1. Who we are
Budge (“we”, “us”, “our”) is an AI-powered travel research service operated by Budge, accessible at budge.me. For privacy-related enquiries, contact us at legal@budge.me.
2. What data we collect
When you use Budge, we collect:
- Account data — your email address and name, provided directly or via Google OAuth
- Travel preferences — trip styles, interests, and travel context you provide during onboarding and in your profile
- Trip and chat data — destinations, travel dates, party details, and your AI research conversations
- Anonymous session data — if you use the public “Try it” experience without signing in, we store a temporary session identifier (held in your browser's localStorage), your destination, travel-party details, and chat messages. This data is linked to a random session ID, not to your identity, and can be migrated to a full account if you sign up.
- Contact form data — if you contact us via the site's contact form, we collect your name, email address, and message, along with technical metadata including your IP address, browser user-agent, page URL, and any UTM campaign parameters present in the URL at the time of submission. This metadata is used solely for spam prevention and triage.
- Newsletter subscription data — if you subscribe to product updates, we store your email address and subscription status (pending, confirmed, or unsubscribed). We use a double opt-in process; your subscription is only confirmed after you click the verification link we send.
- Feedback data — ratings, NPS scores, and comments you voluntarily submit, whether or not you are signed in
- Usage data — pages visited and features used, to improve the product
We do not collect payment information, precise location data, or any special category data under GDPR.
3. How we use your data
We use your data to:
- Provide and personalise the Budge service
- Generate AI-powered trip research and plans using your preferences and conversation history
- Send transactional emails — account verification, password reset, and service notices
- Send product update emails to subscribers who have opted in (you can opt out at any time via the unsubscribe link in any email)
- Respond to contact form enquiries
- Analyse aggregated, anonymised feedback to improve the product
- Detect and prevent spam and abuse on public-facing endpoints
We do not sell your data. We do not use your data to train AI models.
4. Legal basis for processing (GDPR)
- Contract performance — processing your account, trip, and chat data to deliver the service you signed up for
- Legitimate interests — improving the product using anonymised usage and feedback data; spam and abuse prevention using contact form metadata
- Consent — sending product update emails and maintaining newsletter subscriptions; you may withdraw consent at any time
5. Data sharing
We share data only with the following third-party processors, under data processing agreements:
- Amazon Web Services (AWS) — cloud infrastructure, database (DynamoDB), AI model hosting (Bedrock), and email delivery (SES)
- Vercel — frontend hosting
- Google — OAuth authentication (if you sign in with Google); reCAPTCHA (for spam prevention on the contact form)
No other third parties receive your personal data.
6. Data retention
- Account and profile data — retained while your account is active; deleted within 30 days of an account deletion request
- Trip and chat data — retained while your account is active; individual messages expire after 90 days automatically
- Anonymous session data (“Try it”) — retained for the duration of your session; migrated to your account if you sign up, otherwise retained for product analytics unless you request deletion
- Contact form messages — retained for up to 12 months to allow us to respond to and track enquiries
- Newsletter subscription records — retained until you unsubscribe, plus a short period thereafter for compliance; unsubscribe records are kept to honour opt-outs
- Feedback data — retained for up to 2 years for product improvement purposes
You may request deletion of your data at any time by emailing legal@budge.me.
7. Your rights under GDPR
You have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data (“right to be forgotten”)
- Restriction — ask us to limit how we process your data
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — for any processing based on consent (e.g. marketing emails); use the unsubscribe link in any email or email us directly
To exercise any right, email legal@budge.me. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
8. Cookies and local storage
We use browser localStorage to store your session tokens, anonymous session ID (for the “Try it” experience), theme preference, and UI state (such as dismissed prompts). We do not use third-party tracking cookies or advertising cookies.
9. Data security
Your data is stored in AWS infrastructure with encryption at rest and in transit. Access is restricted to authorised personnel only. Public-facing submission endpoints (such as the contact form) are protected by shared secrets and reCAPTCHA to prevent automated abuse. We follow industry-standard security practices.
10. Children
Budge is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us data, contact legal@budge.me and we will delete it promptly.
11. Changes to this policy
We may update this policy from time to time. We will notify you of material changes by email or via an in-app notice. The “last updated” date at the top reflects the most recent revision.