Skip to content

Legal

Privacy Policy

Last updated: 25 April 2026

1. Who we are

Cavale is a trading name of Nothing Is Permanent Ltd, registered in England and Wales. If you have questions about this policy or your personal data, contact us at hello@cavale.travel.

2. What data we collect and why

Booking data

What: Name, email address, requested dates, guest count, optional message, payment information (processed by Stripe).

Why: To process your booking request and coordinate with the experience operator.

Legal basis: Performance of a contract (GDPR Article 6(1)(b)).

Retention: 7 years after trip completion (tax and legal requirements).

Account data

What: Email address and authentication session.

Why: To provide you with an account to track bookings and manage vouchers.

Legal basis: Performance of a contract (GDPR Article 6(1)(b)).

Retention: Deleted on request via your account settings or by contacting us.

Newsletter

What: Email address.

Why: To send you our fortnightly newsletter about curated travel experiences.

Legal basis: Consent (GDPR Article 6(1)(a)).

Retention: Until you unsubscribe.

Analytics

What: Anonymised usage data (pages visited, device type, approximate location).

Why: To understand how visitors use the site and improve the experience.

Legal basis: Legitimate interest (GDPR Article 6(1)(f)).

Retention: Anonymised data, no personal identifiers stored.

Operator applications

What: Name, company name, email, website, description.

Legal basis: Legitimate interest (GDPR Article 6(1)(f)).

Retention: 2 years.

Contact messages

What: Name, email, message content.

Legal basis: Legitimate interest (GDPR Article 6(1)(f)).

Retention: 1 year.

Reviews

What: Review text, rating, and display name (linked to your booking).

Legal basis: Consent (GDPR Article 6(1)(a)).

Retention: Published reviews remain on the site unless you request removal.

3. Cookies and local storage

We use the smallest set of cookies that lets the site work, plus a few preference keys in your browser’s local storage. Our Cookie Policy has the full list with names and lifetimes.

Strictly necessary cookies

  • Supabase Auth session (sb-<project>-auth-token) — keeps you signed in. HTTP cookie so the server can authenticate every request.
  • Language preference (NEXT_LOCALE) — remembers en / fr / lb across visits.

Browser local storage (not cookies, not sent to our servers)

  • Currency preference — your selected display currency.
  • Cookie consent — your saved preferences for the cookie banner.
  • Auth-token shadow — the supabase-js client mirrors the auth cookie on the page; cleared on sign-out.
  • UI dismissal flags — one-time keys for the welcome banner and onboarding checklist.

PostHog analytics is cookieless. It runs with persistence: ‘memory’ and autocapture: false: no cookies, no localStorage, only the explicit events we’ve defined. State is discarded when you close the tab.

4. Third-party processors

We share personal data with the following services, only as necessary to provide our service:

  • Stripe (PCI DSS Level 1 certified, Ireland/US) — payment processing. Receives payment information directly; we do not store card details.
  • Supabase (EU region, Frankfurt — eu-central-1) — database and authentication. Stores booking data, account data, and reviews.
  • Sanity (EU CDN) — content management system. Stores and delivers editorial content and experience listings; no personal data.
  • PostHog (EU servers, cookieless mode) — anonymised product analytics. No personal data stored.
  • Resend (US) — transactional email delivery. Receives your email address to send booking confirmations and account emails.
  • Beehiiv (US) — newsletter platform. Receives your email address only if you subscribe to our newsletter.
  • Vercel (global) — website hosting and serverless functions. Processes requests and may log IP addresses for security.

5. Data retention

  • Booking records: Kept for 7 years (tax and legal requirements).
  • Account data: Deleted on request via account settings or by emailing us.
  • Analytics data: Anonymised; no personal identifiers stored or retained.
  • Newsletter subscriptions: Until you unsubscribe.

6. Your rights under GDPR

Under GDPR and UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data (“right to be forgotten”).
  • Restriction — ask us to limit how we use your data.
  • Portability — request your data in a machine-readable format.
  • Objection — object to processing based on legitimate interest.

To exercise any of these rights, email hello@cavale.travel or use the “Request my data” option in your account settings. We will respond within 30 days.

7. Legal basis for processing

  • Contract performance (Article 6(1)(b)) — bookings, payments, account management.
  • Legitimate interest (Article 6(1)(f)) — analytics, fraud prevention, operator vetting.
  • Consent (Article 6(1)(a)) — newsletter subscription, reviews.

8. Data transfers

Some of our service providers (Stripe, Resend, Beehiiv, Vercel) may process data outside the European Economic Area. These providers operate under Standard Contractual Clauses or equivalent safeguards approved by the European Commission.

9. Changes to this policy

We may update this privacy policy from time to time. The “last updated” date at the top of this page will always reflect the most recent version.

10. Contact and complaints

For any privacy-related questions or requests, contact us at hello@cavale.travel.

You also have the right to lodge a complaint with a supervisory authority. For Luxembourg residents: CNPD (cnpd.public.lu). For UK residents: ICO (ico.org.uk).