Privacy Policy

Last updated · May 2026

This Privacy Policy explains how CostaTrip AI S.L. (en constitución) collects, uses and protects your personal data when you use our website and AI itinerary services. We comply with the EU General Data Protection Regulation (GDPR) and the Spanish Organic Law 3/2018 on Data Protection (LOPDGDD).

1. Data controller

CostaTrip AI S.L. (en constitución), Costa del Sol, Málaga, España. Contact: info@costatripai.com.

2. Data we collect

  • Registration data: name, email address, password, Google OAuth identifier.
  • Usage data: chat conversations, generated itineraries, trip preferences and destination searches.
  • Payment data: billing information processed exclusively by Stripe — we never store full card details.
  • Technical data: IP address, browser type, device information and cookies.

3. Legal basis for processing

  • Contract performance: to provide the itinerary service you signed up for.
  • Legitimate interest: fraud prevention, service security and analytics.
  • Consent: marketing communications and non-essential cookies.
  • Legal obligation: accounting, tax and regulatory requirements.

4. Third-party processors

  • Supabase — database and authentication hosting within the EU.
  • Stripe — payment processing. PCI-DSS Level 1 certified.
  • Anthropic — AI itinerary generation. Data is not used for model training.
  • Cloudflare — DNS, caching and email routing.
  • Unsplash — royalty-free photography for itinerary PDFs.

5. Your rights

Under the GDPR you may at any time request access to, rectification, erasure or portability of your personal data, or object to its processing. Write to info@costatripai.com. You may also lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.

6. Data retention

  • Account data: retained while your account is active and for 30 days after deletion.
  • Payment data: retained for 5 years per Spanish accounting law.
  • Chat and itinerary data: deleted 30 days after account deletion.

7. International transfers

All third-party providers listed above operate under EU Standard Contractual Clauses (SCCs) or are based within the European Economic Area. Your data is not transferred to jurisdictions without adequate protection.

8. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice. Last updated: May 2026.