Privacy Policy
Last updated: 19 April 2026
1. Introduction
VoyageTrail ("we", "us", "our") is a cruise and flight travel tracking service operated from the United Kingdom. We are committed to protecting your personal data and respecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have in relation to your data when you use our service at my.voyagetrail.app and related subdomains (collectively, the "Service").
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The data controller responsible for your personal data is VoyageTrail, contactable at:
- Email: hello@voyagetrail.app
3. Personal Data We Collect
3.1 Account Information
When you create an account, we collect:
- Email address — used for authentication, email verification, and service communications.
- Display name — your chosen name displayed within the Service.
- Password — stored securely using Argon2 hashing. We never store your password in plain text and cannot retrieve it. If you sign in via a third-party identity provider (see below), no password is stored.
- Account role — your permission level within the Service (e.g. user, admin).
3.1.1 Third-Party Sign-In (Identity Providers)
You may create an account or sign in using a third-party identity provider. We currently support:
- Google (via Google OAuth 2.0)
When you sign in with a third-party provider, we receive your email address, display name, and profile picture URL from that provider. We do not receive or store your password for that provider. The provider may also share a unique account identifier which we use solely to link your VoyageTrail account to your provider account.
Your use of a third-party identity provider is governed by that provider's own privacy policy and terms of service. We encourage you to review them:
- Google: policies.google.com/privacy
You can disconnect a third-party provider from your account at any time via Settings. Disconnecting removes the stored link between your VoyageTrail account and the provider but does not delete your VoyageTrail account or travel data.
3.2 Travel Data
When you use the Service, you may voluntarily provide:
- Cruise voyage records — ship names, itineraries, ports of call, dates, cabin details, and related notes.
- Flight records — departure and arrival airports, dates, airlines, seat information, and related notes.
- Visited countries — countries derived from your travel records or manually added.
- Custom fields — any additional data you choose to add to your travel records.
3.3 AIS Ship Tracking Data
To enhance your cruise records with accurate route and port data, we use Automatic Identification System (AIS) satellite data provided by third-party APIs. This data relates to ship positions, not to you personally. We cache ship position data to improve service performance. AIS data is associated with your cruise records only when you use the route-building feature.
3.4 Billing Information
If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not collect or store your credit card number, bank account details, or other payment instrument data on our servers. We receive from Stripe:
- Your Stripe customer ID.
- Subscription status (active, cancelled, trialling, past due).
- Current billing period dates.
- The plan and price you are subscribed to.
Stripe processes your payment data under its own privacy policy, available at stripe.com/privacy.
3.5 Technical Data
When you access the Service, our hosting infrastructure may automatically log:
- IP address (for security and abuse prevention).
- Browser type and version.
- Request timestamps.
3.6 Advertising Measurement (Consent-Based)
On our marketing website (voyagetrail.app), we use Google
Ads conversion tracking to measure the effectiveness of our
advertising campaigns. This tracking is disabled by default
and loads only if you explicitly accept via our cookie consent banner.
If you accept, Google Ads may set cookies (for example
_gcl_au) that allow Google to attribute a waitlist
signup or registration on our site to a specific ad click. Google
also receives your IP address and basic browser metadata as part of
serving the script. We do not pass your email address, travel
records, or any other personal data to Google.
You can withdraw consent at any time by clearing the
vt_consent item from your browser's site storage for
voyagetrail.app, which will re-display the banner on
your next visit. Conversion tracking is not used anywhere on the
logged-in application (my.voyagetrail.app).
Google's processing is governed by Google's own privacy policy at policies.google.com/privacy.
4. How We Use Your Data
We process your personal data on the following lawful bases under UK GDPR:
4.1 Performance of Contract (Article 6(1)(b))
- Providing and maintaining the Service.
- Managing your account and authentication.
- Processing subscriptions and managing your billing relationship via Stripe.
- Displaying your travel data on the interactive map and in statistics.
- Fetching AIS data and itinerary information to populate your cruise records.
- Enabling data export and account deletion.
4.2 Legitimate Interests (Article 6(1)(f))
- Sending transactional emails (email verification, password-related communications, important service updates).
- Preventing fraud, abuse, and unauthorised access.
- Improving the Service based on aggregate, anonymised usage data.
4.3 Consent (Article 6(1)(a))
Where we rely on your consent for any processing activity, you may withdraw consent at any time by contacting us at hello@voyagetrail.app. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
5. Cookies and Local Storage
We use a minimal number of cookies and local storage items:
| Name | Purpose | Type | Duration |
|---|---|---|---|
| Session cookie | Authenticates your logged-in session | Strictly necessary | 30 days |
| Theme preference | Stores your light/dark mode choice | Functional | Persistent |
| Beta acceptance | Records whether you have accepted beta terms | Functional | Persistent |
vt_consent | Records your choice from the consent banner (marketing site only) | Functional | Persistent |
_gcl_au and related Google Ads cookies | Ads conversion tracking — loaded on the marketing site only if you accept via the consent banner | Advertising (consent required) | Up to 90 days |
On the logged-in application (my.voyagetrail.app), we
use only strictly necessary and functional cookies. On the marketing
site (voyagetrail.app), advertising cookies are loaded
only after you explicitly accept them via the consent banner — if
you decline, no advertising cookies are set.
