This Privacy Policy describes how Valise LLC, a California limited liability company ("Valise," "we," "us," or "our"), collects, uses, discloses, and protects your personal information when you use our website, applications, and services (collectively, the "Service"). By using the Service, you consent to the practices described in this policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Information You Provide
- Account information: Email address and password (hashed using bcrypt; we never store plaintext passwords).
- Search parameters: Travel preferences including budget, zip code, travel dates, destinations, travel mode, fare class, number of travelers, and concierge notes.
- Saved content: Saved itineraries, favorite properties, wish list items, and any notes you attach to them.
- Taste profile data: If you complete a taste quiz or interact with recommendations, we build a preference profile to personalize future results. This includes travel style preferences, psychographic indicators, and budget sensitivity.
- Two-factor authentication: If you enable 2FA, we store an encrypted TOTP secret and hashed recovery codes.
- Payment information: Payment details (card number, billing address) are collected and processed exclusively by our payment processor, Stripe, Inc. We store only a Stripe customer identifier — we never receive, transmit, or store your full card number.
- Communications: Content of emails or support requests you send to us.
- Referral information: If you participate in our referral program, we store your referral code and the association between referrer and referee accounts.
1.2 Information Collected Automatically
- Technical data: IP address, browser type, operating system, and device information for security, rate limiting, and fraud prevention.
- Browser fingerprint: For unauthenticated users, we generate a SHA-256 hash derived from browser characteristics (canvas rendering, screen dimensions, timezone, and language settings) to enforce rate limits and prevent abuse. This hash cannot be used to identify you personally and is not shared with third parties.
- Session data: Authentication tokens and session identifiers stored in secure, httpOnly cookies.
- Usage analytics: Aggregate, anonymized page view counts (page path and date only). For authenticated users, we record page-to-page navigation patterns and dwell time to improve the user experience.
- Attribution data: If you arrive at our site via a marketing link, we record UTM parameters (source, medium, campaign, term, content) associated with your account to measure the effectiveness of our marketing efforts.
- Error diagnostics: In the event of a software error, we collect error stack traces, request context, and associated user identifiers to diagnose and resolve issues.
1.3 Interaction & Recommendation Data
To improve the relevance of your travel recommendations, we record how you interact with the results we show you. This includes which properties you view, expand, click through to book, save, favorite, add to your wish list, share, or skip. We also record which recommendation source (e.g., personalized match, trending, serendipity, or editorial) produced each result and whether you engaged with it.
This data is tied to your authenticated account and is never shared with third parties or used for advertising. You can opt out of personalized recommendations at any time from your account settings. When opted out, your interaction data is no longer collected and your recommendations will be based on general popularity rather than your personal preferences.
2. How We Use Your Data
We use the information we collect to:
- Provide the Service: Generate personalized travel recommendations, process searches, and display results.
- Personalization: Build and refine your taste profile to improve recommendation relevance over time.
- Payment processing: Manage subscriptions, process billing, and handle refunds through Stripe.
- Communications: Send transactional emails (account verification, password resets, subscription confirmations), service notifications (consultation limits), and, with your consent, promotional content (weekly digests, product updates).
- Security & fraud prevention: Enforce rate limits, detect abuse, verify bot protection (CAPTCHA), and protect account integrity.
- Service improvement: Analyze aggregate usage patterns, conduct internal A/B testing, and improve our algorithms and user experience.
- Legal compliance: Respond to legal requests and enforce our Terms of Service.
3. Automated Decision-Making
The Service uses automated processing, including artificial intelligence, to generate travel recommendations and personalize results based on your preferences and interaction history. These automated decisions affect which properties and itineraries are presented to you and in what order, but they do not produce legal effects or similarly significant effects on you. You may opt out of personalized automated recommendations at any time from your account settings, in which case results will be based on general popularity rather than your profile.
Automated rate limiting and bot-protection systems may restrict access to the Service based on IP address, browser fingerprint, or usage patterns. If you believe you have been incorrectly restricted, contact support@valisedesk.com.
4. Data Protection
We implement industry-standard security measures to protect your personal information:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
- Encryption at rest: Sensitive data, including two-factor authentication secrets, is encrypted using AES-256 before storage.
- Password security: Passwords are hashed using bcrypt with per-user salts. We cannot view or recover your password.
- Infrastructure: Our infrastructure is hosted on SOC 2-compliant cloud providers with automatic security updates and access controls.
- Access controls: Employee and contractor access to personal data is limited to those with a legitimate business need and is logged.
We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes. We will never monetize your personal data.
5. Third-Party Services
We share information with third-party service providers only as necessary to operate and improve the Service. Each provider processes data under its own privacy policy. We contractually require providers to protect data and limit use to the services they perform on our behalf.
We send your search parameters (budget, destinations, travel dates, preferences) and, for personalized results, a summary of your taste profile to Anthropic's API to generate travel recommendations. We do not send your email address, password, payment information, or other personally identifying information to Anthropic. Anthropic does not use this data to train its models.
