MyJourneys — Privacy Policy
Version 0.1 — 2026-04-19 — DRAFT FOR REVIEW
Draft notice. This is an internal drafting document. It has not been reviewed by qualified UK or EU counsel. Do not publish to myjourneys.app or expose to real users until legal review is complete. The controller transition from sole trader to MindRoam OÜ (see below) in particular needs legal sign-off.
In plain English (non-legal summary)
- We collect the minimum we need to run MyJourneys: your account details, the trips and journal entries you create, the photos you upload, and your subscription status.
- We use trusted processors (Google sign-in, Render hosting, Neon database, Stripe for payments, OpenAI and Anthropic for AI-generated guide content, Cloudflare, Microsoft 365). Some of them are based in the US — we use Standard Contractual Clauses to protect your data on transfer.
- You can access, correct, export, or delete your data at any time. If the account goes, the content goes — with a 30-day grace window in case you change your mind.
1. Who we are (data controller)
MyJourneys is a product of MindRoam, a portfolio of consumer lifestyle apps.
- Today (sole trader phase): The data controller for MyJourneys is Andrew Samuels, trading as MyJourneys, a sole trader registered in the United Kingdom. Contact: hello@myjourneys.app.
- Planned transition: MindRoam OÜ, an Estonian private limited company formed via the Estonian e-Residency programme, will take over as the data controller once incorporation and operational handover complete. When that transition occurs, we will:
- Update this policy with the OÜ's full registered details, registry number, and registered office.
- Notify registered users in advance by email, and show an in-app notice.
- Bump the version and date at the top of this policy.
- Your data will not be sold, shared with any party other than MindRoam OÜ itself, or used for any new purpose as part of the handover. MindRoam OÜ will inherit the same controller obligations Andrew currently carries, and the same processors, retention periods, and security measures described in this policy will continue to apply.
(What this means: the company name on your contract will change once the Estonian entity exists. Nothing about how your data is handled changes.)
2. Scope of this policy
This policy covers the MyJourneys web application at myjourneys.app, any future native iOS/Android wrappers of the same product, and the marketing pages on the same domain. It does not cover external sites you reach via links from MyJourneys (for example, a booking partner's site) — those sites publish their own policies.
3. What data we collect and why
We practise data minimisation: we collect only what is necessary for MyJourneys to function, for us to bill you, or for us to improve the product responsibly.
3.1 Account data
- What: email address, display name, password hash (if you sign up with email/password) or Google account identifier (if you sign in with Google), account creation date, confirmed age-gate response.
- Why: to create and secure your account, let you sign in, and send you essential service emails (password resets, receipts, policy updates).
- Legal basis (GDPR Art. 6): performance of a contract (Art. 6(1)(b)).
3.2 Trip content and journal entries
- What: the trips, itineraries, text journal entries, ratings, and any tags or notes you create inside the app.
- Why: this is the core product — we store it so we can show it back to you, sync it across your devices, and generate personalised guides from it.
- Legal basis: performance of a contract (Art. 6(1)(b)).
3.3 Photos you upload
- What: image files you attach to journal entries or trips, along with any embedded metadata that you choose to leave in (for example, EXIF timestamp and location tags).
- Why: to display them inside your journal, auto-associate them with entries by timestamp, and include them in your scrapbook.
- Legal basis: performance of a contract (Art. 6(1)(b)).
(What this means: if you upload a photo that still carries GPS coordinates in its EXIF data, we will read them to help place the photo within your trip, and they are stored with the photo. If you would rather we never stored them, turn on the EXIF-stripping toggle described in Section 10, which removes location metadata at upload, or remove the metadata yourself before uploading.)
3.4 Subscription and billing data
- What: Stripe customer ID, subscription status, plan, start/end dates, payment receipts. We do not store your card number or CVC — those sit with Stripe directly.
- Why: to run your subscription, invoice you, and meet tax-record obligations.
- Legal basis: performance of a contract (Art. 6(1)(b)), and compliance with a legal obligation for tax record retention (Art. 6(1)(c)).
3.5 Device and connection basics
- What: IP address (for session security and abuse prevention), browser user-agent, device type, approximate region derived from IP (country / city-level, not precise location).
- Why: to keep the service working, spot suspicious logins, and know where to improve performance.
- Legal basis: legitimate interests (Art. 6(1)(f)) — running a secure, functioning service.
