Privacy Policy
1. Introduction
This Privacy Policy (“Policy”) describes how Vamo (“Company,” “we,” “us,” or “our”) collects, uses, discloses, retains, and protects your personal information when you access or use our website at vamo.travel, our web application at app.vamo.travel, our application programming interfaces, and all related services, features, content, and applications (collectively, the “Service”).
This Policy is incorporated into and forms part of our Terms of Service. By accessing or using the Service, you acknowledge that you have read, understood, and consent to the practices described in this Policy.
We are committed to protecting your privacy and handling your personal information in compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020, Cal. Civ. Code §§ 1798.100–1798.199.100 (“CCPA/CPRA”), the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506 (“COPPA”), the CAN-SPAM Act, 15 U.S.C. §§ 7701–7713, and other applicable federal, state, and international privacy laws.
2. Information We Collect
2.1 Information You Provide Directly
(a) Account Information
When you create an Account, we collect:
- Full name
- Email address
- Password (hashed and salted; we do not store plaintext passwords)
- Preferred display name
- Profile preferences (travel style, budget preferences, pace preferences)
(b) Traveler Identity and Travel Documents
When you make Bookings or create traveler profiles, we may collect:
- Full legal name (as it appears on government-issued identification)
- Date of birth
- Gender
- Nationality
- Passport number and expiration date
- Other government-issued identification numbers
- Visa information
- Known Traveler Numbers (TSA PreCheck, Global Entry)
- Frequent flyer program numbers and airline loyalty information
This information is classified as sensitive personal data and is encrypted at rest using industry-standard Fernet symmetric encryption. It is accessed only when necessary to fulfill Bookings and is shared only with the applicable Third-Party Providers.
(c) Payment Information
When you make a Booking, our third-party payment processor, Stripe, Inc. (“Stripe”), collects payment card number, card expiration date, card verification value (CVV), and billing name and address.
Vamo does not store complete payment card numbers. Payment information is processed and stored by Stripe in accordance with Payment Card Industry Data Security Standards (PCI DSS). We retain only a tokenized reference to your payment method, the last four digits of your card, and the card brand.
(d) Trip and Travel Information
When you use the Service to plan trips, we collect:
- Trip destinations, dates, and itinerary details
- Activity preferences and selections
- Hotel and flight preferences
- Budget information
- Travel companion information (names, email addresses of invited participants)
- Reviews, ratings, and travel notes
- Bucket list destinations
(e) Communications
We collect information you provide when you contact our support team, interact with the JANICE AI assistant (chat messages and conversation context), respond to surveys, or provide feedback about the Service.
(f) User Content
We collect content you submit, post, or upload to the Service, including travel reviews, photos, comments, notes, and trip descriptions.
2.2 Information Collected Automatically
(a) Device and Browser Information
Device type, model, and operating system; browser type and version; screen resolution; language preferences; and time zone setting.
(b) Usage Information
Pages and features accessed; date and time of access; referring URL; click patterns and navigation paths; search queries; features used; and session duration.
(c) Network Information
Internet Protocol (IP) address; internet service provider; and approximate geographic location derived from IP address.
(d) Cookies and Similar Technologies
We use essential cookies that are strictly necessary for the operation of the Service, including session management and authentication cookies. For details, see Section 12.
2.3 Information from Third Parties
We may receive information about you from authentication providers (Supabase Auth), Third-Party Providers (booking confirmations and status updates), and our payment processor (Stripe — transaction status and limited payment method information).
3. How We Use Your Information
3.1 Providing and Operating the Service
- Creating and managing your Account
- Processing and fulfilling Bookings (flights, hotels, activities)
- Enabling collaborative trip planning with other users
- Generating AI-powered travel recommendations and itineraries
- Operating the JANICE AI travel assistant
- Processing payments and refunds
- Sending booking confirmations, reminders, and updates
- Providing customer support
3.2 Improving and Personalizing the Service
- Analyzing usage patterns to improve features and user experience
- Developing new features and services
- Personalizing content and recommendations
- Conducting internal analytics and research
- Improving the accuracy and relevance of AI-generated content
We may use anonymized and aggregated data derived from your use of the Service to improve our AI models and algorithms. This data is stripped of all personally identifiable information and cannot be used to identify you.
3.3 Communications
Sending transactional emails (booking confirmations, account notifications, security alerts); sending marketing communications (only with your opt-in consent); responding to your inquiries; and sending trip-related notifications.
3.4 Security and Fraud Prevention
Detecting, investigating, and preventing fraudulent or illegal activity; protecting the security of the Service; enforcing our Terms of Service; and verifying user identity in connection with Bookings.
3.5 Legal Compliance
Complying with applicable laws and regulations; responding to lawful government requests; establishing, exercising, or defending legal claims; and meeting tax and regulatory reporting obligations.
