Legal
Privacy policy.
Effective 20 May 2026
Who we are
Jourami (“Jourami”, “we”, “us”) provides an AI-assisted travel planning service.Legal entity name and registered office to be confirmed once the operating company is incorporated.
For privacy questions, contact privacy@jourami.com.
What we collect
- Account data: email address, hashed password (via Supabase Auth), display name, and date of birth (used only to verify the 16+ minimum age — the day and month are not retained beyond the verification record).
- Profile data: home city, travel style, interests, dietary preferences, accessibility needs, preferred currency. All optional. Dietary preferences and accessibility needs are encrypted at rest with an application-managed key.
- Trip data: destinations, dates, traveller information, budget, notes, uploaded documents (e.g. flight confirmations, tickets), expense records, and AI-generated itineraries. Free-text fields (notes, flight info, accommodation) and uploaded documents are encrypted at rest with an application-managed key.
- Device and security data: a hashed form of your IP address and your browser user-agent string, captured on security-relevant events only (sign-in, password change, consent recording, data export, account deletion). The raw IP is never stored. We do not log device data on every page view.
- Cookies: strictly-necessary cookies only — authentication session cookies set by Supabase Auth and a consent-record cookie. No analytics or marketing cookies in this version.
Why we collect it
Under UK GDPR / EU GDPR Article 6, our lawful bases are:
- Contract (Article 6(1)(b)): account data, profile data, and trip data are processed to provide the service you’ve signed up for.
- Legitimate interests (Article 6(1)(f)): device/security data is processed to keep accounts and trip data secure, prevent abuse, and maintain operational logs.
- Compliance with a legal obligation (Article 6(1)(c)): the 16+ age check and consent records are processed to meet our duties under UK GDPR, the EU AI Act, and UK online-safety law.
- Consent (Article 6(1)(a)): marketing email (if you opt in), and any future analytics or marketing cookies.
Where we process special-category data under Article 9 — specifically dietary preferences (which can reveal religion) and accessibility needs (which can reveal health information) — we rely on your explicit consent (Article 9(2)(a)) given at the point you enter the information, and we encrypt the values at rest with a key only we hold.
Who we share it with
We use the following sub-processors. Each handles only the data they need to deliver their part of the service:
- Supabase (database, authentication, file storage) — supabase.com/privacy
- Anthropic (Claude, itinerary generation) — anthropic.com/legal/privacy
- Perplexity (search-grounded travel intel and deals) — perplexity.ai/hub/legal/privacy-policy
- Google (Places API and OAuth sign-in) — policies.google.com/privacy
- OpenWeather (forecasts) — openweather.co.uk/privacy-policy
- Resend (transactional email) — resend.com/legal/privacy-policy
- Vercel (hosting) — vercel.com/legal/privacy-policy
Where data is stored
Database and file storage are hosted by Supabase; the hosting platform is Vercel’s global edge with origin functions provisioned in the region we deploy to. AI providers and external APIs may process data in their own regions; see the linked policies above.Specific Supabase and Vercel regions to be confirmed and listed here once the production deployment is fixed.
Security
Everything in our database and file storage is encrypted at rest by the platform (AES-256). On top of that we apply our own AES-256-GCM column and document encryption to passports / visas / tickets, trip notes, flight info, accommodation, dietary preferences, and accessibility needs — so even with full database access an attacker would see ciphertext for those fields. IP addresses on security logs are HMAC-hashed with a server-only salt; the raw values are never written.
How long we keep it
- Trip and profile data: kept until you delete the trip or your account.
- Account data: kept until you delete your account.
- Security and audit logs: 12 months.
- Consent records: kept for the lifetime of the account plus 24 months.
Your rights
Under UK GDPR / EU GDPR, you have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data erased
- Restrict or object to certain processing
- Receive your data in a portable format
- Withdraw consent where processing relies on it
You can exercise the access, portability, and erasure rights directly from your profile page once the corresponding self-service flows are available; until then, email privacy@jourami.com and we’ll respond within 30 days. You also have the right to complain to your local supervisory authority (in the UK, the ICO).Wire the in-app Export-my-data and Delete-account flows on the profile page, then remove the “until then” clause above.
Children
Jourami requires every user to confirm a date of birth at signup. Accounts that resolve to an age under 16 are refused. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, contact privacy@jourami.com and we’ll remove the account.
Changes
If we make material changes to this policy, we’ll notify signed-in users by email and post an updated version here with a new effective date.