Privacy Policy

TravelM8 ("we", "us") is a travel planning tool operated from the Netherlands. Contact: hello@thetravelm8.com.

Only what the service needs to function:

• Email address — for magic-link sign-in. Stored in Supabase auth.
• Trip data — the trips you save: destination, dates, traveler counts, style. Stored in our database.
• Preferences — the defaults you set on /profile (origin city, travel style, dietary, accessibility, sustainability).
• An anonymous-trip cookie (tm8_anon_trip) — stores the destination slug of your first trip if you haven't signed up yet. Used to gate at the second destination per our free-tier model.
• A consent cookie (tm8_cookie_consent) — your accept/decline choice for the Travelpayouts attribution pixel.
• Authentication cookies (sb-*) — Supabase session cookies, HttpOnly + Secure + SameSite=Lax.

What we don't collect: your real name, phone number, address, payment info (Premium will use Stripe when launched — we never see card numbers), location, browser fingerprints, advertising IDs.

• Email → identify you across sessions, send the sign-in link.
• Trip data → so you can save and revisit trips.
• Preferences→ so the planner doesn't ask twice.
• Cookies → make the free-tier gating + auth + optional attribution actually work.

We do not use your data for advertising, profiling, or anything outside what's necessary to run the service.

The minimum needed to run the product. Each is a separate data processor under GDPR.

• Supabase (EU region, standard contractual clauses) — database + authentication
• Resend — sends magic-link emails on our behalf
• Vercel — hosts the website (US + EU edge)
• Cloudflare — DNS + inbound email routing (forwards hello@ to our team mailbox)
• Travelpayouts (only if you accept the cookie banner) — affiliate-conversion attribution

We do not sell your data. We do not share it with any party not on this list.

• While your account is active — we keep your profile + saved trips.
• If you delete your account — data is soft-deleted for 30 days (recoverable), then permanently removed. Use /profile → Delete my account.
• If your account is inactive 24 months — we email you a warning at month 21; if no response by month 24, we soft-delete + purge.
• Anonymous preview trips — never persisted server-side. They live in URL params + a single cookie.

You can:

• Access / Export — download all your data as JSON via /profile → Export my data
• Erasure — delete everything via /profile → Delete my account
• Rectification — edit any preference on /profile; edit/delete trips on /trips
• Portability — same as Export (machine-readable JSON)
• Withdraw cookie consent — clear your browser cookies; the consent banner will reappear on next visit
• Lodge a complaint with the Dutch Data Protection Authority autoriteitpersoonsgegevens.nl

All data in transit uses HTTPS. Supabase stores data encrypted at rest (AES-256). Session cookies are HttpOnly + Secure + SameSite=Lax. The Travelpayouts attribution pixel only loads if you accept it.

If you discover a security issue, please email hello@thetravelm8.com rather than filing it publicly. We aim to respond within 48 hours.

We'll update this page when our practices change. The "Last updated" date at the top reflects the most recent change. For material changes (new third parties, new data categories), we'll email signed-in users.

Email hello@thetravelm8.com — we read every message.