Privacy Policy

Last updated: May 28, 2026

This Privacy Policy explains how TastePass (“we”, “us”) collects, uses, shares, and protects your personal data when you use our website and purchase our digital travel itineraries. It also describes your rights under the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).

TastePass is operated by Mahmoud Darwish, based in Egypt. For data subject requests under GDPR/CCPA, refund inquiries, or privacy questions, contact support@tastepass.co. We respond within 30 days. Our registered postal address is available on written request to the same email.

1. Data we collect

• Account and contact data: your email address, used for passwordless magic-link sign-in and to deliver your itinerary.
• Itinerary inputs: the information you submit to generate an itinerary — destinations, travel dates, party size, pace, preferences, and your dietary requirements (for example halal, kosher, vegan, or allergy information). Some dietary or health-related details may be considered sensitive personal data; we process them only to create the itinerary you ask for, on the basis of your explicit provision of that information.
• Payment metadata: when you pay, our reseller Paddle processes your payment. We do not receive or store your full card details. We receive limited transaction metadata from Paddle (such as an order identifier, the products purchased, and the billing country) to fulfill and support your order.
• Technical data: basic technical information such as IP address, browser/device type, and request logs, collected by our hosting provider to operate and secure the service.

2. How and why we use your data

We use your data to:

• generate, deliver, and let you customize your itinerary (to perform our contract with you);
• process dietary and preference inputs to tailor recommendations (on the basis of your explicit provision of that information / your consent);
• send transactional emails such as sign-in links and delivery (to perform our contract);
• operate, secure, and improve the service and prevent abuse (our legitimate interests);
• comply with legal, tax, and accounting obligations (legal obligation).

We send marketing or newsletter emails only if you opt in, and you can unsubscribe at any time.

3. Who we share your data with

We share data with a small number of service providers (“processors”) who help us run TastePass. They may process your data only on our instructions and for the purposes below:

• Paddle — payment processing and Merchant of Record (handles your payment and billing).
• Anthropic — AI processing: your itinerary inputs are sent to Anthropic’s API to generate your travel plan.
• Cloudflare — website hosting, database, file storage, and content delivery / security.
• Resend — sending transactional emails (sign-in links and itinerary delivery).
• Google Workspace — handling our support mailbox when you contact us.

We do not sell your personal data, and we do not share it for cross-context behavioral advertising.

4. International data transfers

Some of our providers are located outside your country, including in the United States. Where we transfer personal data internationally, we rely on appropriate safeguards such as the providers’ standard contractual clauses and equivalent mechanisms, as required by applicable law.

5. How long we keep your data

• Account email: kept while your account or unused credits are active, and until you ask us to delete it.
• Itinerary inputs and generated itineraries: retained for the life of your credits (up to 18 months) plus a short buffer so you can re-download, after which they are deleted or anonymized.
• Payment records: transaction records are retained by Paddle, and by us as required for tax and accounting purposes.
• Support emails: retained for a limited period to handle your request and for our records.

6. Your rights

Depending on where you live, you have some or all of the following rights:

Under GDPR (EEA / UK)

• access a copy of your personal data;
• correct inaccurate data;
• erase your data (the “right to be forgotten”);
• restrict or object to certain processing;
• data portability;
• withdraw consent at any time (without affecting prior processing);
• lodge a complaint with your local data-protection supervisory authority.

Under CCPA / CPRA (California)

• know what personal information we collect and how we use it;
• access and delete your personal information;
• correct inaccurate personal information;
• opt out of the sale or sharing of personal information — note that we do not sell or share your personal information;
• not be discriminated against for exercising your rights.

To exercise any of these rights, email support@tastepass.co. We may need to verify your identity before responding, and we will respond within the timeframes required by law.

7. Cookies and similar technologies

We keep cookies to a minimum. We use strictly necessary cookies and similar storage to keep you signed in (our magic-link session) and to keep the service secure. We do not use third-party advertising or cross-site tracking cookies. If we add analytics in the future, we will update this policy first.

8. Children

TastePass is not directed to children, and we do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Changes to this policy

We may update this Privacy Policy from time to time. We will revise the “Last updated” date above and, where appropriate, notify you of material changes.

10. Contact us

For any privacy question or to make a data request, email support@tastepass.co.