Your data, your control. Here's how we handle it.
Last updated: May 28, 2026
At PINYA, we take your privacy seriously. This Privacy Policy explains what personal data we collect, how we use it, with whom we share it and your rights regarding your information. By using our Service at pinyatravel.com, you agree to the collection and use of information in accordance with this policy. We also maintain an AI Transparency page with additional details about how AI processes your data.
Data controller. PINYA Travel LLC, a District of Columbia limited liability company, is the controller of personal data collected through pinyatravel.com. References to "PINYA," "we," "us," or "our" in this Privacy Policy refer to PINYA Travel LLC. Privacy-related correspondence: travel.sweeter@gmail.com.
When you create an account with PINYA, we collect information depending on your authentication method. If you sign in with Google OAuth, we receive your name, email address, and profile picture URL from your Google account, along with your Google account ID for authentication purposes only. We do not receive your Google password, contacts, calendar, or any other Google data. If you sign in with email and password (when available), we collect and securely store your email address and an encrypted version of your password. If you sign in with Apple ID or other social providers (when available), we collect similar basic profile information as permitted by those services.
You may voluntarily provide additional information including your display name, location and bio, a custom profile picture if you choose to upload one, and travel preferences. These preferences may include budget level, travel pace, accommodation type, interests, dining preference, travel motivations, favorite airlines, favorite hotels, dietary restrictions, accessibility needs, family-friendly settings, travel type, distance preference and any special requirements you choose to share. Profile pictures are stored in Supabase Storage and are visible on your profile and any community content you share.
When you use PINYA, we collect and store the trip details you create including destinations, dates, budgets and notes. We also store your saved destinations and wishlists, generated and saved itineraries and globe pin locations you set.
When you use our AI assistant, we temporarily process the messages you send to the PINYA AI chatbot, AI-generated responses and session context to provide relevant recommendations. Chat sessions are stored in memory during your active session and expire after 30 minutes of inactivity. We do not permanently store your chat conversations.
When you submit a concierge booking request, we collect your name, travel details, destination, travel dates and any special requests you include. This information is stored in our database and sent to us so we can assist with your booking. Priority status is determined by your subscription tier.
When you choose to share an itinerary with the PINYA community, certain data becomes publicly visible to other users. This includes the full itinerary content, your display name and your profile picture. You control whether to share each itinerary and can remove shared content at any time. Saved counts on your shared itineraries are also visible to other users.
When you search for destinations or venues within PINYA, your search queries are sent to the Google Places API for venue verification and location data. These queries are subject to Google's Privacy Policy. We do not store your raw search queries on our servers. Google may collect data about these requests as described in their privacy policy.
The Budget Calculator and Group Travel Expenses tools run entirely in your browser. No data from these tools is sent to or stored on our servers. All calculations happen locally on your device and are discarded when you leave the page.
We automatically collect certain technical information including browser type and version, device type, IP address for rate limiting and security purposes only, and pages visited and features used within the Service.
PINYA uses cookies and local storage technologies to enhance your experience. We use essential cookies to maintain your authentication session and remember your login status. We use functional cookies to remember your preferences such as theme settings and language preferences. We use personalization cookies to track your travel preferences, saved destinations and interests to provide personalized itinerary recommendations and content. We may use analytics cookies to understand how users interact with our Service so we can improve features and performance. You can control cookie settings through your browser, but disabling certain cookies may affect the functionality of personalized features.
| Data Category | Purpose |
|---|---|
| Account Information | Authentication, account management and communication |
| Travel Preferences | Personalizing itinerary suggestions and match scores |
| Trip & Destination Data | Storing your travel plans and powering planning tools |
| AI Chat Messages | Providing AI-powered travel recommendations |
| Concierge Booking Data | Fulfilling your booking requests and coordinating with travel providers |
| Community Shared Content | Displaying your shared itineraries to other PINYA users |
| Destination Search Queries | Verifying venues and retrieving location data via Google Places API |
| Technical Data | Security, rate limiting and improving performance |
PINYA uses Anthropic's Claude AI models to power our chat assistant and itinerary generator. When you use AI features, we send to Anthropic your chat messages, travel preferences when generating itineraries and destination context. We do not send to Anthropic your email address, Google account ID, payment information, or any personally identifying information beyond what is necessary for the AI response. Anthropic does not use API inputs to train their models. For more details, see Anthropic's Privacy Policy. Chat session data is stored in memory during your session and expires after 30 minutes of inactivity. For complete details about AI usage, see our AI Transparency page.
