Privacy Policy
Last updated: April 2026
1. Data controller
DIYTravel is operated by [Your Trading Entity]. For data-related enquiries, contact us at privacy@diytravel.co.uk.
2. What we collect & why
We collect only the data necessary to provide our service. We do not sell your data to third parties.
| Data | Legal basis | Purpose |
|---|---|---|
| Email address | Contractual necessity | Account & communication |
| Trip preferences & itinerary data | Contractual necessity | Core service delivery |
| Google OAuth profile (name, avatar) | Consent | Account creation & display |
| Affiliate click data (hashed IP, timestamp, partner) | Legitimate interest | Revenue attribution |
| Payment data | Contractual necessity | Processed by Stripe (we do not store card details) |
3. Third-party processors
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | EU |
| Stripe | Payment processing | US / EU |
| OAuth sign-in | US | |
| Anthropic | AI itinerary generation (Premium only) | US |
| Vercel | Hosting & CDN | US / EU |
When you use AI features, your trip preferences are sent to Anthropic for processing. No personally identifiable information beyond trip content is shared.
4. Data retention
- Account data: kept while your account is active.
- Account deletion: personal data removed within 30 days of request.
- Affiliate click logs: retained 24 months, then purged.
- Hashed IPs: one-way hash, cannot be reversed to identify you.
- Backups: may persist up to 30 days after deletion.
5. Cookies
We currently use only strictly necessary cookies for authentication (Supabase session tokens). We do not use marketing, analytics, or advertising cookies.
If we introduce non-essential cookies in the future, we will implement appropriate consent mechanisms before doing so.
6. Data security
We take appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS), secure authentication, and access controls. No system is completely secure, and we cannot guarantee absolute security.
7. Collaboration & sharing
- When you share a trip, collaborators see your display name, avatar, and trip content.
- Public share links make trip content visible to anyone with the URL.
- Removing a collaborator revokes their access.
- You control what you share — do not include sensitive personal information in trip notes.
8. International transfers
Your data may be processed in the US (Supabase, Vercel, Anthropic, Stripe). These transfers are covered by appropriate safeguards including standard contractual clauses.
9. Your rights (UK GDPR)
You have the right to: access, rectification, erasure, restriction, portability, and objection. Contact privacy@diytravel.co.uk and we will respond within 30 days.
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
10. Children
DIYTravel is not directed at anyone under 16. We do not knowingly collect data from children.
11. Changes to this policy
We will update the “last updated” date when this policy changes. Material changes will be notified by email.