Skip to main content

Legal

Privacy Policy

Last updated: March 27, 2026

1. Introduction

LokaLens (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains what personal data we collect when you use the LokaLens travel itinerary platform (the “Service”), how we use it, and your rights regarding that data.

This policy applies to all users of the Service, including visitors and registered account holders, wherever you are located. It should be read alongside our Terms of Service.

2. Information We Collect

Account data

When you sign in with Google, we receive your name, email address, and profile photo from Google as part of the OAuth 2.0 authentication flow. We store this information to identify your account and personalise your experience.

Taste profile

When you complete the onboarding quiz, we store your responses (e.g., preferred vibe, activity level, food interest, budget style). We generate a numerical “taste embedding” — a mathematical representation of your preferences — using OpenAI's embedding API. This embedding is stored in our database and used to rank venue recommendations. We also collect interaction signals (saves, skips, visited markers, thumbs-down feedback) to refine your taste profile over time.

Itinerary and trip data

We store itineraries you generate, including destination, travel dates, stay address (if provided), transport preferences, and the resulting day-by-day schedule. This data is associated with your account and used to display your trip history.

Usage data

We collect information about how you use the Service — features accessed, itineraries generated, Trama-it adjustments applied, and subscription tier changes. This data is used for service improvement and is not sold to third parties.

Technical data

When you use the Service, our hosting provider (Vercel) and error monitoring tool (Sentry) may automatically collect your IP address, browser type, operating system, and request logs. Sentry error reports are configured to mask personal information where possible. Server logs are retained for up to 30 days.

3. How We Use Your Information

  • Providing the Service: Your account data and taste profile are used to generate personalised itineraries and display your trip history.
  • Personalisation: Your taste embedding and interaction signals are used to rank venue candidates by cosine similarity — surfacing places most aligned with your preferences.
  • Billing: Your email is shared with Stripe to manage your subscription. We do not store or process card details directly.
  • Error monitoring: Technical error data is sent to Sentry to help us diagnose and fix issues. Sentry is configured to mask text content and block media captures in session replays.
  • Service improvement: Aggregated, anonymised usage patterns help us understand which features are most useful and where the product can be improved.
  • Legal compliance: We may process data where required by applicable law or to defend against legal claims.

We do not use your personal data for advertising, profiling for third-party purposes, or automated decision-making that produces legal effects.

4. Data Sharing and Third Parties

We do not sell your personal data. We share data only with the following service providers, strictly to operate the Service:

  • Anthropic (Claude API) — We send destination, preference constraints, and pre-filtered venue lists to Claude to generate itinerary narratives. We do not send your name, email, or account identifiers to Anthropic.
  • OpenAI (Embeddings API) — We send your quiz responses (serialised to text) and venue descriptions to OpenAI's text-embedding-3-small model to generate taste and venue embeddings. We do not send your name or email to OpenAI.
  • Stripe — Your email address and payment details are shared with Stripe to process subscriptions. Stripe is a PCI DSS Level 1 certified provider.
  • Google — We use Google OAuth for authentication and Google Places API for venue data. Your use of Google sign-in is subject to Google's Privacy Policy.
  • Foursquare — Venue metadata (names, categories, ratings) is retrieved from the Foursquare Places API. No personal data is shared with Foursquare.
  • Mapbox — Map tiles and geocoding requests are processed by Mapbox. Your IP address may be transmitted to Mapbox as part of tile requests.
  • Sentry — Application error reports, including stack traces and anonymised request data, are sent to Sentry. Session replay content is masked.
  • Vercel — The Service is hosted on Vercel's infrastructure. Request logs including IP addresses are retained for up to 30 days.
  • Neon — Your account, itinerary, and taste profile data is stored in a PostgreSQL database hosted by Neon on AWS us-east-1.
  • Cloudflare R2 — Venue photos are served from Cloudflare's R2 CDN. No personal data is stored in R2.

We may also disclose data if required by law, court order, or to protect the safety, rights, or property of LokaLens or others.

5. Data Retention

We retain your account data and itineraries for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g., financial records for 7 years). Anonymised, aggregated usage data may be retained indefinitely.

Interaction signals (saves, skips, etc.) and taste embeddings are deleted when you delete your account. You may also reset your taste profile at any time from your profile settings without deleting your account.

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Ask us to correct inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data (“right to be forgotten”). You can initiate this by deleting your account in profile settings.
  • Portability: Request your data in a machine-readable format.
  • Objection / Restriction: Object to or request restriction of certain processing activities.
  • CCPA (California residents): You have the right to know what personal information we collect, the right to delete it, and the right to opt out of the “sale” of personal information. We do not sell personal information.

To exercise any of these rights, email us at privacy@lokalens.com. We will respond within 30 days. We may need to verify your identity before processing your request.

7. Cookies and Local Storage

We use the following storage mechanisms:

  • Session cookies: Set by NextAuth to maintain your authenticated session. These are strictly necessary and cannot be disabled while using the Service.
  • localStorage: Used to save partial quiz state across page reloads so you don't lose progress. This data stays on your device and is not transmitted to our servers until you submit the quiz.

We do not currently use advertising cookies or cross-site tracking. If we add analytics cookies in the future, we will update this policy and seek consent where required.

8. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will promptly delete it.

9. International Data Transfers

LokaLens is operated from the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal basis for these transfers, where applicable through our sub-processors.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including TLS encryption in transit, encrypted database connections (SSL required), JWT-based session management, and access controls limiting who can query production data.

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately.

11. Legal Basis for Processing (EEA/UK Users)

For users in the EEA and UK, we process personal data under the following legal bases:

  • Contract: Processing necessary to provide the Service you requested (account management, itinerary generation, billing).
  • Legitimate interests: Error monitoring, fraud prevention, and service improvement, where not overridden by your rights.
  • Legal obligation: Retention of financial records as required by law.
  • Consent: Where we ask for your consent (e.g., optional analytics in future), you may withdraw it at any time.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page and, where required by law, by sending you an email notification. Your continued use of the Service after any changes indicates your acceptance of the updated policy.

13. Contact and Data Controller

LokaLens is the data controller for personal data processed through the Service. If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: privacy@lokalens.com
Mailing address: LokaLens, Legal Department, [Address]

EEA and UK users may also lodge a complaint with their local supervisory authority. A list of supervisory authorities is available at edpb.europa.eu.

This Privacy Policy was last updated on March 27, 2026. Previous versions are available upon request.