Privacy policy

Effective · 24 April 2026
Last updated · 24 April 2026

1. Who we are

Veyago is a travel destination discovery app and website. This policy explains how Veyago Inc. ("Veyago", "we", "us") handles personal data when you use our mobile apps (iOS and Android) and our website at veyago.app (together, the "Service").

Data controller. Veyago Inc., a New York corporation with its operational headquarters in Belgium. Contact: hello@veyago.app.

Data protection contact. Until we appoint a formal Data Protection Officer, all privacy questions are handled directly by our CEO and founder, Cassian Drefke, at hello@veyago.app.

UK representative (Article 27 UK GDPR). If you are in the United Kingdom and wish to contact our UK representative, email hello@veyago.app with "UK Representative" in the subject line and we will route your request accordingly.

2. What we collect and why

Account information you give us. When you create an account we collect your email address, name, display name, and, optionally, a profile photo. We use this to identify you, secure your account, and let you sign in across devices.

Travel preferences you give us. To match you to destinations we collect your home city or airport (IATA code), vibe preferences, budget tier, trip-length preference, and travel style. You can edit or clear these any time in Settings.

Session and swipe data. As you use the Service we record your swipe events (right, left, up on destination cards), your bracket choices, your participation in group sessions, and invite codes you use. This is how the matching engine learns what you want.

Group session data. When you join a group session we record your session membership, round results, bracket outcomes, and the winning destination. Per-member budget inputs in group sessions are collected privately — other members never see them — and are deleted 30 days after the session ends.

Passport and nationality (per-session only). To filter destinations by visa requirements we ask for your passport country/nationality at the start of each session. We store this only for the duration of the session and for visa-filtering logic, and we delete it 30 days after the session ends. We do not keep it in your user profile.

Explorer Map and travel footprint (opt-in). If you turn on the Explorer Map we collect GPS location data and photo metadata you choose to import, and we store the countries and cities you've visited. These features are strictly opt-in, can be turned off at any time in Settings, and deleting the Explorer Map removes this data immediately.

Subscription and payment data. If you buy a premium subscription the payment is processed by Stripe, Apple App Store, or Google Play. Veyago never sees or stores your raw payment card data. We receive only your subscription tier (free or premium), start and end dates, and transaction identifiers needed for support and accounting.

Device data. We automatically collect device type, OS version, app version, and (if you allow notifications) your push notification token. We use this to deliver the app and the push notifications you've opted into, and to debug issues.

Analytics and crash data. We use PostHog (EU-hosted) to understand which features people use and Sentry to catch crashes. Event data includes page views, feature usage, and session starts. Crash reports include stack traces and device context.

Affiliate click data. When you click an outbound link to Booking.com, Skyscanner/Travelpayouts, or GetYourGuide, the URL carries a session ID and destination ID as parameters so we can attribute any resulting commission. See our Affiliate Disclosure.

What we do not collect. We do not collect special category data (health, religion, political opinions, biometrics, etc.). We do not track you across other apps or websites. We do not buy personal data from data brokers.

3. Legal bases (GDPR Article 6)

What we do | Legal basis
Create and manage your account; run matching and bracket logic; deliver group sessions | Contract performance (Art. 6(1)(b))
Send service emails (password resets, receipts, session invites) | Contract performance (Art. 6(1)(b))
Fraud prevention, abuse detection, keeping the Service secure | Legitimate interests (Art. 6(1)(f))
Product analytics via PostHog; marketing emails (if you opt in); Explorer Map; push notifications | Consent (Art. 6(1)(a)) — withdraw any time
Crash reporting via Sentry | Legitimate interests (Art. 6(1)(f))
Financial records, tax, accounting | Legal obligation (Art. 6(1)(c))
AI itinerary generation (if you use the feature) | Consent (Art. 6(1)(a))

You have the right to object to any processing based on legitimate interests — see Section 7.

4. Automated decisions and AI features

Under GDPR Article 22 you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We don't make any such decisions. Our recommendations are suggestions. You choose whether to act on them.

Our AI itinerary feature is an AI system within the meaning of the EU AI Act. Under Article 50, we confirm: content generated by the itinerary feature is produced by artificial intelligence (OpenAI GPT-4o). We display an AI indicator on generated content. Always verify time-sensitive details (opening hours, visa requirements, safety) from official sources.

5. Who we share your data with

We never sell your personal information. We don't share it with advertisers, data brokers, or third parties for their own marketing.

