Legal

Privacy Policy

Last updated: 9 June 2026

1. Who we are

Cavale is a trading name of Nothing Is Permanent Ltd, registered in England and Wales. If you have questions about this policy or your personal data, contact us at hello@cavale.travel.

2. What data we collect and why

Booking data

What: Name, email address, requested dates, guest count, optional message, payment information (processed by Stripe).

Why: To process your booking request and coordinate with the experience operator.

Legal basis: Performance of a contract (GDPR Article 6(1)(b)).

Retention: 7 years after trip completion (tax and legal requirements).

Account data

What: Email address and authentication session.

Why: To provide you with an account to track bookings and manage vouchers.

Legal basis: Performance of a contract (GDPR Article 6(1)(b)).

Retention: Deleted on request via your account settings or by contacting us.

Newsletter

What: Email address.

Why: To send you our fortnightly newsletter about curated travel experiences.

Legal basis: Consent (GDPR Article 6(1)(a)).

Retention: Until you unsubscribe.

Analytics

What: Anonymised usage data (pages visited, device type, approximate location).

Why: To understand how visitors use the site and improve the experience.

Legal basis: Legitimate interest (GDPR Article 6(1)(f)).

Retention: Anonymised data, no personal identifiers stored.

Operator applications

What: Name, company name, email, website, description.

Legal basis: Legitimate interest (GDPR Article 6(1)(f)).

Retention: 2 years.

Contact messages

What: Name, email, message content.

Legal basis: Legitimate interest (GDPR Article 6(1)(f)).

Retention: 1 year.

Reviews

What: Review text, rating, and display name (linked to your booking).

Legal basis: Consent (GDPR Article 6(1)(a)).

Retention: Published reviews remain on the site unless you request removal.

3. Cookies and local storage

We use the smallest set of cookies that lets the site work, plus a few preference keys in your browser’s local storage. Our Cookie Policy has the full list with names and lifetimes.

Strictly necessary cookies

  • Supabase Auth session (sb-<project>-auth-token) — keeps you signed in. HTTP cookie so the server can authenticate every request.
  • Language preference (NEXT_LOCALE) — remembers en / fr / lb across visits.

Browser local storage (not cookies, not sent to our servers)

  • Currency preference — your selected display currency.
  • Cookie consent — your saved preferences for the cookie banner.
  • Auth-token shadow — the supabase-js client mirrors the auth cookie on the page; cleared on sign-out.
  • UI dismissal flags — one-time keys for the welcome banner and onboarding checklist.

PostHog analytics is cookieless. It runs with persistence: ‘memory’ and autocapture: false: no cookies, no localStorage, only the explicit events we’ve defined. State is discarded when you close the tab.

4. Third-party processors

We share personal data with the following services, only as necessary to provide our service:

  • Stripe (PCI DSS Level 1 certified, Ireland/US) — payment processing. Receives payment information directly; we do not store card details.
  • Supabase (EU region, Frankfurt — eu-central-1) — database and authentication. Stores booking data, account data, and reviews.
  • Sanity (EU CDN) — content management system. Stores and delivers editorial content and experience listings; no personal data.
  • PostHog (EU servers, cookieless mode) — anonymised product analytics. No personal data stored.
  • Resend (US) — transactional email delivery. Receives your email address to send booking confirmations and account emails.
  • Beehiiv (US) — newsletter platform. Receives your email address only if you subscribe to our newsletter.
  • Vercel (global) — website hosting and serverless functions. Processes requests and may log IP addresses for security.

5. Data retention

  • Booking records: Kept for 7 years (tax and legal requirements).
  • Account data: Deleted on request via account settings or by emailing us.
  • Analytics data: Anonymised; no personal identifiers stored or retained.
  • Newsletter subscriptions: Until you unsubscribe.

6. Your rights under GDPR

Under GDPR and UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data (“right to be forgotten”).
  • Restriction — ask us to limit how we use your data.
  • Portability — request your data in a machine-readable format.
  • Objection — object to processing based on legitimate interest.

To exercise any of these rights, email hello@cavale.travel or use the “Request my data” option in your account settings. We will respond within 30 days.

7. Legal basis for processing

  • Contract performance (Article 6(1)(b)) — bookings, payments, account management.
  • Legitimate interest (Article 6(1)(f)) — analytics, fraud prevention, operator vetting.
  • Consent (Article 6(1)(a)) — newsletter subscription, reviews.

8. Data transfers

Some of our service providers (Stripe, Resend, Beehiiv, Vercel) may process data outside the European Economic Area. These providers operate under Standard Contractual Clauses or equivalent safeguards approved by the European Commission.

9. Pre-trip communications

After you book, Cavale provides an in-platform messaging channel (“the Concierge”) so you and your experience operator can exchange messages about your trip directly within your account. Messages you send are stored against your booking and are visible to you, the operator, and the Cavale team.

Email notifications:When you receive a message, we send you an email notification (from the operator) so you don’t have to keep checking. When you send a message, the operator receives an email notification. These are service messages tied to your booking, not marketing. You can mute booking notifications in your account settings; operators always receive booking-related notifications.

Phone number sharing at T-7 days: Seven days before your trip, your phone number and the operator’s phone number are shared between you so you can coordinate directly via WhatsApp during your trip window. Both you and the operator agree to this exchange as part of using the Concierge — it exists so you can reach your guide quickly on the ground. If you would prefer not to share your number, contact us at hello@cavale.travel before your trip.

Legal basis: Performance of a contract (GDPR Article 6(1)(b)). Retention: Messages are retained with the booking record (see section 5).

10. Changes to this policy

We may update this privacy policy from time to time. The “last updated” date at the top of this page will always reflect the most recent version.

11. Contact and complaints

For any privacy-related questions or requests, contact us at hello@cavale.travel.

You also have the right to lodge a complaint with a supervisory authority. For Luxembourg residents: CNPD (cnpd.public.lu). For UK residents: ICO (ico.org.uk).