Effective Date: March 31, 2026 · Last Updated: March 31, 2026
NoThinkTravel ("we", "our", or "us") operates the NoThinkTravel mobile application (available on iOS and Android) and the website at nothinktravel.com (collectively, the "Service").
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights regarding your data. When you use the Service, your personal data is processed as described in this Privacy Policy, in accordance with the applicable legal bases set out in Section 6 below.
We are committed to protecting your privacy and handling your data in an open and transparent manner in compliance with the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.
The data controller responsible for your personal data is:
NoThinkTravel
Controller: Anton Shemiakin
Email: support@nothinktravel.com
If you have any questions about how we process your personal data, you can reach us at the email address above.
When you create an account, we collect:
If you sign in with Google, we receive your Google account email, name, and profile photo URL. We store your Google subject identifier to link your account but do not access your Google contacts, calendar, or any other Google data.
Location is core to how NoThinkTravel works. We collect:
Your location coordinates are sent to our server solely to retrieve nearby POIs and calculate routes. We do not build a location history profile. Location data is processed transiently to fulfill your request and is not persisted on our servers. Note that standard server access logs may temporarily record request parameters, including coordinates, as part of normal server operation; these logs are subject to the retention periods described in Section 9.
NoThinkTravel does not currently enable third-party mobile analytics. The app may still create local, non-transmitted events internally so product flows can share one analytics interface, but those events are discarded and are not sent to an analytics provider.
If we enable analytics in the future, we will update this Privacy Policy and, where required by applicable law, request consent before enabling analytics technologies that are not strictly necessary for the Service.
When you request AI-powered place context, guide text, route explanations, or similar features, we process the place name, coordinates, address, Wikidata or OpenStreetMap identifiers, selected route context, language preference, and your prompt or selected options. We do not intentionally send your account password, payment details, contact list, or precise location history to AI providers.
AI responses may be cached on our server to improve performance and reduce repeated external API calls. AI-generated content is informational only and may be inaccurate.
If you buy or restore a subscription, we process store purchase tokens, transaction identifiers, product identifiers, subscription status, and expiry dates to validate access. Payments are processed by Apple App Store or Google Play; we do not receive your full payment card details.
Some personal data is necessary to provide the Service. Below is a summary of what is required and what happens if you choose not to provide it:
| Data | Required? | Consequence if Not Provided |
|---|---|---|
| Email and password (or Google Sign-In) | Yes | You cannot create an account or use the Service |
| Foreground location | Yes, for core features | Nearby POIs, route generation, and map positioning will not function |
| Background location | No (opt-in) | Proximity notifications will not be available; all other features work normally |
| First name, last name, profile photo | No (optional) | Your profile will display your email instead |
| Analytics | No (where consent is required) | No impact on Service functionality |

| Purpose | Data Used |
|---|---|
| Provide the Service (map, POIs, routes) | Location, search queries |
| Account management and authentication | Email, password hash, Google ID |
| Generate AI-powered place descriptions, guide text, and route context | POI name, coordinates, address, route context, Wikidata/OpenStreetMap IDs, prompt/options |
| Validate purchases and manage subscription access | Store purchase tokens, transaction IDs, product IDs, subscription status, expiry date |
| Send proximity notifications (opt-in) | Background location |
| Save your favorites and route history | Account ID, selected POIs, route data |
| Improve the app and understand usage patterns | Aggregated operational feedback and support requests; no third-party mobile analytics is currently enabled |
| Protect against abuse and ensure security | IP address, User-Agent, rate limiting |
We do not use your data for advertising, sell your personal data to third parties, or create behavioral profiles for marketing purposes.
Under the GDPR and UK GDPR, we rely on the following legal bases for each processing activity:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and login | Contract — necessary to provide the Service |
| POI discovery and route generation using foreground location | Contract — core Service functionality |
| Saving favorites and route history | Contract — requested feature of the Service |
| AI-generated place descriptions | Contract — core Service functionality |
| Background location for proximity notifications | Consent — opt-in via app settings; withdrawable at any time |
| Push notifications | Consent — opt-in via device permissions; withdrawable at any time |
| Third-party mobile analytics | Not currently enabled. If enabled later, we will rely on consent where required or another appropriate legal basis under applicable law |
| Security logging (IP, User-Agent, token events) | Legitimate interest — fraud prevention, abuse detection, account security |
| Rate limiting | Legitimate interest — protecting Service availability |
Where we rely on consent, you can withdraw it at any time through your device settings or the app, without affecting the lawfulness of processing before withdrawal.
Where we rely on legitimate interest, we have assessed that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest — see Section 11.
We share personal data only when necessary to provide the Service. Below are the categories of recipients and their roles:
| Service | Role | Purpose | Data Shared |
|---|---|---|---|
| Google Sign-In | Independent controller | OAuth authentication | Google ID token (user-initiated) |
| OpenAI / Perplexity AI | Data processor | AI-generated place descriptions, guide text, and route context | Place name, coordinates, address, route context, Wikidata/OpenStreetMap IDs, prompt/options |
| Apple App Store / Google Play | Independent controller / payment platform | Subscriptions, purchase validation, restore purchases | Store purchase tokens, transaction IDs, product IDs, subscription status |
| Wikidata | Public data source | POI enrichment (descriptions, images) | Wikidata entity IDs (no personal data; client-side requests) |
| Geograph | Public data source | Photo metadata (UK landmarks) | Photo URLs (no personal data; client-side requests) |
The following services run entirely on our own infrastructure within the EU. No data is shared with external parties through these services:
Our servers are hosted by Contabo GmbH (Germany), which acts as infrastructure provider. Contabo provides the physical server but does not access or process your personal data on our behalf.
We implement appropriate technical and organizational measures to protect your data, including:
While we take reasonable steps to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
We retain your data only for as long as necessary for the purposes described in this policy or as required by law. If you delete your account, account-related data is retained for up to 30 days after the deletion request and then permanently deleted, unless a longer retention period is required by law.
| Data | Retention Period |
|---|---|
| Account information | Until you delete your account, then retained for up to 30 days before permanent deletion |
| Favorites and route history | Until you delete them, or for up to 30 days after account deletion, then permanently deleted |
| Cached place descriptions | Indefinite server-side cache; periodically refreshed (no personal data) |
| POI tile cache | 60 days (automatic expiration) |
| Access tokens (JWT) | 60 minutes |
| Refresh tokens | 60 days, or until revoked on logout/rotation |
| Security logs (IP address, User-Agent, authentication events) | 90 days, then automatically purged |
| Server access logs (may include request parameters) | 30 days |
| Third-party mobile analytics data | Not currently collected |
| Local device data (preferences, recent searches) | Until you clear app data or uninstall the app |
We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significant effects on you.
While the Service uses AI technology (OpenAI and/or Perplexity AI) to generate place descriptions, guide text, and route context, this processing is informational and does not affect your rights or produce decisions about you.
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights:
To exercise any of these rights, contact us at support@nothinktravel.com. We will respond within 30 days. If the request is complex, we may extend this by up to 60 additional days, in which case we will inform you of the extension and the reasons.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority (DPA).
If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by CPRA):
Categories of personal information we collect:
Sources: directly from you (account creation, app usage) and automatically from your device (IP address and request metadata).
Business purposes: providing the Service, account management, security, and app improvement as detailed in Section 5.
Third parties receiving data: as listed in Section 7.
Your rights:
How to submit a request: email support@nothinktravel.com with the subject line "CCPA Request". We will verify your identity and respond within 45 days.
The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@nothinktravel.com and we will promptly delete such information.
Our servers are located in the European Union (Germany). If you access the Service from outside the EU, your data will be transferred to and processed in the EU.
Some third-party services may process data outside the EU/EEA:
You may request further details about the safeguards in place for international transfers by contacting us at support@nothinktravel.com.
We may update this Privacy Policy from time to time. When we make material changes, we will:
We encourage you to review this policy periodically.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
NoThinkTravel
Controller: Anton Shemiakin
Email: support@nothinktravel.com
Website: nothinktravel.com
If you are in the EU/EEA or the UK and believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority. A list of EEA DPAs can be found on the European Data Protection Board website.