Privacy Policy

PRIVACY POLICY

Last Updated: January 1, 2026

1. INTRODUCTION

ViaVia UG (haftungsbeschränkt) ("ViaVia," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our travel planning platform and services (collectively, the "Services").

Our Details:

- Company Name: ViaVia UG (haftungsbeschränkt)

- Registered Address: Marchgrabenplatz 4, 80805 München, Germany

- Registration Number: HRB [to be completed upon registration]

- Email: info@viavia.travel

- Managing Director: Klemen Kocic

This Privacy Policy applies to all users of our Services, regardless of where you are located. We process personal data in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection laws.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

2. LEGAL BASIS FOR PROCESSING

We process your personal data on the following legal bases:

- Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide our Services to you

- Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent for specific processing activities

- Legitimate Interests (Art. 6(1)(f) GDPR): For improving our Services, security, and fraud prevention

- Legal Obligations (Art. 6(1)(c) GDPR): To comply with legal requirements such as tax and accounting obligations

3. PERSONAL DATA WE COLLECT

3.1 Information You Provide Directly

Account Information:

- Name

- Email address

- Password (encrypted)

- Profile image (optional)

- Phone number (optional)

Trip Planning Information:

- Trip details (destinations, dates, number of travelers, budget, transportation preferences)

- Travel interests and preferences

- Accessibility needs

- Special requests and requirements

- Trip notes and customizations

Booking Information:

- First and last name

- Email address

- Phone number

- Payment information (processed securely by our payment providers)

- Booking confirmations and itinerary details

User-Generated Content:

- Comments on places and activities

- Photos you upload

- Ratings and reviews

- Notes and annotations on your trips

- Messages in AI-assisted trip planning conversations

Communications:

- Newsletter subscription email

- Waitlist registration email

- Support requests and correspondence

- Feedback and survey responses

3.2 Information Collected Automatically

Usage Data:

- IP address

- Browser type and version

- Device information (type, operating system, unique device identifiers)

- Pages visited and features used

- Time and date of visits

- Referring website addresses

- Clickstream data

Location Data:

- Geographic location data derived from IP address

- Location data from places you search for and save

- Trip route information

Authentication Data:

- Session tokens

- Login timestamps

- Authentication provider information (if using OAuth)

Technical Data:

- Cookies and similar tracking technologies

- Log files

- Error reports and debugging information

3.3 Information from Third Parties

Google Places API:

- Place information (names, addresses, ratings, photos, opening hours)

- Geographic coordinates

- Place types and categories

Booking Providers (Nuitee):

- Accommodation availability and pricing

- Booking confirmations

- Reservation details

AI Service Providers:

- AI-generated trip recommendations and suggestions

- Conversation history with our AI trip planning assistant

4. HOW WE USE YOUR PERSONAL DATA

We use your personal data for the following purposes:

4.1 Service Delivery

- Creating and managing your account

- Providing trip planning and itinerary creation tools

- Processing and managing bookings

- Generating personalized travel recommendations

- Providing AI-assisted trip planning

- Enabling collaboration features with other users

- Displaying relevant place information and suggestions

4.2 Communication

- Sending booking confirmations and trip updates

- Responding to your inquiries and support requests

- Sending service announcements and important updates

- Sending marketing communications (with your consent, and you may opt out at any time)

- Sending newsletters about travel tips and platform updates (with your consent)

4.3 Improvement and Personalization

- Analyzing usage patterns to improve our Services

- Personalizing your experience based on your preferences and past behavior

- Developing new features and functionality

- Conducting research and analysis

- A/B testing and optimization

4.4 Security and Fraud Prevention

- Detecting and preventing fraud and abuse

- Protecting against security threats

- Verifying user identity

- Investigating suspicious activity

- Enforcing our Terms of Service

4.5 Legal Compliance

- Complying with legal obligations (tax, accounting, regulatory reporting)

- Responding to legal processes (subpoenas, court orders)

- Protecting our legal rights and interests

- Resolving disputes

5. SHARING YOUR PERSONAL DATA

We do not sell your personal data. We share your personal data only in the following circumstances:

5.1 Service Providers

We work with third-party service providers who process personal data on our behalf:

Hosting and Infrastructure:

- DigitalOcean LLC (USA): Cloud hosting and database services

- Processing location: EU data centers (Frankfurt, Amsterdam) and USA

- Purpose: Hosting our platform and storing data

- Safeguards: EU-U.S. Data Privacy Framework certification, Standard Contractual Clauses

Booking Services:

- Nuitee (location varies by specific accommodation provider): Accommodation booking API

- Purpose: Processing accommodation searches and bookings

- Safeguards: Data Processing Agreement, GDPR compliance obligations

- Note: All booking data remains with Nuitee and is not stored in our database

Payment Processing:

- Nuitee's integrated payment system (via Nuitee's payment partners)

- Purpose: Processing payments for bookings

- Safeguards: PCI-DSS compliance, encryption

Place Information:

- Google LLC (USA): Google Places API for location data

- Purpose: Providing place information, photos, ratings, and reviews

- Safeguards: Google's Data Processing Terms, Standard Contractual Clauses

AI Services:

- OpenAI, L.L.C. (USA): ChatGPT API

- Anthropic PBC (USA): Claude API  

- Google LLC (USA): Gemini API

- Mistral AI (France/EU): Mistral AI API

- Purpose: Providing AI-assisted trip planning and recommendations

- Safeguards: Data Processing Agreements, Standard Contractual Clauses

- Note: Conversation data is sent to these providers for processing

Email Services:

- Resend, Inc. (USA): Transactional and marketing email delivery

- Purpose: Sending booking confirmations, newsletters, and service emails

- Safeguards: Data Processing Agreement, GDPR compliance

Authentication:

- BetterAuth (self-hosted): Authentication and session management

- Purpose: Managing user authentication and sessions

- Processing location: Our own servers

5.2 Trip Collaborators

When you share a trip with other users or invite collaborators, we share trip information with those users according to the permissions you grant (Viewer, Editor, Owner).

5.3 Legal Requirements

We may disclose your personal data if required by law or in response to:

- Valid legal processes (subpoenas, court orders, search warrants)

- Government or regulatory requests

- Protection of our legal rights

- Investigation of fraud or security issues

- Emergency situations involving danger to persons

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

5.5 With Your Consent

We may share your personal data with third parties when you give us explicit consent to do so.

6. INTERNATIONAL DATA TRANSFERS

ViaVia is based in Germany (EU), and we primarily store data within the European Economic Area (EEA). However, some of our service providers are located outside the EEA, particularly in the United States.

When we transfer personal data outside the EEA, we ensure adequate protection through:

- EU-U.S. Data Privacy Framework: For transfers to certified U.S. companies (DigitalOcean)

- Standard Contractual Clauses (SCCs): EU-approved contract terms ensuring GDPR-level protection

- Data Processing Agreements (DPAs): Contractual obligations with processors to protect your data

- Adequacy Decisions: Transfers to countries deemed adequate by the European Commission

Specific International Transfers:

To the United States:

- DigitalOcean (hosting): EU-U.S. Data Privacy Framework certified

- OpenAI (AI services): Standard Contractual Clauses

- Anthropic (AI services): Standard Contractual Clauses

- Google (Places API, AI services): Standard Contractual Clauses

- Resend (email): Data Processing Agreement

Within the EU:

- Mistral AI (France): No cross-border transfer, remains in EU

You have the right to obtain information about these safeguards by contacting us at info@viavia.travel.

7. DATA RETENTION

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law.

Account Data: Retained while your account is active and for 30 days after account deletion (to allow for recovery)

Trip Data: Retained while your account is active and for 30 days after account deletion

Booking Data: Retained as required for accounting and tax purposes (typically 10 years under German law)

AI Conversation History: Retained while your account is active; deleted 30 days after account deletion

Newsletter/Waitlist Data: Retained until you unsubscribe or request deletion

Legal Compliance Data: Retained as long as required by applicable laws (e.g., 10 years for tax records)

Analytics Data: Aggregated and anonymized after 24 months

After the retention period, we securely delete or anonymize your personal data. Anonymized data may be retained indefinitely for statistical and analytical purposes.

8. YOUR RIGHTS UNDER GDPR

Under the GDPR and applicable data protection laws, you have the following rights:

8.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation of whether we process your personal data and to access that data, including information about:

- The purposes of processing

- The categories of data

- The recipients of your data

- The retention period

- Your rights

8.2 Right to Rectification (Art. 16 GDPR)

You have the right to correct inaccurate or incomplete personal data. You can update most information directly in your account settings.