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland, we process your personal data based on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Performance of contract (Art. 6(1)(b)) |
| Booking fulfillment and payment processing | Performance of contract (Art. 6(1)(b)) |
| Customer support | Performance of contract (Art. 6(1)(b)) |
| Service improvement and analytics | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| AI-generated recommendations | Performance of contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)) |
| Processing of identity documents | Performance of contract (Art. 6(1)(b)) and explicit consent (Art. 9(2)(a)) where required |
Where we rely on legitimate interests, we have conducted balancing tests to ensure that your rights and freedoms do not override those interests. You may request information about these balancing tests by contacting us at admin@vamo-group.com.
6. Data Security
6.1 Security Measures
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption at rest — Sensitive personal data (including passport information and government IDs) is encrypted using Fernet symmetric encryption
- Encryption in transit — All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
- Access controls — Role-based access controls limit employee access to personal information on a need-to-know basis
- Authentication security — Passwords are hashed and salted; JWT tokens are used with automatic expiration and refresh
- Payment security — Payment card data is handled by our PCI DSS-compliant payment processor (Stripe)
- Database security — Database connections are encrypted and routed through connection pooling with session-mode isolation
- Rate limiting — API endpoints are rate-limited to prevent abuse
- Audit logging — Access to sensitive data is logged for security monitoring
6.2 No Absolute Security
While we use commercially reasonable measures to protect your information, no method of transmission over the Internet or electronic storage is completely secure. In the event of a data breach, we will notify you and applicable regulatory authorities in accordance with applicable law.
7. Data Retention
7.1 Active Accounts
We retain your personal information for as long as your Account is active and as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements.
7.2 Account Deletion
Upon account deletion or upon your request:
- 30-Day Grace Period — Your Account will be deactivated for thirty (30) days, during which you may reactivate it.
- Anonymization — After the grace period, we will permanently anonymize your personal information. Anonymized, aggregated data may be retained indefinitely for analytics and service improvement.
- Exceptions — Certain information may be retained where required by applicable law (tax records, fraud prevention data, legal compliance).
7.3 Booking Records
Booking records, transaction history, and associated financial data are retained for a minimum of seven (7) years from the date of the transaction to comply with tax, accounting, and regulatory requirements.
7.4 AI Interaction Data
Chat messages with the JANICE AI assistant are retained in association with your trip for the duration of the trip's existence. Upon trip or account deletion, AI interaction data is anonymized in accordance with Section 7.2.
8. Your Rights
8.1 Rights for All Users
Regardless of your location, you have the following rights:
- Access — Request a copy of the personal information we hold about you
- Correction — Request correction of inaccurate or incomplete personal information
- Deletion — Request deletion of your personal information, subject to certain exceptions
- Opt-Out of Marketing — Opt out of marketing communications at any time
- Account Closure — Close your Account at any time
To exercise these rights, contact us at admin@vamo-group.com. We will respond within thirty (30) days.
8.2 Rights for EEA, UK, and Swiss Residents (GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following additional rights under the GDPR:
- Right of Access (Article 15) — Obtain confirmation of processing and receive a copy of your data in a structured, machine-readable format
- Right to Rectification (Article 16) — Request correction of inaccurate personal data
- Right to Erasure (Article 17) — Request deletion of your personal data in certain circumstances
- Right to Restriction of Processing (Article 18) — Request restriction of processing in certain circumstances
- Right to Data Portability (Article 20) — Receive your personal data in a machine-readable format and transmit it to another controller
- Right to Object (Article 21) — Object to processing based on legitimate interests, including profiling
- Right Not to Be Subject to Automated Decision-Making (Article 22) — Our AI recommendations are informational only and do not constitute automated decision-making with legal effects
- Right to Withdraw Consent — Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint — Lodge a complaint with a supervisory authority in your jurisdiction
To exercise your GDPR rights, contact us at admin@vamo-group.com. We will respond within one (1) month, which may be extended by two (2) additional months for complex requests, per Article 12(3) GDPR.
