Privacy Policy

Effective: April 1, 2026

At Travelese ("we," "us," or "our"), we value your privacy and are committed to being fair, accountable, and transparent in how we handle your personal information. This Privacy Policy describes how we collect, use, share, and protect your personal information when you use our AI-powered travel planning platform at travelese.ai and chat.travelese.ai (our "Service"). It also describes your privacy rights.

For individuals in the European Economic Area, United Kingdom, and Switzerland (collectively, "Europe"), additional Europe-specific information is provided in Section 10 of this policy.

1. Personal Information We Collect

We ask that you do NOT include unnecessary personal information in your prompts and inputs to our Service; however, we cannot control what you provide to us.

We may collect personal information from you and about you. Below are examples of the information we may collect, how we collect it, how we use it, and how we may disclose it.

Account Data. If you create an account, we collect your name, email address, account credentials, and authentication method. If you log into our Service using a third-party service such as Google or X, that third-party will send your information to us at your direction, which may include your name, email address, and profile information.

• How we collect it: Directly from you or from a third-party (Google, X).
• How we use it: To provide, analyze, and maintain our Service; to provide support; to communicate with you; to ensure security; for legal purposes.
• How we may disclose it: To our service providers; in connection with business transfers; for legal purposes.

Traveler Profile Data. To facilitate travel bookings, we collect your full legal name (as on travel documents), date of birth, nationality, gender, passport information (number, issuing country, expiration date), loyalty program numbers, and contact phone number.

• How we collect it: Directly from you.
• How we use it: To process travel bookings; to provide our Service; to communicate with travel providers on your behalf.
• How we may disclose it: To Duffel and underlying travel providers (airlines, accommodation providers); to our service providers; for legal purposes.

Payment Data. Subscription payments are processed by Stripe. Travel booking payments are processed through Duffel's payment infrastructure. We receive only tokenized references, the last four digits of your card, card brand, and billing address. We do not store full card numbers on our servers.

• How we collect it: Through third-party processors (Stripe, Duffel).
• How we use it: To process subscription and booking payments; to provide support; for legal purposes.
• How we may disclose it: To our payment processors; for legal purposes.

User Content. You may provide personal information in prompts and other content you input to the Service ("Input"). Outputs of the Service ("Output"), including AI-generated travel recommendations and itineraries, are based on your Input. Together, Input and Output are "User Content." If you include personal information in Inputs, this information may appear in Output.

• How we collect it: Directly from you.
• How we use it: To provide our Service; to improve our Service; to ensure security; for legal purposes.
• How we may disclose it: To xAI (for AI processing); to our service providers; for legal purposes.

Voice Data. When you use voice features, your speech is processed and converted to text. We do not permanently store raw audio recordings. Text-to-speech output is generated using xAI's voice synthesis technology.

• How we collect it: Directly from you when you use voice features.
• How we use it: To provide voice interaction features; to deliver AI responses.
• How we may disclose it: To xAI (for voice processing).

Travel and Booking Data. We collect flight and accommodation search history, confirmed booking records (itineraries, confirmation numbers, booking status), trip information (destinations, dates, notes), and associated traveler assignments.

• How we collect it: Through your use of the Service; from Duffel (booking confirmations and status updates).
• How we use it: To provide and maintain our Service; to fulfill bookings; to provide trip management features.
• How we may disclose it: To Duffel and travel providers; to our service providers; for legal purposes.

Technical Data. We collect your IP address, device type, browser type and version, operating system, country and timezone (derived from IP address), pages visited, features used, session duration, and interaction data.

• How we collect it: Automatically when you use or interact with the Service, including through analytics tools.
• How we use it: To provide and maintain our Service; to improve our Service; to ensure security; for legal purposes.
• How we may disclose it: To our service providers (Vercel, analytics providers); for legal purposes.

Anonymous User Data. If you use the Service in demo mode without creating an account, we collect limited data including your IP address, device information, and the content of your chat messages (up to five messages). This data is associated with a temporary session identifier, not a persistent account.

• How we collect it: Automatically through your use of the Service.
• How we use it: To provide the demo experience; to ensure security (Turnstile bot protection).

Cookies and Similar Technologies. We and our service providers use cookies and similar technologies to operate and improve our Service. For details, please read our Cookie Policy.

2. How We Use Personal Information

We may use your personal information for the following purposes:

• To provide, analyze, and maintain our Service. To authenticate your identity, manage your account, process travel searches and bookings, deliver AI-powered travel planning assistance, provide voice features, store traveler profiles, and maintain chat history.
• To provide support and assistance. To troubleshoot problems, respond to inquiries, and provide customer support.
• To develop and improve our Service. To analyze usage patterns, identify and fix technical issues, develop new features, and improve AI quality and user experience.
• To communicate with you. To send transactional emails about your account, bookings, and subscriptions; to notify you of changes to our Terms or this Privacy Policy; to send service announcements and booking-related alerts.
• To ensure security and integrity. To detect and prevent unauthorized access, fraud, abuse, and misuse; to enforce our Terms of Service and usage limits; to monitor for suspicious activity.
• For legal purposes. To comply with applicable laws, regulations, and legal processes; to respond to lawful government requests; to maintain records as required for tax, financial, and travel industry regulations.

