Privacy Policy

Last updated: April 27, 2026

This Privacy Policy describes how MyTripWish ("we", "us", "the service") collects, uses, and protects your information when you use our website at mytripwish.com or our Android app.

1. What we collect

Information you provide

Search queries - the natural-language travel descriptions you type (e.g. "honeymoon in Europe under $3000").
Email and Google account info - if you sign in with Google, we receive your email address, name, and profile picture from Google. We never receive your Google password.
Email subscription - if you sign up for our newsletter, your email is stored to send you travel deal alerts.

Information collected automatically

IP address - used for rate limiting and to detect your nearest airport (via geolocation lookup) so we can default the origin city.
Device identifier - the Android app generates a random device ID stored locally to track searches against rate limits.
Usage analytics - we use Vercel Analytics and Google Analytics to understand how the website is used (page views, traffic sources). These services may set cookies.

Information we do not collect

We do not collect precise GPS location.
We do not collect payment information - bookings happen directly on our partners' websites (Aviasales, Expedia, Klook).
We do not access your contacts, photos, microphone, or camera.

2. How we use your information

To process your search query and return destination, flight, and hotel suggestions.
To enforce daily search limits (3 free searches/day for anonymous users, 50/day for signed-in users).
To save your trip history so you can return to past searches.
To send you travel deal newsletters if you have subscribed.
To detect and prevent abuse of the service.

3. Third parties we share data with

We use a small number of third-party services to deliver the product. Each only receives the minimum needed to do its job:

Google AI (Gemma) - your search query is sent to Google's Gemma model to parse it into structured fields (destinations, dates, budget). Queries are not used to train models.
Travelpayouts / Aviasales - origin and destination airport codes plus dates are sent to find flight prices and booking links.
Expedia (via RapidAPI) - city name and dates are sent to find hotel availability and pricing.
Klook - city name is used to display activity recommendations.
Upstash Redis - we store user account data, search history, and rate-limit counters in Redis (hosted by Upstash on AWS).
Vercel - hosts our backend and stores access logs.
Google Analytics / Vercel Analytics - aggregate website usage statistics.

We do not sell your personal information to anyone.

4. How long we keep your data

Account data (email, name, picture, last seen) is automatically deleted after 90 days of inactivity.
Search rate-limit counters reset every day at midnight UTC.
Newsletter subscribers stay until they unsubscribe.
If you delete your account (see below), all of the above is removed immediately.

5. Your rights and account deletion

Delete your account: you can request full deletion of your account and all associated data at any time, in two ways:

From the app: open the Android app, go to Settings → Delete account, and confirm.
From the web: visit mytripwish.com/account/delete.html and follow the instructions.

Deletion happens immediately and includes your profile, search history, trip history, and any newsletter subscriptions tied to your account email. The action cannot be undone.

You also have the right to:

Request a copy of the data we hold about you.
Correct any inaccurate data.
Withdraw newsletter consent at any time via the unsubscribe link in any email.
Lodge a complaint with your local data protection authority.

For any of the above other than account deletion, email us at hello@mytripwish.com and we will respond within 30 days.

6. Cookies

The website uses cookies for analytics and to remember your origin airport between visits. The Android app does not use cookies; it stores device ID and trip history in encrypted local storage.

7. Children

MyTripWish is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has submitted information to us, please contact us and we will delete it.

8. Security

All data is transmitted over HTTPS. Account data is stored on Upstash Redis with access controlled by token-based authentication. We follow industry-standard practices but cannot guarantee absolute security - report any vulnerability to hello@mytripwish.com.

9. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Significant changes will be announced on the website.

10. Contact

If you have any questions about this Privacy Policy or your data, contact us at hello@mytripwish.com.