1. Overview
TravlBox is a mobile application that helps you manage travel bookings in one place. You connect TravlBox by forwarding booking confirmation emails to a dedicated address. We extract the trip details from those emails, store them securely, and present them as a structured itinerary inside the app. An AI assistant lets you ask questions about your bookings.
Because your emails may contain sensitive personal and financial information, we treat this policy seriously. Please read it in full.
2. Information We Collect
a. Account information
You can sign in with Apple or Google. The information we receive depends on the provider:
- Sign in with Apple — Apple may share your name and email address, or a private relay address it generates on your behalf.
- Sign in with Google — Google shares your name, email address, and profile picture associated with your Google account.
We use this information solely to create and identify your account. We do not receive your password from either provider.
b. Forwarded email content
When you forward a booking confirmation to TravlBox, we receive and store the full content of that email, including subject, body, sender, and any attachments you include. These emails typically contain: passenger or guest names, travel dates and times, flight numbers and airline names, hotel and property names, physical addresses, confirmation and reservation codes, and fare or rate details. They may also incidentally contain partial payment information or loyalty program numbers.
c. Structured trip data
We extract structured records from your emails (for example, a flight object with departure city, arrival city, date, and carrier). This structured data is stored separately and drives the itinerary view and AI chat features.
d. Usage and device data
We collect standard app analytics: which features you use, how often, crash reports, and device type and operating system version. This data is not linked to your email content.
3. Email Processing
Email processing is the core of how TravlBox works. This section explains the full technical pipeline so you understand exactly where your email content travels.
The processing pipeline
- Step 1 — Receipt (Twilio SendGrid). When you forward a booking email to your TravlBox address, it is received by Twilio SendGrid, a transactional email service operated by Twilio Inc. SendGrid delivers the raw email content to our systems via a secure inbound parse webhook. Twilio's privacy practices are described at twilio.com/legal/privacy.
- Step 2 — Queuing (Redis on Railway). The received email is placed onto an internal job queue backed by Redis, hosted on Railway. This decouples receipt from processing and ensures no emails are lost under load.
- Step 3 — Extraction (Celery worker + LLM). A Celery worker running on Railway picks up the job and sends the email content to a large language model (LLM) API — one of OpenAI (OpenAI, L.L.C.), Anthropic (Anthropic, PBC), or Google (Google LLC) — to extract structured trip data such as flight numbers, dates, hotel names, and confirmation codes. We send only the email text necessary for extraction. We do not permit these providers to use your content to train their models, and we enforce this contractually where supported by their data processing agreements.
- Step 4 — Storage (Supabase). The extracted structured data is written to a PostgreSQL database hosted by Supabase, Inc. The original email text is stored in Supabase Storage. Both are associated with your account and are not accessible to other users.
Other important facts
- Forwarding is always intentional. We do not access, read, or connect to your email inbox. We only receive emails you explicitly forward to your TravlBox address.
- What we extract vs. discard. We extract only travel-related fields. Once extraction is complete, the raw email text passed to the LLM is not retained by us beyond what Supabase Storage holds as your original record.
- Deletion. You can delete any booking or your entire account from within the app at any time. Deletion removes both the structured record and the stored original email from our active systems within 30 days.
4. How We Use Your Information
- To provide the service. Parse your booking emails, populate your itinerary, and power the AI chat so you can ask questions about your trips.
- To maintain your account. Authenticate you, store your preferences, and keep your data available across your devices.
- To improve TravlBox. Understand which email formats and booking types we parse successfully (and which we fail on), fix bugs, and prioritise new features. We do this using aggregate, de-identified signals — not by reading your personal emails.
- To communicate with you. Send service announcements, security alerts, and, with your consent, product updates. We do not send marketing emails unless you explicitly opt in.
- To comply with the law. Respond to lawful requests from courts or regulatory authorities.
We do not sell your personal information. We do not use your email content for advertising.
6. Data Retention
We retain your account information and trip data for as long as your account is active. When you delete a specific booking, we remove it from active systems within 30 days and from backups within 90 days. When you delete your account, all personal data associated with it is removed from active systems within 30 days and from all backups within 90 days.
We may retain anonymised, aggregated records (for example, the number of email formats we successfully parsed) indefinitely, as these cannot identify you.
7. Security
We use industry-standard security measures including encryption in transit (TLS) and at rest. Access to your data within our infrastructure is restricted to personnel and systems that need it to operate the service. We conduct periodic reviews of our security practices.
No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to [email protected] before disclosing it publicly.
8. Your Rights
Regardless of where you live, you may at any time:
- Access the personal information we hold about you by contacting us or using the export feature in the app.
- Correct inaccurate information by updating it in the app or contacting us.
- Delete specific bookings or your entire account from within the app settings.
- Opt out of non-essential communications via the notification settings in the app.
California residents (CCPA). You have the right to know what personal information we collect and how it is used, to request deletion, and to opt out of the sale of your personal information (we do not sell it). To exercise these rights, contact us at the address below. We will not discriminate against you for exercising your privacy rights.
EEA / UK residents (GDPR/UK GDPR). Our legal basis for processing your data is performance of our contract with you (to provide the service), our legitimate interest in improving the service, and compliance with legal obligations. You have rights of access, rectification, erasure, restriction, portability, and to object to processing. You may also lodge a complaint with your local supervisory authority. To exercise these rights, contact us below.
9. Children's Privacy
TravlBox is not directed to children under 13 (or under 16 in the EEA and UK). We do not knowingly collect personal information from children. If you believe a child has provided us with their information, please contact us and we will delete it promptly.
10. International Users
TravlBox is operated from the United States. All sub-processors listed in Section 5 — including Supabase, Railway, Vercel, Twilio SendGrid, OpenAI, Anthropic, Google, and Cloudflare — are headquartered in the United States and process data there (or on globally distributed infrastructure operated under US law). If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country.
EEA and UK users. Where required by the GDPR or UK GDPR, we rely on appropriate transfer mechanisms for international data transfers, such as Standard Contractual Clauses (SCCs) issued by the European Commission. You may request a copy of the applicable transfer safeguards by contacting us at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page. For material changes — particularly those that affect how we process your email content — we will provide prominent in-app notice at least 14 days before the change takes effect. Your continued use of TravlBox after the effective date constitutes acceptance of the updated policy.
12. Contact Us
For privacy-related questions, requests, or complaints:
Ovearching AI, LLC
Privacy Team
[email protected]
We aim to respond to all privacy requests within 30 days.