
Privacy Policy

Last updated: April 8, 2026 | Effective: April 8, 2026

Introduction

Overplanned ("we," "us," or "our") operates a travel planning web application that generates personalized itineraries using behavioral signals and artificial intelligence. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services (collectively, the "Service").

We are committed to protecting your privacy and being transparent about our data practices. By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Personal Information

When you create an account, we collect the following personal information through Google OAuth:

  • Name
  • Email address
  • Google profile picture URL
  • Google account identifier

We do not collect demographic information such as your age, income, home city, gender, or ethnicity. Our recommendation system is built entirely on behavioral signals, not demographic profiling.

1.2 Information You Provide

When you use the Service, you may provide:

  • Trip descriptions and travel preferences
  • Venue ratings and reviews
  • Notes, comments, and trip diary entries
  • Photos uploaded to your trips
  • Search queries and destination selections
  • Payment information (processed by Stripe; we do not store card numbers)

1.3 Behavioral Signals

To personalize your experience, we collect behavioral signals based on how you interact with the Service. These include:

  • Click patterns and navigation behavior
  • Time spent viewing venues, itineraries, and recommendations
  • Preferences expressed through choices (e.g., which venues you save, skip, or reorder)
  • Itinerary modifications and slot swaps
  • Category and tag interactions

Behavioral signals are used to build a travel preference profile that improves your recommendations over time. These signals are never linked to demographic data.

1.4 Device and Usage Information

We automatically collect certain technical information, including:

  • Browser type and version
  • Device type (mobile, desktop, tablet)
  • Operating system
  • IP address (used for security and approximate geolocation at the country level)
  • Referral URLs
  • Pages visited and features used
  • Error logs and performance data (via Sentry)

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Generate personalized itineraries, display venue recommendations, and manage your trips.
  • Personalize recommendations: Use behavioral signals and ML models to tailor venue and activity suggestions to your travel style.
  • Improve our models: Train and refine our recommendation algorithms using aggregated and anonymized behavioral data.
  • Communicate with you: Send transactional emails (trip confirmations, account updates) via Resend.
  • Process payments: Handle billing through Stripe for premium features.
  • Maintain security: Detect and prevent fraud, abuse, and unauthorized access.
  • Monitor performance: Track errors and service health through Sentry to ensure reliability.
  • Comply with legal obligations: Respond to lawful requests and enforce our terms.

3. AI and Machine Learning Disclosures

3.1 How AI Powers Overplanned

Overplanned uses artificial intelligence at multiple layers of the Service:

  • Itinerary generation: We use Anthropic Claude (a large language model) to parse your trip descriptions, generate day-by-day itineraries, and create narrative summaries.
  • Venue recommendations: Custom ML models analyze your behavioral signals to rank and suggest venues that match your travel preferences.
  • Classification: Lightweight AI models categorize venues, detect trip intent, and organize content.

3.2 What Data Trains Our Models

Our recommendation models are trained on:

  • Aggregated, anonymized behavioral signals (click patterns, time spent, preference choices) — never tied to your identity in training datasets.
  • Venue metadata and quality signals from public sources (not your personal notes or diary entries).

Your personal content (trip notes, diary entries, uploaded photos) is never used to train our models. This content is only processed to deliver the Service to you.

3.3 Behavioral Embeddings

We generate anonymized behavioral embeddings — mathematical representations of travel preference patterns — and store them in a vector database (Qdrant). These embeddings:

  • Do not contain your name, email, or other personal identifiers
  • Cannot be reverse-engineered to reconstruct your identity
  • Are used solely to power venue similarity and recommendation features

3.4 Third-Party AI Providers

We send trip descriptions and venue data to Anthropic (Claude API) for itinerary generation. Anthropic processes this data under their Privacy Policy. Per Anthropic's commercial API terms, your data is not used to train their models.

3.5 Automated Decision-Making

Our AI systems make automated recommendations but do not make decisions that produce legal effects or similarly significant effects on you. All itineraries and recommendations are suggestions that you can modify, reorder, or reject. You always have full control over your travel plans.

4. Information Sharing and Third Parties

We do not sell, rent, or trade your personal information. We share data only with the following categories of service providers, solely to operate the Service:

Provider | Purpose | Data Shared
Google OAuth | Authentication | OAuth tokens (we receive name, email, profile picture)
Anthropic (Claude) | AI itinerary generation | Trip descriptions, venue names, preference context
Google Places | Venue data and details | Search queries, location coordinates
Mapbox | Map rendering | Map viewport coordinates, route data
Unsplash | Venue and destination images | Image search queries
Stripe | Payment processing | Email, payment method (card details go directly to Stripe)
Sentry | Error monitoring | Error logs, device info, anonymized user ID
Resend | Transactional email | Email address, email content
Google Cloud Platform | Hosting and storage | All service data (encrypted at rest and in transit)

We may also disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Overplanned, our users, or others.

5. Data Retention

We retain your data for the following periods:

  • Account data (name, email): retained while your account is active and for 30 days after deletion request.
  • Trip data (itineraries, notes, diary entries): retained while your account is active. Deleted within 30 days of account deletion.
  • Uploaded photos: retained while your account is active. Permanently deleted from cloud storage within 30 days of account deletion.
  • Behavioral signals: raw signals retained for 12 months, then aggregated and anonymized. Anonymized data may be retained indefinitely for model improvement.
  • Behavioral embeddings: anonymized embeddings in our vector database are retained indefinitely as they contain no personal identifiers.
  • Payment records: retained as required by tax and financial regulations (typically 7 years).
  • Error logs: retained for 90 days via Sentry.

6. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of your personal data (subject to legal retention requirements).
  • Portability: Request your data in a structured, machine-readable format.
  • Restriction: Request that we limit the processing of your personal data.
  • Objection: Object to processing of your personal data for certain purposes.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.
  • Opt out of behavioral profiling: Request that we stop collecting behavioral signals for recommendation personalization. Your experience will default to non-personalized recommendations.

To exercise any of these rights, contact us at privacy@overplanned.app. We will respond within 30 days (or sooner if required by applicable law).

7. Cookies and Tracking

Overplanned uses a minimal cookie approach. We do not use advertising cookies, social media tracking pixels, or third-party analytics trackers.

7.1 Cookies We Use

  • Authentication session cookie: A strictly necessary, httpOnly cookie that maintains your login session. This cookie is essential for the Service to function and cannot be disabled.
  • CSRF token: A security cookie that prevents cross-site request forgery attacks.

7.2 What We Do Not Use

  • No advertising or retargeting cookies
  • No third-party analytics (Google Analytics, Mixpanel, etc.)
  • No social media tracking pixels
  • No fingerprinting techniques
  • No cross-site tracking of any kind

7.3 Do Not Track

We honor Do Not Track (DNT) browser signals. Since we do not engage in cross-site tracking, our practices are consistent with DNT requests by default.

8. Children's Privacy

The Service is not directed at children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under the applicable age threshold, we will take steps to delete that information promptly.

If you believe a child has provided us with personal information, please contact us at privacy@overplanned.app.

9. International Data Transfers

Overplanned is based in the United States. Your data is processed and stored on Google Cloud Platform servers located in the United States.

If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. We rely on the following mechanisms to ensure adequate protection of your data:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA/UK
  • Data Processing Agreements with all third-party service providers
  • Technical safeguards including encryption in transit (TLS 1.2+) and at rest (AES-256)

By using the Service, you acknowledge that your data will be processed in the United States, which may have different data protection laws than your country of residence.

10. Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption in transit via TLS 1.2+ for all connections
  • Encryption at rest via AES-256 for stored data on Google Cloud Platform
  • Authentication via OAuth 2.0 (no passwords stored)
  • CSRF protection on all state-changing requests
  • Rate limiting on API endpoints to prevent abuse
  • HMAC-signed administrative operations
  • Regular security monitoring and error tracking
  • Access controls limiting employee access to production data

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you by email (for material changes affecting your rights or data use)
  • Provide a summary of changes when you next log in (for significant updates)

Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy. We encourage you to review this page periodically.

12. Contact Information

For privacy-related inquiries, data requests, or complaints, contact us:

We aim to respond to all privacy inquiries within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

13. Additional Disclosures for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights.

13.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected:

  • Identifiers: Name, email address, Google account ID
  • Internet activity: Browsing history within the Service, search queries, interaction data
  • Inferences: Travel preferences and behavioral profiles derived from your activity
  • Commercial information: Payment transaction records
  • User-generated content: Trip notes, diary entries, uploaded photos

13.2 Sale and Sharing of Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Under the CCPA definition of "sale" and "sharing," Overplanned does not engage in either practice.

13.3 Your California Privacy Rights

As a California resident, you have the right to:

  • Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Delete: Request deletion of your personal information (subject to exceptions).
  • Correct: Request correction of inaccurate personal information.
  • Limit use of sensitive data: We do not collect sensitive personal information as defined by the CPRA.
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights.

To submit a request, email privacy@overplanned.app. We will verify your identity before processing your request and respond within 45 days.

13.4 Authorized Agents

You may designate an authorized agent to submit a request on your behalf. The agent must provide written authorization signed by you. We may require you to verify your identity directly with us.

13.5 Financial Incentive Programs

We do not offer financial incentives in exchange for the retention or sale of personal information.

14. Additional Disclosures for EEA and UK Residents (GDPR)

14.1 Data Controller

Overplanned is the data controller responsible for your personal data. For contact details, see Section 12.

14.2 Legal Bases for Processing

We process your personal data on the following legal bases:

  • Contract performance (Article 6(1)(b)): Processing necessary to provide the Service you requested, including account management, itinerary generation, and trip features.
  • Legitimate interests (Article 6(1)(f)): Processing for our legitimate interests in improving the Service, preventing fraud, and ensuring security, where these interests do not override your rights. This includes behavioral signal collection for recommendation personalization.
  • Consent (Article 6(1)(a)): Where required by law, we obtain your consent before processing. You may withdraw consent at any time.
  • Legal obligation (Article 6(1)(c)): Processing necessary to comply with legal requirements (e.g., tax records).

14.3 Your GDPR Rights

In addition to the rights listed in Section 6, EEA and UK residents have:

  • The right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, CNIL in France, or your national Data Protection Authority)
  • The right to obtain information about cross-border transfers and applicable safeguards
  • The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see Section 3.5 regarding our use of automated recommendations)

14.4 Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that pose a high risk to your rights, including our use of behavioral profiling for travel recommendations.

14.5 Data Retention under GDPR

We retain personal data only for as long as necessary for the purposes set out in this policy (see Section 5). When personal data is no longer required, it is securely deleted or anonymized.

This privacy policy was last updated on April 8, 2026. For questions about this policy or your data, contact us at privacy@overplanned.app.