Privacy Policy

Holaday helps you turn travel booking emails into organised trips. This policy explains what we collect, why, who processes it on our behalf, and the control you have. The short version: we only ever process the booking emails you choose to forward or upload — never the rest of your inbox — and you can delete everything, anytime.

Who we are

Holaday (“we”, “us”) is the data controller for the personal data described here. The operating entity is Holaday (legal entity to be confirmed). For any privacy question or request, contact privacy@holaday.app.

What we collect

• Account details — when you sign in with Google we receive your name, email address and profile photo. We do not receive your Google password.
• The booking emails you send us — the confirmations you forward to your import address or upload as files, and the trip details we extract from them (flights, stays, cars, reservations, dates, places and amounts).
• Trips you create, save or clone, the people you follow, and any notes or edits you add.
• Minimal product analytics — first-party events (e.g. “a landing page was viewed”, “an import started”) tied to an anonymous device id, so we can understand and improve the product. These carry no email content, prices, booking codes or names. We use no third-party advertising or tracking services.

How we use it

• To read your booking confirmations and file them into the right trip, automatically.
• To show, cost, time-line and map your trips, and to power optional AI trip planning.
• To run the optional Public Trips feature — if (and only if) you publish a trip, we show an anonymised version (places and a rough budget band, never your identity or exact prices) so others can discover and clone it.
• To keep the service secure, working and improving.

Automated processing & AI

To read a confirmation we can’t parse directly, and to generate AI trip plans you ask for, the relevant text is sent to Google’s Gemini API for extraction. We send only what’s needed for that task. Results may occasionally be imperfect, so always check important details against your original booking.

Who processes data for us (sub-processors)

• Supabase — our database, authentication and storage, hosted in the European Union.
• Google — Google sign-in (OAuth) and the Gemini API used for booking extraction and AI plans.
• Google Firebase App Hosting — runs the Holaday app (European region).
• ipwho.is — when you first sign in, we send your IP address to ipwho.is to estimate your country, so we can set your default currency and units. We do not store your IP address.

Your data is stored in the EU. Where a processor transfers data internationally, that transfer relies on appropriate safeguards (such as the European Commission’s standard contractual clauses).

Cookies

We use only the essential cookies needed to keep you signed in. We do not use advertising or cross-site tracking cookies.

Keeping & deleting your data

We keep your data for as long as your account is active. You are in control at any time from Settings:

• Delete email data — removes your imported emails and the data derived from them.
• Delete account — permanently removes your account and associated data.

You can also ask us to access, correct or export your personal data by emailing privacy@holaday.app. If you’re in the UK or EU you have rights under the UK GDPR / GDPR, including the right to complain to your local data protection authority.

Children

Holaday isn’t intended for children under 16, and we don’t knowingly collect their data.

Changes

We’ll update this page if our practices change and revise the “last updated” date above. Questions? privacy@holaday.app.