Privacy Policy

Last updated: April 13, 2026

This Privacy Policy describes what data the WaysToTravel web service ("Service") collects, why it is used, and with whom it may be shared. It is written in plain language and does not replace professional legal advice.

1. Who is responsible

The operator of personal data for the Service is the person or organisation that publishes the Service on the Internet and provides a contact point for users (see "Contact").

2. Data we process

  • Account: email address, name, profile image (if you sign in with Google), and optionally a password if you register with email.
  • Google sign-in: Google account identifier, access tokens and granted OAuth scopes needed for authentication and requested features.
  • YouTube (read-only): connecting YouTube is a separate action in your account settings ("Profile → Connections"), not part of the sign-in flow. If you grant permission, we may receive limited information related to your YouTube account to improve personalization and video suggestions. We do not post content on your behalf or manage your channel. You can revoke this connection at any time from the same settings page.
  • Preferences and activity: travel-style settings (including slider preferences), interest tags, saved and liked places, destination search parameters, companion-related data you choose to share, reviews and feedback, and technical logs needed for recommendations.
  • Content you type: for example, free-text trip wishes. This content is used to generate recommendations and may be sent to AI providers (see below).

3. AI and recommendations

The Service may call external AI model providers (e.g. OpenAI or similar) to suggest destinations, tags, explanations and search hints. Requests may include preferences and search context. Output is informational only and is not a contract or professional travel advice.

4. Analytics

We may use analytics and performance tools (e.g. Vercel Analytics, Vercel Speed Insights) and send aggregated or pseudonymous usage events (e.g. onboarding completed, place saved) to improve the Service.

5. Cookies and session

We use cookies and similar technologies for sign-in sessions (e.g. NextAuth.js), CSRF protection, and language preferences. You can restrict cookies in your browser; some features may stop working.

6. Storage and security

Data is stored on secured servers (including a PostgreSQL database at our hosting provider). We use common safeguards (HTTPS, access control), but no online service is perfectly secure.

7. Sharing

Data may be processed by:

  • Google — sign-in, OAuth, YouTube API (per your consent in Google's UI);
  • AI providers — to generate recommendations;
  • hosting/infrastructure (e.g. Vercel) — to run the Service;
  • map/video/event providers — as needed to show content.

We do not sell your personal data.

8. Retention

We keep data while your account exists and we need it for the purposes above, or as required by law. You may request deletion — see "Your rights".

9. Your rights

Depending on your region you may have rights to access, rectify, erase, restrict, object or export data. Contact us using the details below; we will respond within a reasonable time.

10. Children

The Service is not directed at children under 16 (or the age required in your jurisdiction). Contact us if you believe we have collected a child's data without appropriate consent.

11. Changes

We may update this policy. The current version is always on this page; the "Last updated" date is shown at the top.

12. Contact

For privacy questions, set the environment variable NEXT_PUBLIC_LEGAL_CONTACT_EMAIL in your deployment — it will be shown here. Until then, use the contact published on your OAuth consent screen or app store listing.

This text is based on common open templates and the Service's actual features; it is not legal advice. Have it reviewed by a lawyer if you need binding compliance.