Privacy Policy

Last updated: November 27, 2025

1. Introduction

Welcome to Kairo Travel. We respect your privacy and are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and applicable data protection laws.

This privacy policy explains how we collect, use, store, and protect your information when you use our mobile application. It also describes your rights regarding your personal data.

2. Information We Collect

We collect the following types of personal data:

2.1 Account Information (GDPR Art. 6(1)(b) - Contract Performance)

• Email address: For account creation and authentication
• Display name: For personalizing your experience
• Profile picture: Optional, if you choose to upload one
• Password: Encrypted and managed by Firebase Authentication

2.2 Travel Plans and Preferences (GDPR Art. 6(1)(b) - Contract Performance)

• Travel destinations and dates: For creating your itineraries
• Travel preferences: Interests, travel style, companion type
• Saved travel plans: Your created and saved itineraries
• Place collections: Places you've saved or bookmarked

2.3 AI Conversation Data (GDPR Art. 6(1)(a) - Consent)

• Chat conversations: Your messages with AI travel companions
• Planning requirements: Your inputs during trip planning
• AI query history: Your interactions with AI features

2.4 Location Data (GDPR Art. 6(1)(a) - Consent)

With your explicit permission, we collect location data on-demand to power our AI travel companion and provide personalized travel experiences.

When We Access Your Location:

• Opening the Explore tab: We fetch your current location once to show relevant nearby attractions and recommendations
• Chatting with AI: Each message includes your location so the AI can provide contextual, location-aware advice
• Creating community posts: Your location can be tagged to posts you share (optional)
• Completing trips: Location is recorded when you mark travel plans as complete for your travel history

How We Use Location:

• Accuracy: Balanced (not high-precision GPS) to conserve battery
• Temporary cache: Last known location is cached for up to 10 minutes to avoid repeated GPS requests
• No continuous tracking: We do NOT track your location continuously in the background
• No background tracking: Location is only accessed when you're actively using the app

You have full control: You can disable location permissions at any time through your device settings. Some features will be limited without location access, but the app remains fully functional.

2.5 Usage and Analytics Data (GDPR Art. 6(1)(f) - Legitimate Interests)

• Device information: Device type, OS version, app version
• Usage patterns: Features used, session duration, navigation paths
• Technical data: IP address, crash logs, error reports

2.6 Community and Social Features (GDPR Art. 6(1)(b) - Contract Performance)

• Posts and comments: Content you share publicly in the community
• Photos: Images you upload to posts (compressed and optimized for web viewing)
• Social connections: Users you follow and who follow you
• Likes and interactions: Your engagement with community content

3. How We Use Your Information

3.1 To Provide Our Services

• Generate personalized travel itineraries using AI technology
• Provide location-based recommendations for places to visit
• Enable AI companion chat features for travel assistance
• Save and manage your travel plans and collections
• Facilitate community sharing and social features

3.2 To Improve and Personalize Your Experience

• Use your saved travel preferences to provide relevant recommendations
• Remember your interests and travel style
• Analyze usage patterns to enhance app features
• Provide your conversation context to AI for more relevant responses

3.3 To Communicate With You

• Service updates: Important account and security notifications via email
• Customer support: Responses to your inquiries and support requests

4. Third-Party AI Service Providers

4.1 What Data is Shared With AI Providers

When you use AI-powered features (plan generation, chat companions), we share:

• Your travel destinations and dates
• Your travel preferences and interests
• Your chat messages and planning requirements
• Contextual information (time of day, location context)

This data is processed by third-party AI technology providers to generate personalized travel recommendations and itineraries.

4.2 International Data Transfers

Our AI service providers may process your data outside the UK/EU. We ensure appropriate safeguards are in place in accordance with GDPR requirements for international data transfers.

5. Other Third-Party Services

We use the following third-party services with appropriate data processing agreements (GDPR Art. 28):

5.1 Firebase (Google Cloud)

• Services: Authentication, database (Firestore), file storage, cloud functions
• Location: EU/US (Data Privacy Framework certified)
• Safeguards: Google Cloud Standard Contractual Clauses
• Data: All user account data, plans, messages, and uploaded files

5.2 RevenueCat

• Services: Subscription management and in-app purchase processing
• Location: US (SOC 2 Type II certified)
• Data: User IDs, subscription status, purchase transactions
• Privacy Policy: https://www.revenuecat.com/privacy

5.3 Google Places API

• Services: Place information, photos, and reviews
• Data: Search queries, location data
• Privacy Policy: https://policies.google.com/privacy

6. Data Storage and Security

6.1 Security Measures

We implement industry-standard security measures to protect your personal data:

• Encryption at rest: All data stored in Firebase Firestore is encrypted
• Encryption in transit: All data transfers use HTTPS/TLS encryption
• Authentication: Firebase Authentication with secure password hashing
• Access controls: Strict database rules limiting data access to authorized users only

6.2 Data Breach Notification

In the unlikely event of a data breach, we will notify affected users and the UK Information Commissioner's Office (ICO) within 72 hours as required by GDPR Art. 33.

