LEGAL

Privacy Policy.

How we collect, use, and protect your personal information at Viaza. Your trust is the heart of every itinerary we plan.

Effective: May 20, 2026
Last updated: May 20, 2026
team@viazaai.com



1. Introduction

Welcome to Viaza ("Viaza," "we," "our," or "us"). Viaza is an AI-powered travel planning and booking mobile application that helps you discover destinations, plan itineraries, book flights and accommodations, and share travel experiences with friends.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our mobile application, our backend services, and any related services (collectively, the "Services"). It also describes your rights and choices with respect to your personal information.

Please read this policy carefully. By using Viaza, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Services.

This Privacy Policy is intended to comply with applicable privacy laws, including the California Consumer Privacy Act (CCPA/CPRA), the EU General Data Protection Regulation (GDPR), the UK GDPR, the Australian Privacy Act 1988, and other applicable data protection laws.


2. Who We Are

Viaza is operated by Viaza, Inc., a Delaware C-corporation.

For questions about this policy or to exercise your privacy rights, please contact us at:


3. Information We Collect

We collect information that you provide to us directly, information that is generated automatically when you use our Services, and information we receive from third-party services you connect to Viaza.

3.1 Information You Provide Directly

Account Registration

When you create a Viaza account, we collect:

  • Full name
  • Email address
  • Password (stored as a one-way cryptographic hash using bcryptjs; we never store your plaintext password)
  • Authentication method (email/password, Google Sign-In, or Apple Sign-In)
  • When using OAuth (Google/Apple), the corresponding provider subject identifier (sub)

Public Profile Information

When you create or edit your public profile, you may voluntarily provide:

  • Display name and biography/travel motto
  • Profile photo (URL to image)
  • Location (city or country you display publicly)
  • Occupation and pronouns
  • Travel style preferences (e.g., adventure, luxury, backpacker)
  • Languages spoken
  • Travel experience level (beginner/intermediate/expert)
  • Accommodation preferences (hotel, Airbnb, hostel, etc.)
  • Instagram handle and personal website URL
  • Interests, travel companion style
  • Favorite destinations and bucket list destinations
  • Favorite travel memory
  • Visibility settings for each field (show/hide to other users)

Private Profile Information

When you complete your private profile, you may voluntarily provide:

  • Phone number (used for SMS booking notifications)
  • Date of birth (used for flight booking compliance and age verification)
  • Currency preference and language preference
  • Time zone
  • Dietary restrictions (e.g., vegetarian, halal, kosher, gluten-free)
  • Accessibility needs
  • Additional preferences stored as key-value pairs

Emergency Contact Information

You may optionally add an emergency contact, including:

  • Name, phone number, relationship, email address, and mailing address

Medical Information (Optional)

You may optionally provide:

  • Allergies
  • Medications
  • Blood type
  • General medical conditions

This sensitive health information is used solely to assist us in providing personalized travel planning and accessibility accommodations. It is never shared with third parties for marketing purposes.

Trip Planning Information

When planning a trip, you provide:

  • Destination, departure city, travel dates, number of travelers
  • Budget range (minimum/maximum) and currency
  • Budget flexibility preferences
  • Dietary restrictions relevant to the trip
  • Interests and activities (e.g., museums, hiking, nightlife)
  • Travel style and vibes (e.g., relaxing, adventurous)
  • Accessibility needs for the trip
  • Special requests (free-text)

Booking / Checkout Information

When you book flights or hotels through Viaza, you (or each traveler on the booking) provide:

  • First name and last name
  • Date of birth (required for flight manifests)
  • Gender (required for airline compliance; collected as M/F)
  • Email address (for booking confirmations)
  • Phone number, including country code (for airline/hotel contact and SMS confirmation)
  • Payment card details — collected directly by Stripe, our payment processor; Viaza does not see or store full card numbers or CVVs

Memories / Photo Content

When you upload trip memories, we collect:

  • Photos or videos (URL to media file)
  • Caption text
  • Location tag (where the photo was taken)

