TravelSwallow Legal


Privacy Policy

How TravelSwallow processes personal data — account, travel plans, BYOK AI keys, AI processing, cookies, and your rights under the GDPR and DSG.

As of: June 2026. Only the German-language version is legally authoritative; translations into other languages are provided for convenience only and are non-binding.

We take the protection of your personal data seriously. This Privacy Policy informs you, in accordance with the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG), which data we process when you use TravelSwallow, for what purpose and on what legal basis.

1. Controller

The controller within the meaning of Art. 4(7) GDPR is:

Webagentur Hochmeir e.U.
Jonathan Hochmeir
Moorweg 7, 4845 Rutzenmoos, Österreich
E-Mail: hello@webhoch.com
Tel: +43 680 2208354

For all questions concerning data protection and the exercise of your rights you can reach us at hello@webhoch.com.

2. General

We process personal data only to the extent necessary. “Personal data” means any information relating to an identified or identifiable natural person. Processing only takes place if there is a legal basis or you have consented. Where we obtain your consent for the processing, Art. 6(1)(a) GDPR serves as the legal basis; for processing to perform a contract, Art. 6(1)(b) GDPR; to comply with legal obligations, Art. 6(1)(c) GDPR; and to safeguard legitimate interests, Art. 6(1)(f) GDPR.

3. Server log files

When you access our website, the server (nginx) automatically collects information that your browser transmits and temporarily stores it in so-called server log files. The following is recorded:

  • the anonymized or truncated IP address of the requesting device,
  • the date and time of access,
  • the URL or file requested,
  • the referrer URL (the previously visited page),
  • the browser used and its version,
  • the operating system,
  • the host name of the accessing computer.

This data serves to deliver the website, to ensure stability and security, and for error analysis. The legal basis is our legitimate interest in secure operation (Art. 6(1)(f) GDPR). Log files are deleted after a short time, unless they are needed to investigate a security incident.

4. Hosting

Our application and database are operated on servers in Austria or within the European Union. A data processing agreement pursuant to Art. 28 GDPR is in place with the hosting service provider, ensuring that the data is processed exclusively in accordance with our instructions and in compliance with the GDPR. The legal basis for hosting is Art. 6(1)(b) and (f) GDPR.

5. Account / Registration

To publish and permanently store travel plans, you can create an account. In doing so we process your e-mail address and your password, which is stored exclusively as a secure hash (method: scrypt) — we do not know your password in plain text. The legal basis is the performance of the user agreement (Art. 6(1)(b) GDPR). Without an account you can use the builder locally in your browser.

6. Travel-plan and user content

When you create and save travel plans, we process the content you enter (e.g. titles, days, agenda items, places, notes) as well as optional PDF attachments (such as tickets) that you upload yourself. We process this data in order to provide you with the “create, save and share travel plan” function. The legal basis is Art. 6(1)(b) GDPR. Content of published plans is accessible via the link you share or — where password protection is enabled — only after entering the password.

7. Your own AI key (BYOK)

TravelSwallow follows the “Bring Your Own Key” principle: for AI features you use your own API key from the respective provider. By default, this key is kept exclusively locally in your browser. If you choose to conveniently store the key in your account, we store it AES-256-GCM-encrypted. The key is never logged and never returned to the client side. The legal basis is your consent or the performance of the contract (Art. 6(1)(a) and (b) GDPR). You can delete a stored key at any time in the settings.

8. AI/LLM processing

When you trigger an AI generation, the inputs required for it (prompt content, e.g. travel preferences) are transmitted to the respective AI provider and processed there. Two situations must be distinguished:

  • Generations funded by us (default): Free generations in the free tier as well as generations from paid plans and packages are processed via our AI provider Anthropic (Claude), at our expense and with our key.
  • With your own key (BYOK): If you have stored your own API key, processing takes place via the provider you have chosen (Anthropic, OpenAI or Google) using your key.

The data protection provisions of the respective provider used apply. Depending on the provider, a transfer to a third country (in particular the USA) may take place; in that case the providers rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCC). We do not store the prompt content for longer than is necessary to provide the function. Please do not include any sensitive personal data of third parties in AI inputs. The legal basis is Art. 6(1)(b) GDPR (provision of the function) or (a) (consent).

9. Live weather

Travel plans can display current weather data. This request is made client-side (in your browser) directly to api.open-meteo.com, transmitting the coordinates of the respective travel-plan location. In doing so, the provider Open-Meteo may, for technical reasons, process your IP address. The data protection provisions of Open-Meteo apply. The legal basis is Art. 6(1)(f) GDPR (provision of the requested function).

