Privacy Policy

This Privacy Policy explains what data DayHop collects, how we use it, and your rights. We keep it straightforward — no 40-page legal documents.

1. Data We Collect

Account information

When you create an account, we collect:

• Email address — for login, verification, and transactional emails (password resets, subscription confirmations).
• Password — stored as a bcrypt hash. We never see or store your plaintext password.
• Display name — optional, shown on shared itineraries.
• OAuth data — if you sign in with Google or Facebook, we receive your email and profile name from the OAuth provider. We don't access your contacts, photos, or other account data.

Usage data

We collect anonymous analytics to understand how people use DayHop:

• Events: Page views, searches, itinerary saves, feature usage. Stored with a hashed IP (not your actual IP) and a random visitor ID.
• Device info: Device type (mobile/desktop/tablet), browser, referrer URL.
• Cities searched: Which cities you plan trips for — used to improve recommendations.

Itinerary data

Itineraries you save include the city, selected places, notes, and preferences. Shared itineraries are publicly accessible via their URL. Private itineraries are only visible to you.

Payment data

Pro subscriptions are processed by Stripe. We store your Stripe customer ID and subscription status. We never see or store your credit card number, CVV, or billing address — that's handled entirely by Stripe.

Cookies

We use the following cookies:

• Session cookie (dh_token) — HTTP-only, secure JWT for authentication. Expires when you log out or after 30 days.
• Visitor ID (dh_visitor) — anonymous random ID for analytics. No personal data.
• Theme preference — remembers your light/dark mode choice.

We do not use third-party tracking cookies, advertising cookies, or cross-site tracking pixels.

2. How We Use Your Data

• Provide the service: Generate itineraries, save your trips, process payments.
• Improve recommendations: Aggregate (non-personal) search patterns help us improve city coverage and place quality.
• Transactional email: Account verification, password resets, subscription receipts. Sent via our email provider.
• Drip campaigns: If you provide your email (e.g., via lead capture), we may send a limited series of travel tips. You can unsubscribe from any email with one click.
• Web push notifications: Only if you explicitly opt in. Morning trip reminders and travel tips.
• Security: IP hashing and rate limiting to prevent abuse.

We do not sell your data. We do not share personal data with advertisers. We do not build advertising profiles.

3. Third-Party Services

DayHop shares limited data with these services to function:

• Google Places API: Your searched city name is sent to Google to fetch place data. Google's Privacy Policy applies.
• Stripe: Payment and subscription data. Stripe's Privacy Policy applies.
• OpenWeatherMap: City name sent for weather data.
• Ticketmaster: City name sent for event listings.
• Google/Facebook OAuth: If you use social login, the OAuth provider shares your email and name with us per their policies.

We do not share your email, password, itineraries, or personal data with any of these services beyond what's described above.

4. Data Retention

• Account data: Retained while your account is active. Deleted within 30 days of account deletion.
• Itineraries: Retained while your account is active. Shared itineraries remain accessible until you delete them or your account.
• Analytics events: Retained for 12 months, then automatically purged.
• Email tokens: Verification and reset tokens expire within 1 hour and are single-use.
• API caches: Place data and search results are cached for performance and expire automatically.

5. Your Rights

Regardless of where you live, you have these rights:

• Access: Request a copy of your data by emailing us.
• Correction: Update your email, name, or password from your account settings.
• Deletion: Request complete account and data deletion by emailing us. We'll process it within 30 days.
• Portability: Request your itinerary data in a machine-readable format (JSON).
• Opt out of marketing: Unsubscribe from any email with one click. Transactional emails (password resets, billing) are not marketing.

GDPR (EU/EEA users)

If you're in the EU or EEA, you have additional rights under GDPR:

• Legal basis: We process your data based on (a) your consent (account creation, email opt-in), (b) contract performance (providing the service you signed up for), and (c) legitimate interest (security, analytics).
• Right to object: You can object to processing based on legitimate interest.
• Right to restrict processing: You can request we limit how we use your data.
• Data Protection Authority: You have the right to lodge a complaint with your local data protection authority.
• Data transfers: Your data is processed on servers in the United States. By using DayHop, you consent to this transfer.

CCPA (California users)

If you're a California resident:

• We do not sell your personal information.
• You have the right to know what data we collect and request its deletion.
• We will not discriminate against you for exercising your privacy rights.

6. Children's Privacy

DayHop is not intended for children under 16. We don't knowingly collect data from children under 16. If you believe a child has provided us personal data, contact us and we'll delete it promptly.

7. Security

We take reasonable measures to protect your data:

• Passwords are bcrypt-hashed (never stored in plaintext).
• Authentication cookies use Secure and HttpOnly flags.
• API endpoints are rate-limited.
• Sensitive tokens (email verification, password reset) are SHA-256 hashed, single-use, and expire within 1 hour.
• All connections use HTTPS/TLS encryption.

No system is 100% secure. If we become aware of a data breach affecting your personal data, we'll notify you within 72 hours as required by GDPR.

8. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email (if you have an account) or a notice on the site. The "Last updated" date at the top reflects the most recent revision.

9. Contact

Privacy questions, data requests, or concerns:

• Email: dayhop@polsia.app
• Subject line: "Privacy Request" for data access/deletion requests.

We aim to respond to all privacy requests within 30 days.