Social / Friends Features

When using the friends feature, we collect:

  • Email address or phone number of the person you wish to invite
  • Friend request status

Group Trip Invitations

When inviting others to a group trip, we collect:

  • Email address or phone number of the invitee
  • The invitee's acceptance/decline response

3.2 Information Collected Automatically

When you use the Viaza app, we and our service providers may collect certain information automatically:

  • Device information: device type, operating system, platform (iOS/Android)
  • User agent string: browser/app version information collected when authentication tokens are issued
  • Expo Push Notification Token: a unique device token (ExponentPushToken[...]) generated by the Expo SDK to deliver push notifications to your device
  • Interaction data: how you interact with itinerary items — views, likes, regenerate requests, and feedback reasons — stored in our user_interactions table for service improvement
  • Locally cached data on your device: Viaza stores trip data and album information in your device's local storage (AsyncStorage) for offline access and performance. Authentication tokens are stored in your device's secure enclave (expo-secure-store)

3.3 Information From Third-Party Services

When you authenticate with Google or Apple, we receive limited profile information from those services:

From Google Sign-In:

  • Google account email address
  • Full name (as set on Google account)
  • Google user subject identifier (sub)
  • Profile picture URL (optional, if available)

From Apple Sign-In:

  • Apple user subject identifier (sub)
  • Email address (provided by Apple only on first sign-in; Apple may relay a private email address)
  • Full name (provided only on first sign-in, if the user consents)

4. How We Use Your Information

We use the information we collect for the following purposes:

Purpose | Legal Basis (GDPR) | Data Used
Create and manage your account | Contract performance | Name, email, password hash, auth provider
Authenticate your identity and maintain secure sessions | Contract performance / Legitimate interest | Email, password, OAuth tokens, refresh tokens, user agent
Generate personalized AI trip itineraries | Contract performance | Destination, dates, budget, preferences, dietary restrictions, accessibility needs, interests
Search for and display flights, hotels, restaurants, and activities | Contract performance | Destination, travel dates, number of travelers, dietary restrictions
Process bookings and payments | Contract performance | Traveler details (name, DOB, gender, email, phone), itinerary data, Stripe payment intent
Transmit passenger data to airlines and hotels via our booking partners | Contract performance / Legal obligation | Full name, DOB, gender, email, phone
Send booking confirmation emails | Contract performance | Email, name, flight/hotel details, PNR, confirmation number
Send booking confirmation SMS messages | Contract performance / Consent | Phone number, booking details
Send push notifications about bookings and trip updates | Consent | Push token, notification content
Enable social features (friends, group trips, invitations) | Contract performance | Email/phone of friends, trip membership
Display and manage your travel memories | Contract performance | Photo URLs, captions, location tags
Improve our AI models and recommendation quality | Legitimate interest | Interaction data, preferences (anonymized/aggregated where possible)
Compute trending destinations and trip styles (internal analytics) | Legitimate interest | Aggregated trip destination data
Ensure platform security, detect fraud, and enforce our Terms of Service | Legitimate interest / Legal obligation | Authentication logs, rate-limit data, device info
Comply with legal obligations | Legal obligation | As required by applicable law
Respond to your requests and support inquiries | Legitimate interest / Contract | Contact information, account details

5. How We Share Your Information

We do not sell your personal information to third parties. We share your information only in the following circumstances:

1. With booking providers (required to fulfill your booking): When you book a flight or hotel, we transmit traveler details — including full name, date of birth, gender, email address, and phone number — to Duffel (our primary travel API) and in some cases Amadeus, who in turn transmit your information to the relevant airline or hotel to create your reservation.

2. With payment processors: Your payment card information is submitted directly to Stripe for processing. We share a booking reference, session ID, price amount, and your name with Stripe as required to create and manage your payment intent.

3. With communication service providers: We share your email address and booking details with Resend (our email delivery provider) to send you booking confirmations. We share your phone number and booking details with Twilio to send you SMS booking confirmations, where you have enabled SMS notifications.

