Privacy Policy

Last updated: 10 April 2026

1. Who we are

Travelime is an AI-powered travel itinerary planning service. We are the data controller responsible for your personal data. If you have questions about this policy or wish to exercise your rights, contact us through our Support page contact form.

2. Data we collect

  • Account data: your email address and hashed password when you create an account.
  • Trip data: destination, travel dates, preferences, and itinerary content you create or save.
  • Usage data: IP address, browser type, and session metadata collected automatically by our authentication provider (Supabase) as part of normal sign-in and security logging.
  • Browser storage: currency preference and draft trip form state saved locally in your browser's localStorage. This data never leaves your device.

3. How we use your data

  • To authenticate your account and keep your session secure (contractual necessity).
  • To generate, store, and display your personalised travel itineraries (contractual necessity).
  • To remember your display preferences across sessions (legitimate interest).

We do not sell your data, use it for advertising, or share it with third parties except as described below.

4. Third-party processors

We use the following sub-processors to deliver the service. Each processes only the minimum data necessary for its function.

  • Vercel — our hosting infrastructure. Vercel processes connection data (IP address, HTTP headers) for every page request as part of normal web hosting. See the Vercel Privacy Policy.
  • Supabase — database and authentication hosting. Your account data and trip data are stored on Supabase infrastructure. See the Supabase Privacy Policy.
  • Google (Gemini AI) — your trip preferences and destination details are sent to Google's Gemini API to generate itinerary content. See Google's Privacy Policy.
  • Google (Places API) — venue names and locations are queried to verify and enrich activity details. See Google's Privacy Policy.
  • OpenStreetMap / Nominatim — when you search for a destination, the text you type is sent to the OpenStreetMap Nominatim geocoding API to return matching locations. No account data is included. See the OSM Foundation Privacy Policy.
  • Mapbox — destination and activity coordinates are sent to Mapbox's Static Images API to render static map thumbnails within criteria and itinerary views. No personal user data is included. See the Mapbox Privacy Policy.
  • Pexels — activity images are fetched using generic search terms (activity type and destination name, e.g. “beach Bali”). No personal user data is included in these queries. See the Pexels Privacy Policy.
  • Unsplash — destination hero images are fetched using the destination name as a search term (e.g. “Thailand”). No personal user data is included in these queries. See the Unsplash Privacy Policy.
  • Travelpayouts — we load a Travelpayouts site-verification script on every page. This script runs in your browser and is used to authenticate our affiliate account with Travelpayouts. Some booking and transport links on the site contain a Travelpayouts affiliate marker; if you click through and make a booking, Travelpayouts may record the referral for commission purposes. See the Travelpayouts Privacy Policy.

4a. Affiliate & outbound links

Itineraries include links to third-party booking platforms (including Booking.com, Airbnb, Viator, GetYourGuide, Kiwi.com, Omio, and others). These are affiliate links — if you click through and make a purchase, we may earn a commission at no extra cost to you. Once you leave our site, the destination platform's own privacy policy applies. We do not share your personal data with these platforms; the affiliate identifier is embedded in the link URL only.

5. Cookies and local storage

We use limited browser storage:

  • Authentication cookies — strictly necessary session cookies set by Supabase to keep you signed in. These cannot be disabled without breaking authentication.
  • Preference storage: localStorage entries for your selected display currency, in-progress trip draft data, cookie notice dismissal, and telemetry consent state.
  • Optional telemetry (consent-based) — if you opt in, we enable anonymous product/performance telemetry via Vercel Analytics, Vercel Speed Insights, and Sentry replay-on-error (with text masking and media blocking).

We do not use advertising cookies.

6. Data retention

  • Account and trip data is retained for as long as your account is active.
  • Itineraries generated by guest users (without an account) are automatically deleted within 48 hours.
  • Upon account deletion, your personal data is removed from our systems within 30 days.

7. Your rights (GDPR)

If you are in the EU, UK, or a jurisdiction with equivalent privacy laws, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate data.
  • Deletion — request deletion of your account and associated data.
  • Portability — request your data in a machine-readable format.
  • Objection — object to processing based on legitimate interest.

To exercise any of these rights, use our Support page contact form. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. Changes to this policy

We may update this policy from time to time. The date at the top of this page reflects the latest revision. Continued use of the service after changes constitutes acceptance of the updated policy.

© 2026 Travelime. All rights reserved.