Private beta
Privacy
How VacationOS handles your trip data, documents, and personal information. Last updated 2026-05-04.
VacationOS is in private beta. This page describes our actual technical posture, not a formal compliance certification. We keep the bar high but treat formal review as work that builds on this foundation.
Two-tier data classification
VacationOS divides trip data into two categories so the rules can be precise:
- Shared trip logistics — flight numbers, airports, hotel name + address, restaurant reservation time, tee times, saved places, general trip notes. Visible to authorized trip members.
- Private / sensitive traveler data — passports, visas, TSA PreCheck / Known Traveler Numbers, redress numbers, frequent-flyer / loyalty numbers, ticket numbers (when sensitive), payment fragments, billing addresses, medical notes, date of birth, and any original confirmation email containing the above. Private by default — only the uploader, the subject-linked user, and explicit grantees can see them.
Who can see private artifacts
A user can read a private artifact when, and only when, at least one of the following holds:
- They uploaded it.
- They are the user linked to the artifact's subject traveler.
- They have an active, explicit grant from the uploader or the subject-linked user. Grants are audited.
The following do not grant access: workspace owner / admin role, vacation planner role, plain vacation membership, platform admin role. If an admin needs to read a private artifact for support, they must be granted access explicitly.
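The read rule above written out as a single authorization predicate, added here as an illustration and not VacationOS's own code. The field names, the revocation and expiry fields on a grant, and the sample users are assumptions; the point it makes explicit is that roles never enter the decision and that only an active grant issued by the uploader or the subject-linked user counts.

```typescript
// Added example, not VacationOS's own code; field and user names are constructed.
type ReadReason = "uploader" | "subject" | "grant";
interface Grant { granteeUserId: string; grantedByUserId: string; revokedAt?: Date; expiresAt?: Date }
interface PrivateArtifact { uploaderUserId: string; subjectUserId?: string; grants: Grant[] }
interface Requester { userId: string; roles: string[] }

// A grant counts only while it is neither revoked nor expired (assumed lifecycle fields).
function grantActive(g: Grant, now: Date): boolean {
  const t = now.getTime();
  return !(g.revokedAt !== undefined && g.revokedAt.getTime() <= t) &&
    !(g.expiresAt !== undefined && g.expiresAt.getTime() <= t);
}

// Why the read is allowed, or null when denied. Roles are deliberately never consulted:
// workspace owner/admin, planner, plain membership and platform admin all fall through.
// A grant counts only if issued by the uploader or the subject-linked user.
function privateArtifactReadReason(a: PrivateArtifact, r: Requester, now: Date): ReadReason | null {
  if (r.userId === a.uploaderUserId) return "uploader";
  if (a.subjectUserId !== undefined && r.userId === a.subjectUserId) return "subject";
  const grantors = new Set<string>([a.uploaderUserId]);
  if (a.subjectUserId !== undefined) grantors.add(a.subjectUserId);
  const ok = a.grants.some(
    (g) => g.granteeUserId === r.userId && grantors.has(g.grantedByUserId) && grantActive(g, now),
  );
  return ok ? "grant" : null;
}

// Constructed sample: alice uploaded bob's passport. carol holds a live grant from bob,
// dave's grant from alice has expired, frank's "grant" came from eve (who may not grant),
// and eve herself is platform admin plus workspace owner with no grant at all.
const NOW = new Date("2026-05-04T12:00:00Z");
const PASSPORT: PrivateArtifact = {
  uploaderUserId: "alice",
  subjectUserId: "bob",
  grants: [
    { granteeUserId: "carol", grantedByUserId: "bob" },
    { granteeUserId: "dave", grantedByUserId: "alice", expiresAt: new Date("2026-05-01T00:00:00Z") },
    { granteeUserId: "frank", grantedByUserId: "eve" },
  ],
};
const REQUESTERS: Requester[] = [
  { userId: "alice", roles: ["member"] }, { userId: "bob", roles: ["member"] },
  { userId: "carol", roles: ["member"] }, { userId: "dave", roles: ["planner"] },
  { userId: "eve", roles: ["platform_admin", "workspace_owner"] }, { userId: "frank", roles: ["member"] },
];

// Decision per requester, the kind of record an audit log would keep (IDs and outcome only).
function decisions(): Record<string, ReadReason | null> {
  const out: Record<string, ReadReason | null> = {};
  for (const r of REQUESTERS) out[r.userId] = privateArtifactReadReason(PASSPORT, r, NOW);
  return out;
}
```

A support engineer with the platform admin role lands in the same bucket as eve: the only path to a yes is an explicit, still-active grant from alice or bob.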
Encryption at rest
Sensitive artifact payloads are encrypted server-side with AES-256-GCM before they're written to the database. A fresh 96-bit IV is used for every encryption (NIST SP 800-38D), and the authentication tag is stored alongside the ciphertext, so a tampered payload or a wrong key fails decryption instead of yielding garbage. Keys live in environment variables and Google Secret Manager, never in the browser bundle and never in logs.
What we store
- Account — your email and display name (managed by Clerk), your platform role, and audit log entries for actions you take in the app.
- Trip data — vacation, traveler, booking, itinerary, place, and memory rows you create or that are derived from forwarded emails / uploaded documents you approve.
- Vault files — passports, visas, insurance documents, anything you upload. Stored in a private Google Cloud Storage bucket, accessible only via short-lived signed URLs we generate per-request.
- Smart Intake emails / documents — the original raw email or document you forwarded, plus the AI-extracted draft. Sensitive items route to private artifacts; safe logistics route to the trip plan.
- Audit log — IDs and high-level metadata for security-relevant events. Never includes raw email bodies, document contents, transcripts, or signed URL strings.
AI providers and what they see
VacationOS uses AI to make draft suggestions you confirm. AI never silently mutates your records. Today we use:
- Google Gemini for Smart Intake parsing, document understanding, and recommendations. Gemini sees the email or document content you forward / upload.
- Deepgram for voice transcription. Deepgram receives the audio you record in the Translate utility.
- Google Cloud Translation for short English↔Japanese phrase translation in the same utility.
We don't send these providers data they don't need. Provider outputs (transcripts, translations, AI extractions) are not logged to our own server logs.
Tenant isolation
Workspaces and vacations are tenant-isolated at the query boundary. Even the platform admin role does not bypass tenant isolation — administrative access requires an explicit workspace membership row. Tenant data never crosses workspaces by design.
Data retention, export, and deletion
During the private beta, account deletion is handled manually — email sri.subra+support@gmail.com and we'll remove your account, trips, vault files, and intake history. A self-service flow is on the roadmap.
We don't expire trip data automatically. Vault files persist until you delete them or your account.
PWA caching
When the offline service worker is enabled, it explicitly skips Vault routes, original email viewers, signed-URL endpoints, and private-artifact pages. Sensitive content never lives in your device's offline cache.
Contact
Questions, deletion requests, or security reports: sri.subra+support@gmail.com.