4. With AI service providers: We share your trip planning parameters — including destination, dates, budget, dietary restrictions, accessibility needs, interests, and travel preferences — with OpenAI to generate personalized itinerary recommendations. Please see Section 6.10 for OpenAI's data handling practices.

5. With location and discovery services: We share location queries (city name, coordinates) with Yelp and Google Places to retrieve restaurant recommendations and place details. These queries do not include your account information or personally identifiable data.

6. With other users (profile information you make public): Fields on your public profile that you have not hidden will be visible to other Viaza users, including friends and group trip members.

7. With trip members (group trips): When you create a group trip, invited members will see your name and the trip details you created.

8. For legal compliance and safety: We may disclose your information when required by law, court order, or government authority.

9. In connection with business transfers: If Viaza is acquired, merged, or undergoes a similar corporate transaction, your information may be transferred to the acquiring entity.

10. With your consent: We may share information for other purposes with your explicit consent.


6. Third-Party Service Providers and Their Privacy Practices

Viaza integrates with numerous third-party services. Below we describe each integration, what personal data is shared, and where you can find each provider's privacy policy.


6.1 Database Infrastructure — Supabase (PostgreSQL)

What it is: Supabase is our primary database and backend infrastructure provider.

Supabase Privacy Policy: https://supabase.com/privacy
Supabase DPA: https://supabase.com/dpa


6.2 Authentication — Google Sign-In

Google Privacy Policy: https://policies.google.com/privacy
OAuth Scopes Used: openid, email, profile


6.3 Authentication — Apple Sign-In

Apple Privacy Policy: https://www.apple.com/legal/privacy/


6.4 Payment Processing — Stripe

Stripe is our payment processor. Viaza does not receive, process, or store full payment card numbers or CVV codes.

Stripe Privacy Policy: https://stripe.com/privacy
PCI-DSS Compliance: https://stripe.com/guides/pci-compliance


6.5 Flight & Hotel Booking — Duffel

Duffel is our primary flight and hotel booking API. When you complete a booking, we transmit traveler details to Duffel, who creates the booking with the relevant airline or hotel.

Duffel Privacy Policy: https://duffel.com/legal/privacy-policy


6.6 Flight Search — Amadeus

Amadeus Privacy Policy: https://amadeus.com/en/policies/privacy-policy

Note: We are in the process of transitioning our primary flight booking away from Amadeus to Duffel.


6.7 Email Notifications — Resend

Resend Privacy Policy: https://resend.com/privacy


6.8 SMS Notifications — Twilio

You can opt out of SMS notifications by replying STOP to any SMS from Viaza, or by removing your phone number from your profile.

Twilio Privacy Policy: https://www.twilio.com/legal/privacy


6.9 Push Notifications — Expo Push Notification Service

Expo Privacy Policy: https://expo.dev/privacy


6.10 AI Trip Planning — OpenAI

We use OpenAI's API (GPT-4 mini model) to generate personalized travel itineraries. Your name, email, and payment information are not sent to OpenAI.

OpenAI Privacy Policy: https://openai.com/policies/privacy-policy
API Data Usage: https://openai.com/policies/api-data-usage-policies


6.11 Restaurant & Location Discovery — Yelp Fusion API

Yelp Privacy Policy: https://www.yelp.com/tos/privacy_en_us


6.12 Location & Places — Google Places API

Google Privacy Policy: https://policies.google.com/privacy


6.13 Restaurant Reservations — OpenTable (Optional)

OpenTable Privacy Policy: https://www.opentable.com/legal/privacy-policy


6.14 Restaurant Reservations — Resy (Optional)

Resy Privacy Policy: https://resy.com/privacy-policy


7. Data Storage and Security

We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it.

Storage Location

All application data is stored in a PostgreSQL database hosted by Supabase on AWS infrastructure. Authentication credentials and tokens are managed by our backend API hosted on Vercel.