Vendor | What they do | Where they process | Safeguard
Supabase (on AWS) | Database, authentication, file storage | eu-west-1 (Ireland, EEA) | Intra-EEA — no transfer safeguard needed
OpenAI | AI itinerary generation (destination + anonymised preferences only) | United States | EU-US DPF (if certified) or SCCs + encryption
PostHog | Product analytics | EU Cloud | Intra-EEA
Sentry | Crash reporting | United States | SCCs + encryption
Stripe | Payment processing | EU / United States | DPF / SCCs; PCI DSS Level 1
Apple / Google | In-app purchases on iOS and Android | Global | Contractual safeguards under Apple / Google terms
Booking.com, Skyscanner / Travelpayouts, GetYourGuide | Affiliate partners (click referral only) | EU / Global | Partner-controller relationship; see Affiliate Disclosure
Resend | Transactional email delivery | EU / United States | SCCs
Mapbox | Map rendering (Explorer Map) | United States | SCCs
Cloudflare | CDN and DDoS protection | Global edge | SCCs; data processed at the edge

We may also disclose personal data where legally required (valid court orders, tax filings) or necessary to enforce our Terms of Service or protect users from harm. We disclose only what is necessary and push back on overbroad requests.

In the event of a merger, acquisition, or sale of assets, your data may transfer to the successor, which will be bound by this policy or give you notice and choice.

6. How long we keep your data

Data type | Retention
Account data (email, name, display name, profile photo) | For the life of your account; deleted within 60 days of account deletion
Travel preferences | Same as account data
Swipe events and session data | 2 years, then deleted or aggregated into non-identifiable statistics
Group session memberships and results | 2 years
Passport / nationality (per session) | 30 days after session ends, then deleted
Group session budget data (per session) | 30 days after session ends, then deleted
Explorer Map data (GPS, photo metadata, visited places) | Until you turn off Explorer Map or delete your account; deleted within 60 days
Subscription and transaction metadata | 7 years (Belgian and US tax/accounting obligations)
Analytics event data (PostHog) | 24 months
Crash reports (Sentry) | 90 days
Push notification token | Until device is unlinked or notifications are disabled
Affiliate click logs | 13 months (commission reconciliation window)
Support emails | 3 years from last contact

If you ask us to erase your data and we have a legal duty to keep some of it (for example, invoices), we'll keep only the minimum required and delete the rest.

7. Your rights

If you're in the EU, UK, EEA, or Switzerland, you have the following rights under GDPR and UK GDPR: access, rectification, erasure, restriction of processing, data portability, objection, not to be subject to solely automated decisions with legal or similarly significant effects, and to withdraw consent at any time.

How to exercise any right. Email hello@veyago.app from the address associated with your account, or use the in-app Settings menu for self-service export and deletion. We respond within one month.

Data portability format. We export your data as a machine-readable JSON file containing your account data, preferences, swipe history, and group session participation.

Right to lodge a complaint. You can complain to a data protection authority:

We'd rather fix a problem before you need to complain — email us first at hello@veyago.app.

8. International data transfers

Our primary backend (Supabase on AWS eu-west-1) and our analytics platform (PostHog EU cloud) are located in the EEA, so your data generally stays in Europe.

For vendors based in the United States (currently OpenAI, Sentry, Mapbox, and some Cloudflare edge processing), we rely on one of: the EU-US Data Privacy Framework where the vendor is actively self-certified (and, for UK data, the UK-US Data Bridge); otherwise, the European Commission's Standard Contractual Clauses (2021/914) combined with supplementary measures including encryption in transit (TLS 1.2+) and at rest (AES-256), access minimisation, and pseudonymisation where feasible.

You can request a copy of the relevant safeguards by emailing hello@veyago.app.

9. California privacy rights (CCPA / CPRA)

Categories of personal information collected in the last 12 months: (A) Identifiers; (F) Internet or electronic network activity; (G) Geolocation data (approximate via IP; precise only if you opt in to Explorer Map); (K) Inferences drawn from preferences to recommend destinations.

We do not sell or share your personal information within the meaning of the CCPA, and we have not done so in the preceding 12 months. We honour the Global Privacy Control (GPC) signal on our website as a valid opt-out of sale/sharing.

Your California rights: to know, to delete, to correct, to portability, to opt out of sale/sharing, to limit use of sensitive personal information, and to non-discrimination. Exercise them at hello@veyago.app. We respond within 45 days.

10. Other US state residents

If you are a resident of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Delaware, Iowa, Tennessee, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Indiana, Kentucky, or Rhode Island, you have substantially equivalent rights under your state's privacy law. Exercise them at hello@veyago.app.

11. Children

Veyago is for users aged 16 and older. We do not knowingly collect personal data from anyone under 16. If we learn we have, we delete it promptly. If you are a parent or guardian and believe your child has given us data, email hello@veyago.app.

12. Security

We encrypt data in transit (TLS 1.2+) and at rest (AES-256). We use Supabase Row Level Security on every database table. Authentication is via Supabase Auth with short-lived JWTs and refresh-token rotation. Full details at veyago.app/security.

13. Changes to this policy

When we make material changes we will notify you by email and through an in-app notice at least 14 days before they take effect. Minor clarifications are reflected in the "Last updated" date above.

14. Contact

Veyago Inc. — Belgium (operational HQ) / New York, USA (incorporated) — hello@veyago.app