Your data, on your terms.

ReelTrip AI (“ReelTrip,” “we,” “us”) is an AI-powered travel discovery and planning platform, operated from Sydney, Australia by an Australian-registered sole trader — ABN 65 969 184 287. We are the data controller for personal information processed through reeltripai.com and the ReelTrip AI service. For privacy and data-protection enquiries, contact legal@reeltripai.com. For all other enquiries, contact connect@reeltripai.com.

ReelTrip AI is an AI-powered travel discovery and planning platform. We turn short-form social video and natural-language inputs into reasoned, day-by-day travel blueprints. We curate themed Travel Worlds from public travel content, personalise recommendations using your stated and inferred preferences, and surface accommodation and experience options through partner booking providers.

We are an intelligence layer, not a booking provider. When you book a hotel, experience, or activity, your transaction is executed by the booking partner you choose, on their own platform, under their terms.

We collect the minimum data necessary to deliver, personalise, and protect the service. Each category below answers why it is collected and how long it is kept.

Account

Email address, display name, sign-in provider identity, and account creation date. Authentication is delegated to Clerk (our identity provider); passwords and OAuth secrets are never stored on our infrastructure.

Trip content

Reels and URLs you submit, destinations and dates you specify, generated itineraries, customisation preferences (group type, pace, budget, dietary needs), and any notes or annotations you add to your trips.

Travel preferences

Explicit preferences you select (travel styles, budget tiers, group composition) and inferred signals from your interactions (worlds you save, trips you fork, recommendations you accept or dismiss). Together these form your Travel DNA — described in Section 5.

Discovery activity

Searches you run, Travel Worlds you save, AI Concierge queries, and collections you build. Used to refine the next round of recommendations and to compute marketplace ranking signals.

Operational data

IP address (truncated to the /24 subnet after 30 days), user-agent, browser language, basic request timing. Used for security, abuse prevention, and service reliability — not for advertising.

Payment data

Payment processing is handled end-to-end by Stripe. We never see or store card numbers, CVVs, or bank details. We store only a Stripe customer reference so we can issue refunds and reconcile subscriptions.

Communications

Email correspondence with support, partnership enquiries, and product feedback — kept for the duration of the conversation plus 24 months for recordkeeping.

What we do not collect

• Precise device location, outside the trips you explicitly create.
• Social-graph data beyond the identity used to sign in.
• Microphone, camera, or biometric data.
• Browsing activity outside our domain.
• Sensitive personal data (health, political views, religion) — unless you voluntarily disclose it as part of trip preferences (e.g. accessibility requirements), and only then to deliver the requested trip.

We process personal data for the following purposes, each with a defined legal basis under GDPR Article 6:

Service delivery

Generating itineraries, resolving destinations, displaying maps, surfacing saved trips. Legal basis: performance of contract.

Personalization

Refining Travel Worlds, ranking recommendations, learning your preferences over time. Legal basis: legitimate interest (with opt-out via account settings).

Security & abuse prevention

Rate limiting, fraud detection, audit logging. Legal basis: legitimate interest + legal obligation.

Communications

Transactional emails (trip generated, password reset), product updates you have opted into, support replies. Marketing and product-update emails are sent from noreply@reeltripai.com — do not reply to that address; use connect@reeltripai.com instead. Legal basis: contract + consent for marketing.

Compliance & legal claims

Responding to lawful requests, defending claims, meeting tax obligations. Legal basis: legal obligation.

Travel DNA is the model we build of your travel preferences from your interactions with ReelTrip AI. It is a private, account-scoped signal — not a shareable profile and not visible to other users.

How Travel DNA is built

From your interactions we derive lightweight numeric weights across travel dimensions: pace (relaxed → fast), budget tier (budget → luxury), group context (solo / couple / family / friends / business), themes (cultural, foodie, wellness, adventure, nightlife, hidden gems), and seasonal preference. These weights update gradually as you save worlds, fork trips, or dismiss recommendations.

How Travel DNA is used

To rank which Travel Worlds appear in your Discovery Hub, to suggest customisations on the Blueprint screen, and to power the AI Concierge's "because you like..." recommendations. Travel DNA never leaves your account context; it is not shared with booking partners, advertisers, or other users.

How to control Travel DNA

You can reset your Travel DNA at any time from Account → Privacy → Reset preferences, or disable personalization entirely — in which case Discovery Hub ranks worlds by editorial score only.

Travel Worlds are AI-curated thematic collections (e.g. Tokyo After Dark, Hidden Bali, Luxury Patagonia). They are generated from public sources — primarily public travel reels on supported platforms — and ranked by our Discovery scoring engine using six factors: travel-content validation, place density, video quality, engagement, uniqueness, and editorial signals.

Travel Worlds are not personalised at the world-content level. The same world shows the same curated content to every viewer. Personalization affects only which worlds appear in your hub and in what order — not which reels appear inside a given world.

