Privacy Policy — NoThinkTravel

1. Introduction

NoThinkTravel ("we", "our", or "us") operates the NoThinkTravel mobile application (available on iOS and Android) and the website at nothinktravel.com (collectively, the "Service").

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights regarding your data. When you use the Service, your personal data is processed as described in this Privacy Policy, in accordance with the applicable legal bases set out in Section 6 below.

We are committed to protecting your privacy and handling your data in an open and transparent manner in compliance with the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

NoThinkTravel
Controller: Anton Shemiakin
Email: support@nothinktravel.com

If you have any questions about how we process your personal data, you can reach us at the email address above.

3. Data We Collect

3.1 Account Information

When you create an account, we collect:

Email address — used as your account identifier and for account-related communications
Password — stored in hashed form only (we never store or have access to your plaintext password)
First and last name (optional) — for personalizing your profile
Profile photo URL (optional) — if you choose to add a profile picture

If you sign in with Google, we receive your Google account email, name, and profile photo URL. We store your Google subject identifier to link your account but do not access your Google contacts, calendar, or any other Google data.

3.2 Location Data

Location is core to how NoThinkTravel works. We collect:

Foreground location — your coordinates while the app is open, used to show nearby points of interest (POIs), generate walking routes, and display your position on the map
Background location (opt-in only) — if you enable the "Nearby POI Notifications" feature in Settings, the app monitors your location in the background to alert you when you are near notable landmarks. You can disable this at any time from the app settings or your device's system settings

Your location coordinates are sent to our server solely to retrieve nearby POIs and calculate routes. We do not build a location history profile. Location data is processed transiently to fulfill your request and is not persisted on our servers. Note that standard server access logs may temporarily record request parameters, including coordinates, as part of normal server operation; these logs are subject to the retention periods described in Section 9.

3.3 Search Data

Search queries — text you enter when searching for destinations, sent to our server for geocoding
Recent searches — the last 10 searches are stored locally on your device for convenience; they are not transmitted to our servers

3.4 User-Generated Content

Favorites — POIs you bookmark are stored on our server, associated with your account
Route history — generated routes you save, including route geometry and associated POIs, are stored on our server

3.5 Device and Technical Data

IP address — collected with authentication requests for security purposes (session tracking and token reuse detection)
User-Agent string — browser/app identifier, collected with authentication requests
Device platform — iOS or Android, inferred from app usage
App preferences — theme (dark/light), language preference, route duration preference — stored locally on your device only

3.6 Analytics Data

We use Firebase Analytics (provided by Google) to understand how the app is used. Where required by applicable law (including in the EEA and UK), we will obtain your consent before enabling analytics technologies that are not strictly necessary for the Service. Firebase may collect:

Screen views and navigation patterns
Feature usage events (e.g., viewing a POI, generating a route, searching)
Authentication events (login/signup method, without credentials)
Device identifiers, app version, OS version
General location (country/region level, derived by Google from IP)

Firebase Analytics data is processed by Google and is governed by Google's Privacy Policy. You can opt out of Firebase Analytics by disabling analytics in your device settings or by contacting us.

4. Provision of Data and Consequences

Some personal data is necessary to provide the Service. Below is a summary of what is required and what happens if you choose not to provide it:

Data	Required?	Consequence if Not Provided
Email and password (or Google Sign-In)	Yes	You cannot create an account or use the Service
Foreground location	Yes, for core features	Nearby POIs, route generation, and map positioning will not function
Background location	No (opt-in)	Proximity notifications will not be available; all other features work normally
First name, last name, profile photo	No (optional)	Your profile will display your email instead
Analytics	No (where consent is required)	No impact on Service functionality

5. How We Use Your Data

Purpose	Data Used
Provide the Service (map, POIs, routes)	Location, search queries
Account management and authentication	Email, password hash, Google ID
Generate AI-powered place descriptions	POI name, coordinates, Wikidata ID (no personal data)
Send proximity notifications (opt-in)	Background location
Save your favorites and route history	Account ID, selected POIs, route data
Improve the app and understand usage patterns	Analytics events
Protect against abuse and ensure security	IP address, User-Agent, rate limiting

We do not use your data for advertising, sell your personal data to third parties, or create behavioral profiles for marketing purposes.

6. Legal Basis for Processing

Under the GDPR and UK GDPR, we rely on the following legal bases for each processing activity:

Processing Activity	Legal Basis
Account creation and login	Contract — necessary to provide the Service
POI discovery and route generation using foreground location	Contract — core Service functionality
Saving favorites and route history	Contract — requested feature of the Service
AI-generated place descriptions	Contract — core Service functionality
Background location for proximity notifications	Consent — opt-in via app settings; withdrawable at any time
Push notifications	Consent — opt-in via device permissions; withdrawable at any time
Firebase Analytics	Consent (EEA/UK) or Legitimate interest (where consent is not required by local law) — understanding usage to improve the Service
Security logging (IP, User-Agent, token events)	Legitimate interest — fraud prevention, abuse detection, account security
Rate limiting	Legitimate interest — protecting Service availability

Where we rely on consent, you can withdraw it at any time through your device settings or the app, without affecting the lawfulness of processing before withdrawal.

Where we rely on legitimate interest, we have assessed that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest — see Section 11.

