Privacy Policy

1. Who we are

Cavale is operated by Nothing is Permanent Ltd, a digital agency based in London, UK. If you have questions about this policy or your personal data, contact us at hello@cavale.travel.

2. What data we collect and why

Booking data

What: Name, email address, requested dates, guest count, optional message, payment information (processed by Stripe).

Why: To process your booking request and coordinate with the experience operator.

Legal basis: Performance of a contract (GDPR Article 6(1)(b)).

Retention: 3 years after trip completion.

Account data

What: Email address and authentication session.

Why: To provide you with an account to track bookings and manage vouchers.

Legal basis: Consent (GDPR Article 6(1)(a)).

Retention: Until you request account deletion.

Newsletter

What: Email address.

Why: To send you our fortnightly newsletter about curated travel experiences.

Legal basis: Consent (GDPR Article 6(1)(a)).

Retention: Until you unsubscribe.

Operator applications

What: Name, company name, email, website, description.

Legal basis: Legitimate interest (GDPR Article 6(1)(f)).

Retention: 2 years.

Contact messages

What: Name, email, message content.

Legal basis: Legitimate interest (GDPR Article 6(1)(f)).

Retention: 1 year.

Reviews

What: Review text, rating, and display name (linked to your booking).

Legal basis: Consent (GDPR Article 6(1)(a)).

Retention: Published reviews remain on the site unless you request removal.

3. Cookies and local storage

We use only essential storage to make the site work:

• Currency preference (localStorage) — remembers your selected display currency.
• Authentication session (localStorage) — keeps you signed in if you have an account.
• Cookie consent (localStorage) — remembers your cookie preferences.
• Language routing — handled via URL path (/en/, /fr/, /lb/), no cookie required.

We do not currently use analytics or marketing cookies. If this changes, we will update this policy and request your consent via the cookie banner.

4. Third-party services

We share personal data with the following services, only as necessary to provide our service:

• Supabase (EU region) — database and authentication. Stores booking data, account data, and reviews.
• Stripe (PCI compliant) — payment processing. Receives payment information directly; we do not store card details.
• Resend — transactional email delivery. Receives your email address to send booking confirmations and account emails.
• Beehiiv — newsletter platform. Receives your email address when you subscribe to our newsletter.
• Vercel — website hosting and serverless functions. Processes requests and may log IP addresses for security.

5. Your rights

Under GDPR and UK GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — ask us to delete your data (“right to be forgotten”).
• Restriction — ask us to limit how we use your data.
• Portability — request your data in a machine-readable format.
• Objection — object to processing based on legitimate interest.

To exercise any of these rights, email hello@cavale.travel. We will respond within 30 days.

6. Data transfers

Some of our service providers (Stripe, Vercel, Beehiiv) may process data outside the European Economic Area. These providers operate under Standard Contractual Clauses or equivalent safeguards approved by the European Commission.

7. Changes to this policy

We may update this privacy policy from time to time. The “last updated” date at the top of this page will always reflect the most recent version.

8. Contact and complaints

For any privacy-related questions or requests, contact us at hello@cavale.travel.

You also have the right to lodge a complaint with a supervisory authority. For Luxembourg residents: CNPD (cnpd.public.lu). For UK residents: ICO (ico.org.uk).