8.3 Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the CCPA/CPRA (Cal. Civ. Code §§ 1798.100–1798.199.100):
- Right to Know (§ 1798.100) — Request disclosure of the categories and specific pieces of personal information we have collected
- Right to Delete (§ 1798.105) — Request deletion of personal information, subject to certain exceptions
- Right to Correct (§ 1798.106) — Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing (§ 1798.120) — We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information (§ 1798.121) — We collect sensitive personal information solely for the purpose of fulfilling Bookings
- Right to Non-Discrimination (§ 1798.125) — We will not discriminate against you for exercising your CCPA/CPRA rights
Categories of Information Collected and Disclosed
| Category | Collected | Disclosed To |
|---|---|---|
| Identifiers (name, email, IP address) | Yes | Service providers, travel providers |
| Government IDs (passport, ID numbers) | Yes | Travel providers (for bookings only) |
| Financial information (payment method details) | Yes | Payment processor (Stripe) |
| Commercial information (booking history) | Yes | Service providers, travel providers |
| Internet/electronic activity (usage data) | Yes | Service providers |
| Geolocation data (approximate, from IP) | Yes | Service providers |
| Inferences (travel preferences) | Yes | AI service providers (anonymized) |
| Sensitive personal information (passport data) | Yes | Travel providers (for bookings only) |
To exercise your CCPA/CPRA rights, email admin@vamo-group.com with the subject line “California Privacy Rights Request.” We will verify your identity and respond within forty-five (45) days.
8.4 Rights Under Other Jurisdictions
If you are located in a jurisdiction with additional data protection rights (such as Brazil's LGPD, Canada's PIPEDA, or Australia's Privacy Act 1988), we will comply with those laws as they apply to you. Please contact us at admin@vamo-group.com to exercise your rights.
9. Children's Privacy
9.1 COPPA Compliance
In accordance with COPPA, 15 U.S.C. §§ 6501–6506:
- We do not knowingly collect personal information from children under the age of thirteen (13) without verifiable parental consent.
- If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take prompt steps to delete such information.
- Parents or legal guardians who believe their child under 13 has provided personal information to Vamo may contact us at admin@vamo-group.com to request review, deletion, or cessation of collection.
- Parents have the right to consent to the collection and use of their child's personal information without consenting to disclosure to third parties, except as necessary to provide the Service.
9.2 Users Ages 13–17
Users between the ages of thirteen (13) and seventeen (17) may use the Service with the consent of a parent or legal guardian. We do not knowingly allow minors to make Bookings or financial transactions without parental supervision.
10. International Data Transfers
10.1 Data Storage Location
Your personal information is primarily stored and processed in the United States, specifically in data centers located in the US West region (operated by Supabase via Amazon Web Services).
10.2 Cross-Border Transfers
If you are located outside the United States, your personal information will be transferred to and processed in the United States. The United States may not have data protection laws equivalent to those in your jurisdiction.
10.3 Transfer Safeguards (GDPR)
For transfers from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) — We enter into the European Commission's Standard Contractual Clauses with our service providers that process personal data outside the EEA.
- UK International Data Transfer Agreement — For transfers from the UK, we rely on the UK Secretary of State's International Data Transfer Agreement or the UK Addendum to the EU SCCs.
- Supplementary Measures — Where required, we implement supplementary technical and organizational measures (including encryption and access controls).
11. Do Not Track
Some web browsers transmit “Do Not Track” (DNT) signals. Because there is no universally accepted standard for how to respond to DNT signals, the Service does not currently respond to browser DNT signals. However, you may exercise the privacy rights described in Section 8.
13. Third-Party Links
The Service may contain links to third-party websites and services not operated by Vamo. This Policy does not apply to third-party websites. We are not responsible for the privacy practices of any third party. We encourage you to review the privacy policies of any third-party websites you visit.
14. Marketing Communications
14.1 Opt-In
We send marketing communications only to users who have affirmatively opted in. You may opt in during Account registration or through your Account settings.
14.2 Opt-Out
You may opt out of marketing communications at any time by: (a) clicking the “unsubscribe” link in any marketing email; (b) updating your communication preferences in your Account settings; or (c) contacting us at admin@vamo-group.com. We will process your opt-out request within ten (10) business days, in compliance with the CAN-SPAM Act, 15 U.S.C. §§ 7701–7713.
14.3 Transactional Communications
Opting out of marketing communications does not affect transactional communications, such as booking confirmations, security alerts, and account notifications necessary for the operation of the Service.
15. Changes to This Privacy Policy
We may update this Policy from time to time. When we make material changes, we will: (a) send an email notification to the address associated with your Account; (b) post a prominent notice on the Service; and (c) update the “Last Updated” date at the top of this Policy. Your continued use of the Service after the effective date constitutes your acceptance of the updated Policy.
16. Contact Information
If you have any questions about this Privacy Policy, please contact us at:
Vamo Group
Attn: Privacy Inquiries
15 White Oak Rd
Wellesley, MA 02481
United States
Email: admin@vamo-group.com
Data Protection Inquiries (EU/UK)
If you are located in the EEA, UK, or Switzerland and have questions about our data processing practices, you may contact us at the address above. Vamo does not currently have a designated Data Protection Officer. This Policy will be updated with DPO contact information if one is appointed.
California Privacy Inquiries
California residents may submit CCPA/CPRA requests by emailing admin@vamo-group.com with the subject line “California Privacy Rights Request.”