Your privacy is not negotiable
We believe your travel data belongs to you. This policy explains exactly what we collect, why we collect it, and how you stay in control — always.
Last Updated: March 2026
Information We Collect
We collect only what we need to provide you with a great travel planning experience. Here's a transparent breakdown of each category:
Account & Profile Information
When you create an account, we collect your name, email address, and a password (stored as a secure hash — we never see your plain-text password). If you sign in via Google or another OAuth provider, we receive only the profile information that provider shares with us.
Trip & Itinerary Data
Everything you create in sootcase — trips, itineraries, notes, packing lists, destination preferences — is stored and associated with your account. This is the core of what makes sootcase useful.
Uploaded Documents & Photos
Documents you upload (passports, visas, booking confirmations, photos) are stored securely. We process metadata such as file name, size, and upload date. We do not perform OCR or AI analysis on your uploaded documents without your explicit action.
Usage & Interaction Data
- Pages and features you visit within the app
- Features you interact with and how frequently
- Error logs and performance data to help us improve stability
- Peggy AI conversation history (stored to improve context across sessions)
Device & Technical Data
- IP address (used for security and fraud prevention)
- Browser type and version
- Device type and operating system
- Timezone and general region (not precise GPS location)
We do not collect precise GPS location, financial data, or biometric information. We do not access your device contacts, camera, or microphone except when you explicitly initiate an upload.
How We Use It
Every piece of data we collect has a specific, intentional purpose. We do not use your data for advertising or share it with data brokers — ever.
Providing the Service
Operating your trips, syncing itineraries, powering Peggy AI responses, and enabling group collaboration.
Personalisation
Learning your travel preferences so Peggy can make smarter, more relevant recommendations over time.
Security & Fraud Prevention
Detecting unauthorised access, investigating suspicious activity, and protecting your account.
Product Improvement
Understanding which features are most useful, identifying bugs, and prioritising our roadmap.
Communications
Sending transactional emails (password resets, trip invites) and, if you opt in, product update newsletters.
Legal Compliance
Meeting our obligations under applicable laws, including GDPR, CCPA, and other regional regulations.
Data Storage & Security
We take security seriously and have designed our infrastructure with multiple layers of protection.
Encryption
All data is encrypted in transit using TLS 1.3. All data at rest is encrypted using AES-256. This includes your documents, trip data, and personal information.
Infrastructure
sootcase is built on infrastructure provided by Vercel (hosting and serverless functions), Neon (PostgreSQL database), and Vercel Blob (document and photo storage). All providers are SOC 2 Type II certified and maintain their own robust security programmes.
Access Controls
- Employee access to production data is strictly limited and logged
- We use the principle of least privilege — employees only access what they need
- All internal access requires multi-factor authentication
- Database credentials are rotated regularly and never committed to code
Data Retention
We retain your data for as long as your account is active. If you delete your account, we remove your personal data within 30 days. Anonymised, aggregated analytics may be retained indefinitely as they cannot be linked back to you. Backups are retained for 90 days.
Breach Response
In the unlikely event of a data breach affecting your personal information, we will notify you within 72 hours of becoming aware, in compliance with GDPR and applicable regulations. We will provide clear information about what was affected and what we are doing to address it.
Third-Party Services
sootcase integrates with carefully selected third-party services. We share only the minimum data necessary for each integration to function.
We do not use advertising networks, sell data to data brokers, or embed third-party tracking pixels. All AI processing through OpenAI is governed by a data processing agreement that prohibits using your data for model training.
Your Rights
Depending on where you live, you may have specific legal rights regarding your personal data. We honour these rights for all users regardless of jurisdiction.
Right to Access
Request a complete export of all personal data we hold about you, delivered in a machine-readable format within 30 days.
Right to Correction
Update or correct any inaccurate personal information directly in your account settings, or by contacting us.
Right to Deletion
Request deletion of your account and all associated personal data. We process deletion requests within 30 days.
Right to Portability
Export your trips, itineraries, documents, and profile data in standard formats (JSON, PDF) at any time from your account.
Right to Opt-out of Marketing
Unsubscribe from non-essential communications at any time using the link in any email, or via account settings.
Right to Restriction of Processing
Request that we limit how we use your data while a complaint or correction request is being processed.
Right to Object to Processing
Object to processing of your data where we rely on legitimate interests as our legal basis. We will comply unless we have compelling grounds.
To exercise any of these rights, email us at privacy@sootcase.com. We will respond within 30 days. We may need to verify your identity before processing certain requests.
EU/EEA & UK users: You have additional rights under the GDPR and UK GDPR respectively, including the right to lodge a complaint with your local supervisory authority. Our legal basis for processing is generally contract performance, legitimate interests, or your consent (for optional features).
Children's Privacy
sootcase is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@sootcase.com and we will delete that information promptly.
For users between 13 and 18, we encourage parental involvement in understanding how the service works. Certain features, such as group trip collaboration, may involve sharing information with other users, which parents should be aware of.
Changes to Policy
We may update this Privacy Policy from time to time as sootcase evolves. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Send an email notification to all registered users
- Show an in-app banner for 30 days following the change
- Maintain a changelog of substantive changes on this page
For non-material changes (such as fixing typos or clarifying existing language), we may update this page without formal notice. We encourage you to review this policy periodically.
Your continued use of sootcase after a policy change constitutes your acceptance of the updated terms. If you do not agree with a change, you may delete your account at any time.
Previous Versions
This is the initial version of our Privacy Policy, effective March 2026. As we publish updates, previous versions will be archived and available on request by emailing privacy@sootcase.com.
Contact Us
If you have any questions, concerns, or requests related to this Privacy Policy or your personal data, we want to hear from you.
Privacy Team
privacy@sootcase.com
Response within 2 business days
General Support
support@sootcase.com
For account and product questions
Questions about your account data?
You can export or delete your data directly from your account settings.