itinly

Privacy Policy

Effective Date: May 23, 2026

itinly ("the Service," "we," or "us") is a travel-itinerary application that turns trip confirmations from your Gmail or Outlook inbox into a structured day-by-day itinerary. This policy explains what data we access, where it is stored, and the choices you have. By using the Service you agree to the practices described below.

1. Account Data We Access

When you sign in (with Google or Microsoft), the Service requests the following OAuth scopes. We ask for each one for a single, narrow purpose, and we do not use the data for advertising, model training, resale, or any purpose other than providing the Service's core features to you. Every sign-in flow forces the account picker, so you never get silently authenticated as a different identity than the one you intended.

  • Basic profile (openid, email, profile)— to identify your account, display your name and avatar inside the app, and contact you about the Service. For Microsoft sign-in we additionally call Microsoft Graph's /me/photo endpoint to render your avatar; if you have no photo, we fall back to your initials.
  • Gmail / Outlook read-only (gmail.readonly for Google, Mail.Read for Microsoft) — used only when you initiate an email scan. We search your inbox for messages that look like travel confirmations (flights, hotels, rentals, reservations) and read those messages so we can extract trip details. We do not read mail outside the queries you trigger, and we never send mail on your behalf.
  • Google Calendar / Outlook Calendar (calendar for Google, Calendars.ReadWrite for Microsoft) — used only when you choose to sync a trip to your calendar. We create or update events corresponding to your itinerary segments. We do not read or modify unrelated events.

2. Linking Multiple Providers

A single itinly account can hold one Google identity and one Microsoft identity at the same time, plus separate Mail and Calendar capability connections per provider. This lets you scan a Gmail confirmation and sync the resulting trip to Outlook Calendar (or any other combination) without maintaining two accounts. Linked identities and capability connections are visible at /settings/account, where you can disconnect any single integration. Disconnecting an identity also removes its Mail and Calendar capability rows.

3. Where Your Data Is Stored

Your trip data is stored on itinly's servers in a managed Postgres database (Supabase). Itineraries, segments, todo lists, settings, and the metadata we keep about which emails you have already imported are written to per-user rows in that database. Access is gated by row-level security policies keyed on your authenticated user ID, so other users cannot read your rows.

Other server-side data is limited to what is required to keep your sessions, integrations, and shared links working. Specifically:

  • Encrypted refresh tokens for connected integrations. When you connect Gmail, Outlook, Google Calendar, or Outlook Calendar, we store an encrypted refresh token for that integration so background tasks (e.g. resolving share links while you're offline) can run. Refresh tokens are encrypted at rest with AES-256-GCM using a server-held key.
  • A share registry.When you create a share link, we store a record mapping that link's opaque ID to the underlying trip so recipients can resolve the link.
  • Operational logs and error reports. Our servers produce request logs and, when configured, send error reports to Sentry to help us diagnose crashes. These may contain your account ID, request paths, and error messages, but we make a best effort to avoid logging email contents or trip details.

4. Email Parsing and Anthropic

When you trigger an email scan, the Service sends the contents of the candidate travel-confirmation messages it finds to Anthropic's Claude API for parsing into structured trip data. We do this only on emails identified as likely travel confirmations, and only at your request. Anthropic processes these requests under its own commercial API terms and does not use API inputs to train its models. Only the structured result is persisted to our database; the raw email is not stored on our servers.

5. Third-Party Services

The Service relies on the following sub-processors. We share with them only what is necessary to operate the relevant feature.

  • Google — authentication (Sign-In with Google), Gmail access, Calendar sync.
  • Microsoft — authentication (Sign-In with Microsoft), Outlook Mail access, Outlook Calendar sync.
  • Supabase — authentication broker and managed Postgres database where your trip data is stored.
  • Anthropic — email parsing via the Claude API (described above).
  • Vercel — hosting of the web application.
  • Upstash (Redis) — storage of encrypted refresh tokens for connected integrations and the share registry.
  • Sentry — error reporting (when configured).

We do not sell, rent, or trade your personal data, and we do not use it for advertising.

6. Google API Services User Data Policy

itinly's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular: we only access Gmail and Google Calendar data to provide user-facing features you have explicitly invoked; we do not transfer Google user data to third parties except as necessary to provide or improve those features (Anthropic for parsing the contents of messages you ask us to scan, and Supabase as the managed database where the resulting structured itinerary is stored); we do not use Google user data to serve advertising; and we do not allow humans to read Google user data unless we have your explicit consent for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data has been aggregated and anonymized.

7. Cookies and Tracking

The Service uses only the cookies and local-storage entries necessary to keep you signed in (for example, OAuth state and your access token). We do not use third-party advertising cookies or behavioral-tracking pixels.

8. Your Rights and Choices

  • Revoke access at any timefrom your Google Account's "Third-party apps with account access" page (myaccount.google.com/permissions) or from your Microsoft account's "Apps and services that can access your data" page. Revoking access invalidates the refresh tokens we hold for you.
  • Disconnect a single integration from Settings → Account inside the app. This deletes the corresponding refresh token from our servers.
  • Delete your trip data and account by contacting us at the address below. We will purge your itinerary rows, processed-email metadata, refresh tokens, and share-registry entries.

9. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from them.

10. Changes to This Policy

We may update this policy from time to time. The "Effective Date" at the top of this page reflects the most recent revision. Material changes will be announced in the application itself before they take effect.

11. Contact

Questions, deletion requests, or concerns about this policy can be sent to support@itinly.app.