7. Data Retention Periods

We retain your data only for as long as necessary to fulfill the purposes outlined in this policy:

7.1 Account Data

• Active accounts: Retained while your account is active
• Deleted accounts: Permanently deleted promptly following your request

7.2 Behavioral and Analytics Data

• AI conversation history: Retained temporarily and deleted when no longer needed for service improvement
• Planning requirements: Retained temporarily and deleted when no longer needed for service improvement
• Usage analytics: Retained for service improvement purposes, then anonymized
• Technical logs: Retained briefly for debugging purposes, then deleted

7.3 Travel Plans and Collections

• Saved plans: Retained until you delete them
• Shared content: Anonymized (not deleted) when account is deleted to preserve community value

7.4 Legal Records

• Financial records: Up to 7 years (UK legal requirements)
• Legal disputes: As required to comply with legal obligations

8. Your Rights Under GDPR

Under the UK GDPR, you have the following rights regarding your personal data:

8.1 Right to Access (GDPR Art. 15)

You can access all your personal data through the app or by contacting us for a complete data export.

8.2 Right to Rectification (GDPR Art. 16)

You can update your account information, profile, and preferences at any time in app settings.

8.3 Right to Erasure / "Right to be Forgotten" (GDPR Art. 17)

You can delete your account and all associated personal data through Settings → Account → Delete Account. This will:

• Permanently delete your account
• Delete all your travel plans and saved collections
• Delete all your AI conversation history
• Delete all your photos and uploaded files
• Anonymize (not delete) your public posts to preserve community discussions
• Remove all personally identifiable information

8.4 Right to Restriction of Processing (GDPR Art. 18)

You can restrict certain types of data processing by disabling location permissions in your device settings or by contacting us at support@traversepath.ai.

8.5 Right to Data Portability (GDPR Art. 20)

You can request a copy of your data in a structured, machine-readable format by contacting us at support@traversepath.ai.

8.6 Right to Object (GDPR Art. 21)

You can object to data processing based on legitimate interests. Contact us at support@traversepath.ai to exercise this right.

8.7 Right to Withdraw Consent

For processing based on consent (location tracking, AI processing, analytics), you can withdraw consent at any time through app settings or by contacting us.

8.8 Right to Lodge a Complaint (GDPR Art. 77)

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have violated your data protection rights:

• Website: https://ico.org.uk/make-a-complaint/
• Phone: 0303 123 1113
• Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

9. Automated Decision-Making and Profiling

We use AI to generate travel recommendations and itineraries. However:

• No binding decisions: AI-generated plans are suggestions only. You decide whether to save, use, or discard them.
• User control: You can choose to regenerate plans with different preferences or not use AI-generated suggestions at all.
• Personalization approach: We provide your saved preferences (travel style, interests) as context to AI providers when generating recommendations, allowing for more relevant suggestions.

We do not make automated decisions that produce legal effects or significantly affect you (GDPR Art. 22).

10. Children's Privacy

Our service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13.

If we become aware that a child under 13 has provided us with personal data, we will delete it immediately. If you believe a child has provided us with personal information, please contact us at support@traversepath.ai.

11. Cookies and Tracking Technologies

Our mobile app does not use traditional browser cookies. However, we use similar technologies:

• Local storage: For app preferences and cached data
• Device identifiers: For analytics and rate limiting
• Session tokens: For authentication

You can clear cached data through your device's app settings.

12. Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Art. 6):

13. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:

• We will update the "Last updated" date at the top of this policy
• We will notify you through the app or via email
• For material changes, we may request your renewed consent
• Your continued use of the app after changes constitutes acceptance of the updated policy

We encourage you to review this policy periodically.

14. Contact Us and Data Protection Rights Requests

If you have questions about this privacy policy or wish to exercise your data protection rights, please contact us:

When contacting us about data protection rights, please include:

• Your account email address
• The specific right you wish to exercise
• Any relevant details to help us process your request

15. Data Processing Register

In accordance with GDPR Art. 30, we maintain records of our processing activities. You can request a copy by contacting support@traversepath.ai.

16. Governing Law

This privacy policy is governed by the laws of the United Kingdom, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

---

This privacy policy complies with UK GDPR and follows industry best practices for AI-powered services.
Last reviewed: November 27, 2025