What you should know about your data

Brand: Journee by PeruPremiumAdventure.

Legal entity: [Pending Peruvian SAC formation — final jurisdiction is still open until F4 closes. See pending decisions in journee_decisions.md.]

Founding team: Ives Barcelli and Cococho, co-founders of Journee. We work alongside a network of local operators in Cusco, Lima, and other Peruvian destinations.

Operating address: [Pending — will be updated when the entity is formed.]

Privacy contact: hola@perupremiumadventure.com

When you talk with Journee and we craft your journey, we handle the following information:

• Conversation data: messages exchanged with the chatbot, declared preferences (what inspires you, vibes, constraints), and choices you make on the map.
• Trip data: dates, date granularity, flexibility you've declared, number of travelers, group composition, selected destinations.
• Identification data: name, email, phone number when you share them to confirm a journey or coordinate over WhatsApp.
• Payment data: processed by a regulated external provider [final processor pending F4 closure]. Journee never stores full card numbers or CVVs in its own systems.
• Technical data: approximate IP address, browser type, device language, pages visited. Collected by our privacy-first analytics tool (see Cookies).
• Operational coordination data: messages you send via WhatsApp when applicable to confirm trip details with local operators.

• To craft your journey in a personalized way — the chatbot needs context to suggest coherent experiences.
• To validate operational availability with local operators in Peru (within 12 hours of deposit, per our internal standard).
• To stay in touch before, during, and after your trip (reminders, adjustments, a warm post-trip message).
• To meet legal and tax obligations (invoicing, retention of records per applicable jurisdiction).
• To improve Journee — we analyze aggregate patterns and never re-identify individual cases without your explicit permission.

We share data only when strictly necessary to deliver the service or to comply with the law:

• Local operators in Peru: they receive the minimum data required to execute what we've coordinated (names, dates, declared allergies, group particularities). Each operator signs a data processing agreement.
• Payment processor: [pending F4 closure]. Receives only what's required to process your transaction.
• Anthropic: messages you send to the chatbot go through the Claude API (their privacy policy applies to that segment). We do not use that data to train models.
• Vercel and Neon: web infrastructure and database. They process data in the US under post-Schrems II Standard Contractual Clauses.
• Plausible: privacy-first analytics with no individual tracking cookies.
• What we never do: share your data with advertisers, ad networks, data brokers, or any third party for external marketing purposes.

You have all of the following rights over your data, regardless of your country of residence:

• Access: request a copy of the data we hold about you.
• Rectification: correct inaccurate information.
• Deletion: request that we erase your data (except records we are legally required to retain).
• Portability: receive your data in a standard format to take it elsewhere.
• Objection: ask us to stop processing your data for specific purposes.
• Withdrawal of consent: at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, write to us at hola@perupremiumadventure.com with the subject line "Privacy rights". We respond within 30 days.

• Chatbot conversations: until you ask us to delete them.
• Transactional data and receipts: the applicable legal period (typically 5+ years for tax compliance).
• Analytics data: anonymized after 26 months (GDPR standard).
• Marketing/communication data: as long as your subscription is active, deleted on opt-out.

Your data travels to three main places:

• United States: technology infrastructure (Anthropic, Vercel, AWS via Neon).
• Peru: local operators executing your journey.
• Possibly other jurisdictions: depending on where the final legal entity sits once F4 closes.

When data leaves the European Economic Area or the United Kingdom we apply Standard Contractual Clauses (model clauses approved by the European Commission post-Schrems II) or equivalent mechanisms per jurisdiction.

In plain language, here's what we do to keep it safe:

• Encryption at rest (Neon Postgres) and in transit (HTTPS/TLS 1.2+).
• Role-based access. Admin consoles use HMAC-signed session tokens with short expiration windows.
• Periodic internal audits. When we discover vulnerabilities we remediate them per CVE criticality.
• Breach notification: if something serious happens, we notify you within 72 hours along with the relevant authority, in line with GDPR.

If we update this policy, we notify you via two channels: email to active travelers and a banner on the site visible for at least 30 days. Continued use of Journee after the notice is considered acceptance of the changes.

For any question or complaint, write to us at hola@perupremiumadventure.com. You also have the right to file a complaint with your local data protection authority (in the UK the ICO, in California the Attorney General, in Spain the AEPD, in Peru the Autoridad Nacional de Protección de Datos Personales, etc.).

Disclaimer: this document is a draft prepared by the Journee team. Final validation by a lawyer specialized in international tourism is pending. Once the final legal entity closes (F4), we will update placeholders with real data and re-validate the content.