Legal

Privacy policy.

Effective 20 May 2026

Who we are

Jourami ("Jourami", "we", "us") provides an AI-assisted travel planning service. The data controller responsible for processing your personal data is {{TO_FILL: legal entity name and registered address}}.

For privacy questions, contact privacy@jourami.com.

What we collect

• Account data: email address, hashed password (via Supabase Auth), display name.
• Profile data: home city, travel style, interests, dietary preferences, accessibility needs, preferred currency. All optional.
• Trip data: destinations, dates, traveller information, budget, notes, uploaded documents (e.g. flight confirmations, tickets), expense records, AI-generated itineraries.
• Device and security data: IP address and browser user-agent string, captured on security-relevant events (sign-in, password change, consent recording, data export, account deletion) only. We do not log these on every page view.
• Cookies: strictly-necessary cookies only — authentication session cookies set by Supabase Auth, a CSRF token, and a consent-record cookie. No analytics or marketing cookies in this version.

Why we collect it

Under UK GDPR / EU GDPR Article 6, our lawful bases are:

• Contract (Article 6(1)(b)): account data, profile data, and trip data are processed to provide the service you've signed up for.
• Legitimate interests (Article 6(1)(f)): device/security data is processed to keep accounts and trip data secure, prevent abuse, and maintain operational logs.
• Consent (Article 6(1)(a)): marketing email (if you opt in), and any future analytics or marketing cookies.

Who we share it with

We use the following sub-processors. Each handles only the data they need to deliver their part of the service:

• Supabase (database, authentication, file storage) — supabase.com/privacy
• Anthropic (Claude, itinerary generation) — anthropic.com/legal/privacy
• Perplexity (search-grounded travel intel and deals) — perplexity.ai/hub/legal/privacy-policy
• Google (Places API and OAuth sign-in) — policies.google.com/privacy
• OpenWeather (forecasts) — openweather.co.uk/privacy-policy
• Resend (transactional email) — resend.com/legal/privacy-policy
• Vercel (hosting) — vercel.com/legal/privacy-policy

Where data is stored

Database and file storage live in {{TO_FILL: Supabase project region}}. Hosting runs on Vercel's global edge with origin functions in {{TO_FILL: Vercel function region}}. AI providers and external APIs may process data in their own regions; see the linked policies above.

How long we keep it

• Trip and profile data: kept until you delete the trip or your account.
• Account data: kept until you delete your account.
• Security and audit logs: 12 months.

Your rights

Under UK GDPR / EU GDPR, you have the right to:

• Access the personal data we hold about you
• Have inaccurate data corrected
• Have your data erased
• Restrict or object to certain processing
• Receive your data in a portable format
• Withdraw consent where processing relies on it

You can exercise the access, portability, and erasure rights directly from the profile page (Export my data, Delete account). For everything else, email privacy@jourami.com and we'll respond within 30 days. You also have the right to complain to your local supervisory authority (in the UK, the ICO).

Children

Jourami is not directed at users under 16, and we do not knowingly collect data from them. If you believe a child has created an account, contact us and we'll remove the account.

Changes

If we make material changes to this policy, we'll notify signed-in users by email and post an updated version here with a new effective date.