Byline Travel is currently in alpha. Some features described below (e.g., data export) are still being built. This policy is otherwise fully effective.

Privacy Policy

Byline Travel, Inc. • Last Updated: March 18, 2026

This policy describes how we collect, use, and protect your information when you use Byline Travel.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name
  • Email address
  • Profile photo (optional)
  • Authentication credentials (hashed passwords or OAuth tokens)

1.2 Profile & Travel Information

To provide personalized travel recommendations, we collect:

  • Birth year (not full date of birth)
  • Gender, citizenship, country of residence
  • Home city and preferred airports
  • Phone number and emergency contacts
  • Travel preferences (accommodation, dining, activities)
  • Hobbies and interests
  • Loyalty program information (airlines, hotels)
  • Budget preferences

1.3 Trip & Reservation Data

When you plan trips, we collect:

  • Trip details (destinations, dates, descriptions)
  • Reservation information (flights, hotels, restaurants, activities)
  • Booking confirmation numbers and costs
  • Trip participants and sharing permissions

1.4 Communication & AI Data

We store your interactions with our AI features:

  • Chat conversations with our AI assistant
  • Natural language queries (e.g., “Find me a hotel in Paris”)
  • AI-generated trip intelligence and recommendations
  • User feedback on AI suggestions

1.5 OAuth Connected Accounts

With your permission, we access data from connected accounts:

  • GitHub: Profile information (name, email, avatar) for authentication
  • Google: Profile information (name, email, profile photo) and YouTube data (channel information, subscriptions, playlists, liked videos, and activity history) via the youtube.readonly scope. See Section 1.7 for full details on Google user data.
  • Spotify: Profile information, top artists and tracks, recently played tracks, and saved library items. We use this data to personalize activity and experience recommendations.
  • Facebook: Profile information and page likes. We use this data to understand your interests for travel recommendations.

You can disconnect any connected account at any time from your Account Settings.

1.6 Usage & Analytics Data

We automatically collect:

  • Device information (browser, OS, device type)
  • IP address and approximate location data
  • Pages visited and features used
  • Performance metrics and error logs
  • Session replay data (with text and media masked for privacy)

1.7 Google User Data

Byline Travel’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Data We Access

When you connect your Google account, we request the following scopes:

  • openid, profile, email — Your name, email address, and profile photo for authentication
  • youtube.readonly — Read-only access to your YouTube channel information, subscriptions, playlists, liked videos, and activity history

How We Use Google Data

We use your Google profile data to authenticate your account and your YouTube data to understand your interests and provide personalized travel recommendations (e.g., suggesting destinations, activities, or dining experiences that match topics you follow on YouTube). Google user data is used solely to provide and improve user-facing features within Byline Travel.

How We Store Google Data

Google user data is stored in our encrypted database (Neon PostgreSQL with encryption at rest) and cached in Upstash Redis with automatic expiration. Data is retained while your account is active and deleted within 30 days of account deletion.

How We Share Google Data

We do not sell, rent, or trade your Google user data. We do not share Google user data with third parties except as necessary to provide the Service (e.g., our database and caching infrastructure). We do not use Google user data for advertising, retargeting, or any form of interest-based advertising.

Limited Use Disclosure

Our use of Google user data complies with Google’s Limited Use requirements. Specifically:

  • We only use Google user data to provide or improve user-facing features that are prominent in our application
  • We do not transfer Google user data to third parties except to provide or improve user-facing features, for security purposes, or to comply with applicable law
  • We do not use Google user data for serving advertisements or for retargeting, personalized, or interest-based advertising
  • We do not use Google user data to train artificial intelligence or machine learning models
  • We do not allow humans to read Google user data unless the user has given affirmative consent, it is necessary for security purposes, or it is required by law

How to Revoke Access

You can disconnect your Google account and revoke our access to your YouTube data at any time from Settings → Accounts → Connected Accounts. You can also revoke access from your Google Account permissions page.

2. How We Use Your Information

2.1 Provide Travel Planning Services

  • Create and manage your trips and reservations
  • Search for flights, hotels, restaurants, and activities
  • Generate trip itineraries and timelines
  • Facilitate trip sharing with other travelers

2.2 Personalize Your Experience

We use your travel history, preferences, and connected account data (such as YouTube subscriptions and Spotify listening history) to generate personalized recommendations and trip intelligence, including:

  • Destination suggestions based on your interests
  • Activity and dining recommendations
  • Packing lists customized to your destination
  • Cultural insights and local customs
  • Weather forecasts and what to expect

2.3 Analytics & Product Improvement

  • Understand how users interact with our platform
  • Identify and fix bugs and performance issues
  • Test new features and improvements
  • Analyze usage patterns to enhance user experience

2.4 Communications

We may use your contact information to send:

  • Trip reminders and updates
  • Product updates and new features
  • Marketing communications (with opt-out option)
  • Security and policy notifications

2.5 Legal Compliance

  • Comply with legal obligations
  • Prevent fraud and abuse
  • Enforce our terms of service
  • Respond to legal requests

3. How We Share Your Information

3.1 Service Providers

We share data with third-party services that help us operate the platform:

  • Authentication: GitHub OAuth, Google OAuth, Facebook OAuth, Apple, Spotify
  • Travel APIs: Amadeus (flights), Duffel (flights/stays), Google Maps/Places (locations), Yelp (restaurants), Viator (activities), OpenWeatherMap (weather)
  • AI Services: OpenAI (chat and recommendations), Google Vertex AI (content generation)
  • Analytics: Sentry (error tracking), Vercel Analytics (web analytics), PostHog (product analytics, session replay)
  • Infrastructure: UploadThing (file uploads), Neon PostgreSQL (database), Upstash (Redis caching, job queues)

3.2 Trip Participants

When you share a trip with others:

  • Trip participants can see trip details, itineraries, and reservations
  • Your name and profile photo are visible to participants
  • You control who has access to each trip via sharing settings

3.3 Public Trip Templates

If you publish a trip as a public template:

  • Trip destination, dates, and itinerary become publicly visible
  • Your name and profile appear as the creator
  • Personal reservation details (confirmation numbers, costs) are NOT shared

3.4 Legal Requirements

We may disclose your information if required by law or to:

  • Comply with legal process or government requests
  • Enforce our terms of service
  • Protect our rights, property, or safety
  • Prevent fraud or abuse

3.5 Business Transfers

If Byline Travel is acquired or merged, your information may be transferred to the new entity. We will notify you of any such change and any choices you may have regarding your information.

3.6 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information or Google user data to third parties. We do not share your data with advertising platforms, data brokers, or information resellers.

4. Data Retention

We retain your data as follows:

  • Account Data: Retained while your account is active
  • Trip Data: Retained while your account is active, or until you delete individual trips
  • Chat Conversations: Retained to provide and improve the Service’s user-facing features
  • Connected Account Data (Google, Spotify, etc.): Retained while the account is connected; deleted when you disconnect the account or delete your Byline account
  • Analytics Data: Aggregated and anonymized data may be retained indefinitely
  • Deleted Accounts: Personal data is deleted within 30 days of account deletion, though some aggregated or anonymized data may remain

To delete your account, go to Settings → Account → Delete Account. This action is irreversible.

5. Your Rights

You have the following rights regarding your personal information:

5.1 Access Your Data

You can view and manage most of your data through your Account Settings and Profile pages. You may also request a copy of your data by contacting us at info@byline.travel.

5.2 Correct Inaccuracies

You can update your profile information, travel preferences, and trip data at any time through the app.

5.3 Delete Your Account

You can delete your account from Settings → Account → Delete Account. This will remove your personal information within 30 days.

5.4 Manage Connected Account Permissions

You can disconnect linked accounts (GitHub, Google, Spotify, Facebook) from Settings → Accounts → Connected Accounts. Disconnecting Google will revoke YouTube data access. Disconnecting Spotify will revoke music listening data access.

5.5 Opt Out of Analytics

You can opt out of PostHog session replay and analytics tracking via Cookie Settings (link in footer).

5.6 GDPR & CCPA Rights

If you are in the EU, UK, or California, you have additional rights:

  • Right to access your personal data
  • Right to erasure/deletion
  • Right to data portability
  • Right to restrict processing
  • Right to object to processing
  • Right to withdraw consent

To exercise any of these rights, contact us at info@byline.travel. We will respond within 30 days.

6. Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it. Our current security practices include:

  • HTTPS/TLS encryption for all data in transit
  • Database encryption at rest
  • Password hashing (bcrypt)
  • OAuth 2.0 authentication with secure token storage
  • Role-based access controls
  • Automated error monitoring and alerting (Sentry)
  • Regular security reviews and continuous improvement

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. If you suspect a security issue, please report it immediately to info@byline.travel.

Breach Notification

If we discover a data breach affecting your personal information, we will notify you via email and comply with all applicable breach notification laws.

7. Cookies and Tracking

We use cookies and similar technologies for:

7.1 Essential Cookies

  • Authentication and session management
  • Security features
  • Load balancing

7.2 Analytics Cookies

We use PostHog for product analytics, which includes:

  • Page view tracking
  • Feature usage analytics
  • Session replay (with text and media automatically masked for privacy)
  • Performance monitoring

You can opt out of analytics via Cookie Settings in the footer.

7.3 Vercel Analytics

We use Vercel Analytics for web vitals and performance metrics. Vercel does not use cookies and does not track users across sites.

8. International Data Transfers

Byline Travel is based in the United States. Our infrastructure and service providers are primarily located in the US:

  • Database: Neon PostgreSQL (US region)
  • Hosting: Vercel (US region)
  • AI Services: OpenAI (US), Google Vertex AI (US)

If you access our service from outside the United States, your information will be transferred to, stored, and processed in the US. We rely on Standard Contractual Clauses and other lawful transfer mechanisms to protect your data when transferred internationally.

9. Children’s Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will delete such information from our systems.

10. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes:

  • We will update the “Last Updated” date at the top of this policy
  • We will notify active users via email
  • We will post a prominent notice on the Service

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy. If you do not agree with the changes, you should stop using the Service and may delete your account.

11. Contact Us

If you have questions, concerns, or requests regarding this privacy policy or your personal information, please contact us:

Byline Travel, Inc.

Email: info@byline.travel

We will respond to privacy inquiries within 5–7 business days.

This privacy policy is effective as of March 18, 2026. Version: 2.0

Back to Top ↑