Privacy Policy

1. Introduction

Welcome to RoamWeave. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services. RoamWeave is operated by a sole trader based in the United Kingdom.

We are committed to protecting your privacy and handling your data transparently. This policy applies to all users worldwide, including those in the United Kingdom, European Economic Area (EEA), California (USA), and all other jurisdictions.

By creating an account or using RoamWeave, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for your personal data is:

• RoamWeave (sole trader)
• Based in the United Kingdom
• Contact: privacy@roamweave.com

If you have any questions about this policy or how we handle your data, please contact us at the email address above.

3. Data We Collect

We collect and process the following categories of personal data:

3.1 Account Information

• Full name
• Email address
• Encrypted password (we never store passwords in plain text)

3.2 Travel Preferences

• Preferred destinations and travel dates
• Airline loyalty programme selections
• Home airport
• Preferred currency
• Trip type preferences (leisure, status run)

3.3 Generated Content

• AI-generated travel itineraries
• AI-generated status run plans
• Associated metadata (creation dates, parameters used)

3.4 Technical Data

• Authentication tokens (managed by Amazon Cognito)
• Cloudflare Turnstile verification tokens (anti-bot only, not used for tracking)

3.5 Data We Do Not Collect

• Payment or financial information
• Precise geolocation data
• Data from third-party analytics or advertising platforms
• Social media profiles or contacts

4. How We Use Your Data

We use your personal data for the following purposes:

• To create and manage your account, including email verification and two-factor authentication
• To generate personalised travel itineraries and status run plans using AI models based on your inputs and preferences
• To store and display your generated itineraries and plans
• To enable you to share itineraries with others via share links
• To protect our service from abuse using Cloudflare Turnstile verification
• To maintain the security and integrity of our service

We do not use your data for marketing, advertising, profiling, or automated decision-making that produces legal effects.

5. Lawful Basis for Processing

Under the UK GDPR and EU GDPR, we rely on the following lawful bases to process your personal data:

• Contract performance: Processing your data is necessary to provide the RoamWeave service you signed up for, including account creation, itinerary generation, and data storage.
• Consent: You provide consent when you create an account and submit your travel preferences for AI processing. You may withdraw consent at any time by deleting your account.
• Legitimate interest: We have a legitimate interest in maintaining the security of our service, preventing fraud and abuse, and improving our systems. We balance these interests against your rights and freedoms.

6. AI Processing and Generated Content

RoamWeave uses artificial intelligence to generate travel itineraries and airline status run plans. Here is how this works:

• When you request an itinerary or status run plan, your inputs (destinations, dates, preferences, loyalty programme selections, home airport) are sent to AI models hosted on Amazon Bedrock (Claude and Nova models by Anthropic and Amazon).
• The AI models process your inputs to generate personalised travel suggestions. Your data is processed in accordance with AWS service terms. Amazon Bedrock does not use your inputs or outputs to train its models.
• Generated itineraries and plans are stored in your account so you can access them later.

7. Data Storage and Security

7.1 Where Your Data Is Stored

Your personal data is stored in AWS DynamoDB in the eu-west-2 (London) region, within the United Kingdom. Authentication data is managed by Amazon Cognito, also hosted in the eu-west-2 region.

7.2 Security Measures

• All data is encrypted at rest and in transit (TLS/HTTPS)
• Passwords are securely hashed by Amazon Cognito (never stored in plain text)
• Two-factor authentication (TOTP) is available for additional account security
• Access to data is restricted through AWS Identity and Access Management (IAM)
• API endpoints are protected by JWT-based authentication
• Input validation and sanitisation is applied to all user-submitted data

7.3 International Data Transfers

Your data is primarily stored and processed in the United Kingdom (eu-west-2 London region). For users in the European Economic Area, the UK has been granted an adequacy decision by the European Commission, meaning data transfers between the EEA and UK are permitted without additional safeguards.

When you use the AI generation feature, your inputs are processed by Amazon Bedrock. AWS processes this data in accordance with their Data Processing Addendum and applicable Standard Contractual Clauses where required. We do not transfer your data to any other third parties or countries.

