This Privacy Policy explains how Clear For Travel (“we”, “us”, “our”) collects, uses, shares, and protects personal data when you visit clearfortravel.com, use our chat assistant, or buy a Travel Brief (collectively the “Service”). It applies to all visitors regardless of where they live; we apply the strongest of GDPR (EU), UK GDPR, and CCPA (California) standards to everyone.
We do not sell personal data. We do not share personal data with advertisers for cross-context behavioural advertising. We collect only what is needed to deliver the Service and to keep it safe.
1. Who We Are (Data Controller)
Clear For Travel is the data controller for the personal data processed via the Service. For any privacy-related question, contact us at support@clearfortravel.com.
2. What We Collect
We collect three categories of data.
(a) Information you give us directly:
- your email address (to deliver the Brief and to send purchase confirmation);
- your selections inside the form or chat — passport country, destination country, travel purpose, optional travel date, optional full name (used to personalise the PDF watermark);
- any message you send via the contact form or the chat assistant.
(b) Information about your purchase, collected via Stripe:
- Stripe checkout session ID, payment status, amount, currency;
- billing country / postal code (when Stripe collects it);
- We do NOT receive or store your full card number, CVC, or bank credentials. Stripe is the payment processor and stores those directly.
(c) Information collected automatically when you visit the Service:
- technical data: IP address (truncated for analytics), user-agent, language, timezone, approximate region;
- usage data: pages viewed, referrer, click events, search inputs, errors, and performance metrics;
- cookies and similar technologies (see Section 8 below).
3. How We Use Your Data
We use personal data only for these purposes:
- Deliver the Brief. Generate your Travel Brief (server-side, using the country pair + purpose you provided), email you the PDF, and host the post-paywall web view.
- Run the chat assistant. Send your messages to our LLM provider (currently Google’s Gemini API) to produce a reply. The full message content is sent; we ask providers to use a zero-retention configuration where available.
- Process payments. Route the transaction through Stripe, receive the webhook confirmation, and link the purchase to the email you provided.
- Send transactional email. Purchase confirmation, the PDF attachment, refund notifications. These cannot be unsubscribed from for the duration of an active purchase because they are necessary to deliver the product.
- Marketing (opt-in only). If — and only if — you explicitly opt in, we may send occasional product updates or travel tips. Every marketing email has an unsubscribe link.
- Analytics and product improvement. Understand how the Service is used in aggregate so we can fix bugs, improve performance (e.g. INP optimisations on the brief page), and prioritise new features.
- Security and fraud prevention. Detect abusive scraping, rate-limit bursts, prevent webhook-replay attacks, and respond to security incidents.
- Legal compliance. Satisfy tax, accounting, anti-fraud, and consumer-rights obligations.
4. Legal Bases (GDPR / UK GDPR)
If you are in the EU, UK, or another GDPR-aligned jurisdiction, our legal bases are:
- Contract performance (Art. 6(1)(b)). Delivering the Brief you paid for, sending purchase confirmation, handling refunds.
- Legitimate interests (Art. 6(1)(f)). Running analytics in aggregate, securing the Service, debugging, and preventing fraud. We balance our interest against your rights and freedoms and do not process data for purposes you would not reasonably expect.
- Consent (Art. 6(1)(a)). Marketing email and non-essential cookies (analytics, performance). You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Legal obligation (Art. 6(1)(c)). Tax record retention, responding to lawful authority requests.
6. International Transfers
Our service providers are based in several countries, including the United States and the European Union. Where data leaves your jurisdiction, we rely on appropriate safeguards: the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and our providers’ own certifications and binding corporate rules. You can request a copy of the relevant safeguards by contacting us.
7. How Long We Keep Data
- Purchase records (email, country pair, Stripe session ID, amount): retained for 7 years to comply with EU/UK/Swiss tax-record laws. After that they are deleted or anonymised.
- Generated Brief JSON + PDF: retained for 2 years so we can resend by request. After that the Brief is deleted from our database and blob storage.
- Email logs (delivery receipts from Resend): retained for 90 days.
- Server logs (request paths, errors): retained for 30 days, then deleted.
- Analytics events: retained for the lifetime of your cookie consent (up to 14 months for GA4 by default).
- Contact-form messages: retained for 2 years after the conversation closes.
- Marketing list: retained until you unsubscribe.
9. AI and Automated Processing
The chat assistant and parts of the Travel Brief are generated by large language models operated by third-party providers (currently Google Gemini). When you chat with the assistant or buy a Brief, the country pair + purpose + your chat messages are sent to the provider so it can produce a reply or build the Brief content.
These models are not used to make automated decisions that have legal or similarly significant effects on you within the meaning of GDPR Article 22. The Brief is informational only (see our Terms) and does not approve or refuse any application.
We do not use your data to train any AI model and we configure our providers to use zero-retention APIs where they are available.
10. Your Privacy Rights
You have the following rights regardless of where you live. We apply them universally so the jurisdiction labels are for clarity, not for limitation.
GDPR / UK GDPR (EEA, UK, Switzerland):
- Access — get a copy of the data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — “right to be forgotten” (subject to legal retention obligations like tax records).
- Restriction — pause processing while a dispute is resolved.
- Portability — receive your data in a machine-readable format.
- Object — to processing based on legitimate interests, including direct marketing.
- Withdraw consent — at any time, with no effect on prior processing.
- Lodge a complaint with your local Data Protection Authority — e.g. CNIL (France), ICO (UK), Federal Data Protection and Information Commissioner (Switzerland), Garante (Italy), AEPD (Spain), etc.
CCPA / CPRA (California):
- Right to know what personal information we collect, use, share, and disclose.
- Right to delete personal information (subject to legal exceptions).
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing. We do not sell or share personal information as defined by the CCPA.
- Right to non-discrimination for exercising any of these rights.
To exercise any right, email support@clearfortravel.com with “Privacy request” in the subject line. We respond within 30 days for GDPR requests and 45 days for CCPA requests; we may ask you to verify your identity before we fulfil the request.
11. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, email support@clearfortravel.com and we will delete it.
12. Security
We use industry-standard safeguards to protect personal data: HTTPS / TLS for all traffic, encryption at rest for the database and blob storage, signed webhooks, scoped API keys rotated regularly, principle of least privilege for internal access, and per-IP rate limiting on sensitive endpoints. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant DPA and affected users within 72 hours as required by GDPR Articles 33–34.
13. Changes to This Policy
We may update this Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes — for example, adding a new category of data we collect or a new processor — are announced on the Service before they take effect.
14. Contact
For any privacy question, complaint, or rights request, contact us at support@clearfortravel.com or via the contact page. If you believe we have not addressed your request adequately, you can also contact your local Data Protection Authority.