Privacy Policy

1. Who We Are

EasyOnward ("we," "us," "our") is a travel intelligence platform that helps travelers understand visa, transit, and entry requirements for international travel. This Privacy Policy explains how we collect, use, store, and protect your personal information.

2. Information We Collect

Account Information

When you create an account, we collect your name and email address via your OAuth provider (Google, Apple). We do not collect or store your OAuth provider password.

Traveler Profile Data

To provide personalized travel compliance analysis, you may voluntarily provide:

• Citizenship(s) and country of residence
• Passport details (issuing country, expiry date, passport number)
• Visa and residence permit information
• Vaccination status (e.g., yellow fever)
• Date of birth and name (from passport scan)

Passport Scan Data

When you use the passport scan feature, your passport image is uploaded to our server for MRZ (Machine Readable Zone) extraction. The image is processed in memory and is not stored. Only the extracted text fields (name, nationality, expiry, etc.) are saved to your profile.

Usage and Analytics Data

We collect anonymized usage data including search queries, affiliate link clicks, pages visited, and feature usage. This data helps us improve the product and is not linked to your identity unless you are signed in.

2a. Health and Other Special-Category Data (GDPR Art. 9)

Draft — pending counsel review. The wording below describes the consent posture engineering has built into the product. The legal review will confirm whether the language and scope meet GDPR Art. 9, UK GDPR, and CCPA / CMIA sensitive-data requirements before public launch.

Some of the data EasyOnward's rules engine can evaluate is considered a special category of personal data under GDPR Article 9 — most notably health information (vaccinations, medications, chronic conditions, pregnancy, travel-insurance coverage). The GDPR forbids us from processing this data unless one of the exemptions in Article 9(2) applies. We rely on Article 9(2)(a): your explicit consent.

Providing this data is optional

You can use EasyOnward without ever entering any health information. When you skip these fields, the rules engine falls back to generic destination-level guidance (for example, it will still warn you about yellow-fever requirements in endemic regions, but it won't personalise the warning to your vaccination status). Every health field on the Profile screen is labelled "optional" — you choose what to share.

What we consider you have consented to

Before you can save any health information to your profile, you must tick an affirmative-consent checkbox. The checkbox label reads "I'm choosing to share this health information to personalise my screening." By ticking it, you give EasyOnward explicit consent to:

• store the health fields you provide, encrypted at rest using AES-256 (Fernet);
• use them only as inputs to the rules engine's evaluation of your own trips — never to provide medical advice and never to share with anyone outside EasyOnward;
• retain them for as long as your account is active (subject to the retention windows in Section 6 below).

EasyOnward is not a medical provider

Nothing the rules engine outputs is medical advice. We surface destination-level facts (e.g., "yellow-fever vaccination is mandatory for entry") and the official source behind them so you can make informed decisions with a qualified healthcare professional. Always consult a doctor or travel-medicine clinic before changing or starting any treatment, and treat our output as a checklist, not a prescription.

Revoking your consent

You can revoke consent at any time from Profile → Medical-data consent. Revoking blocks any further health-data writes immediately and prevents the rules engine from using your health fields in future evaluations. Revoking does not delete the data you have already entered — use the "Delete profile" flow if you want it removed. (We separate the two actions so you can pause sharing without losing the data you have curated.)

Other special categories

EasyOnward does not collect or evaluate biometric data, genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or data concerning sex life or sexual orientation. We do store passport metadata that includes the "sex" field machine-read from the document's Machine Readable Zone — that field is treated as ordinary identifying data under Art. 6, not special-category data under Art. 9, because it is the value the document itself encodes and is required to match the document when crossing a border.

3. How We Use Your Information

• Travel compliance analysis — evaluating visa, transit, and entry requirements based on your profile
• Personalized recommendations — suggesting which passport to use, applicable waivers, required documents
• Account management — authentication, saved trips, group travel features
• Product improvement — understanding which features are used and where users encounter issues
• Affiliate services — when you click an affiliate link (e.g., onward ticket, travel insurance), we track the click for attribution but do not share your profile data with the affiliate provider

4. How We Protect Your Data

• Sensitive fields (passport number, date of birth) are encrypted at rest using AES-256 (Fernet) encryption
• All data in transit is encrypted via TLS
• Authentication uses secure HttpOnly session cookies — no tokens stored in browser localStorage
• Database access is restricted and connection-pooled with parameterized queries (no SQL injection)
• Travel Briefs (shareable compliance reports) contain no PII — only rule explanations and official sources

5. Data Sharing

We do not sell your personal information. We share data only in these limited circumstances:

• Group travel — if you join a group trip, other members may see limited travel compatibility information (e.g., "this destination has a blocker for one member"). Sensitive details (passport numbers, criminal history, health data) are never shared with group members.
• Affiliate partners — when you click an affiliate link, the partner receives a tracking ID and the URL you visited. They do not receive your profile data.
• Legal requirements — we may disclose data if required by law, subpoena, or court order.

5a. Service Providers (Sub-processors)

To run EasyOnward we rely on a small set of third-party services that may process limited categories of your data on our behalf. We choose providers we believe meet appropriate security and data-protection standards, and we only share the minimum data each provider needs to perform its function.

