Legal

Privacy policy.

Effective 20 May 2026

Who we are

Jourami (“Jourami”, “we”, “us”) provides an AI-assisted travel planning service.Legal entity name and registered office to be confirmed once the operating company is incorporated.

For privacy questions, contact privacy@jourami.com.

What we collect

Why we collect it

Under UK GDPR / EU GDPR Article 6, our lawful bases are:

Where we process special-category data under Article 9 — specifically dietary preferences (which can reveal religion) and accessibility needs (which can reveal health information) — we rely on your explicit consent (Article 9(2)(a)) given at the point you enter the information, and we encrypt the values at rest with a key only we hold.

Who we share it with

We use the following sub-processors. Each handles only the data they need to deliver their part of the service:

Where data is stored

Database and file storage are hosted by Supabase; the hosting platform is Vercel’s global edge with origin functions provisioned in the region we deploy to. AI providers and external APIs may process data in their own regions; see the linked policies above.Specific Supabase and Vercel regions to be confirmed and listed here once the production deployment is fixed.

Security

Everything in our database and file storage is encrypted at rest by the platform (AES-256). On top of that we apply our own AES-256-GCM column and document encryption to passports / visas / tickets, trip notes, flight info, accommodation, dietary preferences, and accessibility needs — so even with full database access an attacker would see ciphertext for those fields. IP addresses on security logs are HMAC-hashed with a server-only salt; the raw values are never written.

How long we keep it

Your rights

Under UK GDPR / EU GDPR, you have the right to:

You can exercise the access, portability, and erasure rights directly from your profile page once the corresponding self-service flows are available; until then, email privacy@jourami.com and we’ll respond within 30 days. You also have the right to complain to your local supervisory authority (in the UK, the ICO).Wire the in-app Export-my-data and Delete-account flows on the profile page, then remove the “until then” clause above.

Children

Jourami requires every user to confirm a date of birth at signup. Accounts that resolve to an age under 16 are refused. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, contact privacy@jourami.com and we’ll remove the account.

Changes

If we make material changes to this policy, we’ll notify signed-in users by email and post an updated version here with a new effective date.

Privacy · Jourami