7. Recipients and Third-Party Services

We share personal data only when necessary to provide the Service. Below are the categories of recipients and their roles:

7.1 Third-Party Data Processors and Controllers

Service	Role	Purpose	Data Shared
Google Firebase Analytics	Data processor	App usage analytics	Usage events, device identifiers, app/OS version
Google Sign-In	Independent controller	OAuth authentication	Google ID token (user-initiated)
Perplexity AI	Data processor	AI-generated place descriptions	Place name, coordinates, address, Wikidata ID (no personal data)
Wikidata	Public data source	POI enrichment (descriptions, images)	Wikidata entity IDs (no personal data; client-side requests)
Geograph	Public data source	Photo metadata (UK landmarks)	Photo URLs (no personal data; client-side requests)

7.2 Self-Hosted Services

The following services run entirely on our own infrastructure within the EU. No data is shared with external parties through these services:

Photon — geocoding and search
Overpass API — POI discovery from OpenStreetMap data
GraphHopper / Valhalla — route calculation
PostgreSQL — account data, favorites, route history

7.3 Infrastructure Provider

Our servers are hosted by Contabo GmbH (Germany), which acts as infrastructure provider. Contabo provides the physical server but does not access or process your personal data on our behalf.

8. Data Storage and Security

Where We Store Data

Server-side data (accounts, favorites, route history) is stored in a PostgreSQL database on our dedicated server located in the European Union (Germany)
Local data (preferences, recent searches, authentication tokens) is stored on your device using platform security features and encrypted storage where available

Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

All communications between the app and our server are encrypted using TLS/HTTPS
Passwords are securely hashed before storage — we never store plaintext passwords
Authentication uses JWT tokens with rotation — refresh tokens are single-use with family tracking for reuse detection
API endpoints are protected by rate limiting to prevent abuse
Server access is restricted to SSH only, with no unnecessary ports exposed to the internet

While we take reasonable steps to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. Data Retention

We retain your data only for as long as necessary for the purposes described in this policy or as required by law.

Data	Retention Period
Account information	Until you delete your account
Favorites and route history	Until you delete them or delete your account
Cached place descriptions	Indefinite server-side cache; periodically refreshed (no personal data)
POI tile cache	60 days (automatic expiration)
Access tokens (JWT)	60 minutes
Refresh tokens	60 days, or until revoked on logout/rotation
Security logs (IP address, User-Agent, authentication events)	90 days, then automatically purged
Server access logs (may include request parameters)	30 days
Firebase Analytics data	14 months (Google's default retention setting)
Local device data (preferences, recent searches)	Until you clear app data or uninstall the app

10. Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significant effects on you.

While the Service uses AI technology (Perplexity AI) to generate place descriptions, this processing concerns publicly available information about places and landmarks — not your personal data — and does not affect your rights or produce decisions about you.

11. Your Rights

11.1 Rights Under GDPR / UK GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights:

Access (Art. 15) — request a copy of the personal data we hold about you
Rectification (Art. 16) — request correction of inaccurate or incomplete data
Erasure (Art. 17) — request deletion of your data ("right to be forgotten")
Restriction (Art. 18) — request that we limit processing of your data
Portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format
Object (Art. 21) — object to processing based on legitimate interest, including analytics
Withdraw consent (Art. 7(3)) — for any processing based on consent (e.g., background location, analytics in EEA/UK), at any time without affecting prior processing

To exercise any of these rights, contact us at support@nothinktravel.com. We will respond within 30 days. If the request is complex, we may extend this by up to 60 additional days, in which case we will inform you of the extension and the reasons.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority (DPA).

11.2 Rights Under CCPA / CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by CPRA):

Categories of personal information we collect:

Identifiers (email address, name, IP address, device identifiers)
Geolocation data (precise location when using the app)
Internet or electronic network activity (app usage, search queries, analytics events)
Account credentials (hashed password, Google subject ID)

Sources: directly from you (account creation, app usage) and automatically from your device (analytics, IP address).

Business purposes: providing the Service, account management, security, and app improvement as detailed in Section 5.

Third parties receiving data: as listed in Section 7.

Your rights:

Right to know — what personal information we collect, use, and disclose
Right to delete — request deletion of your personal information
Right to correct — request correction of inaccurate personal information
Right to opt out of sale/sharing — we do not sell or share your personal information for cross-context behavioral advertising
Right to non-discrimination — we will not discriminate against you for exercising your privacy rights

How to submit a request: email support@nothinktravel.com with the subject line "CCPA Request". We will verify your identity and respond within 45 days.

12. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@nothinktravel.com and we will promptly delete such information.

13. International Data Transfers

Our servers are located in the European Union (Germany). If you access the Service from outside the EU, your data will be transferred to and processed in the EU.

Some third-party services may process data outside the EU/EEA:

Google Firebase and Google Sign-In — may process data in the United States. Google relies on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) approved by the European Commission
Perplexity AI — may process data in the United States. We rely on Standard Contractual Clauses where applicable

You may request further details about the safeguards in place for international transfers by contacting us at support@nothinktravel.com.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last Updated" date at the top of this page
Notify you through the app or by email for significant changes that affect your rights

We encourage you to review this policy periodically.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

NoThinkTravel
Controller: Anton Shemiakin
Email: support@nothinktravel.com
Website: nothinktravel.com

If you are in the EU/EEA or the UK and believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority. A list of EEA DPAs can be found on the European Data Protection Board website.