Privacy Policy
Last updated: July 17, 2026
This policy explains what personal data we collect when you use Plavion (plavion.travel), why we collect it, and the rights you have over it. The data controller is SIAL CONSULTING d.o.o., Bizeljska cesta 5, 8250 Brežice, Slovenia. Contact: pavle.paunob@gmail.com.
1. Data we collect
- Account data — your email address and password (stored in hashed form by our authentication provider), or your basic Google profile (email, name) if you sign in with Google, plus email-verification status.
- Search data — the trips you search for (origin, destination, dates, number of travelers), your recent search history (kept so you can re-run searches; only the most recent entries are stored), and the results generated for you.
- Credits and purchase data — your credit balance, a transaction log of credits earned and spent, and records of your Stripe purchases (package, amount, time). We never see or store your card number — payments are handled entirely by Stripe.
- Technical data — standard server logs (IP address, browser type, time of request) created by our hosting provider for security and reliability.
We do not collect any special categories of data and we do not sell personal data.
2. Why we process it (legal bases under the GDPR)
- To provide the Service (Art. 6(1)(b) — contract): accounts, running searches, credit accounting, purchases, search history.
- Security, fraud prevention and service improvement (Art. 6(1)(f) — legitimate interest): server logs, abuse detection, aggregate cost/quality metrics.
- Legal obligations (Art. 6(1)(c)): keeping payment and tax records.
- Advertising/affiliate cookies and pixels (Art. 6(1)(a) — consent): loaded only if you accept them in the cookie banner. See the Cookie Policy.
3. Who processes data for us
We use a small number of service providers (processors) to run Plavion. They process data only on our instructions:
- Google Firebase (Google LLC) — authentication and database (accounts, credits, search history, cached results).
- Stripe — payment processing and subscription billing.
- Anthropic — the AI model that performs your search. Your trip query (destination, dates, travelers) is sent to the model; your identity is not.
- Bright Data — web retrieval infrastructure used during searches to fetch public travel pages. It receives search terms, not your identity.
- Vercel — website hosting and server logs.
- Affiliate networks (CJ, Viator, GetYourGuide) — tracking of clicks and impressions on partner links, only with your cookie consent.
Some providers are located in the United States. Where data leaves the EEA, it is protected by the EU–US Data Privacy Framework and/or Standard Contractual Clauses.
4. How long we keep data
- Account, balance and transaction data — while your account exists.
- Search history — only your most recent searches (older entries are dropped).
- Search results and caches — hours to days; they expire automatically.
- Purchase records — as long as tax/accounting law requires.
- Server logs — short rotation periods set by our hosting provider.
5. Your rights
Under the GDPR you can ask us at any time to:
- access a copy of the data we hold about you;
- correct inaccurate data;
- delete your account and data (“right to be forgotten”);
- receive your data in a portable format;
- restrict or object to processing based on legitimate interest;
- withdraw cookie consent at any time (see the Cookie Policy).
Email pavle.paunob@gmail.com and we will respond within 30 days. You also have the right to complain to a supervisory authority — our lead authority is the Slovenian Information Commissioner (Informacijski pooblaščenec, ip-rs.si), and you may always contact the authority of your own country of residence.
6. Children
Plavion is not directed at children. Accounts require a minimum age of 16, and purchases require 18. We do not knowingly collect data from children; if you believe a child has created an account, contact us and we will delete it.
7. Security
Data is encrypted in transit (HTTPS everywhere), authentication is handled by Google Firebase, payments never touch our servers, and access to production data is restricted to the operator. No system is 100% secure, but we keep the amount of personal data we hold deliberately small.
8. Changes
We will post any changes to this policy here and update the date above. Material changes will be announced on the site or by email.