Privacy Policy

1. What we collect

We collect the minimum data needed to operate the service:

• Account information: your email address and an encrypted password hash (or third-party authentication identifier if you sign in via OAuth, when available).
• Trip inputs: destination, dates, party size, traveler profile, and passport country you enter into the brief form. We use these to generate your brief and to fetch the right government advisory and weather data. We retain generated briefs for as long as your account is active.
• Travel programs (optional): credit card programs, airline / alliance / hotel elite status, and trusted traveler memberships you choose to add to your profile. Used only to personalize your brief recommendations. Stored encrypted at rest in our database.
• Payment information: when you upgrade to Pro, payment details are collected and processed by Stripe directly. We never see or store your full card number. We store only a Stripe customer ID and your subscription status.
• Usage data: timestamps of brief generation requests, your client IP for rate limiting (retained no longer than 24 hours), and basic error logs for debugging.

2. How we use your data

• Authenticate you and maintain your session.
• Generate trip briefs personalized to your profile and travel programs.
• Process subscription payments and manage your Pro access.
• Send transactional emails: account confirmation, password reset, subscription receipts.
• Protect the service from abuse via rate limiting and anomaly detection.
• Improve the product by analyzing aggregate, anonymized usage patterns (no individual-identifying analysis).

We do not use your data for advertising. We do not sell your data. We do not share it with third parties except as described below.

3. Third-party services

Groundwork is built on top of several third-party services. Each receives only the data necessary for its function:

• Supabase (database + authentication): stores your account, profile, brief history, and travel programs. Supabase's privacy policy: supabase.com/privacy.
• Vercel (hosting + analytics): serves the website and collects basic, anonymized request metadata. vercel.com/legal/privacy-policy.
• Stripe (payment processing): handles all credit card data, subscription billing, and webhook events. stripe.com/privacy.
• Anthropic (AI brief generation): receives your destination, dates, profile, and travel programs as part of the brief prompt. Anthropic does not retain prompt content for training. anthropic.com/legal/privacy.
• Open-Meteo (weather): receives the destination coordinates to return weather data. No identifying information is sent.
• Government advisory feeds: US State Department, UK FCDO, Canada Global Affairs, Australia Smartraveller. We fetch their public RSS or JSON feeds — no user-identifying data is sent.

4. Cookies and local storage

We use first-party cookies and browser local storage only as needed to keep you signed in and remember your session. We do not use third-party advertising or tracking cookies.

5. Your rights

You have the right to access, correct, export, or delete your personal data at any time. To exercise these rights:

• Access / export: contact us via the support email below and we will provide a copy of all data we hold about you within 30 days.
• Correction: most account information can be edited from your account settings. For other corrections, contact us.
• Deletion: contact us to permanently delete your account and associated data. Note that we retain certain billing records as required by tax law for the minimum statutory period.

If you are in the European Union or United Kingdom, you have additional rights under GDPR / UK GDPR including the right to object to processing and to lodge a complaint with your local data protection authority. California residents have additional rights under the CCPA.

6. Data retention

We retain account and profile data for as long as your account is active. Generated briefs are retained while the account exists so you can access your history. Billing records are retained for the statutory period (typically 7 years). Rate limiting and request logs are retained for 24 hours.

7. Children

Groundwork is not intended for users under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it.

8. Security

We use industry-standard encryption in transit (TLS) and at rest (Supabase / Vercel infrastructure). Passwords are hashed using bcrypt-equivalent algorithms. We do not have access to your plain-text password at any time. Despite these measures, no system is 100% secure — please use a strong unique password and notify us immediately if you suspect your account has been compromised.

9. International data transfers

Groundwork is operated from the United States. If you access the service from outside the US, your data will be transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses for international data transfers.

10. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of this page reflects when it was last changed. Material changes will be communicated via email to registered users at least 30 days before taking effect.

11. Contact

For questions about this policy, data requests, or to exercise your rights:

• Email: maarteno@arrive-prepared.com
• Entity: Groundwork Travel Intelligence LLC, Connecticut, USA