Your data is stored securely using industry-standard practices. Your primary database is Supabase (PostgreSQL) with Row Level Security (RLS), meaning your data is cryptographically isolated from other users. Profile pictures are stored in Supabase Storage. Client-side data such as JWT tokens and minimal session data is stored in your browser's localStorage. Your email address may be used to deliver itineraries and transactional notifications. All payment data is handled by Stripe and we never see or store your credit card information.
We want to be clear about what we do not collect. We never collect or store credit card numbers or financial account details (all payments are handled by Stripe), passwords from third-party authentication providers such as Google or Apple, real-time location tracking or GPS data, your contacts, phone numbers, or social media connection data, third-party advertising cookies or cross-site tracking technologies, or any data that is sold to advertisers or data brokers.
PINYA uses your travel preferences, saved destinations and activity history to provide personalized itinerary recommendations, destination suggestions and curated content tailored to your interests. When you share an itinerary with the community, the following becomes publicly visible to other PINYA users: the full itinerary content, your display name and your profile picture. Other users can save your shared itineraries, and the total save count is visible. You control what you share and can remove shared content at any time. We may send you personalized emails with travel recommendations based on your preferences if you have opted in to marketing communications in your notification settings.
We do not sell, rent or trade your personal data to third parties. We share data only with the following service providers who help us operate the Service: Anthropic (Claude AI) receives chat messages and preferences to provide AI responses and does not use this data for model training; Google Places API receives destination search queries for venue verification and location data; Supabase provides database hosting with data encrypted at rest; Stripe handles payment processing and is PCI-compliant; and our email provider delivers transactional emails such as itinerary delivery and notifications. We will never share your data with advertisers, data brokers or any other third parties for marketing purposes.
You have the right to access your data by viewing all your profile, preferences, trips and destinations in your account. You have the right to correct your data by editing any information through your profile page. You have the right to delete your data by deleting your account through Settings, which removes all of your data. You have the right to export your data by requesting a copy of your data by contacting our support team. You have the right to opt out of marketing emails through notification settings in your account.
We retain your data according to the following schedule. Active account data is retained while your account is active. Deleted account data is deleted within 30 days of account deletion. AI chat sessions expire after 30 minutes of inactivity and are not permanently stored. Server logs are retained for 90 days for security purposes. Anonymized analytics data may be retained indefinitely for product improvement.
We protect your data with multiple security measures including JWT-based authentication with 1-hour token expiry, Row Level Security (RLS) in the database ensuring users can only access their own data, HTTPS encryption for all data in transit, rate limiting to prevent abuse at 20 requests per minute for chat and 10 per minute for sensitive endpoints, input validation and sanitization on all API endpoints and regular security reviews and updates.
PINYA is not intended for users under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at travel.sweeter@gmail.com and we will take steps to remove that information from our systems.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR). Our legal basis for processing your personal data is your consent when you create an account and legitimate interest for service improvement and security purposes. Data may be transferred to the United States where our servers are hosted, and we take appropriate safeguards for international data transfers. You have additional rights under GDPR including data portability and the right to lodge a complaint with a supervisory authority in your jurisdiction.
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA). You have the right to know what personal information we collect and how we use it. You have the right to request deletion of your personal information. You have the right to opt out of the sale of personal information, though we do not sell personal information. You have the right to non-discrimination for exercising your CCPA rights. To exercise these rights, contact us at travel.sweeter@gmail.com.
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes via email to the address associated with your account or through a prominent notice within the Service. The "Last updated" date at the top of this policy will reflect the most recent revision. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
If you have any questions about this Privacy Policy, your personal data or wish to exercise your rights, please contact us at travel.sweeter@gmail.com.