8. Data Retention

We retain your data for the following periods:

• Account data (name, email, preferences): retained for as long as your account is active. Deleted when you delete your account.
• Generated itineraries and plans: retained for as long as your account is active. Deleted when you delete your account.
• Generation job records: temporary records created during itinerary generation are automatically deleted within 24 hours.
• Authentication logs: managed by Amazon Cognito in accordance with AWS retention policies.

When you delete your account, all associated personal data, itineraries, and plans are permanently removed from our systems. This action is irreversible.

9. Cookies and Tracking

RoamWeave uses a minimal approach to cookies:

• Essential authentication cookies: We use strictly necessary cookies to manage your login session and authentication state. These are required for the service to function and cannot be disabled.
• No tracking cookies: We do not use any cookies for analytics, advertising, or user tracking.
• No third-party analytics: We do not use Google Analytics, Meta Pixel, or any other third-party analytics or tracking services.

Cloudflare Turnstile is used on our signup page to prevent automated abuse. It operates as an invisible challenge and does not place tracking cookies or collect personal data for advertising purposes.

10. Third-Party Services

We use the following third-party services to operate RoamWeave:

• Amazon Web Services (AWS): Cloud infrastructure, including data storage (DynamoDB), authentication (Cognito), content delivery (CloudFront), and AI processing (Bedrock). Data is processed under the AWS GDPR Data Processing Addendum.
• Cloudflare Turnstile: Anti-bot verification on the signup page. Cloudflare processes minimal data for challenge verification only. See Cloudflare's Privacy Policy.

We do not sell, rent, or share your personal data with any third parties for their own marketing or commercial purposes.

11. Your Rights

Depending on your location, you have the following rights regarding your personal data:

11.1 Rights Under UK GDPR and EU GDPR

If you are in the United Kingdom or European Economic Area, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate or incomplete data
• Erasure — request deletion of your personal data (you can do this directly by deleting your account)
• Restriction — request that we limit how we process your data in certain circumstances
• Data portability — request your data in a structured, commonly used, machine-readable format
• Objection — object to processing based on legitimate interest
• Withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@roamweave.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In the EU, you may contact your local data protection authority.

11.2 Rights Under the California Consumer Privacy Act (CCPA)

If you are a California resident, you have the following additional rights:

• Right to know — you may request details about the categories and specific pieces of personal information we have collected about you
• Right to delete — you may request deletion of your personal information
• Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
• Right to opt out of sale — we do not sell your personal information to third parties. No opt-out is necessary.

To exercise your CCPA rights, contact us at privacy@roamweave.com.

12. Account Deletion

You can delete your account at any time from your profile settings page. When you delete your account:

• Your account credentials are permanently removed from Amazon Cognito
• All personal data (name, email, preferences) is deleted from our database
• All generated itineraries and status run plans are permanently deleted
• All associated job records and metadata are removed
• Any shared itinerary links will stop working

This action is permanent and cannot be undone. We cannot recover your data after deletion.

13. Children's Privacy

RoamWeave is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you are under 18, please do not create an account or submit any personal information.

If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@roamweave.com.

14. Email Communications

We currently use email only for essential account-related purposes:

• Account verification during signup (sent by Amazon Cognito)
• Password reset requests (sent by Amazon Cognito)

We do not send marketing emails, newsletters, or promotional communications. If this changes in the future, we will update this policy and obtain your explicit consent before sending any marketing communications.

15. Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority (the ICO in the UK) within 72 hours of becoming aware of the breach, as required by the UK GDPR
• Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms
• Take immediate steps to contain and remediate the breach

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page.

We encourage you to review this policy periodically. Your continued use of RoamWeave after any changes constitutes acceptance of the updated policy.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

• Email: privacy@roamweave.com
• Website: https://roamweave.com

We aim to respond to all enquiries within 30 days.

18. Governing Law

This Privacy Policy is governed by the laws of England and Wales. For users in the European Economic Area, nothing in this policy affects your rights under the EU GDPR. For users in California, nothing in this policy limits your rights under the CCPA.