When you generate a trip from a world, the AI processes the world's metadata plus your customisations (duration, group, pace, budget, dietary needs) to produce a day-by-day itinerary. Generated itineraries belong to you for personal use under the terms in our Terms of Service.

We use multiple AI providers to deliver the service. Each is bound by a zero-retention contract — your inputs are processed in-flight to produce the AI output and are not retained, logged, or used to train provider models.

Anthropic Claude

Itinerary reasoning, Travel World curation, AI Concierge responses. Zero-retention via API.

Google Gemini

Vision intelligence, audio transcription, place extraction from videos. Zero-retention via Vertex AI.

OpenAI (where applicable)

Embedding generation for semantic search. Zero-retention via API; data not used for training.

Google Places API

Place resolution, photos, opening hours. Place names sent to Google are not tied to your account identity.

Mapbox

Map tile rendering. We send aggregate viewport coordinates; no per-user identifier.

Pexels

Editorial destination photography. Queries are destination names, not user identifiers.

ReelTrip AI surfaces accommodation, experience, and activity options through third-party booking partners. When you click an option, we redirect you to the partner's website where you complete the booking. We earn an affiliate commission if you book — but the price you pay is the partner's standard price; we do not mark it up.

Current and intended partners

Booking.com · Expedia · GetYourGuide · Viator · Klook · Skyscanner · Hotels.com. Additional partners may be added as integrations launch; the current list is maintained at /partners.

What happens on the partner site

Once you arrive on a partner site, that partner's privacy policy and terms apply. Their cookies, their account, their booking. We have no visibility into whether you complete a booking unless the partner shares that signal back via their affiliate API — and when they do, we receive only aggregate counts and a hashed reference, never your personal payment or contact data.

What cookies we set

Essential

Authentication session, CSRF tokens, cookie-consent state. Cannot be disabled — the service does not work without them. Cleared on sign-out.

Functional

Locale, theme preference, last-viewed-trip. Persistent for 12 months.

Analytics (opt-in)

Privacy-preserving page-view counting via Plausible Analytics — no cross-site tracking, no fingerprinting, no personal data. Only set when you accept analytics in the cookie banner.

Marketing (opt-in)

Currently none. We do not run third-party ad pixels (no Meta Pixel, no Google Ads, no TikTok Pixel). If we ever add one, it will require fresh explicit consent.

Cookie preferences can be revisited at /cookies or by clicking the floating “Privacy choices” control in the page footer.

We share data only with:

Sub-processors

The hosting, identity, AI, payment, and analytics services listed throughout this policy — each under a Data Processing Agreement.

Booking partners

Only the redirect signal described in Section 8. No PII.

Legal authorities

When required by a valid legal process. We publish a transparency report annually summarising the number of requests received.

Successor entity

If ReelTrip AI is acquired or merged, your data may transfer to the successor under the same protections; you will be notified at least 30 days in advance with the option to delete your account first.

For affiliate and booking partners

We operate strict data-minimisation on partner integrations. The only signals we send on a redirect are our affiliate ID and the destination + dates the user has already chosen on ReelTrip AI. We do not share user identifiers, contact information, payment data, or Travel DNA. This is by design: partners can attribute the referral and serve a relevant landing experience; users retain control of what they share on your platform.

For tourism boards and destination partners

Aggregate, fully anonymised destination interest metrics are available to verified tourism board partners — never individual user behaviour. See /partners for the data-sharing framework.

You hold control over your data, regardless of where you live. The rights below are available to every ReelTrip AI user; regional supplements appear in Sections 17–19.

Access

Download a copy of all data we hold on you via Account → Privacy → Export my data. JSON output, fulfilled within 7 days; legal maximum is 30.

Rectify

Correct any inaccurate or outdated data via your profile or by contacting legal@reeltripai.com.

Erase

Permanently delete your account and all associated data via Account → Privacy → Delete account. Hard deletion completes within 30 days; only audit-log entries referencing your former user ID are retained (see Section 13).

Restrict / object

Pause processing for personalisation or marketing without deleting your account. Available from privacy settings.

Portability

Receive your data in a machine-readable JSON format, suitable for transfer to another service.

Withdraw consent

For any processing based on consent (analytics cookies, marketing emails). Withdrawal does not affect prior processing.

Complain

To us first via legal@reeltripai.com, or directly to your supervisory authority (EU national DPA, the California AG, or the Australian OAIC).

Account & trip content

For as long as your account exists. Deleted within 30 days of account erasure.

Travel DNA

Continuously updated while active; deleted within 30 days of account erasure or on manual reset.

Operational logs (IP, user-agent)

IP truncated after 30 days; full log records purged after 90 days.

Audit logs (security forensics)

3 years from the event date. Hashed user references are retained without account-identifying detail.

