Privacy Policy

The data controller — the entity that determines the purposes and means of processing your personal data — is the operator of Travel DNA. For inquiries or to exercise your rights, contact us at email.travel.parser@gmail.com.

If you are located in the European Economic Area (EEA) and we have not designated a local EU representative, you may direct requests to us at the email above. We will respond to all data subject requests within 30 days as required by GDPR Article 12(3).

We collect and process the following categories of personal data:

• Account identifiers — your name, email address, and Google user ID, obtained at OAuth authentication.
• Gmail email content — sender, subject, date, and body of emails that match travel-related senders and keywords. This content is processed temporarily in memory during a scan and is never written to our database.
• Structured travel data — destination city names, travel dates, airline/hotel names, and booking categories derived from email content by automated extraction. This is the only email-derived data we store.
• OAuth tokens — Google access and refresh tokens, stored encrypted, used solely to query the Gmail API on your behalf.
• Technical data — IP address, browser type, and session data collected incidentally by our hosting infrastructure (Railway, Cloudflare).

We access Gmail under a read-only scope. We never write, compose, send, delete, or modify emails or any other Gmail data.

Under GDPR Article 13(1)(c), we are required to specify the lawful basis for each processing activity. The table below sets out each activity, its purpose, and its legal ground.

Where we rely on consent as the lawful basis, you have the right to withdraw that consent at any time (see Section 8). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

In accordance with Google’s Limited Use requirements, Gmail data is:

• Used only to provide you with your travel itinerary summary within the Service.
• Not used for advertising, credit assessment, or any purpose beyond the user-facing feature.
• Not sold to data brokers, information resellers, or any third party.
• Not transferred to third parties except as necessary to operate the Service (see Section 6).
• Not used to train, improve, or fine-tune any AI or machine learning model — including models operated by OpenRouter or its downstream providers.

During a scan, email content matching travel criteria is transmitted to OpenRouter — an AI inference routing service — which forwards it to a large language model (LLM) for automated extraction of structured travel details (destination, dates, booking type).

OpenRouter Zero Data Retention (ZDR) is enabled on our integration where supported, meaning prompts (which include email content) are not logged or retained by OpenRouter or its downstream model providers for training purposes. OpenRouter may route requests to various underlying model providers; their current list is available at openrouter.ai/models.

This automated processing does not constitute automated decision-making with legal or similarly significant effects on you within the meaning of GDPR Article 22. It produces only a personal travel summary for your own use; no profiling, scoring, or consequential decisions about you are made.

As a data controller, we engage the following data processors who process personal data on our behalf under data processing agreements (DPAs):

• OpenRouter, Inc. (United States) — AI inference routing. Email content is transmitted during scans. ZDR enabled. Privacy policy: openrouter.ai/privacy.
• Railway Corp. (United States) — backend API hosting and database. Stores structured travel data and encrypted OAuth tokens. Privacy policy: railway.app/legal/privacy.
• Cloudflare, Inc. (United States) — frontend CDN and hosting. Processes technical data (IP, headers) incidentally. No personal data stored. Privacy policy: cloudflare.com/privacypolicy.
• Google LLC (United States) — OAuth authentication and Gmail API. Google acts as a separate data controller for your Google Account data under its own Privacy Policy.

We do not sell, rent, or share your personal data with any other third party for their own purposes.

Our infrastructure is operated in the United States. If you are located in the EEA, United Kingdom, or Switzerland, your personal data is transferred to a country that may not provide the same level of data protection as your home jurisdiction.

These transfers are safeguarded by the European Commission’s Standard Contractual Clauses (SCCs) (Commission Decision 2021/914), which our processors — including Cloudflare, Railway, and OpenRouter — have implemented in their DPAs. Where applicable, processors certified under the EU-US Data Privacy Framework (adequacy decision of July 2023) provide an additional legal transfer mechanism.