3.6 Product analytics
- What: aggregated, pseudonymised usage events such as "trip created", "journal entry saved", "scrapbook generated".
- Why: to understand which features work, which are broken, and where to invest next.
- Legal basis: legitimate interests (Art. 6(1)(f)). We balance this against your right to privacy by pseudonymising event data and keeping it separate from content.
3.7 Marketing communications
- What: your email address, and the fact that you opted in.
- Why: only if you actively opt in, we will send a periodic MyJourneys newsletter or product update.
- Legal basis: consent (Art. 6(1)(a)). You can withdraw consent at any time via the unsubscribe link or in-app settings.
3.8 What we do not collect
- Precise real-time location (the MVP does not run live GPS). Location tags embedded in photos you upload are the one exception, and are covered in Section 3.3.
- Payment card details (those sit with Stripe).
- Sensitive/special-category data (health, religion, political views, biometrics). If you choose to write any of that in a journal entry yourself, it is stored as generic text content — but we do not process it as special-category data, and we ask you not to use journal entries as medical or legal records.
- Data about children under 16 (see Section 11).
4. Who we share data with (processors and sub-processors)
We use a small set of reputable third-party processors to deliver the service. Each has a data processing agreement (DPA) in place with MyJourneys, or will have one by the time they process live user data.
| Processor | What they do | Data they touch | Location |
|---|---|---|---|
| Google (via Auth.js) | OAuth sign-in | Your Google account identifier and email if you choose Google sign-in | EU/US |
| Render | Application hosting and serverless compute | All data, while it is being processed (in memory and in transit); application and access logs | EU region preferred (Frankfurt) where available; US fallback |
| Neon | PostgreSQL database hosting | All stored data | EU region (Frankfurt) preferred |
| Stripe | Payment processing and subscription billing | Email, Stripe customer ID, payment details (held by Stripe, not us) | EU/US |
| OpenAI | AI-generated guide content (Sights, Tastes, Practical slices) | Trip prompts and preference summaries (no raw journal or photo data) | US |
| Anthropic | AI-generated guide content (fallback / secondary) | Same as OpenAI | US |
| Cloudflare | DNS, edge CDN, basic DDoS protection | IP address, request metadata | Global edge |
| Microsoft 365 | Operational email and document storage (founder/admin side) | Inbound/outbound support email content | EU tenant |
We maintain a supplier register tracking each processor's DPA status, certifications (SOC 2, ISO 27001, etc.), and sub-processor list. This register is available to regulators on request and is reviewed at least annually.
(What this means: we keep a tight, named list of suppliers. We don't sell your data, and we don't share it with advertisers or data brokers — there are none in the stack.)
4.1 Changes to processors
When we add or remove a processor that handles personal data, we will update this policy and bump the version. For material changes (for example, moving to a new hosting provider), we will also notify registered users by email.
5. International data transfers
Some processors listed above are based in the United States (Stripe, OpenAI, Anthropic; Cloudflare and Render have US presence alongside EU). When your personal data is transferred outside the UK or EEA, we rely on:
- Standard Contractual Clauses (SCCs) in the European Commission's 2021 form, or the UK Information Commissioner's International Data Transfer Agreement (IDTA) / Addendum where the UK is the exporter.
- Supplementary measures where appropriate (encryption in transit and at rest, pseudonymisation of prompts sent to AI providers).
- Adequacy decisions where they exist and the importer is covered by them (for example, the UK–US Data Bridge, which is the UK extension to the EU–US Data Privacy Framework, for US processors that are certified under it), subject to ongoing legal developments.
We monitor legal developments around US transfers (Schrems II line of cases and successors) and will adjust the stack if adequacy positions change materially.
(What this means: for the AI guide generation in particular, some of your trip preferences will leave the EU to reach OpenAI/Anthropic. We limit what is sent, and we have paperwork in place to protect it.)
6. How long we keep your data (retention)
| Data category | Retention period |
|---|---|
| Account and profile | While your account is active |
| Trip content, journal entries, photos | While your account is active, plus a 30-day grace window after deletion during which you can restore. After 30 days, content is purged from primary systems within 7 days and from backups within 90 days. |
| Subscription and billing records | 7 years after the last transaction, to meet UK/EU tax and accounting obligations |
| Server and security logs | 90 days, then deleted or fully aggregated |
| Marketing consent records | Until consent is withdrawn, plus 3 years as evidence of prior consent |
| Analytics events (pseudonymised) | 24 months, then aggregated |
(What this means: if you delete your account, your trips and photos are removed from the active system within about 37 days of your request (the 30-day grace window plus up to 7 days for the purge), and from backups within a further 90 days. Billing records we have to keep longer — that's the law.)
