Privacy Policy
Your data, your control. Here's how we handle it.
Last updated: February 5, 2026
At PINYA, we take your privacy seriously. This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, and your rights regarding your information. By using our Service at pinyatravel.com, you agree to the collection and use of information in accordance with this policy. We also maintain an AI Transparency page with additional details about how AI processes your data.
1. Information We Collect
1.1 Account Information
When you create an account with PINYA, we collect information depending on your authentication method. If you sign in with Google OAuth, we receive your name, email address, and profile picture URL from your Google account, along with your Google account ID for authentication purposes only. We do not receive your Google password, contacts, calendar, or any other Google data. If you sign in with email and password (when available), we collect and securely store your email address and an encrypted version of your password. If you sign in with Apple ID or other social providers (when available), we collect similar basic profile information as permitted by those services.
1.2 Profile Information You Provide
You may voluntarily provide additional information including your display name, location, and bio, a custom profile picture if you choose to upload one, and travel preferences such as budget level, interests, accommodation type, favorite airlines and hotels, and travel style.
1.3 Travel Data You Create
When you use PINYA, we collect and store the trip details you create including destinations, dates, budgets, and notes, your saved destinations and wishlists, generated and saved itineraries, and globe pin locations you set.
1.4 AI Chat Data
When you use our AI assistant, we temporarily process the messages you send to the PINYA AI chatbot, AI-generated responses, and session context to provide relevant recommendations. Chat sessions are stored in memory during your active session and expire after 30 minutes of inactivity. We do not permanently store your chat conversations.
1.5 Technical Data Collected Automatically
We automatically collect certain technical information including browser type and version, device type, IP address for rate limiting and security purposes only, and pages visited and features used within the Service.
1.6 Cookies and Local Storage
PINYA uses cookies and local storage technologies to enhance your experience. We use essential cookies to maintain your authentication session and remember your login status. We use functional cookies to remember your preferences such as theme settings and language preferences. We use personalization cookies to track your travel preferences, saved destinations, and interests to provide personalized itinerary recommendations and content. We may use analytics cookies to understand how users interact with our Service so we can improve features and performance. You can control cookie settings through your browser, but disabling certain cookies may affect the functionality of personalized features.
2. How We Use Your Data
| Data Category | Purpose |
|---|---|
| Account Information | Authentication, account management, and communication |
| Travel Preferences | Personalizing itinerary suggestions and match scores |
| Trip & Destination Data | Storing your travel plans and powering planning tools |
| AI Chat Messages | Providing AI-powered travel recommendations |
| Technical Data | Security, rate limiting, and improving performance |
3. How AI Processes Your Data
PINYA uses Anthropic's Claude AI models to power our chat assistant and itinerary generator. When you use AI features, we send to Anthropic your chat messages, travel preferences when generating itineraries, and destination context. We do not send to Anthropic your email address, Google account ID, payment information, or any personally identifying information beyond what is necessary for the AI response. Anthropic does not use API inputs to train their models. For more details, see Anthropic's Privacy Policy. Chat session data is stored in memory during your session and expires after 30 minutes of inactivity. For complete details about AI usage, see our AI Transparency page.
4. Where We Store Your Data
Your data is stored securely using industry-standard practices. The primary database is Supabase (PostgreSQL) with Row Level Security (RLS), meaning your data is cryptographically isolated from other users. Profile pictures are stored in Supabase Storage. Client-side data such as JWT tokens and minimal session data is stored in your browser's localStorage. All payment data is handled by Stripe and we never see or store your credit card information.
5. Data We Never Collect or Store
We want to be clear about what we do not collect. We never collect or store credit card numbers or financial account details (all payments are handled by Stripe), passwords from third-party authentication providers such as Google or Apple, real-time location tracking or GPS data, your contacts, phone numbers, or social media connection data, third-party advertising cookies or cross-site tracking technologies, or any data that is sold to advertisers or data brokers.
6. Personalized Recommendations and Content Sharing
PINYA uses your travel preferences, saved destinations, and activity history to provide personalized itinerary recommendations, destination suggestions, and curated content tailored to your interests. When you use features like "Share Itinerary" or publish an itinerary publicly, the shared content becomes accessible to other users or via a public link. You control what you share and can delete shared content at any time. We may send you personalized emails with travel recommendations based on your preferences if you have opted in to marketing communications in your notification settings.
7. Data Sharing with Third Parties
We do not sell, rent, or trade your personal data to third parties. We share data only with the following service providers who help us operate the Service: Anthropic (Claude AI) receives chat messages and preferences to provide AI responses and does not use this data for model training; Supabase provides database hosting with data encrypted at rest; Stripe handles payment processing and is PCI-compliant; and our email provider delivers transactional emails such as itinerary delivery and notifications. We will never share your data with advertisers, data brokers, or any other third parties for marketing purposes.
8. Your Rights
You have the right to access your data by viewing all your profile, preferences, trips, and destinations in your account. You have the right to correct your data by editing any information through your profile page. You have the right to delete your data by deleting your account through Settings, which removes all of your data. You have the right to export your data by contacting our support team to request a copy. You have the right to opt out of marketing emails through notification settings in your account.
9. Data Retention
We retain your data according to the following schedule. Active account data is retained while your account is active. Data from deleted accounts is removed within 30 days of account deletion. AI chat sessions expire after 30 minutes of inactivity and are not permanently stored. Server logs are retained for 90 days for security purposes. Anonymized analytics data may be retained indefinitely for product improvement.
10. Security
We protect your data with multiple security measures including JWT-based authentication with 1-hour token expiry, Row Level Security (RLS) in the database ensuring users can only access their own data, HTTPS encryption for all data in transit, rate limiting to prevent abuse at 20 requests per minute for chat and 10 per minute for sensitive endpoints, input validation and sanitization on all API endpoints, and regular security reviews and updates.
11. Children's Privacy
PINYA is not intended for users under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@pinyatravel.com and we will take steps to remove that information from our systems.
12. International Users (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR). Our legal basis for processing your personal data is your consent when you create an account and legitimate interest for service improvement and security purposes. Data may be transferred to the United States where our servers are hosted, and we take appropriate safeguards for international data transfers. You have additional rights under GDPR including data portability and the right to lodge a complaint with a supervisory authority in your jurisdiction.
13. California Privacy Rights (CCPA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA). You have the right to know what personal information we collect and how we use it. You have the right to request deletion of your personal information. You have the right to opt out of the sale of personal information, though we do not sell personal information. You have the right to non-discrimination for exercising your CCPA rights. To exercise these rights, contact us at privacy@pinyatravel.com.
14. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes via email to the address associated with your account or through a prominent notice within the Service. The "Last updated" date at the top of this policy will reflect the most recent revision. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
15. Contact Us
If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us at privacy@pinyatravel.com.