Privacy Policy

Last updated: Effective:

This Privacy Policy explains how Exohaven collects, uses, shares and protects your personal data when you use exohaven.app (the “Service”). It is drafted under the Ghana Data Protection Act 2012 (Act 843). If you do not agree with this Policy, please do not use the Service.

1. Who we are

The data controller is [LEGAL_ENTITY_NAME], a company registered in Ghana, trading as “Exohaven”. You can reach our privacy team at [PRIVACY_CONTACT_EMAIL].

2. Scope

This Policy applies to all visitors to exohaven.app and to people who create an Exohaven account. It does not apply to third-party websites we link to from the Service — including the Blacvolta event pages, the Google OAuth consent screen, the Paystack checkout, and OpenStreetMap. Those parties handle your data under their own privacy policies.

3. Personal data we collect

We collect only the data we need to run the Service. The categories below match what the platform actually stores.

Account & profile

  • email address (required, unique);
  • name;
  • password (stored only as a salted hash — we never see your password in clear);
  • profile image URL (optional);
  • email-verified flag and verification timestamps;
  • phone number and phone-verified flag (optional);
  • date of birth (optional);
  • gender (optional, one of: male / female / other / prefer not to say);
  • account creation and last-update timestamps.

OAuth (only if you sign in with Google)

  • provider identifier, access token, refresh token, ID token and token expiry — received from Google as part of the OAuth flow you authorise.

Verification

  • one-time passcodes and email-verification tokens (short-lived; minutes to hours).

Roles & subscription tier

  • your subscription tier (Wayfinder, Explorer, Voyager, Tourist Pass), role flags, verification status and expiry dates.

Session

  • IP address;
  • user-agent (browser/device string);
  • session token and expiry.

Interests

  • interest categories you select to personalise recommendations.

Itinerary inputs (sent to our AI service)

  • primary city and radius;
  • trip dates;
  • group composition (adults, children, age range);
  • pace, budget, transport and novelty preferences;
  • free-text “other needs” field.

Itineraries

  • itinerary name, description, city, locations, stops, photos, dates, cost-per-person, currency and sharing flags.

Invites & collaborators

  • recipient user IDs, the role you assigned (viewer or editor), expiry, and revocation timestamps.

Budget Pools

  • pledge amount, status and currency. Payments are recorded offline; we do not collect or hold card data for Budget Pools.

Subscriptions (via Paystack)

  • subscription tier and billing interval;
  • Paystack customer reference;
  • masked card last 4 digits, card network and expiry date.

Communications preferences

  • newsletter and notification toggles.

4. What we do not collect

  • full card numbers or card-verification values (held only by Paystack);
  • biometric data;
  • precise GPS location — we do not call your browser’s geolocation API;
  • your device contacts or address book;
  • social-graph data beyond the Google profile fields the OAuth consent screen explicitly lists.

5. How we collect data

  • Directly from you when you sign up, edit your profile, build an itinerary, send an invite, or subscribe.
  • Automatically when you use the Service (IP address, user-agent, cookies, technical logs).
  • From Google when you use “Sign in with Google” (name, email, profile picture URL — only what Google’s consent screen authorises).
  • From Paystack when you complete a subscription payment (the masked card metadata listed in section 3).

6. Lawful basis for processing

Under the Ghana Data Protection Act 2012, we rely on the following lawful bases:

  • Contractual necessity for account creation, itinerary creation, sharing, subscription billing and customer support;
  • Legitimate interest for security logging, fraud prevention and product analytics, balanced against your right to privacy;
  • Consent for marketing emails and the optional profile fields (date of birth, gender, phone number);
  • Legal obligation for retention of subscription and tax records.

7. How we use your data

  • run your account and authenticate you;
  • generate AI itineraries from your inputs;
  • deliver invitations and run collaboration features;
  • process Paystack billing for paid subscriptions;
  • send transactional email (verification, security alerts, receipts) via our email provider;
  • secure the platform — rate-limiting, abuse detection, incident response;
  • understand product use in the aggregate so we can improve the Service;
  • comply with law and respond to lawful requests;
  • with your separate opt-in, send marketing communications about Exohaven and Ghana travel.