8.3 Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)

You have the right to request deletion of your personal data when:

- The data is no longer necessary for the purposes for which it was collected

- You withdraw consent and there is no other legal basis for processing

- You object to processing and there are no overriding legitimate grounds

- The data has been unlawfully processed

- Deletion is required by legal obligation

To request deletion, email us at: info@viavia.travel

Note: We may retain certain data if required by legal obligations (e.g., tax records).

8.4 Right to Restriction of Processing (Art. 18 GDPR)

You can request that we restrict processing of your personal data when:

- You contest the accuracy of the data

- Processing is unlawful but you don't want erasure

- We no longer need the data, but you need it for legal claims

- You have objected to processing pending verification of our legitimate grounds

8.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit that data to another controller.

8.6 Right to Object (Art. 21 GDPR)

You have the right to object to:

- Processing based on legitimate interests

- Direct marketing (including profiling)

- Processing for scientific/historical research or statistical purposes

8.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you can withdraw your consent at any time. This does not affect the lawfulness of processing before withdrawal.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

Lead Supervisory Authority for ViaVia:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 18

91522 Ansbach, Germany

Phone: +49 (0) 981 180093-0

Email: poststelle@lda.bayern.de

Website: www.lda.bayern.de

You may also contact your local data protection authority in your country of residence.

8.9 Automated Decision-Making

We use AI to provide trip recommendations and suggestions. However, these AI-generated recommendations do not result in automated decision-making with legal or similarly significant effects on you. You always have control over your trip planning decisions.

9. EXERCISING YOUR RIGHTS

To exercise any of your rights, please contact us at:

Email: info@viavia.travel

Subject Line: "Data Protection Request - [Your Right]"

Please include:

- Your name and email address associated with your account

- A description of your request

- Proof of identity (if necessary to verify your identity)

We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will inform you of the extension.

We do not charge a fee for exercising your rights unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

10. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies to provide and improve our Services.

10.1 Types of Cookies We Use

Strictly Necessary Cookies:

- Authentication cookies (session management)

- Security cookies (CSRF protection)

- Load balancing cookies

These cookies are essential for the Services to function and cannot be disabled.

Analytics Cookies:

- Usage analytics

- Performance monitoring

- Error tracking

These cookies help us understand how users interact with our Services.

Preference Cookies:

- Language preferences

- Display settings

- User preferences

These cookies remember your choices to improve your experience.

10.2 Managing Cookies

You can control cookies through your browser settings:

- Chrome: Settings > Privacy and security > Cookies and other site data

- Firefox: Settings > Privacy & Security > Cookies and Site Data

- Safari: Preferences > Privacy > Cookies and website data

- Edge: Settings > Cookies and site permissions

Note: Disabling strictly necessary cookies may prevent you from using essential features of our Services.

10.3 Third-Party Cookies

We do not use third-party advertising cookies or tracking pixels from social media platforms.

11. CHILDREN'S PRIVACY

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16.

If you are under 16, please do not use our Services or provide any personal data. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at info@viavia.travel.

12. SECURITY MEASURES

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

Technical Measures:

- Encryption in transit (TLS/SSL)

- Encryption at rest for sensitive data

- Secure password hashing

- Regular security updates and patches

- Firewall protection

- Intrusion detection systems

Organizational Measures:

- Access controls and authentication

- Employee training on data protection

- Data Processing Agreements with processors

- Regular security audits

- Incident response procedures

- Data minimization principles

Database Security:

- PostgreSQL with role-based access control

- Regular backups with encryption

- Geographic replication for disaster recovery

While we strive to protect your personal data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

13. DATA BREACH NOTIFICATION

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach

- Notify affected users without undue delay if the breach poses a high risk

- Describe the nature of the breach, the likely consequences, and measures taken or proposed to address it

14. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes:

- We will update the "Last Updated" date at the top of this policy

- We will notify you by email (if you have provided an email address)

- We will notify you through a prominent notice on our platform

We encourage you to review this Privacy Policy periodically. Your continued use of our Services after changes constitutes acceptance of the updated policy.

15. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

ViaVia UG (haftungsbeschränkt)

Marchgrabenplatz 4

80805 München, Germany

Email: info@viavia.travel

Managing Director: Klemen Kocic

For data protection inquiries specifically, please use the subject line: "Privacy/Data Protection Inquiry"