Privacy Policy

This Privacy Policy explains how GoTravelHiking ("GoTravelHiking", "we", "us", or "our") collects, uses, discloses, and protects personal information when you visit gotravelhiking.com, its sub-domains, and related services (the "Service"). GoTravelHiking is operated from the State of Maryland, United States.

We comply with applicable U.S. federal and state privacy laws — including the Maryland Online Data Privacy Act (MODPA), the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), the Virginia CDPA, the Colorado CPA, the Connecticut CTDPA, and other comparable state laws — as well as the EU and UK General Data Protection Regulation (GDPR) where it applies to our processing of personal data of individuals in the EEA or UK.

1. Who we are and how to contact us

GoTravelHiking is the business responsible for the personal information described in this policy ("controller" under GDPR; "business" under CCPA/MODPA).

• Privacy contact: privacy@gotravelhiking.com
• Mailing address: GoTravelHiking, State of Maryland, USA (full mailing address available on request)
• EU/UK representative (GDPR Art. 27): if/when required, will be designated and listed here; until then, EU/UK residents may contact us directly at the email above.

2. Personal information we collect

We collect the categories of personal information listed below.

• Identifiers & account data: name, email address, password (hashed), account preferences, and authentication identifiers from Google sign-in if you use it.
• Trip planning data you provide: destinations, dates, group size, ages, interests, budget, and itineraries you generate or save.
• Commercial & billing data: subscription tier, transaction history, and the last four digits of your payment card. Full card numbers and bank details are handled exclusively by Stripe and never stored on our servers.
• Precise geolocation (opt-in, Pro Safety Check-In only): GPS coordinates and emergency-contact information you choose to share during an active check-in. We do not collect precise location at any other time.
• Internet/network activity: IP address, browser type, device identifiers, pages viewed, referring URL, approximate (city-level) location derived from IP, and diagnostic/crash logs.
• Communications: support emails, feature-request submissions, and newsletter subscriptions.
• Inferences: trip preferences inferred from your inputs and saved trips to personalize recommendations.

We do not knowingly collect "sensitive personal information" as defined by California or Maryland law (such as government IDs, precise health data, race, religion, sexual orientation, biometric or genetic data, or contents of your private communications), except for the opt-in precise-location data described above, which we treat as sensitive and process only with your consent and only for the safety feature you requested.

3. Sources of personal information

• Directly from you (when you create an account, plan a trip, contact us, or subscribe).
• Automatically from your device (cookies, server logs, analytics tools).
• From service providers acting on our behalf (Stripe for payment status, Supabase for authentication, Google for sign-in identifiers if you use Google auth).

4. How and why we use personal information

• To create and maintain your account and provide the planning tools you request.
• To generate itineraries, packing lists, maps, and recommendations.
• To process payments and manage memberships.
• To send transactional messages (receipts, password resets, trip reminders, safety alerts).
• To send marketing or newsletter emails only if you opt in; you can unsubscribe at any time using the link in every marketing email.
• To secure the Service, prevent fraud, and enforce our Terms.
• To comply with legal obligations and respond to lawful requests.
• To improve the Service through aggregated, de-identified analytics. We do not use raw personal data to train third-party AI models for unrelated purposes.

GDPR lawful bases (EEA/UK users)

• Performance of a contract — to deliver the planner, account, and paid memberships you request.
• Legitimate interests — to keep the Service secure, prevent abuse, and improve product quality; balanced against your rights.
• Consent — for marketing emails, non-essential cookies, and precise location sharing. You can withdraw consent at any time.
• Legal obligation — to retain tax, billing, and security records.

5. How we share personal information

We share personal information only with vetted service providers ("processors" / "service providers" / "contractors") that are contractually bound to use it solely for the services they provide to us and to protect it under standards consistent with this policy:

• Supabase — authentication, database, and storage hosting
• Stripe — payment processing
• Resend — transactional email delivery
• Cloudflare — content delivery, hosting infrastructure, and DDoS protection
• Lovable — application hosting and AI gateway infrastructure
• OpenAI and similar model providers — generating itineraries from your inputs
• WordPress.com — blog content hosting
• Travelpayouts and affiliate networks — only when you click an affiliate link

We may also disclose personal information (a) to comply with law, valid legal process, or governmental requests; (b) to protect the rights, property, or safety of GoTravelHiking, our users, or others; or (c) in connection with a merger, acquisition, financing, or sale of business assets, in which case we will notify affected users.