Stripe processes all payment transactions. When you subscribe, your payment method details are collected directly by Stripe and are never transmitted through our servers. We receive only a customer identifier and subscription status. Stripe is PCI DSS Level 1 certified.
We use Resend to deliver transactional and, where opted in, promotional emails. Resend receives your email address and the content of emails sent on our behalf.
We use Cloudflare Turnstile, an invisible CAPTCHA service, during account registration, login, and search to distinguish human users from automated bots. Turnstile may collect IP address and browser interaction data. No tracking cookies are set.
We use Sentry to capture and diagnose software errors. Error reports may include user identifiers, request URLs, and stack traces. Sentry does not receive your password, payment information, or search content.
We use Google's Places API to verify the existence, location, and ratings of recommended properties. Property names and locations are sent to Google; your personal information is not.
We use SerpAPI to verify property mentions in public Reddit discussions and web search results. Property names are sent as search queries; your personal information is not shared.
Our application is hosted on Vercel's serverless infrastructure. Vercel processes web requests and may log IP addresses and request metadata as part of standard web hosting operations.
6. Cookies & Similar Technologies
We use a limited set of cookies, all of which are essential for the operation of the Service:
- Authentication cookies: Secure, httpOnly session tokens that maintain your login state. These expire after 30 days of inactivity.
- CSRF protection: Tokens to prevent cross-site request forgery attacks.
We do not use advertising cookies, third-party tracking cookies, or cross-site tracking pixels. Our analytics are privacy-respecting, first-party, and aggregate only — we collect page path and date without personal data, cookies, or device identifiers.
Do Not Track: We honor Do Not Track (DNT) signals. Because we do not engage in cross-site tracking, our Service behaves the same regardless of the DNT setting.
7. Data Retention
- Account data: Retained while your account is active. Upon account deletion, all personal data is permanently removed within 30 days.
- Interaction & recommendation data: Retained for 24 months from the date of collection. After this period, records are automatically anonymized by removing the association with your account. Anonymized data may be retained for aggregate analysis.
- Rate-limiting data: IP addresses and browser fingerprint hashes used for anonymous rate limiting are automatically deleted after 24 hours.
- Payment records: Stripe maintains its own records in accordance with financial regulations. We retain only subscription status and billing period metadata.
- Anonymized analytics: Aggregate, anonymized usage data may be retained indefinitely for service improvement.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Delete your account and all associated personal data from your account settings, or request deletion by contacting us.
- Data portability: Request your data in a structured, commonly used, machine-readable format.
- Opt out of marketing: Unsubscribe from promotional emails at any time via email preferences or by contacting us.
- Opt out of personalization: Disable taste profile tracking and personalized recommendations from your account settings.
- Restrict processing: Request that we limit processing of your data in certain circumstances.
- Withdraw consent: Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact support@valisedesk.com. We will respond within 30 days (or sooner where required by law). We may request verification of your identity before processing a request.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with additional rights:
- Right to know: You may request the categories and specific pieces of personal information we have collected, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising. No opt-out is necessary, but we honor such requests regardless.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of personal information collected (per CCPA categories): Identifiers (email, IP address); Internet or electronic network activity (browsing history within the Service, search parameters, interaction data); Geolocation data (zip code, inferred from IP); Financial information (processed by Stripe — we do not receive full card numbers); Inferences (taste profile, travel preferences).
To exercise your CCPA rights, contact support@valisedesk.com. You may also designate an authorized agent to make a request on your behalf.
10. GDPR (European Users)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and applicable local laws provide you with additional rights:
- Data portability: Receive your data in a structured, machine-readable format and transmit it to another controller.
- Right to restrict processing: Limit processing of your data in certain circumstances.
- Right to object: Object to processing based on legitimate interests.
- Right to lodge a complaint: File a complaint with your local data protection supervisory authority.
Legal basis for processing:
- Contract performance: Processing necessary to provide the Service you requested (account management, search, recommendations, billing).
- Legitimate interest: Security, fraud prevention, service improvement, and internal analytics, where these interests are not overridden by your rights.
- Consent: Marketing communications and optional personalization features. You may withdraw consent at any time.
- Legal obligation: Where required to comply with applicable law.
Data Protection Officer: For GDPR-related inquiries, contact our DPO at dpo@valisedesk.com.
11. International Data Transfers
Valise LLC is based in the United States. If you access the Service from outside the United States, your data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to the transfer of your data to the United States. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK International Data Transfer Agreement as the legal mechanism for such transfers.
12. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected data from a minor, we will promptly delete the account and all associated data. If you believe a child under 18 has provided us with personal information, please contact support@valisedesk.com.
13. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email to active account holders at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy. We encourage you to review this page periodically.
14. Contact
For questions or concerns about this Privacy Policy or our data practices, contact:
Valise LLC
General inquiries: support@valisedesk.com
Data Protection Officer (GDPR): dpo@valisedesk.com
Legal notices: legal@valisedesk.com
© 2026 Valise LLC. All rights reserved.