1. Introduction
NovaXplora ("we," "us," or "our") is an AI-powered trip planning web application. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use NovaXplora. By using our service, you agree to the collection and use of information in accordance with this policy.
Data Controller: DeviceCortex is the data controller responsible for your personal data. For any questions about how your data is processed, or to exercise your rights under applicable data protection law, please contact us at [email protected].
2. Information We Collect
We collect the following categories of information:
- Account Information: Name, email address, and date of birth (for accounts created directly on our platform).
- Profile Information: Profile photo and display preferences.
- Trip and Travel Data: Dreams, trip plans, destinations, activities, notes, and comments you create within the app.
- Location Data: Locations you search for and save as destinations in your plans.
- Photos and Attachments: Images and files you upload to your trips and dreams.
- Usage Data: Login timestamps, feature interactions, and general usage patterns to help us improve the service.
- Authentication Data: Session information and, for social login users, limited data provided by your social login provider (e.g., Google, Facebook).
3. How We Use Your Information
- Provide the Service: To operate, maintain, and deliver the core trip planning features of NovaXplora.
- AI-Powered Suggestions: To generate personalized activity and destination recommendations using AI models (see Section 5 for details).
- Collaboration: To enable you to share trip plans and dreams with other users you invite.
- Account Security: To verify your identity, protect against fraud, and maintain the security of your account.
- Improvements: To understand how users interact with the service and make improvements.
4. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:
- Contractual Necessity (Art. 6(1)(b)): Processing necessary to provide the service you have signed up for, including account management, trip planning features, collaboration, and data export.
- Legitimate Interest (Art. 6(1)(f)): Processing necessary for our legitimate interests, such as service improvement, security monitoring, and abuse prevention, where those interests are not overridden by your rights.
- Consent (Art. 6(1)(a)): Where we send your data to third-party AI providers to generate personalised suggestions. You provide this consent when you use AI-powered features. You may withdraw consent at any time (see Section 9).
- Legal Obligation (Art. 6(1)(c)): Where we are required to process data to comply with applicable laws.
5. AI and Automated Processing
NovaXplora uses third-party AI models to generate destination and activity suggestions for your trips. When you use AI-powered features:
- Data sent to AI providers: Trip descriptions, trip type (e.g., adventure, relaxation), destination context, and search queries. We do not send your name, email address, date of birth, or other account information to AI providers.
- AI providers used: OpenAI, Google Gemini, and OpenRouter. The specific provider used may vary. OpenRouter is an AI model routing service that provides access to various AI models through a unified API. Self-hosted models (Ollama) may also be used, in which case data is not sent to any third party.
- How outputs are used: AI-generated suggestions are presented as recommendations only. No automated decisions are made that produce legal or similarly significant effects on you.
- Data retention by AI providers:Our AI providers process data under business API terms that prohibit using your data for model training. Data sent via API calls is subject to each provider's data processing agreement and retention policies.
6. Information Sharing
- With Other Users: Only the content you explicitly share through collaboration features is visible to invited collaborators.
- Legal Requirements: We may disclose your information if required by law or in response to valid legal process.
We do not sell your personal data to third parties.
We use the following third-party service providers who may process your data on our behalf:
| Provider | Data Processed | Purpose |
|---|
| OpenAI | Trip descriptions, trip type, destination context | AI-powered suggestions |
| Google Gemini | Trip descriptions, trip type, destination context | AI-powered suggestions |
| OpenRouter | Trip descriptions, trip type, destination context | AI-powered suggestions (model routing) |
| Nominatim (OpenStreetMap) | Search queries, coordinates | Place search and geocoding |
| Photon (Komoot) | Search queries | Place autocomplete |
| Google Places | Search queries, coordinates | Place search enrichment |
| TripAdvisor | Place identifiers | Destination enrichment |
| AWS S3 | Data exports, attachments | File storage |
| Microsoft Graph | Email addresses | Transactional email delivery |
| Stadia Maps | Destination coordinates (latitude/longitude) | Route calculation between destinations |
| Geoapify | Destination coordinates, search criteria (meal type, cuisine, radius) | Restaurant and place discovery |
7. International Data Transfers
Some of our service providers operate outside the European Economic Area (EEA). When your data is transferred to countries that have not been deemed to provide an adequate level of data protection by the European Commission, we ensure appropriate safeguards are in place:
- US-based providers:OpenAI, Google, OpenRouter, AWS, Microsoft, and Stadia Maps process data in the United States. Transfers are protected by Standard Contractual Clauses (SCCs) and/or the provider's Data Processing Agreement.
- EU-based providers: Nominatim (OpenStreetMap) and Photon (Komoot) are operated within the EU and do not involve cross-border transfers.
8. Data Retention
- Active Accounts: Your data is retained for as long as your account remains active.
- Deleted Accounts: When you delete your account, it enters a 30-day grace period during which you can recover it. After 30 days, your data is permanently deleted from our systems.
- Route Data: Route calculation results from Stadia Maps are cached locally for up to 24 hours to improve performance. No user data is stored with Stadia Maps beyond their standard API request logging.
9. Your Rights
You have the right to:
- Access: View your personal data through your profile and trip history.
- Correction: Update your personal information via your profile settings.
- Deletion: Delete your account and all associated data at any time.
- Export: Download a complete copy of all your data at any time from your profile settings.
- Withdraw Consent: Where processing is based on consent (such as AI-powered suggestions), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
If you are located in the European Union, you also have the right to data portability, restriction of processing, and objection to processing under the General Data Protection Regulation (GDPR). To exercise any of these rights, please contact us at [email protected].
10. Children's Privacy
NovaXplora is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us and we will promptly delete that information from our systems.
11. Cookies and Local Storage
NovaXplora uses minimal browser storage, limited to what is strictly necessary for the service to function:
- Authentication Cookies: Set by our authentication provider to maintain your login session. These are strictly necessary cookies and are exempt from consent requirements.
- Local Storage:Your color scheme preference and UI layout settings are stored in your browser's local storage to remember your display preferences across visits.
- Session Storage: Authentication tokens are stored temporarily in session storage for the duration of your browser session.
- IndexedDB:Trip plan and dream data may be cached in your browser's IndexedDB for offline access. This data remains on your device and is not transmitted to any third party.
We do not use analytics cookies, marketing cookies, or any third-party tracking technologies. No cookie consent banner is required because all storage is strictly necessary for the service to function.
12. Security
We take reasonable measures to protect your information, including encrypting data in transit via HTTPS, enforcing Content Security Policy headers, and using industry-standard authentication protocols. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly with information about the nature of the breach and the steps you can take to protect yourself.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of NovaXplora after changes are posted constitutes your acceptance of the updated policy.
15. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at [email protected].
DeviceCortex has not appointed a Data Protection Officer (DPO) as it does not meet the thresholds requiring one under GDPR Art. 37. For all data protection inquiries, please use the email address above.