Twavel

Privacy Policy

Version 3.0
Effective: June 26, 2026
Last Updated: June 26, 2026

1. Who We Are

Twavel (“we”, “us”, “our”) is a collaborative trip planning application operated by:

90P Lab SLU
Passeig de l'Arnaldeta de Caboet, 11, 6, 1
AD700, Escaldes-Engordany, Andorra
Email: privacy@twavel.me

We are the data controller under the General Data Protection Regulation (GDPR), meaning we decide how and why your personal data is processed.

2. What Data We Collect

2.1 Data You Provide Directly

Data | When | Purpose
Email address | Account registration | Authentication, communication
Password | Account registration | Stored securely as an irreversible hash — we never see or store your actual password
First name, last name | Profile setup | Personalization, display
Bio | Profile editing | Optional self-description on your profile
Profile picture URL | Profile editing | Display on your profile
Travel preferences (budget, pace, interests, travel style) | Personalization flow | Tailoring trip suggestions and AI recommendations
Trip details (title, cities, dates, itinerary events) | Trip creation and editing | Core service functionality
AI conversation messages | Using the AI trip planner | Generating personalized trip itineraries
Waitlist email | Joining the waitlist | Notifying you when access is available

2.2 Data Collected Automatically

Data | How | Purpose
Authentication token (cookie) | When you log in | Keeping you signed in across pages
User agent (browser/device info) | During active sessions | Session security and management
Session refresh tokens | During active sessions | Maintaining your login session

2.3 Security and Operational Data

To protect the service and our users, we may also process the following data under our legitimate interest (GDPR Art. 6(1)(f)):

  • IP addresses during login and API requests
  • Login timestamps and failed login attempts
  • Rate-limiting and abuse-detection logs
  • Server access logs

This data is used solely for security monitoring, fraud prevention, and maintaining the stability of the service. It is retained for a limited period (typically up to 90 days) and is not used for any other purpose.

2.4 Data from Third-Party Login Providers (Planned)

When we introduce Google and Facebook login, we will receive from those providers:

  • Your name
  • Your email address
  • Your profile picture

We will only request the minimum data needed to create your account. We never receive or store your Google or Facebook password.

Payments will be processed by Paddle (Paddle.com Market Limited), which acts as our Merchant of Record. This means Paddle — not Twavel — collects and processes your payment details (card number, billing address, etc.).

We may receive from Paddle:

  • Your name and email (for order confirmation)
  • Transaction details (plan type, amount, date)
  • Subscription status

We do not have access to your full card number or bank details.

2.6 Push Notifications (Planned)

When we introduce push notifications, we will collect:

  • Device token (a technical identifier for delivering notifications)
  • Notification preferences (which types of notifications you want to receive)

You can opt out of push notifications at any time through your device settings or within the app.

3. How We Use Your Data

Purpose | Legal Basis (GDPR Art. 6)
Providing the trip planning service | Performance of a contract (Art. 6(1)(b))
Authenticating your account and sessions | Performance of a contract (Art. 6(1)(b))
AI-powered trip planning conversations | Performance of a contract (Art. 6(1)(b))
Personalizing your experience (travel preferences) | Performance of a contract (Art. 6(1)(b))
Sending transactional emails (verification, password reset) | Performance of a contract (Art. 6(1)(b))
Processing payments via Paddle | Performance of a contract (Art. 6(1)(b))
Security monitoring, fraud prevention, and abuse detection | Legitimate interest (Art. 6(1)(f))
Improving our service and fixing bugs | Legitimate interest (Art. 6(1)(f))
Sending marketing communications | Your consent (Art. 6(1)(a)) — you can withdraw at any time
Complying with legal obligations | Legal obligation (Art. 6(1)(c))

4. How We Share Your Data

We do not sell your personal data. We share data only with the following service providers, who process it on our behalf under GDPR-compliant Data Processing Agreements (DPAs) in accordance with Article 28 of the GDPR:

Service Provider | Purpose | Location | Safeguard
OpenAI | AI trip planning assistant | United States | Standard Contractual Clauses (SCCs)
Google Maps / Google Places | Map views, place search, location data | United States | Standard Contractual Clauses (SCCs)
Mapbox | Map rendering | United States | Standard Contractual Clauses (SCCs)
Brevo | Transactional emails | France (EU) | EU/EEA — no transfer mechanism required
Paddle | Payment processing (Merchant of Record) | United Kingdom | UK GDPR adequacy + SCCs
Google / Facebook (planned) | Social login authentication | United States | Standard Contractual Clauses (SCCs)
Hostinger | Server hosting and infrastructure | Germany (Frankfurt) | Data stays within the EU
Posthog | Usage tracking | EU | Data stays within the EU

International Data Transfers

Your data is stored on servers in Frankfurt, Germany (EU). However, some of our service providers are based in the United States. When your data is transferred outside the EU/EEA, we ensure it is protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Additional technical and organizational safeguards where appropriate

5. Cookies

We use a minimal number of cookies:

Cookie | Purpose | Duration | Type
auth_token | Keeps you logged in (authentication) | 7 days | Strictly necessary

This cookie is strictly necessary for the service to function — you cannot use Twavel without being logged in. No consent is needed for this cookie under GDPR.