8. AI processing

Your itinerary inputs — group composition, dates, budget, the free-text “other needs” field — are sent to our itinerary-generation service to produce a plan. We strongly recommend you do not include sensitive personal data in the “other needs” field (for example details of health conditions, religion, sexual orientation, political views, or other people’s personal data). If you do, you do so on your own responsibility.

9. Who we share your data with

We share personal data only with the providers we need to run the Service, and only the minimum data each of them needs to do their job.

  • Paystack Payments Limited — for subscription billing. Paystack acts as an independent controller for the payment transaction. Shared: name, email and the billing reference.
  • Google LLC — only if you use “Sign in with Google”. Shared: only the data Google’s consent screen lists.
  • Resend Inc. — transactional email delivery. Shared: your email, your name and the contents of the message we send you.
  • Blacvolta — events provider. We do not send personal data; you fetch public event listings.
  • OpenStreetMap contributors — when map tiles load, your IP and request headers are sent to their tile servers.
  • Fly.io — our hosting provider (primary region: Northern Virginia, United States). All platform traffic passes through Fly.io’s infrastructure as a processor.
  • Neon — our managed Postgres database. All stored data sits on Neon as a processor.
  • Google LLC (Google Analytics 4, property G-T14K2TCD5J) — see the Cookie Policy for what is collected and how to opt out.
  • Law enforcement and regulators — only where legally compelled or to protect rights, safety or property.
  • An acquirer or successor — in a merger, acquisition or restructuring, your data may transfer under equivalent protections.

We do not sell your personal data and we do not share your personal data with advertising networks.

10. International transfers

Your data is stored on Fly.io and Neon infrastructure located outside Ghana — Fly.io’s primary region for Exohaven is the United States, and Neon operates a multi-region managed database service. By using the Service you consent to your data being transferred and stored internationally for the purpose of operating the Service. We require our processors to maintain protections equivalent to those required under the Ghana Data Protection Act 2012.

11. How long we keep your data

  • Account data: until you delete your account.
  • Sessions: until the session expires (typically up to 30 days of inactivity).
  • Verification codes: minutes to hours.
  • Subscription and billing records: up to 7 years, to satisfy Ghanaian tax-record obligations.
  • Itineraries: until you delete them, or 12 months after you delete your account — whichever is sooner.
  • Server logs (including IP): 90 days.
  • Backups: up to 35 days after deletion, as a function of our managed-database point-in-time recovery window.

12. Closing your account and data deletion

You can close your account at any time from Account → Account → Deactivate. Closing your account is irreversible. We remove your profile data immediately; itineraries you created are de-associated from your identity and scheduled for hard deletion within twelve (12) months; your memberships in other people’s collaborations are removed. Billing records we are legally required to retain are kept for the period stated in section 11.

13. Your rights

Under the Ghana Data Protection Act 2012 you have the right to:

  • request access to the personal data we hold about you;
  • request correction of inaccurate or incomplete data;
  • request deletion (subject to legal retention obligations);
  • object to processing in certain circumstances;
  • withdraw your consent for marketing communications at any time.

To exercise these rights, email [PRIVACY_CONTACT_EMAIL]. We aim to respond within thirty (30) days. If you believe we have not handled your data properly, you can complain to the Data Protection Commission of Ghana.

14. Security

We use industry-standard measures to protect your data: TLS in transit; salted password hashing; HTTP-only, secure session cookies; role-based access controls at our APIs; one-time passcodes for email verification; access logging; and offsite database backups. No system is perfectly secure. You are responsible for keeping your own credentials safe and for telling us at [PRIVACY_CONTACT_EMAIL] if you believe your account has been compromised.

15. Children

The Service is not intended for users under the age of 18. We do not knowingly collect personal data from minors. If we learn that a minor has registered, we will delete the account. If you are a parent or guardian and believe your child has registered, please email [PRIVACY_CONTACT_EMAIL].

16. Marketing and communications

You can manage marketing preferences at Account → Notifications. Disabling marketing does not stop transactional emails (verification, security alerts, subscription receipts) because we need those to run the Service.

17. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email at least fourteen (14) days before they take effect. The current version is always available at this URL.

18. Contact us

Privacy questions or rights requests: email [PRIVACY_CONTACT_EMAIL] or write to [REGISTERED_ADDRESS].


© 2026 Exohaven. All rights reserved.