"Sale" and "sharing" of personal information

We do not sell your personal information for money, and we do not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA, MODPA, and similar state laws. We have not done so in the preceding 12 months. We also do not knowingly sell or share personal information of consumers under 16.

6. Cookies and tracking technologies

We use strictly necessary cookies to keep you signed in and to remember settings. Any analytics or marketing cookies are set only after you give consent through our cookie banner (required for EEA/UK visitors; available to all visitors).

Global Privacy Control (GPC): We honor recognized opt-out preference signals such as GPC. When detected, we treat the signal as a request to opt out of any sale or sharing of personal information and of targeted advertising for that browser.

7. International data transfers

We are based in the United States, and several of our service providers operate internationally. When we transfer personal data from the EEA, UK, or Switzerland to the United States or other jurisdictions, we rely on appropriate safeguards such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and (where applicable) the EU–U.S. Data Privacy Framework adequacy decision.

8. Data retention

• Account data — for the life of your account, then deleted within 90 days of closure.
• Saved trips — until you delete them or up to 24 months after account closure.
• Safety Check-In location data — automatically deleted 30 days after the check-in ends.
• Billing and tax records — 7 years (U.S. tax/IRS requirement).
• Server and security logs — up to 90 days.
• Newsletter subscribers — until you unsubscribe.

9. Your privacy rights

Depending on where you live, you may have some or all of the following rights with respect to your personal information:

• Right to know / access the personal information we hold about you.
• Right to correct inaccurate personal information.
• Right to delete personal information ("right to be forgotten").
• Right to data portability — receive your data in a portable format.
• Right to opt out of (i) sale or sharing of personal information, (ii) targeted advertising, and (iii) certain profiling — although we do not engage in these activities.
• Right to limit use of sensitive personal information to what is necessary to provide the requested service.
• Right to withdraw consent at any time where processing relies on consent.
• Right to non-discrimination for exercising your privacy rights.
• Right to appeal a denial of a request (Maryland, Virginia, Colorado, Connecticut, and similar state laws). To appeal, reply to our response email within 45 days. If your appeal is denied, you may contact your state Attorney General.
• Right to lodge a complaint with your local supervisory authority (EEA/UK) or state Attorney General (U.S.).

To submit a request, email privacy@gotravelhiking.com or use the "Delete my account" control in your account settings. We will verify your request using information associated with your account and respond within 45 days (extendable by an additional 45 days when reasonably necessary). You may use an authorized agent; authorization will be verified.

Notice for Maryland residents (MODPA)

In addition to the rights above, MODPA prohibits the sale of sensitive personal information and the targeted advertising or sale of personal data of consumers known to be under 18. We do not engage in any of those activities. MODPA also requires us to limit the collection of personal data to what is "reasonably necessary and proportionate" to provide the Service — a standard we apply globally.

Notice for California residents (CCPA/CPRA)

Categories of personal information collected, sources, business purposes, and recipients are listed in Sections 2–5. We have not sold or shared personal information (as those terms are defined under the CCPA/CPRA) in the preceding 12 months. California residents may also designate an authorized agent and have a right to non-discrimination.

10. Security

We protect your personal information with TLS in transit, encryption at rest, row-level security in our database, salted and hashed passwords, least-privilege access controls, and routine vulnerability monitoring. No system is perfectly secure. We will notify affected users and the relevant authorities of any confirmed personal-data breach as required by applicable law (within 72 hours under GDPR; without unreasonable delay under U.S. state breach-notification laws).

11. Children's privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13 in violation of the Children's Online Privacy Protection Act (COPPA). We also do not knowingly process personal data of users between 13 and 16 for targeted advertising or sale. If you believe a child has provided us personal information, contact us and we will delete it.

12. Third-party links

The Service contains links to third-party websites (e.g., booking partners, affiliate retailers, the National Park Service). We are not responsible for the privacy practices of those sites; please review their policies before providing personal information.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the new version on this page and update the "Last updated" date above. Material changes will be communicated by email or in-app notice at least 14 days before they take effect.

14. Contact us

Privacy questions, requests, or complaints:
privacy@gotravelhiking.com