Security Measures

Measure | Implementation
Password hashing | bcryptjs with 10 salt rounds — passwords are never stored in plaintext
Authentication tokens | Short-lived JSON Web Tokens (JWT) signed with a 32+ character secret
Refresh tokens | Cryptographically random, stored as bcrypt hashes, expire automatically
Database access control | Row-Level Security (RLS) policies on all Supabase tables
Transport security | All API communications use HTTPS/TLS encryption
Payment security | Card data handled exclusively by Stripe (PCI-DSS Level 1 compliant)
Mobile token storage | JWT and refresh tokens stored in expo-secure-store (iOS Keychain / Android Keystore)
Rate limiting | Authentication endpoints rate-limited (sign-up: 5/hour/IP; login: 10/15min/IP)

8. Data Retention

Data Category | Retention Period
Account information (name, email, password hash) | Until account deletion
Trip and itinerary data | Until you delete the trip or your account
Booking and checkout records | Retained for a minimum of 7 years for financial/legal compliance
Payment records (Stripe references, amounts) | Retained for a minimum of 7 years for accounting and tax compliance
Authentication refresh tokens | Expire per their individual expiration timestamp (typically 30–90 days)
Memories (photos/videos) | Until you delete them or your account
User interaction data | Up to 3 years; may be used in aggregated/anonymized form thereafter

9. Your Privacy Rights and Choices

9.1 Access and Correction

To request a copy of all personal data we hold about you, email team@viazaai.com with the subject line "Data Access Request."

9.2 Deletion

Email team@viazaai.com with the subject line "Account Deletion Request."

9.3 Portability

Email team@viazaai.com with the subject line "Data Portability Request." We will provide your data in JSON format within 30 days.

9.4 Opt-Out of Communications

  • SMS notifications: Reply STOP to any SMS from Viaza, or remove your phone number from your Private Profile
  • Push notifications: Disable in your device's notification settings
  • Marketing emails: Unsubscribe using the link at the bottom of any marketing email

9.7 California Residents (CCPA / CPRA)

We do not sell your personal information or share it for cross-context behavioral advertising purposes. To exercise your rights, submit requests to team@viazaai.com.

9.8 European Economic Area, UK, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have rights including access, rectification, erasure, restriction, portability, and the right to object. Contact our DPO at team@viazaai.com.


10. Sensitive Personal Information

Category | Examples | Why Collected
Financial information | Payment card data (processed exclusively by Stripe) | To process bookings
Health and medical information | Allergies, medications, blood type, medical conditions | For personalized travel planning and accessibility
Biometric-adjacent | Date of birth (required for flight manifests) | Airline and government regulatory requirement
Precise geolocation | Trip destinations, restaurant search coordinates | To find nearby restaurants and activities

11. Children's Privacy

Viaza is not directed to children under the age of 13 (or under 16 in the EEA/UK). If you believe we may have inadvertently collected information from a child, please contact us at team@viazaai.com.


12. International Data Transfers

Viaza is operated from the United States. Your personal information may be transferred to, stored in, and processed in countries other than your country of residence. We ensure international transfers comply with applicable data protection laws, including through Standard Contractual Clauses (SCCs).


13. Cookies and Similar Technologies

The Viaza mobile app does not use browser cookies. We use AsyncStorage and expo-secure-store for local data caching and secure token storage on your device.


Our app may display links to third-party websites or travel services. This Privacy Policy does not apply to those third-party services.


15. Changes to This Privacy Policy

When we make material changes, we will post the updated policy and notify you via in-app notification and/or email at least 30 days before material changes take effect.


16. Contact Us

General Privacy Inquiries:
Email: team@viazaai.com — We aim to respond within 30 days

Data Deletion / Access / Portability:
Email: team@viazaai.com — Subject: "Privacy Request — [Request Type]"

Mailing address: 1101 Ludlow Ave, Philadelphia, PA 19107, USA


This Privacy Policy was prepared based on the technical architecture and data flows of the Viaza application. This document does not constitute legal advice.


© 2026 Viaza, Inc. All rights reserved.