Privacy Policy
How we collect, use, and protect your data. No legalese traps — just honest disclosure.
Bee.Travel ("we," "us," or "our") operates the website beetravel.co and the Bee.Travel platform (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the choices you have.
By using our Service, you agree to the collection and use of information as described here. If you do not agree, please do not use the Service.
1. Data We Collect
1.1 Data you provide directly
| Data | When | Purpose |
|---|---|---|
| Email address | Account registration | Authentication, account recovery, transactional emails |
| Password (hashed) | Account registration | Authentication only — stored as Argon2id hash, never in plaintext |
| Route preferences | Route generation | Mood, duration, intensity, transport modes — used to generate your route |
| City / location text | Route generation | Determining which city to build a route for |
1.2 Data collected automatically
| Data | Mechanism | Purpose |
|---|---|---|
| Geolocation (latitude/longitude) | Browser Geolocation API — only with your explicit consent | Center route generation around your current location |
| IP address | Server logs, Cloudflare | Security, rate limiting, abuse prevention |
| Browser/device info | HTTP headers | Compatibility, debugging |
1.3 Payment data
We do not collect, store, or process your credit card number, bank account, or other financial instruments. All payment processing is handled entirely by PayPal. When you subscribe or purchase credits, you are redirected to PayPal's checkout. We only receive a transaction confirmation (order ID, payer email, amount, and status) after payment completes.
1.4 Data we do NOT collect
- We do not use analytics trackers (no Google Analytics, no Meta Pixel)
- We do not sell, rent, or share your data with advertisers
- We do not build advertising profiles
- We do not track you across other websites
2. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
| Basis | Applies to |
|---|---|
| Contract performance (Art. 6(1)(b) GDPR) |
Account creation, route generation, subscription management — necessary to deliver the service you signed up for |
| Consent (Art. 6(1)(a) GDPR) |
Geolocation access — you explicitly grant permission via browser prompt; you can revoke at any time |
| Legitimate interest (Art. 6(1)(f) GDPR) |
Security logging (IP addresses), rate limiting, abuse prevention — minimal data, proportionate to security needs |
3. How We Use Your Data
- Route generation: Your location, mood, and preferences are sent to our AI to create personalized walking routes.
- Account management: Email for authentication, password recovery, and service notifications.
- Payment processing: Transaction data to activate subscriptions and credit purchases.
- Security: IP addresses and request metadata for rate limiting, fraud prevention, and server monitoring.
- Service improvement: Aggregated, anonymized usage patterns to improve route quality. We do not profile individual users.
4. Third-Party Data Processors
We share data with the following third-party services, each under their own privacy policy and data processing agreements:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| OpenAI | AI route generation | City name, mood, duration, transport preferences (no email, no account data) | United States |
| Google Maps Platform | Place search, geocoding | Location coordinates, search queries | United States |
| PayPal | Payment processing | Handled on PayPal's domain — we receive only transaction confirmations | United States / EU |
| Render | Application hosting | All server-side data (encrypted at rest and in transit) | United States (Oregon) |
| Cloudflare | CDN, DDoS protection, DNS | IP address, HTTP request metadata | Global edge network |
For EU users: transfers to US-based processors are covered by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable.
5. Cookies and Local Storage
5.1 Cookies we set
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
access_token |
Strictly necessary (httpOnly, Secure) | Authentication session | 15 minutes |
refresh_token |
Strictly necessary (httpOnly, Secure) | Session renewal | 7 days |
Both authentication cookies are httpOnly (inaccessible to JavaScript), Secure (HTTPS only), and SameSite=Lax. They cannot be used for tracking.
5.2 Local Storage
We store non-sensitive user metadata (user ID, email, account type) in your browser's localStorage to maintain UI state. This data is never sent to third parties and is cleared when you log out.
5.3 Third-party cookies
Cloudflare may set a __cf_bm cookie for bot detection. PayPal sets cookies
during the checkout flow on their own domain. We do not set any advertising or analytics cookies.
6. Data Retention
| Data | Retention period |
|---|---|
| Account data (email, hashed password) | Until you delete your account |
| Saved routes | Until you delete them, or until account deletion |
| Payment records | 7 years (legal/tax obligation) |
| Server logs (IP, requests) | 30 days, then automatically purged |
| Geolocation data | Not stored — used in-memory for route generation only |
7. Your Rights
7.1 GDPR rights (EU/EEA users)
Under the General Data Protection Regulation, you have the right to:
- Access — Request a copy of all personal data we hold about you
- Rectification — Correct inaccurate or incomplete data
- Erasure ("right to be forgotten") — Request deletion of your account and associated data
- Restriction — Request that we limit processing of your data
- Portability — Receive your data in a structured, machine-readable format
- Objection — Object to processing based on legitimate interest
- Withdraw consent — Revoke geolocation or other consent at any time (via browser settings)
To exercise any of these rights, email us at the address below. We will respond within 30 days as required by law.
7.2 CCPA rights (California residents)
Under the California Consumer Privacy Act, you have the right to:
- Know — Request what personal information we collect, use, and disclose
- Delete — Request deletion of your personal information
- Opt-out of sale — We do not sell your personal information to any third party
- Non-discrimination — We will not discriminate against you for exercising your rights
To submit a CCPA request, email us at the address below. We will verify your identity and respond within 45 days.
8. Data Security
We implement the following security measures to protect your data:
- Encryption in transit: All connections use TLS 1.2+ (HTTPS enforced via HSTS with preload)
- Encryption at rest: Database hosted on Render with encrypted storage
- Password hashing: Argon2id with 64 MiB memory cost — industry-leading password protection
- Authentication tokens: httpOnly, Secure cookies — no tokens in JavaScript-accessible storage
- Content Security Policy: Nonce-based CSP preventing cross-site scripting (XSS)
- CORS: Restricted to beetravel.co — no wildcard origins
- Rate limiting: Protection against brute-force and abuse
No system is 100% secure. If we discover a data breach affecting your personal data, we will notify you and relevant authorities within 72 hours as required by GDPR.
9. AI-Generated Routes and Data Processing
When you generate a route, we send your city, mood, duration, and transport preferences to OpenAI's API. We do not send your email address, account information, or any personally identifiable information to OpenAI.
Per OpenAI's API data usage policy, data sent through their API is not used to train their models. Route generation inputs are processed in real-time and not retained by OpenAI beyond the API request lifecycle.
10. Children's Privacy
Bee.Travel is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. International Data Transfers
Our servers are located in the United States (Render, Oregon region). If you are accessing the Service from the EU/EEA, UK, or other jurisdictions with data protection laws, your data will be transferred to and processed in the United States.
We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the EU-US Data Privacy Framework to ensure adequate protection for international transfers.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and update the "Effective date" below. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
For privacy-related questions, data requests, or concerns:
- Email: privacy@beetravel.co
- Subject line: "Privacy Request" (for GDPR/CCPA requests, include your account email)
If you are in the EU and are unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority (DPA).
Effective date: March 1, 2026 · Last updated: March 1, 2026