Privacy Policy
Last updated: 15 January 2026
1. Introduction
Allora ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our family travel planning platform (the "Service").
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our registered address is Allora Travel Ltd, 3rd Floor, 86-90 Paul Street, London, UK, EC2A 4NE.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, password (encrypted)
- Profile Information: Family details, travel preferences, children's ages
- Payment Information: Processed securely by Stripe (we do not store card details)
- Search Queries: Destinations, dates, traveller details
- Communications: Messages sent through our chat interface
2.2 Information Collected Automatically
- Device Information: Browser type, operating system, device identifiers
- Usage Data: Pages visited, features used, time spent on Service
- Location Data: IP-based approximate location (not precise GPS)
- Cookies: Session cookies, authentication tokens (see Section 8)
3. How We Use Your Information
We use your information for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Provide and maintain the Service | Contract performance |
| Generate AI-powered travel recommendations | Contract performance |
| Process subscription payments | Contract performance |
| Send service-related emails | Legitimate interest |
| Send marketing communications | Consent |
| Improve our Service and algorithms | Legitimate interest |
| Prevent fraud and abuse | Legitimate interest |
| Comply with legal obligations | Legal obligation |
4. Data Sharing and Third Parties
We share your information with the following third-party service providers:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication | Account data, search history |
| OpenAI | AI recommendations | Search queries, preferences |
| Stripe | Payment processing | Email, payment details |
| Google Places | Hotel photos and details | Search queries only |
| Duffel | Flight search | Travel dates, passenger details |
| Customer.io | Email communications | Email, name, preferences |
| Google Analytics | Usage analytics | Anonymized usage data |
We do not sell your personal data to third parties. We may share anonymized, aggregated data for analytics purposes.
5. Data Retention
- Account Data: Retained while your account is active, deleted within 30 days of account deletion
- Search History: Retained for 2 years for service improvement, then anonymized
- Payment Records: Retained for 7 years as required by UK tax law
- Marketing Consent: Retained until withdrawn
- Analytics Data: Retained for 26 months (Google Analytics default)
6. Your Rights (GDPR)
Under UK GDPR, you have the following rights:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Request limitation of how we use your data
- Right to Data Portability: Request your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time for consent-based processing
To exercise any of these rights, please contact us at privacy@allora.travel or use the settings in your account dashboard.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption of data in transit (HTTPS/TLS)
- Encryption of data at rest
- Secure password hashing
- Regular security audits
- Access controls and authentication
- PCI-DSS compliant payment processing via Stripe
8. Cookies
We use the following types of cookies:
Essential Cookies
Required for the Service to function. These cannot be disabled.
- Authentication tokens (session cookies)
- Security tokens (CSRF protection)
- Cookie consent preferences
Analytics Cookies (Optional)
Help us understand how visitors interact with our Service.
- Google Analytics (_ga, _gid, _gat)
Marketing Cookies (Optional)
Used to deliver relevant advertisements (currently not implemented).
You can manage your cookie preferences at any time using the cookie settings in the footer of our website.
9. International Data Transfers
Some of our service providers are located outside the UK/EEA. When we transfer your data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs)
- EU-US Data Privacy Framework (where applicable)
- Adequacy decisions by the UK Government
10. Children's Privacy
While Allora is a family travel planning service, the Service itself is intended for users aged 18 and over. We do not knowingly collect personal data from children under 18 as account holders.
When planning trips for families with children, we only collect ages (not names or other identifying information) of children to provide appropriate recommendations.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the Service. The "Last updated" date at the top of this policy indicates when it was last revised.
12. Contact Us
For any questions or concerns about this Privacy Policy or our data practices, please contact:
- Data Protection Officer: privacy@allora.travel
- Address: Allora Travel Ltd, 3rd Floor, 86-90 Paul Street, London, UK, EC2A 4NE
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.