Privacy Policy
Last updated: May 4, 2026
This Privacy Policy explains how Capy Trips ("we," "us," or "our") collects, uses, stores, and protects information when you use capytrips.com (the "Site").
1. Information We Collect
a. Account Information You Provide
When you create an account, we collect:
- Email address
- Password (stored as a one-way cryptographic hash — we never store or see your plaintext password)
- Marketing communication preference (opt-in checkbox at signup)
If you sign in with a third-party provider (Google or GitHub), we receive your email address and basic profile information (name, avatar URL) from that provider. We do not receive or store your third-party password.
No payment information is collected by us.
b. User-Generated Data
When you use the Site while logged in, we store:
- Saved cities and saved city comparisons
- Marketing consent status and timestamp
If you use the Site without an account, saved cities and comparisons are stored locally in your browser. If you later sign in or create an account, some of that saved data may be associated with your account so it can persist across sessions and devices.
c. Automatically Collected Information
We collect limited technical information automatically, including:
- Pages viewed and feature interactions
- Device type, browser, and operating system
- IP address and related network metadata used for security, rate limiting, bot protection, and approximate location features
- Approximate location, such as city, region, country, or timezone, used to personalize certain results and display local context on the Site
- Precise location coordinates (latitude and longitude) only when you grant browser location permission for "near me" searches. These coordinates may be included in the search request to improve results, but we do not store them long-term in our systems.
- Referral source
We use privacy-focused analytics and security tools to understand aggregate site usage, prevent abuse, and improve the Site. We do not use cookies for analytics, and we do not sell personal information.
2. How We Use Information
We use collected information to:
- Operate and maintain the Site and your account
- Authenticate your identity and manage sessions
- Persist your saved cities, comparisons, and preferences across devices
- Send transactional emails (account verification, password resets, security alerts)
- Send marketing or feature-update emails if you opted in (you can unsubscribe at any time)
- Personalize search results using your approximate location (e.g., "near me" queries)
- Improve content, rankings, and features
- Enforce rate limits and protect against abuse
- Monitor performance and prevent misuse
We do not use personal data for profiling or automated decision-making that produces legal or similarly significant effects.
3. Cookies, Local Storage, and Tracking Technologies
a. Authentication Cookies
When you log in, we set a session cookie to keep you authenticated. This cookie is:
- HttpOnly — not accessible to JavaScript
- Secure — only sent over HTTPS
- SameSite=Lax — limited cross-site sending
Session cookies expire automatically according to our authentication settings. You can log out at any time to clear your session.
b. Local Storage
We use browser localStorage to store your preferences, recently viewed cities, and (for anonymous users) saved cities and comparisons. This data stays on your device and is not sent to our servers unless you create an account and choose to sync it.
c. Bot Protection
We use Cloudflare Web Application Firewall (WAF) and managed challenge/rate-limiting rules on authentication endpoints to reduce bot traffic and abuse. These protections are managed by Cloudflare at the edge.
d. Analytics
We use privacy-focused analytics tools to understand aggregate usage and improve the Site. These tools are configured not to use cookies for analytics and not to track you across unrelated websites.
e. Affiliate Tracking Cookies
Affiliate partners (including Viator, Booking.com, and others) may use cookies or tracking parameters to:
- Attribute referrals
- Track bookings or purchases
- Calculate commissions
These cookies are set and controlled by third parties, not by us.
4. Third-Party Services and Data Processors
We use third-party service providers only as needed to operate the Site. Depending on the feature you use, these providers may process data for the following purposes:
- Hosting and infrastructure providers — hosting, storage, caching, security, and abuse prevention
- Analytics providers — aggregate website analytics and performance measurement
- Email delivery providers — account verification, password resets, and security alerts
- Google OAuth — optional third-party sign-in (only if you choose to sign in with Google)
- GitHub OAuth — optional third-party sign-in (only if you choose to sign in with GitHub)
- Image and content providers — city imagery and related media used on the Site
- AI providers — help generate recommendations and summaries from your search text and, where relevant, location context
- Affiliate partners (Viator, Booking.com, and others) — outbound referral links
When you click an affiliate or external link, you leave our Site and the third party's privacy policy applies. We have no control over their data practices.
5. How We Share Information
We do not sell, rent, or trade personal information.
We may share limited data:
- With the third-party service providers listed above, solely to operate the Site
- When required by law, legal process, or governmental request
- To protect the rights, safety, or security of the Site, our users, or the public
6. Data Storage and Security
Account data (such as email address, hashed password, saved cities, comparisons, and marketing preferences) is stored on infrastructure operated by our service providers. Sessions are managed with secure, HttpOnly cookies.
We take reasonable measures to protect information, including:
- One-way password hashing (scrypt)
- Encrypted connections (HTTPS/TLS everywhere)
- HttpOnly, Secure session cookies
- Rate limiting on authentication endpoints
- Bot protection via Cloudflare WAF challenge/rate-limiting rules
- Single-use, time-limited tokens for email verification and password resets
- Limited access to production data and secrets
No system is 100% secure, and we cannot guarantee absolute security.
7. Data Retention
- Account data is retained as long as your account remains active
- Session data expires automatically according to our authentication settings
- Email verification and password reset tokens expire automatically after a limited period
- Rate-limiting counters are stored temporarily and expire automatically via TTL
- Analytics data is retained in aggregated form according to our analytics providers' settings
When you delete your account, your personal data (email, saved cities, comparisons, marketing consent, and sessions) is permanently removed from our database.
8. Your Rights and Choices
You may:
- Access your data — view your saved cities, comparisons, and account information within the Site
- Delete your account — permanently remove your account and all associated data by using the Travel Hub account deletion option, or by contacting us
- Unsubscribe from marketing emails — click the unsubscribe link in any marketing email, or update your preference in your account settings
- Disable cookies — adjust your browser settings (note: disabling cookies will prevent login and may affect functionality)
- Withdraw OAuth access — revoke Capy Trips access from your Google or GitHub account settings at any time
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data protection laws, you may also have the right to request data portability, correction, or restriction of processing. Contact us to exercise these rights.
9. International Data Transfers
The Site is hosted on Cloudflare's global network. Your data may be processed in data centers located outside your country of residence. Cloudflare maintains appropriate safeguards for international data transfers.
10. Children's Privacy
The Site is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of the Site after changes indicates acceptance of the updated policy.
12. Contact
If you have questions about this Privacy Policy or your data, contact us at: support@capytrips.com