6. Data Processors and Third-Party Services
We share your personal data with the following third-party service providers ("data processors") who process data on our behalf:
| Category | Purpose | Data Shared | Location |
|---|---|---|---|
| Cloud hosting provider | Application and database hosting | All Service data (encrypted in transit and at rest) | EU/UK region |
| Payment processor | Subscription billing and payment processing | Email, subscription details, payment information | United States (with EU/UK safeguards) |
| Email delivery provider | Transactional email delivery | Email address, email content | United States (with EU/UK safeguards) |
| Maritime data provider | AIS ship position data | Ship identifiers only (no personal data) | EU |
| CDN and DNS provider | Content delivery and DNS for marketing site | IP address, request metadata | Global (with EU/UK safeguards) |
| Identity provider (Google) | Account authentication via OAuth 2.0 | Email address, display name, profile picture URL, unique account identifier | United States (with EU/UK safeguards) |
| Error tracking provider | Application error monitoring and diagnostics | IP address, browser metadata, error context (no travel data) | EU (Frankfurt) |
| Advertising platform (Google Ads) | Conversion tracking on the marketing site — consent-based only | IP address, browser metadata, conversion events (no email, travel records, or account data) | United States (with EU/UK safeguards) |
Each processor is contractually obligated to protect your data and process it only on our instructions. Where processors are located outside the UK, appropriate safeguards are in place (such as Standard Contractual Clauses or UK International Data Transfer Agreements).
7. Public Cruise and Flight Sharing
When you create a public share link for a cruise or flight, the selected cruise information becomes accessible to anyone who has the link. You control what's included via privacy toggles — by default, ship name, cruise line, ports visited, dates, and sailing statistics are shown, while cabin number and personal notes are hidden.
For flight shares, you can similarly control what's visible via privacy toggles. By default, the flight number, airports, airline, and aircraft type are shown. Seat number, cabin class, and personal notes are hidden by default — you can opt to include them before sharing.
For flights with multiple passengers (e.g. you and a partner sharing the same flight), each passenger can create their own independent share link. A share link only ever shows the information belonging to the passenger who created it — other passengers' seat data and notes are never included in someone else's share.
You can revoke any share link at any time from Settings → Shared cruises, which immediately disables the link and removes the cached social preview image from our CDN.
Share links may be cached by third-party services (such as Facebook or X/Twitter) for preview purposes. VoyageTrail does not control third-party caches; revoked shares may continue to show a cached preview on those services until their cache expires.
8. International Data Transfers
Our primary hosting infrastructure is located in the EU/UK region. Some of our data processors operate globally and may transfer data outside the UK and the European Economic Area (EEA). Where such transfers occur, we ensure that adequate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- UK International Data Transfer Agreements (IDTAs) or Addenda.
- The processor's participation in recognised data protection frameworks.
9. Data Retention
We retain your personal data for as long as your account is active.
- Account data and travel records are retained until you delete your account.
- Billing records may be retained for up to 7 years after your last transaction to comply with UK tax and accounting obligations.
- Server logs containing IP addresses are retained for no longer than 90 days.
- AIS ship position data (which does not contain personal data) is retained indefinitely to improve service quality.
When you delete your account, all personal data is permanently erased from our database within 30 days, except where retention is required by law.
10. Your Rights Under UK GDPR
As a data subject, you have the following rights under UK GDPR. You can exercise any of these rights by contacting us at hello@voyagetrail.app.
10.1 Right of Access (Article 15)
You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of that data. You can export all your data at any time from your account settings in JSON or CSV format.
10.2 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected. You can update your email address, display name, and travel records directly within the Service at any time.
10.3 Right to Erasure (Article 17)
You have the right to request the deletion of your personal data. You can delete your account and all associated data at any time from your account settings. Deletion is permanent and cannot be reversed.
10.4 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. The data export feature in your account settings provides your data in JSON and CSV formats.
10.5 Right to Restrict Processing (Article 18)
You have the right to request the restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
10.6 Right to Object (Article 21)
You have the right to object to the processing of your personal data where we rely on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
10.7 Right to Lodge a Complaint
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Passwords are hashed using Argon2 (an industry-leading hashing algorithm). We cannot view or retrieve your password.
- All data in transit is encrypted using TLS (HTTPS).
- Database connections are encrypted.
- Session-based authentication with secure, HTTP-only cookies.
- Role-based access controls to restrict data access to authorised personnel.
While we take all reasonable precautions, no method of electronic storage or transmission is 100% secure. If you become aware of any security breach, please notify us immediately at hello@voyagetrail.app.
12. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at hello@voyagetrail.app.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (using the address associated with your account) or by placing a prominent notice within the Service at least 14 days before the changes take effect.
We encourage you to review this page periodically. Your continued use of the Service after changes take effect constitutes acceptance of the revised Privacy Policy.
14. Contact Us
If you have any questions about this Privacy Policy, your personal data, or wish to exercise any of your rights, please contact us:
- Email: hello@voyagetrail.app