Privacy Policy
Last updated: 13 June 2026
1. Data controller
DIYTravel is operated by Applit Ltd. For data-related enquiries, contact us at support@diytravel.io.
2. What we collect & why
We collect only the data necessary to provide our service. We do not sell your data to third parties.
| Data | Legal basis | Purpose |
|---|---|---|
| Email address | Contractual necessity | Account & communication |
| Trip preferences & itinerary data | Contractual necessity | Core service delivery |
| Google OAuth profile (name, avatar) | Consent | Account creation & display |
| Profile details (first/last name, travel interests) | Contractual necessity / consent | Personalisation & display |
| Location searches (place text you type when setting a day's base location) | Contractual necessity | Look up places via our maps provider (Mapbox) |
| Collaboration invitations (email of people you invite, including non-users) | Legitimate interest / contractual necessity | Send and manage trip invitations |
| Notification preferences | Contractual necessity | Respect your email choices |
| Support & problem reports (description, page URL, browser/device info, optional contact email) | Legitimate interest | Diagnose and fix issues you report |
| Affiliate click data (hashed IP, timestamp, partner) | Legitimate interest | Revenue attribution |
| AI chat messages (text you send to the AI Edit Assistant — capped at 1000 characters with basic redaction of obvious email addresses and phone numbers; AI responses are not stored) | Legitimate interest | Service improvement & identifying patterns in how users adapt our curated itineraries. Delete anytime via Settings → Account; auto-deleted after 180 days. |
| Payment data (subscriptions and one-time purchases such as the Trip Pass) | Contractual necessity | Processed by Stripe (we do not store card details) |
3. Third-party processors
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | EU |
| Stripe | Payment processing | US / EU |
| Google | OAuth sign-in | US |
| Anthropic | AI itinerary generation, destination comparison, match explanations, result reframing, day refinement, trip-health analysis, and packing recommendations (Premium only) | US |
| Mapbox | Place / location search (when you set a day's base location). Receives the search text you type and a search session token. | US |
| Resend | Transactional email delivery (welcome, invitations, reminders, digests). Receives the recipient email address and email content. | US |
| Vercel | Hosting & CDN | US / EU |
When you use Premium AI features, we may send trip preferences, optimiser answers, deterministic scoring signals, derived trip-health signals, and deterministic packing and cultural-prep cues to Anthropic for processing. We do not intentionally send account details such as your email address to Anthropic for these features, but trip content and free-text inputs you provide may contain personal information.
To reduce cost and latency, AI responses may be cached in our database and reused for identical or materially similar inputs. Cache keys use SHA-256 hashes of the relevant inputs where appropriate, and raw optimiser answers are not stored in the AI cache.
Anthropic states that, by default, inputs and outputs submitted through commercial products such as the Anthropic API are not used to train Anthropic's models.
4. Data retention
- Account data: kept while your account is active.
- Account deletion: personal data removed within 30 days of request.
- Affiliate click logs: retained 24 months, then purged.
- Hashed IPs: one-way hash, cannot be reversed to identify you.
- AI edit messages: raw text deleted after 180 days. Anonymous numeric metadata (edit counts, ops counts) retained indefinitely. You can delete your stored messages at any time from Settings → Account.
- Backups: may persist up to 30 days after deletion.
5. Cookies
We currently use only strictly necessary cookies for authentication (Supabase session tokens). We do not use marketing, analytics, or advertising cookies.
If we introduce non-essential cookies in the future, we will implement appropriate consent mechanisms before doing so.
6. Data security
We take appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS), secure authentication, and access controls. No system is completely secure, and we cannot guarantee absolute security.
7. Collaboration & sharing
- When you share a trip, collaborators see your display name, avatar, and trip content.
- Public share links make trip content visible to anyone with the URL.
- Removing a collaborator revokes their access.
- You control what you share — do not include sensitive personal information in trip notes.
8. International transfers
Your data may be processed in the US (Supabase, Vercel, Anthropic, Stripe, Mapbox, Resend). These transfers are covered by appropriate safeguards including standard contractual clauses.
9. Your rights (UK GDPR)
You have the right to: access, rectification, erasure, restriction, portability, and objection. Contact support@diytravel.io and we will respond within 30 days.
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
10. Children
DIYTravel is not directed at anyone under 16. We do not knowingly collect data from children.
11. Email communications
We send transactional service emails via Resend — for example a welcome email, trip-collaboration invitations, summaries of changes collaborators make to your trips, departure reminders, and trip-preparation prompts. To send these, your email address and the email content are shared with Resend.
You can manage which optional emails you receive in your account settings, and every digest or reminder email includes a one-click unsubscribe link. When you invite someone to collaborate on a trip, their email address is stored and shared with Resend so we can send the invitation. Some messages (such as invitations and essential account notices) are necessary to provide the service.
12. Changes to this policy
We will update the “last updated” date when this policy changes. Material changes will be notified by email.