Privacy Policy
What we collect, how we use it, and your rights.
Last updated: 2026-04-22 — DRAFT pending legal review
1. Who is responsible for your data
TravintSecurity ("we", "us") is the controller of the personal data collected via this Service. For GDPR purposes, you can reach our privacy lead at privacy@travintsecurity.com. Our EU representative (if/when required) will be listed on this page before any commercial EU launch.
2. What we collect
2.1 Account data (required)
- Email address (used to sign you in and for essential service notifications)
- Password hash (we never see your plaintext password)
- Subscription tier and billing metadata
2.2 Product usage (only with consent)
If you accept the analytics cookie banner, we collect aggregated product-usage data via self-hosted PostHog:
- Which pages and countries you view
- Which features you interact with
- Performance and error telemetry to catch bugs
We do not use third-party ad trackers. No Google Analytics, no Facebook Pixel, no cross-site retargeting. If you decline the analytics cookie, none of the above is recorded.
2.3 Flag submissions (when you use them)
If you flag a scoring error or missing event via the in-product flag form, we store your submission (comment, category, evidence URL, and a hashed short identifier of your IP address for abuse prevention). If you provide your email in the flag form for follow-up, we retain it with the flag.
2.4 What we don't collect
- Your physical location (we never request GPS)
- Your travel itineraries (we don't ask and don't know where you're going)
- Contact lists or device identifiers
3. Why we use your data
- To operate the Service: sign you in, gate paid content, bill you accurately.
- To improve the Service: understand which countries and features are used most, identify bugs.
- To respond to you: handle flags, support requests, legal notices.
- To meet legal obligations: tax records, anti-fraud compliance.
4. Our legal bases (GDPR)
- Contract — account and subscription data (you can't use the paid Service without it).
- Consent — analytics cookies (you can withdraw at any time via the banner).
- Legitimate interest — security logs, fraud prevention, service health.
- Legal obligation — tax and accounting records.
5. How long we keep your data
- Account data: for the duration of your subscription, plus 6 months after cancellation (to handle disputes). After that, deleted or anonymised.
- Analytics data: aggregated events retained 18 months, then purged. Raw session-level data retained 90 days.
- Flag submissions: 2 years (for audit and pattern analysis). After that, anonymised.
- Billing records: 7 years (tax requirement).
6. Who we share data with
We use a small number of subprocessors, listed here and updated when material changes occur:
- Supabase — authentication and primary database (EU region / US region — to be confirmed in final deployment)
- Vercel — application hosting and CDN
- Stripe or equivalent — subscription billing (we never see your full card number)
- Resend — transactional email (sign-up confirmations, password resets, billing receipts)
- PostHog (self-hosted) — product analytics, only if you consent
We do not sell or rent your personal data. We do not share data with advertisers, data brokers, or third parties for their own marketing.
7. Language model providers
TravintSecurity's backend uses language models from Anthropic (Claude), OpenAI (GPT-4.1), and Google (Gemini / Vertex AI) to generate threat assessments and support product workflows.
What we DO NOT send to model providers: your email, password, IP address, subscription / billing status, payment method, or any account metadata.
What CAN be sent to model providers:
- Flag submissions: the text of your flag comment and any evidence URL you include are sent to Google Gemini (“Flash Lite” variant) for a quick pre-screen that classifies the submission as legitimate / spam / duplicate / unclear before a human reviews it. This filter is what prevents low-quality or abusive flags from flooding our review queue. The flag text is not retained by the model provider for training (we use their no-retention endpoint).
- Public-source briefing material used to generate country assessments. This is general news and reference content, not anything specific to you.
If you prefer your flag not to be processed by an automated pre-screen, email the flag directly to flags@travintsecurity.com instead of using the in-product form. We will handle it manually.
8. Your rights (GDPR + CCPA)
You have the right to:
- Access the personal data we hold about you (email privacy@travintsecurity.com with the subject “Data access request”).
- Correct inaccurate data.
- Delete your account and associated data. We comply within 30 days barring legal obligations (e.g. tax records).
- Export your data in a portable format (JSON or CSV).
- Object to or restrict certain processing.
- Withdraw consent for analytics at any time via the cookie banner.
- Complain to a supervisory authority in your country (e.g. in the EU, your national Data Protection Authority).
9. International transfers
Some of our subprocessors (e.g. Vercel, Stripe, OpenAI) are US-based. We rely on Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable to ensure GDPR-equivalent protection during cross-border transfers.
10. Data security
We take reasonable measures to protect your data: TLS encryption in transit, encryption at rest via the underlying cloud providers, least-privilege access controls, secret rotation, and audit logging of admin actions. No system is perfectly secure — if we become aware of a breach affecting your data, we will notify affected users within 72 hours and comply with applicable breach-notification laws.
11. Children's data
The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, contact privacy@travintsecurity.com for immediate deletion.
12. Changes to this policy
We will update this policy from time to time. Material changes are notified in-product at least 14 days before they take effect. Non-material clarifications may be made without prior notice; the “last updated” date at the top of this page reflects the most recent revision.
13. Contact
Privacy requests and questions: privacy@travintsecurity.com
Data access / deletion: privacy@travintsecurity.com (subject: “Data request”)
Security incidents: security@travintsecurity.com
This document is a good-faith operator draft as of 2026-04-22. It will be reviewed and updated by qualified privacy counsel before any commercial launch.