10. Cookies

We use only technically necessary cookies. Specifically, these are:

  • a session cookie that keeps you logged in after login, and
  • unlock cookies that remember that you have already correctly entered the password of a password-protected plan.

We use no analytics, tracking or marketing cookies and do not integrate any such services. Since the cookies mentioned are strictly necessary for the operation of the functions you have requested, they do not require consent; the legal basis is Art. 6(1)(f) GDPR.

11. Payment processing

For paid plans (Plus, Pro), the “+5 plans” add-on and one-time AI-generation packages, we process payments via the payment service provider Stripe Payments Europe, Ltd. (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland). In particular, the following data is processed:

  • your name and e-mail address,
  • the payment data (e.g. credit card or bank details) that you enter directly with Stripe and which we ourselves cannot view or store,
  • customer, subscription and payment IDs that Stripe returns to us to assign your order.

The legal basis is the performance of the contract for the paid service (Art. 6(1)(b) GDPR). Stripe processes the data as an independent controller under its own terms; you can find details in Stripe’s privacy policy at stripe.com/privacy. As long as you do not order a paid service, no data is processed via Stripe.

12. Affiliate partners & booking links

Travel plans may contain booking or ticket links to third-party providers (e.g. GetYourGuide, Tiqets). These are affiliate links labelled as “advertisement” (“Anzeige”): if you book something via such a link, we may receive a commission — at no extra cost to you. When you click an affiliate/booking link, you are redirected to the respective partner; you yourself initiate the call to the partner’s site. In doing so, we do not actively transmit any personal data to the partner. On the destination site, however, the partner’s cookies or tracking mechanisms may take effect, over which we have no influence; the data protection provisions of the respective partner apply to these. The legal basis is our legitimate interest in financing the free offering (Art. 6(1)(f) GDPR).

13. Transactional e-mails

As part of the performance of the contract, we send necessary transactional e-mails to the e-mail address you have provided (e.g. confirmations relating to orders, subscriptions or account operations). These are sent via our own mail server. The legal basis is Art. 6(1)(b) GDPR (performance of the contract) or (f) GDPR (legitimate interest in informing you about service-relevant operations).

14. Storage period

We store account and plan data until the end of the user relationship or until your account is deleted. You can delete your account and all associated data yourself at any time in the settings; the data is then deleted. Data relating to paid orders is retained to comply with statutory retention obligations (in particular under tax and commercial law) for the respective prescribed period. Server log files are deleted promptly, as described under point 3.

15. Recipients / categories of recipients

Your data is disclosed only to the recipients required for operation, in particular:

  • the hosting service provider (processor, servers in Austria/EU),
  • our AI provider Anthropic (for generations funded by us) or the AI provider you have chosen (Anthropic, OpenAI or Google) when using your own key,
  • the payment service provider Stripe (only for paid orders, see point 11),
  • affiliate partners — only through your own click on a booking link (see point 12),
  • Open-Meteo (client-side weather request),
  • authorities, insofar as we are legally obliged to do so.

We rule out any sale of your data or disclosure for advertising purposes.

16. Data transfer to third countries

A transfer to third countries takes place in particular in connection with the AI processing (see point 8), where the provider used processes data there, and where applicable in the course of payment processing via Stripe. This transfer is based on appropriate safeguards (in particular the EU Standard Contractual Clauses) or an adequacy decision, where one exists.

17. Technical & organizational measures (TOMs)

We take appropriate technical and organizational measures to protect your data, including transport encryption (TLS/HTTPS), hashed password storage (scrypt), AES-256-GCM encryption of stored AI keys, access restrictions and regular updates of the software used.

18. Your rights

As a data subject, you have the following rights:

  • right of access (Art. 15 GDPR),
  • right to rectification (Art. 16 GDPR),
  • right to erasure (Art. 17 GDPR),
  • right to restriction of processing (Art. 18 GDPR),
  • right to data portability (Art. 20 GDPR),
  • right to object to processing (Art. 21 GDPR),
  • right to withdraw a given consent with effect for the future (Art. 7(3) GDPR).

To exercise your rights, an informal message to hello@webhoch.com is sufficient.

19. Right to lodge a complaint

Without prejudice to any other remedy, you have the right to lodge a complaint with a supervisory authority. For Austria this is the Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna (www.dsb.gv.at).

20. No automated decision-making

No automated decision-making, including profiling within the meaning of Art. 22 GDPR, takes place. The results of the AI features are mere suggestions and produce no legal effect concerning you.

21. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy so that it always complies with current legal requirements or to implement changes to our services. The version then in force will apply to your next visit.


Operated by webhoch.com