Privacy Policy

What We Collect

• Without an account: Itineraries are saved in your browser's local storage only. We don't collect any personal info.
• With an account: We store your name, email, and hashed password (or Google profile if using OAuth). Itineraries are synced to our database.
• URLs or preferences you submit are processed by our AI but not stored after the request completes.
• We do not use tracking cookies. We may use Google Analytics for anonymous usage metrics (page views only).

Authentication & Security

• Passwords are hashed with bcrypt (12 rounds) and never stored in plain text.
• Google sign-in uses OAuth 2.0 — we never receive or store your Google password.
• Password reset tokens are single-use and expire after 1 hour.
• Sessions use secure JWT tokens.

Third-Party Services

• AI processing: Anthropic (Claude) and Groq for itinerary generation.
• Maps: OpenStreetMap & Nominatim for geocoding.
• Email: Resend for transactional emails (password resets only).
• Hosting: Vercel (app) and Neon (database).
• Each service has its own privacy policy.

Data Sharing & Retention

• We never sell or share your data for marketing or advertising.
• Signed-in users' itineraries are stored in our database and can be deleted from the dashboard at any time.
• Anonymous itineraries exist only in your browser — clear your browser data to remove them.
• Shared itineraries are accessible via their unique link. Anyone with the link can view (but not edit) them.

Your Rights

• You can delete your itineraries from the dashboard.
• To delete your account entirely, contact us via the contact page.

Changes & Contact

This policy may be updated occasionally. Questions? Reach us via our contact page.