We may aggregate, pseudonymize, or de-identify your information so that it no longer identifies you and use this information for the purposes described above. We will not attempt to re-identify such information.

3. How We Share Personal Information

We do not sell your personal information to third parties. We share your information only as described below.

Service providers. We share data with third-party service providers who process data on our behalf:

Each provider processes data under their own privacy policies and in accordance with data processing agreements we maintain with them.

Travel providers. When you make a booking, your traveler information (name, passport details, date of birth, contact information, loyalty numbers) is shared with the relevant airline or accommodation provider through Duffel. These travel providers are independent data controllers and process your data under their own privacy policies.

Analytics providers. We use analytics services to understand how our platform is used. Analytics data is aggregated and does not directly identify individual users. See our Cookie Policy for details.

Legal requirements. We may disclose your information if required by law, court order, or government regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a lawful government request.

Business transfers. In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your data.

4. Retention of Personal Information

We retain your personal information where we have an ongoing legitimate business need to do so:

When retention periods expire, data is permanently deleted or irreversibly anonymized.

If you choose to delete your account, we will delete your data within 30 days unless it is necessary to retain the data for legal, compliance, or safety purposes.

5. Security of Personal Information

We implement commercially reasonable technical, administrative, and organizational measures to protect your personal information:

• All data in transit is encrypted using TLS 1.2 or higher
• Data at rest is encrypted in our database infrastructure (Supabase/PostgreSQL)
• Authentication sessions use secure, HTTP-only cookies
• Row-level security policies restrict database access to authorized users
• Payment data is handled by PCI DSS-compliant processors (Stripe and Duffel)
• Bot protection via Cloudflare Turnstile prevents unauthorized automated access
• We conduct regular security reviews of our platform and dependencies

However, no security measure or method of data transmission over the internet is 100% secure. You are solely responsible for protecting your login credentials, limiting access to your devices, and signing out after sessions.

6. Links to Other Websites

Our Service may contain links to external websites, including airline and hotel websites. Third-party websites have their own terms and privacy policies. We are not responsible for their privacy practices, and we encourage you to review their policies before providing personal information to them.

7. Children's Privacy

Our Service is not directed at anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a person under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at hey@travelese.ai.

8. AI-Specific Privacy Considerations

How AI processes your data. When you interact with our AI assistant, your messages are sent to xAI's Grok language models for processing. xAI processes your input to generate responses in accordance with our data processing agreement with them.

Voice data. When you use voice features, your speech is converted to text and processed by the AI. Text-to-speech responses are generated by xAI's voice synthesis. Voice personas (Eve, Ara, Rex, Sal, and Leo) are AI-generated voices, not recordings of real individuals.

Automated decision-making. Travelese uses AI to provide travel recommendations and search results. These are suggestions and do not constitute automated decision-making with legal or similarly significant effects. All booking decisions are made by you.

9. Privacy Rights and Choices

Depending on where you are located and subject to applicable legal exceptions, you may have certain rights in relation to your personal information.

Rights for all users. Regardless of your location, you have the right to:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate or incomplete personal data
• Deletion — request deletion of your personal data, subject to our legal retention obligations
• Data portability — request your data in a structured, machine-readable format
• Withdraw consent — withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing

Exercising your rights. To exercise any of these rights, contact us at hey@travelese.ai. We will respond within thirty (30) days, or within the timeframe required by applicable law. We may need to verify your identity before processing your request.

Please note that your personal information may be exempt from such requests in certain circumstances, for example if we need to retain it to comply with our legal obligations or to establish, exercise, or defend legal claims.

Do Not Track. Because there is no consistent industry standard for responding to "Do Not Track" signals, we do not alter our privacy practices when we detect such a signal from your browser.

10. Region-Specific Rights

European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in Europe, you additionally have the right to:

• Restrict processing — request that we limit how we use your data in certain circumstances
• Object to processing — object to processing based on legitimate interests, including profiling
• Lodge a complaint — file a complaint with your local data protection authority

Legal bases for processing. We process your data based on: (a) contractual necessity (to provide our services and fulfill bookings), (b) legitimate interests (to improve our services and ensure security), (c) consent (for optional features like voice input and analytics cookies), and (d) legal obligations (tax records, financial reporting).

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know — request disclosure of the categories and specific pieces of personal information we have collected
• Delete — request deletion of your personal information
• Opt out of sale — we do not sell your personal information
• Non-discrimination — we will not discriminate against you for exercising your privacy rights

Categories of personal information collected. Identifiers (name, email, IP address), commercial information (booking and payment records), internet activity (usage data, chat history), sensitive personal information (passport data, precise geolocation). We collect this data directly from you and through your use of our services.

11. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States, where our service providers operate. When we transfer data internationally, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, data processing agreements with our service providers, and the data protection measures described in this policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will publish an updated version and effective date on this page. Material changes will be communicated to registered users via email or in-app notification at least thirty (30) days before they take effect. Your continued use of Travelese after changes take effect constitutes acceptance of the updated policy. If you do not agree, you must stop using the platform.

13. How to Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

Email: hey@travelese.ai Website: travelese.ai