Skip to main content

Capy Trips

Your chill guide to the perfect getaway.

Privacy Policy

Last updated: Feb. 18, 2026

This Privacy Policy explains how Capy Trips ("we," "us," or "our") collects, uses, stores, and protects information when you use capytrips.com (the "Site").

1. Information We Collect

a. Account Information You Provide

When you create an account, we collect:

  • Email address
  • Password (stored as a one-way cryptographic hash — we never store or see your plaintext password)
  • Marketing communication preference (opt-in checkbox at signup)

If you sign in with a third-party provider (Google or GitHub), we receive your email address and basic profile information (name, avatar URL) from that provider. We do not receive or store your third-party password.

No payment information is collected by us.

b. User-Generated Data

When you use the Site while logged in, we store:

  • Saved cities and saved city comparisons
  • Marketing consent status and timestamp

If you use the Site without an account, saved cities and comparisons are stored locally in your browser (localStorage) and are not transmitted to our servers.

c. Automatically Collected Information

We collect limited technical information automatically, including:

  • Pages viewed and interactions
  • Device type, browser, and operating system
  • IP address (used for rate limiting and bot protection; not stored long-term)
  • Approximate location (city, region, country, and timezone) provided by Cloudflare edge network metadata — used to personalize search results and display local time on city pages
  • Precise location coordinates (latitude and longitude) — only when you grant browser location permission for "near me" searches. These coordinates are sent to our server to improve search accuracy but are never stored or logged.
  • Referral source

This data is collected through Cloudflare Web Analytics, which does not use client-side cookies and does not track individual users across sites.

2. How We Use Information

We use collected information to:

  • Operate and maintain the Site and your account
  • Authenticate your identity and manage sessions
  • Persist your saved cities, comparisons, and preferences across devices
  • Send transactional emails (account verification, password resets, security alerts)
  • Send marketing or feature-update emails if you opted in (you can unsubscribe at any time)
  • Personalize search results using your approximate location (e.g., "near me" queries)
  • Improve content, rankings, and features
  • Enforce rate limits and protect against abuse
  • Monitor performance and prevent misuse

We do not use personal data for profiling or automated decision-making that produces legal or similarly significant effects.

3. Cookies, Local Storage, and Tracking Technologies

a. Authentication Cookies

When you log in, we set a session cookie to keep you authenticated. This cookie is:

  • HttpOnly — not accessible to JavaScript
  • Secure — only sent over HTTPS
  • SameSite=Lax — limited cross-site sending

Session cookies expire after 7 days of inactivity or 30 days maximum. You can log out at any time to clear your session.

b. Local Storage

We use browser localStorage to store your preferences, recently viewed cities, and (for anonymous users) saved cities and comparisons. This data stays on your device and is not sent to our servers unless you create an account and choose to sync it.

c. Bot Protection

We use Cloudflare Web Application Firewall (WAF) and managed challenge/rate-limiting rules on authentication endpoints to reduce bot traffic and abuse. These protections are managed by Cloudflare at the edge.

d. Analytics

We use Plausible Analytics, a privacy-focused analytics service that does not use cookies, does not collect personal data, and does not track users across websites. Plausible is hosted in the EU and is fully compliant with GDPR, CCPA, and PECR. We may also use Cloudflare Web Analytics for supplemental aggregate traffic metrics.

e. Affiliate Tracking Cookies

Affiliate partners (including Viator, Booking.com, and others) may use cookies or tracking parameters to:

  • Attribute referrals
  • Track bookings or purchases
  • Calculate commissions

These cookies are set and controlled by third parties, not by us.

4. Third-Party Services and Data Processors

We use the following third-party services to operate the Site. Each processes data only as necessary for its stated purpose:

  • Cloudflare (Pages, D1, KV, R2, Workers, Web Analytics, Email Routing, WAF) — hosting, database, caching, analytics, bot protection, and email forwarding
  • Plausible Analytics — privacy-focused website analytics (no cookies, no personal data, EU-hosted)
  • Resend — transactional email delivery (verification, password reset, security alerts)
  • Google OAuth — optional third-party sign-in (only if you choose to sign in with Google)
  • GitHub OAuth — optional third-party sign-in (only if you choose to sign in with GitHub)
  • Unsplash — city imagery (requests are made server-side; your data is not shared with Unsplash)
  • Google Gemini API — AI-powered city recommendations (requests are made server-side; your data is not shared with Google beyond the search query text)
  • Affiliate partners (Viator, Booking.com, and others) — outbound referral links

When you click an affiliate or external link, you leave our Site and the third party's privacy policy applies. We have no control over their data practices.

5. How We Share Information

We do not sell, rent, or trade personal information.

We may share limited data:

  • With the third-party service providers listed above, solely to operate the Site
  • When required by law, legal process, or governmental request
  • To protect the rights, safety, or security of the Site, our users, or the public

6. Data Storage and Security

Account data (email, hashed password, saved cities, comparisons, and marketing preferences) is stored in Cloudflare D1, a globally distributed database. Sessions are managed server-side with secure, HttpOnly cookies.

We take reasonable measures to protect information, including:

  • One-way password hashing (scrypt)
  • Encrypted connections (HTTPS/TLS everywhere)
  • HttpOnly, Secure session cookies
  • Rate limiting on authentication endpoints
  • Bot protection via Cloudflare WAF challenge/rate-limiting rules
  • Single-use, time-limited tokens for email verification and password resets
  • Limited access to production data and secrets

No system is 100% secure, and we cannot guarantee absolute security.

7. Data Retention

  • Account data is retained as long as your account remains active
  • Session data expires automatically (7-day idle timeout, 30-day maximum)
  • Email verification tokens expire after 24 hours
  • Password reset tokens expire after 1 hour
  • Rate-limiting counters are stored temporarily and expire automatically via TTL
  • Analytics data is retained according to Cloudflare Web Analytics defaults (aggregated, non-personal)

When you delete your account, your personal data (email, saved cities, comparisons, marketing consent, and sessions) is permanently removed from our database.

8. Your Rights and Choices

You may:

  • Access your data — view your saved cities, comparisons, and account information within the Site
  • Delete your account — permanently remove your account and all associated data by using the Travel Hub account deletion option, or by contacting us
  • Unsubscribe from marketing emails — click the unsubscribe link in any marketing email, or update your preference in your account settings
  • Disable cookies — adjust your browser settings (note: disabling cookies will prevent login and may affect functionality)
  • Withdraw OAuth access — revoke Capy Trips access from your Google or GitHub account settings at any time

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data protection laws, you may also have the right to request data portability, correction, or restriction of processing. Contact us to exercise these rights.

9. International Data Transfers

The Site is hosted on Cloudflare's global network. Your data may be processed in data centers located outside your country of residence. Cloudflare maintains appropriate safeguards for international data transfers.

10. Children's Privacy

The Site is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of the Site after changes indicates acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy or your data, contact us at: support@capytrips.com