes, we will notify signed-in users by email where we hold your address. Continued use of the service after changes are posted constitutes your acceptance of the revised policy.

15. Contact Us

For any privacy-related questions, data access requests, or deletion requests:

Email: travalbee@outlook.com

We will respond to all privacy requests within 30 days. For urgent matters regarding a potential data breach affecting you, please mark your email "URGENT — Data Privacy" and we will prioritise your request.