Privacy Policy

Last updated: April 7, 2026

Serendipity Nippon Travel ("we," "us," or "our") operates an AI-powered travel planning platform specializing in Japan itineraries. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.

1. Information We Collect

1.1 Information You Provide

  • Account information: Name, email address, and password when you create an account.
  • Travel preferences: Destinations, dates, budget, dietary restrictions, accessibility needs, and other preferences you share to generate itineraries.
  • Communication data: Messages you send through our contact forms or email correspondence.
  • Payment information: Processed securely through our third-party payment processor. We do not store full payment card details on our servers.

1.2 Information Collected Automatically

  • Device and usage data: IP address, browser type, operating system, referring URLs, pages viewed, and interaction patterns.
  • Cookies and similar technologies: See Section 5 below for details.

2. How We Use Your Information

We use the information we collect to:

  • Generate personalized AI-crafted Japan travel itineraries.
  • Facilitate review and refinement of itineraries by our local Japan travel specialists.
  • Process transactions and send related notifications.
  • Send transactional emails such as booking confirmations and itinerary updates.
  • Improve our AI models and service quality.
  • Respond to your inquiries and provide customer support.
  • Analyze usage trends to improve the platform experience.
  • Comply with legal obligations.

3. AI Data Processing

Our platform uses artificial intelligence to generate travel recommendations. Your travel preferences and inputs are processed by our AI systems to create personalized itineraries. We ensure that:

  • AI-generated itineraries are reviewed by human travel specialists.
  • Your personal data is not used to train third-party AI models without your explicit consent.
  • You can request a human-only review of any AI-generated recommendation.

4. Third-Party Services & Data Processors

We share data with the following third-party service providers (data processors) to operate our platform. Each processor receives only the minimum data necessary for its specific purpose, under a Data Processing Agreement (DPA).

Service | Data Received | Purpose | Processing Location
Google Analytics 4 | IP address (anonymized), browsing behavior, device info | Website analytics and usage tracking | United States
AI Provider (Anthropic / OpenAI) | Travel preferences, dates, party size, budget | AI itinerary generation | United States
Resend | Name, email address | Transactional email delivery | United States
Supabase | All lead and trip data | Database storage | Tokyo, Japan
Stripe | Payment card details, billing info | Payment processing | United States

We do not sell your personal data to third parties. Data shared with service providers is limited to what is necessary for the specific service they provide.

5. Cookies

We use the following types of cookies:

  • Strictly necessary cookies: Required for the website to function, such as session management and security tokens.
  • Analytics cookies: Help us understand how visitors interact with our website, including Google Analytics 4.
  • Functional cookies: Remember your preferences such as language and theme settings.

You can manage your cookie preferences through our cookie consent banner. You may also configure your browser to block or delete cookies, though this may affect your experience on our site.

6. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure: Request deletion of your personal data.
  • Right to restrict processing: Request limitation of how we process your data.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or direct marketing.
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, please contact us at the email address below. We will respond to your request within 30 days.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law. Account data is retained for the duration of your account and for up to 3 years after account deletion for legal compliance purposes. Analytics data is retained for up to 14 months.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS), secure database access controls, and regular security assessments.

9. International Data Transfers

Your primary data is stored in Tokyo, Japan (Supabase database). Certain processing activities involve transfers to the United States, specifically:

  • AI itinerary generation: Travel preferences are sent to US-based AI providers for processing and immediately discarded after generation.
  • Email delivery: Name and email address are transmitted to send transactional notifications.
  • Analytics: Anonymized browsing data is processed in the US under Google consent mode v2.
  • Payment processing: Payment data is handled in the US under PCI DSS compliance.

For EU/EEA users: Japan has been granted an adequacy decision by the European Commission (January 2019, renewed), meaning transfers from the EU to Japan are considered to provide an adequate level of data protection. For transfers from Japan to the United States, each US-based service provider operates under a Data Processing Agreement (DPA) that includes Standard Contractual Clauses (SCCs) or equivalent safeguards.

Under Japan's APPI: Cross-border transfers to the US are covered by our contractual arrangements with each processor, ensuring equivalent protection as required under Article 28 of the Act on the Protection of Personal Information.

10. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised last-updated date. We encourage you to review this page periodically.

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us: