Privacy Policy
Last updated · 2026-04-26
This document explains what data TravelM8 collects, why, who else touches it, and how to delete or export it. We've written it in plain language. A legal version may follow before public launch.
1. Who we are
TravelM8 ("we", "us") is a travel planning tool operated from the Netherlands. Contact: hello@thetravelm8.com.
2. What we collect
Only what the service needs to function:
- Email address — for magic-link sign-in. Stored in Supabase auth.
- Trip data — the trips you save: destination, dates, traveler counts, style. Stored in our database.
- Preferences — the defaults you set on /profile (origin city, travel style, dietary, accessibility, sustainability).
- An anonymous-trip cookie (tm8_anon_trip) — stores the destination slug of your first trip if you haven't signed up yet. Used to gate at the second destination per our free-tier model.
- A consent cookie (tm8_cookie_consent) — reserved for future opt-in tracking. No third-party attribution scripts run on this site at the moment, so the value is currently unused; the cookie is kept so the banner state survives across visits if/when we add an opt-in tracker.
- Authentication cookies (sb-*) — Supabase session cookies, HttpOnly + Secure + SameSite=Lax.
- Email-funnel state — for each trip you save, we keep a record of which automated emails we sent (post-trip feedback at T+3, packing reminder at T-3, visa nudge at T-90 when applicable, retro at T+30) so you don't get duplicates. Your feedback ratings are stored against the trip if you submit the survey.
- Special-occasion dates (optional) — birthday and/or anniversary, both opt-in via /profile. Stored as plain dates and used only to fire one short annual email per occasion with three trip ideas. Leave blank to skip; the unsubscribe link in any email also stops these.
- Marketing-emails preference — a single boolean on your profile, plus a per-account opaque unsubscribe token used by the one-click unsubscribe link. Toggling it off stops the post-trip and pre-trip emails immediately; sign-in magic-links and billing receipts always send regardless.
What we don't collect: your real name, phone number, address, payment info (Premium will use Stripe when launched — we never see card numbers), location, browser fingerprints, advertising IDs.
3. Why we collect it
- Email → identify you across sessions, send the sign-in link.
- Trip data → so you can save and revisit trips.
- Preferences → so the planner doesn't ask twice.
- Special-occasion dates → fire one short yearly email per occasion (birthday or anniversary). That's the only use; we don't derive age, share them with anyone, or surface them anywhere in the UI outside your own /profile.
- Cookies → make the free-tier gating + auth + optional attribution actually work.
We do not use your data for advertising, profiling, or anything outside what's necessary to run the service.
4. Third parties who touch your data
The minimum needed to run the product. Each is a separate data processor under GDPR.
- Supabase (EU region, standard contractual clauses) — database + authentication
- Resend — sends two kinds of email on our behalf: transactional (magic-link sign-in, billing receipts) and marketing (the post-trip feedback survey at T+3, the pre-trip packing reminder at T-3, the visa nudge at T-90 when applicable, and the +30-day retro). The marketing strand respects a one-click unsubscribe link in every footer; transactional emails always send.
- Vercel — hosts the website (US + EU edge)
- Cloudflare — DNS + inbound email routing (forwards hello@ to our team mailbox)
We do not sell your data. We do not share it with any party not on this list.
5. Retention
- While your account is active — we keep your profile + saved trips.
- If you delete your account — data is soft-deleted for 30 days (recoverable), then permanently removed. Use /profile → Delete my account.
- If your account is inactive 24 months — we email you a warning at month 21; if no response by month 24, we soft-delete + purge.
- Anonymous preview trips — never persisted server-side. They live in URL params + a single cookie.
6. Your rights (GDPR)
You can:
- Access / Export — download all your data as JSON via /profile → Export my data
- Erasure — delete everything via /profile → Delete my account
- Rectification — edit any preference on /profile; edit/delete trips on /trips
- Portability — same as Export (machine-readable JSON)
- Withdraw cookie consent — clear your browser cookies; the consent banner will reappear on next visit
- Lodge a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl)
7. Security
All data in transit uses HTTPS. Supabase stores data encrypted at rest (AES-256). Session cookies are HttpOnly + Secure + SameSite=Lax. We currently load no third-party tracking or attribution scripts.
If you discover a security issue, please email hello@thetravelm8.com rather than filing it publicly. We aim to respond within 48 hours.
8. Changes
We'll update this page when our practices change. The "Last updated" date at the top reflects the most recent change. For material changes (new third parties, new data categories), we'll email signed-in users.
9. Questions
Email hello@thetravelm8.com — we read every message.