Privacy Policy

Effective 2026-06-15. Last updated 2026-06-15.

This Privacy Policy explains what data VerTrek ("we," "us") collects when you use the VerTrek mobile app and website, how we use it, and the choices you have.

The short version

We collect what we need to find flights and hotels and to book them on your behalf.
We do not sell your personal data.
You can delete your account and all associated booking history at any time from the app or this deletion page.

What we collect

Account information

When you sign up we collect your email address and the password you set (we never see the password in plain text — it's handled by AWS Cognito). When you complete your profile you may add your name, date of birth, and phone number; these are required by airlines to issue tickets.

Booking information

To complete a booking we share your passenger details with our flight and hotel providers. After a booking confirms we store the booking reference, status, dates, and amount so we can show your trips in the app and let you cancel later.

Device information

We collect basic device identifiers (operating system, app version, push notification token if you opt in) for service operation and to send relevant trip notifications.

Usage data

We collect anonymous aggregate usage metrics (which screens are visited, which searches are run) so we can improve the product. We do not collect a precise location.

How we use it

Find and book trips: We send your search criteria and passenger details to our travel API provider (Duffel) to issue bookings.
Communicate with you: Booking confirmations, departure reminders, and account notifications.
Operate and improve the service: Diagnose bugs, prevent abuse, and improve relevance of results.

Who we share it with

Travel providers (Duffel and the airlines/hotels you book): the passenger and booking details required to issue your ticket or reservation.
Infrastructure providers (Amazon Web Services): hosting, database, authentication.
Push notification services (Apple Push Notification service, Firebase Cloud Messaging): only the push token, not any personal data.

We do not sell, rent, or trade your personal data to advertisers or marketing brokers.

Data retention and deletion

We keep account and booking data as long as your account is active. When you delete your account:

Your Cognito account is removed within 24 hours.
Your stored profile (name, DOB, phone) and booking history are deleted from our database.
We may retain anonymized aggregate booking data (e.g. "1 trip to Lisbon in June 2026") for analytics and reporting. This cannot be linked back to you.
Bookings that have already been issued by the airline or hotel remain in their systems per their own retention policies; we cannot delete those on your behalf.

Delete your account anytime in the app under Profile → Delete account, or via the web request form.

Your rights

Depending on where you live, you may have the right to access, correct, export, or delete the personal data we hold about you. To exercise any of these rights, email privacy@vertrek.io. We'll respond within 30 days.

Children

VerTrek is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe we have, contact privacy@vertrek.io and we will delete it.

Security

We use HTTPS in transit, encrypted storage at rest, and AWS Cognito for password handling. We do not store payment card data — payments are processed by our travel provider.

Changes to this policy

We'll post material changes here and update the "Last updated" date. Significant changes will trigger an in-app notice.

Contact

Questions about privacy: privacy@vertrek.io