Privacy Policy

Last updated: October 14, 2025

1. Introduction

KorVoya ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our travel planning service.

This policy complies with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA).

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, preferred name, email address, password (if you create an account)
  • Trip Details: Destination, travel dates, group size, interests, budget, special requirements
  • Voting Information: Email address and preferred name for group voting features
  • Payment Information: Processed securely through Stripe (we never store full payment card details)

2.2 Automatically Collected Information

  • Usage Data: Pages visited, features used, time spent on the Service
  • Device Information: IP address, browser type, operating system, device identifiers
  • Cookies: Session cookies, preference cookies (see our Cookie Policy for details)

3. How We Use Your Information

We use your information to:

  • Provide Services: Generate AI-powered itineraries, manage group voting, process payments
  • Communications: Send itinerary notifications, voting updates, service announcements via MailerSend
  • AI Processing: Submit trip preferences to OpenAI for intelligent itinerary generation
  • Improvements: Analyze usage patterns to enhance the Service
  • Legal Compliance: Comply with applicable laws and regulations
  • Security: Prevent fraud, abuse, and unauthorized access

4. Third-Party Service Providers

We share your information with trusted third-party providers:

4.1 OpenAI (AI Processing)

Your trip preferences (destination, dates, interests, budget) are sent to OpenAI to generate personalized itineraries. OpenAI processes this data according to their Privacy Policy.

4.2 Stripe (Payment Processing)

Payment information for Premium and Concierge tiers is processed by Stripe. We do not store full payment card details. Stripe's data handling is governed by their Privacy Policy.

4.3 MailerSend (Email Communications)

We use MailerSend to send itinerary notifications and group voting updates. Your email address and name are shared with MailerSend for this purpose. See MailerSend's Privacy Policy.

5. Data Retention

We retain your information for as long as necessary to provide the Service and comply with legal obligations:

  • Account Data: Retained while your account is active, plus 1 year after closure
  • Trip Data: Retained for 3 years from trip creation for service improvement
  • Payment Records: Retained for 7 years for tax and accounting purposes
  • Anonymous Analytics: May be retained indefinitely in aggregated form

6. Your Rights (GDPR/CCPA)

You have the following rights regarding your personal data:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request limitation of data processing
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing of your data
  • Withdraw Consent: Withdraw consent for data processing (where applicable)
  • Opt-Out (CCPA): California residents can opt-out of data "sales" (we do not sell data)

To exercise these rights, contact us at privacy@korvoya.com. We will respond within 30 days (GDPR) or 45 days (CCPA).

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • HTTPS encryption for data in transit
  • Encrypted password storage using industry-standard hashing
  • Secure payment processing through PCI-DSS compliant Stripe
  • Regular security audits and updates
  • Access controls and authentication for admin systems

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

8. International Data Transfers

Your data may be transferred to and processed in countries outside the UK/EU, including the United States (where OpenAI and Stripe are based). We ensure appropriate safeguards are in place through:

  • Standard Contractual Clauses (SCCs) with third-party processors
  • Adequacy decisions by the UK/EU for certain jurisdictions
  • Data Processing Agreements (DPAs) with service providers

9. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware of such collection, we will delete the information immediately.

10. Cookies and Tracking

We use cookies and similar tracking technologies. For detailed information, please see our Cookie Policy.

11. Changes to Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the Service after changes constitutes acceptance.

12. Contact & Complaints

For privacy-related questions or concerns, contact us at:

Email: privacy@korvoya.com
Data Protection Officer: dpo@korvoya.com
Address: KorVoya Ltd, London, United Kingdom

You also have the right to lodge a complaint with your local data protection authority:

  • UK: Information Commissioner's Office (ICO) - ico.org.uk
  • EU: Your national data protection authority
  • California: California Attorney General - oag.ca.gov/privacy/ccpa
Back to Home