For analytics and non-essential cookies that may be introduced in the future, we will ask for your consent before placing them. See our Cookie Policy for more details.

6. Public Trip Sharing

You may choose to share a trip via a public link. When you do:

  • The trip details (title, cities, dates, itinerary, places) become visible to anyone with the link
  • No account is required to view a shared trip
  • The viewer sees the trip in a read-only mode and cannot access any other part of the app
  • You can disable the shared link at any time

Important: Only share trips if you are comfortable with the itinerary details being publicly accessible. We recommend not including sensitive personal information in trip titles or event descriptions.

7. AI Trip Planning

Our AI trip planning feature uses OpenAI to generate personalized travel itineraries. When you use this feature:

  • Your conversation messages are sent to OpenAI's API for processing
  • Your travel preferences may be included to improve suggestions
  • OpenAI processes this data under their data processing agreement with us

We do not use your conversations to train AI models. OpenAI's API usage policy prevents them from using API data for model training.

Important: Please do not share sensitive personal information in your AI conversations, such as passport numbers, ID documents, health or medical conditions, financial details, or other data that is not necessary for trip planning. We cannot guarantee how such data might be processed by third-party AI providers.

7.2 Personalization and Automated Recommendations

Twavel uses your travel preferences (budget, pace, interests, travel style) and your interactions with the service to personalize trip recommendations and AI-generated itineraries. This may be considered “profiling” under GDPR.

We want to be transparent about this:

  • This personalization is used solely to improve your trip planning experience
  • It does not produce legal effects or similarly significant effects on you (e.g., it does not affect your access to services, pricing, creditworthiness, or any other consequential decision)
  • You can reset your travel preferences at any time through the personalization settings
  • You have the right to object to this processing (see Section 9)

8. Data Retention

Data Type | Retention Period
Active account data | As long as your account exists
AI conversations | As long as your account exists
Session data | Until the session expires or you log out
Verification tokens | Automatically expire after their validity period
Waitlist entries | Until we remove the waitlist or you request removal
Consent records (legal doc acknowledgments) | Lifetime of account + 3 years after deletion (for legal compliance evidence)
Security/operational logs | Up to 90 days

When You Delete Your Account

When you request account deletion:

  1. Personal data is removed: Your name, email, bio, avatar, and travel preferences are permanently erased
  2. AI conversations are deleted: All your chat messages with the AI assistant are permanently removed
  3. Trip data is anonymized: Your trips and itineraries are kept for internal service improvement, but we take reasonable steps to remove identifying information and disconnect them from your identity. However, due to the nature of travel data (specific destinations, dates, and itineraries), we cannot guarantee that such data is fully anonymous under all circumstances. We treat any retained data with the same level of care as personal data until we are confident it cannot be re-linked to an individual.
  4. Sessions are terminated: All active sessions and tokens are invalidated immediately

This process is irreversible. Once your account is deleted, we cannot recover your personal data.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Right | What It Means
Access | Request a copy of all personal data we hold about you
Rectification | Ask us to correct inaccurate or incomplete data
Erasure (“Right to be forgotten”) | Ask us to delete your personal data
Restriction | Ask us to temporarily stop processing your data
Data portability | Receive your data in a structured, machine-readable format
Objection | Object to processing based on legitimate interest
Withdraw consent | Withdraw consent at any time (for consent-based processing)
Complaint | File a complaint with the Andorran Data Protection Authority (APDA)

How to Exercise Your Rights

Email us at privacy@twavel.me with your request. We will respond within 30 days. We may ask you to verify your identity before processing your request.

Supervisory Authority

If you believe we have not handled your request properly, you have the right to lodge a complaint with:

Agència Andorrana de Protecció de Dades (APDA)
Website: www.apda.ad

10. Children's Privacy

Twavel is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a user is under 16, we will promptly delete their account and associated data.

If you believe a child under 16 has created a Twavel account, please contact us at privacy@twavel.me.

11. Data Security

We protect your data using:

  • Password hashing with bcrypt (your password is never stored in plain text)
  • JWT-based authentication with encrypted tokens
  • HTTPS encryption for all data in transit
  • Server hosted in Germany within the EU, with Hostinger's security infrastructure
  • Access controls limiting who can access the production database

While we take reasonable measures to protect your data, no system is 100% secure. If a data breach occurs that poses a risk to your rights, we will notify you and the relevant authorities as required by GDPR (within 72 hours).

12. Analytics

We do not currently use any analytics or tracking tools. When we introduce analytics in the future, this section will be updated to include:

  • The analytics tool used
  • What data it collects
  • How to opt out

We will request your consent before any non-essential analytics tracking is activated.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

  • We will update the “Last Updated” date at the top
  • For significant changes, we will notify you via email or an in-app notification
  • You will be asked to acknowledge the updated policy when you next use the app
  • Your continued use of Twavel after being notified of changes constitutes acceptance

14. Contact Us

For any questions about this Privacy Policy or your personal data:

90P Lab SLU
Passeig de l'Arnaldeta de Caboet, 11, 6, 1
AD700, Escaldes-Engordany, Andorra
Email: privacy@twavel.me

We aim to respond to all inquiries within 30 days.