Privacy Policy

Kova Travel ("Kova", "we", "us") builds AI-personalised travel itineraries based on a profile you create. We collect only what we need to generate your trips and run the service. We do not sell your data.

• Account information: email address, password hash, and authentication metadata managed by Supabase Auth.
• Traveler profile: answers to onboarding questions (travel group, motivation, pace, budget, crowd tolerance, planning style) and any nickname you set.
• Trip data: destinations, dates, generated itineraries, notes, packing lists, and bookmarks you create in the app.
• Subscription data: Stripe customer ID and subscription status. Stripe stores all payment-card details on our behalf — we never see your card number.
• Push subscription:if you enable notifications, your browser's push endpoint and keys.
• Operational logs: request metadata (IP address, timestamp, route) for security, abuse prevention, and debugging.

• To generate personalised itineraries via OpenAI's API.
• To send transactional emails (welcome, account, billing) via Resend.
• To deliver push notifications when generation completes.
• To process subscriptions and billing through Stripe.
• To enforce rate limits and detect abuse.

Kova relies on the following processors. Each has their own privacy terms; we recommend reviewing them if you have concerns:

• Supabase — database, authentication, file storage
• Vercel — application hosting
• OpenAI — AI generation (your profile + destination is sent so the AI can write an itinerary; we don't opt OpenAI training in)
• Stripe — payments, subscription management
• Resend — transactional email delivery
• Unsplash — destination photos (no personal data shared)
• GetYourGuide / Booking.com — affiliate partners for experience and hotel bookings; we forward you to their site for the transaction

Account and trip data is kept for as long as your account is active. If you delete your account, all associated data is removed from our database within 30 days, except where retention is required by law (e.g. invoices for tax purposes).

You can request access, correction, export, or deletion of your data at any time by emailing privacy@kovatrips.com. EU and California residents have additional rights under GDPR / CCPA; we honour those on request.

Data is encrypted in transit (TLS) and at rest. We use Supabase Row-Level Security to ensure users can only access their own data. We never store credit-card numbers. If we ever detect a breach affecting you, we will notify you within 72 hours.

Kova is not directed at children under 16. We do not knowingly collect information from anyone under 16. If you believe we have, please email us so we can delete it.

We may update this policy as the product evolves. Material changes will be announced via email and reflected in the "Effective" date at the top of this page.

Questions? Email hello@kovatrips.com.