Privacy Policy

SpaceTrip is operated by SV-Union. If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at: Email: privacy@sv-union.com Website: https://spacetrip.sv-union.com

We collect and process the following categories of personal data: Account data (Email registration): - Email address - Username - First name and last name - Password (stored as a secure hash — never in plain text) Account data (Social login): - Telegram: Telegram user ID, username, first and last name - Google: Google account ID, email address, name, profile picture - Microsoft: Microsoft account ID, email address, name Profile data (optional, provided by you): - Profile avatar / photo URL - Short biography (bio) - Personal website URL - Preferred language, currency, and timezone Trip data: - Travel plans: title, description, destination country and city, travel dates - Trip days, places visited, personal notes - Saved flights: airline, flight number, route, departure time, price, booking URL - Saved hotels: hotel name, location, check-in/check-out dates, price, booking URL Flight alert data: - Origin and destination airports (IATA codes) - Travel date range and maximum price threshold - Alert hit records (flight details when a price match is found) Notification data: - In-app notifications: type, title, body, read status Technical data (collected automatically): - IP address - Browser type and version - Operating system - HTTP request headers including Accept-Language (used to detect your preferred language)

We collect your data in the following ways: - Directly from you when you register, fill in your profile, create trips, or set up flight alerts - From third-party authentication providers (Telegram, Google, Microsoft) when you choose to log in via those services - Automatically through your use of our platform (technical data, server logs)

We process your personal data on the following legal bases under the General Data Protection Regulation (GDPR): - Contract performance (Art. 6(1)(b)): Processing necessary to provide our services, including account management, trip planning, and flight alerts - Legitimate interests (Art. 6(1)(f)): Ensuring platform security, preventing fraud, and sending service-related notifications - Consent (Art. 6(1)(a)): Newsletter subscriptions and optional marketing notifications. You can withdraw consent at any time in your profile settings - Legal obligation (Art. 6(1)(c)): Where required by applicable law

We use your personal data for the following purposes: - Creating and managing your user account - Providing and personalising the trip planning features - Monitoring flight prices and sending alerts when your price threshold is reached - Sending notifications via Telegram and/or Email (only if enabled by you in settings) - Sending service-related emails such as email address verification and password reset - Displaying your public profile and shared trips to other users (only if you explicitly enable this) - Detecting and preventing fraud and abuse of our platform - Improving and developing SpaceTrip features

We do not sell your personal data. We share data with third parties only to the extent necessary to operate our services: Authentication providers: - Telegram (when you log in via Telegram Mini App) - Google LLC (when you log in via Google) - Microsoft Corporation (when you log in via Microsoft) Their respective privacy policies apply when you use these login methods. Flight search — Travelpayout / Aviasales: We use the Travelpayout Data API to search for flight prices. Search queries include origin airport, destination airport, and travel dates. No personal user data (name, email, account ID) is transmitted to Travelpayout. Hotel search — Booking.com: We generate deep links to Booking.com search results. When you click a hotel link, you are redirected to Booking.com and their privacy policy applies. We do not transmit your personal data to Booking.com. Email delivery: We use our mail infrastructure (sv-union.com) to send transactional emails including email verification, password reset, and flight alert notifications. We require all third-party service providers to respect the security of your data and to process it only in accordance with our instructions and applicable law.

SpaceTrip participates in affiliate programmes with Aviasales (Travelpayout) and Booking.com. When you click on a flight or hotel booking link and complete a purchase, we may earn a small commission at no additional cost to you. Affiliate booking links are only opened when you explicitly click on them. We never automatically open booking URLs in the background.

We retain your personal data for as long as your account is active or as needed to provide our services: - Account and profile data: Retained until you delete your account - Trip data: Retained until you delete the trip or your account - Flight alerts and alert hits: Retained until you delete the alert or your account - In-app notification records: Retained for up to 12 months - Email verification tokens: Expire automatically after 7 days - Password reset tokens: Expire automatically after 2 hours - Server/technical logs: Retained for up to 30 days When you delete your account, all personal data associated with your account is permanently and irreversibly deleted within 30 days, except where we are required by law to retain it longer.

If you are located in the European Economic Area (EEA), you have the following rights: - Right of access (Art. 15 GDPR): Request a copy of all personal data we hold about you. Use the in-app Export Data feature (Settings → Export Data) or contact us. - Right to rectification (Art. 16 GDPR): Correct inaccurate or incomplete data directly in your profile settings. - Right to erasure (Art. 17 GDPR): Permanently delete your account and all associated data via Settings → Delete Account. - Right to restriction of processing (Art. 18 GDPR): Request that we restrict how we process your data in certain circumstances. - Right to data portability (Art. 20 GDPR): Export all your data as a structured JSON file via Settings → Export Data. - Right to object (Art. 21 GDPR): Object to processing based on our legitimate interests. - Right to withdraw consent: Where processing is based on your consent (e.g. newsletter), you can withdraw it at any time in profile settings. To exercise any of these rights, use the in-app features or contact us at privacy@sv-union.com. We will respond within 30 days. We may ask you to verify your identity before fulfilling your request.

We implement appropriate technical and organisational measures to protect your personal data: - All passwords are stored using a secure one-way hashing algorithm and are never stored or transmitted in plain text - All communication between your browser and our servers is encrypted using HTTPS/TLS - JWT authentication tokens have limited lifetimes: access tokens expire after 24 hours, refresh tokens after 30 days - Our backend API is not directly accessible from the internet — all requests are proxied through our frontend server - Email verification and password reset tokens are single-use and expire automatically - Access to production systems is restricted to authorised personnel only Despite our efforts, no method of data transmission over the internet or electronic storage is 100% secure. We cannot guarantee the absolute security of your data.

SpaceTrip is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child under 16 has provided us with personal data without appropriate consent, please contact us at privacy@sv-union.com and we will delete it promptly.

Your data is primarily processed and stored within the European Union. When you use social login providers such as Google or Microsoft, your authentication data may be processed by those providers in countries outside the EEA. In such cases, we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards as required by GDPR Chapter V.

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of significant changes by updating the "Last Updated" date at the top of this page and, where appropriate, by sending an in-app notification. We encourage you to review this Privacy Policy periodically. Continued use of SpaceTrip after changes have been posted constitutes your acceptance of the updated policy.

For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact us: Email: privacy@sv-union.com Website: https://spacetrip.sv-union.com If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority responsible for data protection in your country of residence.