itinly

Privacy Policy

Effective Date: May 1, 2026

itinly ("the Service," "we," or "us") is a travel-itinerary application that turns trip confirmations from your Gmail inbox into a structured day-by-day itinerary. This policy explains what data we access, where it is stored, and the choices you have. By using the Service you agree to the practices described below.

1. Google Account Data We Access

When you sign in with Google, the Service requests the following OAuth scopes. We ask for each one for a single, narrow purpose, and we do not use Google user data for advertising, model training, resale, or any purpose other than providing the Service's core features to you.

  • Basic profile (openid, email, profile) — to identify your account, display your name and avatar inside the app, and contact you about the Service.
  • Gmail read-only (gmail.readonly) — used only when you initiate an email scan. We search your inbox for messages that look like travel confirmations (flights, hotels, rentals, reservations) and read those messages so we can extract trip details. We do not read mail outside the queries you trigger, and we never send mail on your behalf.
  • Drive per-file access (drive.file) — used to create and update files in a single app-managed folder ("TravelItineraryMaker") inside your Google Drive. This scope only grants access to files the app itself creates; it does not grant the Service access to any other file in your Drive.
  • Google Calendar (calendar) — used only when you choose to sync a trip to your calendar. We create or update events corresponding to your itinerary segments. We do not read or modify unrelated events.

2. Where Your Data Is Stored

Your trip data lives in your own Google Drive. Itineraries, segments, todo lists, settings, and the metadata we keep about which emails you have already imported are written as JSON files inside the TravelItineraryMaker folder in your Drive. We do not maintain a separate copy of your trip data on our servers. If you delete that folder, your data is gone from the Service.

Server-side data is limited to what is required to keep your session and shared links working. Specifically:

  • Encrypted Google refresh tokens. When you sign in we store an encrypted refresh token so that recipients of share links you create can read the shared trip from your Drive even when you are offline. Refresh tokens are encrypted at rest with AES-256-GCM using a server-held key.
  • A share registry. When you create a share link, we store a record mapping that link's opaque ID to the underlying trip so recipients can resolve the link.
  • Operational logs and error reports. Our servers produce request logs and, when configured, send error reports to Sentry to help us diagnose crashes. These may contain your account ID, request paths, and error messages, but we make a best effort to avoid logging email contents or trip details.

3. Email Parsing and Anthropic

When you trigger an email scan, the Service sends the contents of the candidate travel-confirmation messages it finds to Anthropic's Claude API for parsing into structured trip data. We do this only on emails identified as likely travel confirmations, and only at your request. Anthropic processes these requests under its own commercial API terms and does not use API inputs to train its models. The structured result is written to your Drive; the raw email is not stored on our servers.

4. Third-Party Services

The Service relies on the following sub-processors. We share with them only what is necessary to operate the relevant feature.

  • Google — authentication (Sign-In with Google), Drive storage, Gmail access, Calendar sync.
  • Anthropic — email parsing via the Claude API (described above).
  • Vercel — hosting of the web application.
  • Upstash (Redis) — storage of encrypted refresh tokens and the share registry.
  • Sentry — error reporting (when configured).

We do not sell, rent, or trade your personal data, and we do not use it for advertising.

5. Cookies and Tracking

The Service uses only the cookies and local-storage entries necessary to keep you signed in (for example, OAuth state and your access token). We do not use third-party advertising cookies or behavioral-tracking pixels.

6. Your Rights and Choices

  • Revoke access at any time from your Google Account's "Third-party apps with account access" page (myaccount.google.com/permissions). Revoking access invalidates the refresh token we hold for you.
  • Delete your data by deleting the TravelItineraryMaker folder from your Google Drive. This removes all itineraries, segments, todos, and processed-email metadata.
  • Request server-side deletion of your encrypted refresh token and share-registry entries by contacting us at the address below.
  • Disconnect a single feature (for example, stop using calendar sync) by simply not invoking it; no data is sent to that feature's sub-processor unless you use it.

7. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from them.

8. Changes to This Policy

We may update this policy from time to time. The "Effective Date" at the top of this page reflects the most recent revision. Material changes will be announced in the application itself before they take effect.

9. Contact

Questions, deletion requests, or concerns about this policy can be sent to support@itinly.app.