Required for the service to function

• Google and Apple (United States) — sign-in. They receive your email address, name, and the unique identifier your OAuth provider issues for your account.
• Duffel (United Kingdom) — primary flight search provider. Receives airport codes, travel dates, traveller counts, and cabin class. We do not send passport, citizenship, or any other profile data. Amadeus (France) is retained as the legacy provider, with the same minimal data shape.
• Hetzner Online (Finland, EU) — cloud hosting and storage for the production environment. Sensitive fields (passport number, date of birth) are encrypted at rest before they reach the database.
• GitHub (United States) — Docker image hosting for our deployment pipeline. Does not process user data; only application code and container images.
• Let's Encrypt (United States) — TLS certificates for our domains. Does not process user data.

Optional, config-gated

• Sentry (United States) — crash reporting and error monitoring. Receives sanitized error data; passport numbers, dates of birth, medical notes, cookies, and auth headers are stripped before transmission. Disabled unless explicitly configured.
• Calendarific (United States) — holiday calendars used for travel-impact warnings. Receives country codes and year. No user data.
• Google Gemini and Anthropic (United States) — two operator-driven uses, neither carrying user PII:
  1. Visa-catalogue research drafting. Prompts contain only a country name; outputs are human-reviewed before any catalogue update.
  2. Policy-news monitor triage (Anthropic only). The monitor sends Anthropic flagged feed-entry titles, summaries, and URLs from public policy-news sources so it can judge whether a change is material. No traveler-profile data, IP, search history, or any other user-identifying field is included.

Affiliate-redirect partners (browser-driven, not subprocessing)

When you click a "Browse other prices" or comparable affiliate CTA, your browser navigates directly to the partner site. EasyOnward does not transmit your profile, search history, citizenship, or any other server-held data to the partner — the partner sees the same HTTP request your browser would have sent had you typed the URL yourself, plus the affiliate identifier in the URL. The flight-search affiliates that appear on result cards are:

• Travelpayouts (Cyprus / Russia) — click- tracking intermediary for the Kiwi.com partnership; receives your IP, User-Agent, and the corridor + dates in the URL when the Kiwi CTA redirects through tp.media/click. The Aviasales CTA goes directly to Aviasales; Travelpayouts receives that click via Aviasales' server-side attribution callback.
• Aviasales (Cyprus) — the "Browse other prices on Aviasales" CTA on result cards. Receives IP, User-Agent, and corridor + dates via the URL.
• Kiwi.com (Slovakia) — used as the no-results fallback for routes our primary providers don't cover. Same data shape as Aviasales after the Travelpayouts redirect.

The authoritative implementation reference is docs/subprocessors.md in our repository, which records each integration's code paths and is reviewed quarterly. When we add a new sub-processor, this section and that document are updated together.

6. Data Retention

Your profile data is retained as long as your account is active. You can delete your profile data at any time from the Traveler Profile page. If you delete your account, all associated data (profile, trips, evaluations) is permanently deleted within 30 days.

Specific retention windows by data category:

• Account, profile, saved trips — for the life of the account, or 30 days after deletion (whichever ends first).
• Search history + evaluation records — up to 12 months for personalisation and audit; pruned on a rolling basis.
• Affiliate click logs + product analytics — 24 months in aggregated form. The raw event log is pruned at 90 days; aggregated counts (no user identifiers) are retained longer for trend reporting.
• Operational logs (HTTP, error) — 30 days.
• Encrypted offsite backups — retained for up to 35 days, then rotated out. Deletion requests under §7 below do not remove data from already-written backups inside this window; the data is overwritten on the normal rotation.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion of your data
• Export your data in a portable format
• Withdraw consent for data processing
• Opt out of analytics tracking

Data export scope (GDPR Art. 20): the JSON export available from Settings → Privacy includes your account metadata, traveler-profile fields, saved trips, and search history. Some fields are encrypted at rest with per-user keys (passport / visa / permit numbers, free-text notes) and are not emitted in plaintext on the bulk export; they remain accessible to you in their decrypted form through the Profile / Entry Authorisations pages while you are signed in. Request a one-time decrypted bundle by email to the address below if you need it for a portability migration.

To exercise any of these rights, contact us at [email protected].

8. Cookies

We use two essential cookies, both set by our server. We do not use third-party advertising cookies, fingerprinting, or client-side tracking pixels. Analytics is logged server-side from the request, not from a browser cookie. Anonymous visitors receive zero cookies until they take an action that needs one (signing in or starting an OAuth round-trip).

We also use browser localStorage for a few non-identifying preferences (theme, currency, draft guest profile). These are not cookies, are not sent in HTTP requests, and stay on your device until you clear them.

9. Children

EasyOnward is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date. Continued use of the platform after changes constitutes acceptance.

11. EU Representative (GDPR Art. 27)

Draft — pending appointment. EasyOnward is not established in the European Union. Article 27 of the GDPR requires us to designate a representative in the EU for data subjects and supervisory authorities to contact. The appointment and the published contact details below will be finalised before public launch in the EU. Until then this section is a placeholder and you should reach us through the main contact channel in Section 12.

12. Contact

For privacy-related questions or requests — including the rights listed in Section 7 — contact us at [email protected].

If you do not receive a response within seven days, please try again from a different address — replies can be lost to aggressive spam filters on either side. We are working on an in-app contact form to remove this dependency before public launch.