Privacy Policy
Last updated: March 18, 2026
At Travel.free ("we," "us," or "our"), we take your privacy seriously. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights when you visit our website at travel-free.ai and use our services (the "Service").
1. Information We Collect
1.1 Information You Provide Directly
- Newsletter Subscription: Email address and optional name when you sign up for our newsletter. We also generate a unique confirmation token and unsubscribe token for each subscription.
- AI Advisor Conversations: The messages you send to our AI Travel Advisor. These are transmitted to our AI provider for processing and may be temporarily stored for the duration of your session.
- Account Information: If you create an account, we collect your name, email address, and optional profile data such as loyalty program preferences and points balances.
- Contact Communications: Any information you provide when contacting us via email or forms.
1.2 Information Collected Automatically
- IP Address: We collect your IP address for rate limiting (to prevent abuse of the AI advisor, newsletter signup, and admin login), security logging, and analytics. IP addresses are stored in our database in the RateLimit and AuditLog tables.
- Analytics Data: We use Vercel Analytics to collect anonymized page view data, including pages visited, referrer, browser type, device type, and country. We also record certain interaction events (such as credit card link clicks and blog post views) in our AnalyticsEvent table.
- Theme Preference: We store your light/dark mode preference locally in your browser using cookies set by the next-themes library.
1.3 Information We Do Not Collect
We do not collect payment card numbers, bank account details, Social Security numbers, or any government-issued identity documents. We do not use tracking cookies for cross-site advertising.
2. How We Use Your Information
- Deliver the Service: Process your newsletter subscription (including sending the confirmation email and periodic updates), power the AI Travel Advisor with your conversation context, and display personalized recommendations.
- Security & Abuse Prevention: Enforce rate limits on API endpoints, detect and prevent unauthorized access to admin areas, and log security-relevant events (login attempts, content moderation actions).
- Service Improvement: Analyze aggregated usage patterns to improve our content, AI advisor quality, and user experience.
- Legal Compliance: Comply with applicable laws, respond to legal process, and enforce our Terms of Service.
3. Third-Party Services & Data Sharing
We do not sell your personal information. We share data with the following third-party services only as necessary to operate the Service:
- Anthropic (Claude API): Your AI advisor messages are sent to Anthropic's Claude API for processing. Anthropic's data handling is governed by their privacy policy. We use the API in a configuration where your conversations are not used to train their models.
- Resend: We use Resend to send newsletter confirmation and update emails. Your email address and name are transmitted to Resend for email delivery.
- Vercel: Our website is hosted on Vercel. We also use Vercel Analytics for anonymized page-view analytics. Vercel's data handling is governed by their privacy policy.
- Neon (PostgreSQL): Our database is hosted on Neon, a managed PostgreSQL provider. All data described in this policy (subscriber emails, rate limit records, audit logs, analytics events) is stored in Neon.
We may also disclose your information if required by law, court order, or governmental authority, or in connection with a merger, acquisition, or sale of assets.
4. Cookies & Local Storage
We use minimal cookies and browser storage:
- Theme Preference Cookie: Stores your light/dark mode selection. This is a functional cookie essential to the user experience.
- Vercel Analytics: May set a first-party cookie for anonymized visitor counting. No cross-site tracking is performed.
We do not use third-party advertising cookies, social media tracking pixels, or cross-site tracking technologies. You can control cookies through your browser settings; disabling them may affect theme persistence.
5. Data Retention
- Rate Limit Records: Automatically deleted within 1 hour of creation via probabilistic cleanup.
- Newsletter Subscriber Data: Retained until you unsubscribe. After unsubscribing, your record is retained in an anonymized state (status set to UNSUBSCRIBED) to prevent re-sending. You may request full deletion.
- AI Conversations: Not persistently stored on our servers. Messages are sent to the AI provider for real-time processing and are not retained in our database after the session ends.
- Audit Logs: Retained for up to 12 months for security and compliance purposes, then deleted.
- Analytics Events: Retained for up to 12 months for service improvement, then deleted.
- Account Data: Retained for the life of your account. You may request deletion at any time.
6. Data Security
We implement technical and organizational measures to protect your data, including: HTTPS encryption for all data in transit; nonce-based Content Security Policy to prevent cross-site scripting; CSRF protection via Origin header validation; database-backed rate limiting to prevent brute-force attacks; timing-safe comparison for API key and password verification; and IP-based lockout after repeated failed admin login attempts. However, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
7. Your Rights
7.1 All Users
Regardless of your location, you may:
- Unsubscribe from our newsletter at any time by clicking the unsubscribe link in any email
- Request a copy of the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your personal data
7.2 European Economic Area (GDPR)
If you are in the EEA, our legal bases for processing your data are: your consent (newsletter subscription); legitimate interest (security, rate limiting, service improvement); and contract performance (providing the Service). You additionally have the right to data portability, the right to restrict processing, the right to object to processing, and the right to lodge a complaint with your local data protection authority.
7.3 California Residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect and how it is used, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise these rights, contact us at privacy@travel-free.ai.
7.4 Exercising Your Rights
To exercise any privacy right, email privacy@travel-free.ai with your request. We will respond within 30 days. We may ask you to verify your identity before processing the request.
8. Children's Privacy
The Service is not intended for children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we learn that we have collected information from a child under the applicable age, we will delete it promptly. If you believe a child has provided us with personal information, please contact us.
9. International Data Transfers
Our servers and third-party service providers are located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We ensure that any such transfer is done in compliance with applicable data protection laws.
10. Do Not Track
Our website does not respond to "Do Not Track" browser signals. However, as described above, we use only minimal first-party analytics and do not engage in cross-site tracking.
11. Third-Party Links
The Service contains links to third-party websites, including hotel booking platforms, loyalty program sites, and credit card issuers. We are not responsible for their privacy practices. We encourage you to review their privacy policies before providing any personal information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top of this page. For material changes, we will make reasonable efforts to notify newsletter subscribers via email. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at privacy@travel-free.ai.