• Raw email content — never stored; processed in memory during extraction only and discarded immediately afterwards.
• Structured travel data — retained for as long as your account is active, or until you request deletion.
• OAuth tokens — retained until you revoke access via Google or delete your account.
• Server access logs — retained for up to 30 days for security and debugging, then automatically deleted.
• Account identifiers (name, email, Google user ID) — retained until account deletion.

If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of Access (Art. 15) — Request a copy of all personal data we hold about you.
• Right to Rectification (Art. 16) — Request correction of inaccurate or incomplete personal data.
• Right to Erasure / “Right to be Forgotten” (Art. 17) — Request deletion of your personal data. We will delete all stored data within 30 days of a verified request.
• Right to Restriction of Processing (Art. 18) — Request that we limit how we use your data in certain circumstances.
• Right to Data Portability (Art. 20) — Receive your stored travel data in a structured, machine-readable format (JSON).
• Right to Object (Art. 21) — Object to processing based on legitimate interests.
• Right to Withdraw Consent (Art. 7(3)) — Withdraw consent at any time without affecting prior lawful processing. You can withdraw Gmail access immediately at myaccount.google.com/permissions. To delete stored data, email us at email.travel.parser@gmail.com.

To exercise any of these rights, email email.travel.parser@gmail.com. We will respond within 30 days. We may ask you to verify your identity before processing the request.

You also have the right to lodge a complaint with your national supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:

• Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete — Request deletion of your personal information.
• Right to Correct — Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing — We do not sell personal information and do not share it for cross-context behavioral advertising. No opt-out link is required, but we acknowledge Global Privacy Control (GPC) signals.
• Right to Limit Use of Sensitive Personal Information — Email content (temporarily processed) may constitute sensitive personal information. We do not use it beyond the Service’s core function.
• Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email email.travel.parser@gmail.com. We will respond within 45 days (extendable to 90 days with notice). You may designate an authorized agent to make requests on your behalf.

Categories of personal information collected (CCPA statutory categories): Identifiers; Internet or electronic network activity information; Geolocation data (travel destinations); Inferences drawn from personal information (structured travel profile).

Source: Directly from you via Google OAuth and your Gmail account.

Business purpose for collection: To provide you with a personal travel itinerary summary derived from your booking confirmation emails.

We use only strictly necessary cookies required to operate the Service:

• Session cookie — maintains your authenticated session with our backend. Duration: session (expires when you close your browser or after 7 days of inactivity). Set by: email-discoverer.up.railway.app.
• Theme preference — stores your light/dark mode preference in localStorage (not a cookie; no network transmission). Duration: persistent until cleared.

We do not use analytics, advertising, or tracking cookies. We do not use third-party tracking scripts. Cloudflare may process your IP address and headers as part of its CDN function; see Cloudflare’s privacy policy.

The Service is not directed to children under the age of 13 (or under 16 in EEA member states where the higher age applies under GDPR Article 8). We do not knowingly collect personal data from children below these ages. If you believe a child has provided us with personal data, contact us at email.travel.parser@gmail.com and we will delete it promptly.

We implement appropriate technical and organisational measures (GDPR Art. 32) to protect your personal data:

• All data in transit is encrypted using TLS 1.2 or higher (HTTPS).
• OAuth tokens are encrypted at rest in our database.
• Raw email content is never written to disk or database storage.
• Access to production systems is restricted by role-based access controls.
• We use OpenRouter’s Zero Data Retention configuration to prevent prompt logging by AI providers.

No method of transmission or storage is 100% secure. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours where required by GDPR Article 33.

We will notify you of material changes to this policy by email (at the address associated with your Google account) at least 30 days before changes take effect. Where changes affect consent-based processing, we will seek fresh consent before the new processing begins.

For non-material changes (e.g., clarifications, corrected links), updating the “Last updated” date at the top of this page constitutes sufficient notice.

For any privacy questions, data subject requests, or to report a concern, email our privacy team at email.travel.parser@gmail.com.

We will acknowledge your request within 5 business days and resolve it within 30 days (GDPR) or 45 days (CCPA).