Billing & invoices

7 years to satisfy Australian tax law obligations.

Support correspondence

24 months from last message.

Marketing consent records

For the duration of consent + 24 months after withdrawal, as proof of compliance.

We treat security as a product-quality property, not an afterthought. The measures below match the P0 + P1 controls described in our internal security architecture documentation.

Encryption in transit

TLS 1.2+ enforced on every endpoint. HSTS with preload. HTTP-to-HTTPS redirect at the edge.

Encryption at rest

AES-256 on all primary data stores (Postgres) and backup snapshots.

Authentication

Delegated to Clerk. MFA available; SSO available on enterprise plans.

Access control

Principle of least privilege. Production access requires hardware-key MFA and is audit-logged. Customer data is segregated by tenant ID at the row level.

Application security

Strict Content-Security-Policy, X-Frame-Options DENY, Permissions-Policy, signed cookies, CSRF tokens, structured rate limiting on every write endpoint.

AI provider isolation

Zero-retention contracts with every AI provider. No customer data flows into model training pipelines.

Logging & monitoring

Structured logging with PII scrubbing, anomaly alerts on auth + privacy endpoints, trace IDs for incident forensics.

Backup & recovery

Daily encrypted backups with documented restore drills; RPO ≤ 24h, RTO ≤ 4h.

Incident response

Documented playbook with notification commitments — Section 18 of the security policy. We will notify affected users within 72 hours of a confirmed personal-data breach.

ReelTrip AI is operated from Australia. Personal data may be processed in Australia, the European Economic Area, the United Kingdom, and the United States, depending on where our sub-processors operate the relevant service.

Transfer safeguards

• EU/UK → US transfers rely on Standard Contractual Clauses (2021/914) plus supplementary measures (encryption, access controls).
• EU/UK → Australia transfers rely on the equivalent Standard Contractual Clauses for non-adequate countries.
• Sub-processor lists and DPAs available on request to legal@reeltripai.com.

ReelTrip AI is intended for users aged 16 or older (or the higher digital-consent age in your jurisdiction). We do not knowingly collect data from anyone under that age. If you believe a minor has created an account, contact legal@reeltripai.com and we will delete the account and associated data without delay.

If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation gives you the rights summarised in Section 12 plus:

• Right to lodge a complaint with your national supervisory authority — list at edpb.europa.eu/members.
• Right to object to processing based on legitimate interest, including all personalisation.
• Right to automated-decision review — note: ReelTrip AI does not make legally significant automated decisions. AI-generated trip recommendations are advisory only and require your action to take effect.

Our EU representative under GDPR Article 27 will be appointed if and when our EU user base passes the threshold requiring one; contact details will be published here at that time. Until then, EU users may reach us directly at legal@reeltripai.com.

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the rights summarised in Section 12 plus:

• Right to know what categories of personal information we collect, the sources, the purposes, and any disclosures.
• Right to delete personal information we hold.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing — not applicable to ReelTrip AI: we do not sell or share personal information as defined by the CCPA. You have nothing to opt out of, but the right exists.
• Right to limit sensitive information use — not applicable; we do not use sensitive personal information for inference beyond the service itself.
• Right to non-discrimination for exercising any of the above.

To exercise CCPA rights, email legal@reeltripai.com with the subject “CCPA request”. We will verify your identity through the email associated with your account and respond within 45 days (extendable once to 90 days if needed, with notice).

ReelTrip AI applies the 13 Australian Privacy Principles (APPs) under the Australian Privacy Act 1988 (Cth) as a matter of practice — regardless of whether the Act binds us by turnover threshold. Australian users hold the rights summarised in Section 12. In addition:

• Anonymity option — you can browse our public marketing surfaces, Travel Worlds, and Discovery Hub without an account. Account creation is required only to save trips, generate itineraries, and access personalisation.
• Direct marketing opt-out — every marketing email contains an unsubscribe link. You can also opt out from Account → Communications.
• Cross-border disclosure — listed in Section 15.
• Complaint process — to us first at legal@reeltripai.com. If unresolved within 30 days, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

We will notify registered users of material changes by email at least 14 days before they take effect, with a plain-language summary of what changed and why. The full version history is maintained in our public repository for transparency. Continued use of the service after the effective date constitutes acceptance of the updated policy.

Privacy & data protection

legal@reeltripai.com
Data subject requests · GDPR / CCPA / APP enquiries · security disclosures · breach notifications

General contact

connect@reeltripai.com
All other enquiries · product feedback · partnership questions

Marketing sender

noreply@reeltripai.com
Marketing and product-update emails originate from this address. Do not reply — use the contact addresses above.

Business identification

ReelTrip AI · ABN 65 969 184 287
Sydney, NSW, Australia
Registered postal address provided to verified regulators and enterprise partners on request. ABN verifiable at abr.business.gov.au.