7. Your rights
Under UK GDPR and EU GDPR, you have the right to:
- Access — ask for a copy of the personal data we hold about you.
- Rectification — ask us to correct data that is wrong.
- Erasure — ask us to delete your data ("right to be forgotten"), subject to any legal retention obligations (for example, billing records).
- Portability — receive your data in a structured, machine-readable format (we provide a JSON export of trips, journal entries, and photo links).
- Restriction — ask us to pause processing while a dispute is resolved.
- Objection — object to processing based on legitimate interests, including product analytics.
- Withdraw consent — for anything we do on the basis of consent (marketing, non-essential cookies).
- Lodge a complaint — with your local supervisory authority. In the UK that is the Information Commissioner's Office (ICO) — ico.org.uk. In Estonia (once MindRoam OÜ is controller) it will be the Estonian Data Protection Inspectorate (AKI) — aki.ee.
To exercise any of these rights, email hello@myjourneys.app. We will respond within one month, the statutory period under GDPR Art. 12(3); for unusually complex requests we may extend this by up to two further months, and we will tell you within the first month if that is the case. We may ask you to confirm that you control the account's email address before acting on a request, so that nobody else can obtain or delete your data by impersonating you.
8. Security
We follow ISO 27001-aligned practices from day one, even though certification is a future milestone. Practical measures include:
- TLS 1.2+ for all connections.
- Passwords hashed with a modern algorithm (argon2id or equivalent).
- Database encryption at rest.
- Principle of least privilege for administrative access.
- Multi-factor authentication on all administrative accounts, including our own accounts at each processor (hosting, database, payments, DNS, and email).
- Documented incident response plan — if a personal data breach occurs, we will notify the relevant supervisory authority within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to you (GDPR Art. 33), and, where the breach is likely to result in a high risk to you, notify affected users without undue delay (Art. 34).
No system is perfectly secure, but we treat your data as if it were our own.
9. Cookies and similar technologies
See the separate MyJourneys Cookie Policy for full detail.
10. Your controls inside the app
- Export — "Download my data" in settings.
- Delete account — in settings. Triggers the 30-day grace period.
- Marketing preferences — toggle in settings and in every marketing email.
- EXIF stripping — optional toggle to strip location metadata from photos on upload.
- Analytics opt-out — toggle to disable non-essential product analytics.
11. Children
MyJourneys is not intended for anyone under 16. We use 16 as a conservative threshold because several EU member states set the digital-consent age there (GDPR Art. 8 allows member states to set this between 13 and 16; the UK sets it at 13, but we apply 16 everywhere rather than vary it by country). A simple age-gate is presented at signup, and your confirmed response is stored with your account (see Section 3.1). If we become aware we have collected data from a user under 16, we will delete it.
(What this means: we don't knowingly collect anything from children. If you are a parent or guardian and believe your child has created an account, email hello@myjourneys.app and we will remove it.)
12. Automated decision-making
MyJourneys uses AI (OpenAI, Anthropic) to generate personalised travel guide content. This is content generation, not automated decision-making with legal or similarly significant effect in the GDPR Art. 22 sense — the output is suggestions, and you remain in control of your trip. We do not use AI to decide pricing, eligibility, or access.
13. Governing law and jurisdiction
- While Andrew Samuels (sole trader) is the controller: this policy is governed by the laws of England and Wales, and disputes are subject to the exclusive jurisdiction of the courts of England and Wales, without prejudice to mandatory consumer rights in your country of residence.
- Once MindRoam OÜ is the controller: this policy will be governed by the laws of Estonia, with disputes subject to Estonian courts, again without prejudice to mandatory consumer rights in your country of residence.
(What this means: your statutory consumer rights in your home country — for example, EU consumer protection, UK Consumer Rights Act — always apply regardless of what this policy says about jurisdiction.)
14. Contact
Questions, requests, or complaints:
- Email: hello@myjourneys.app
- Subject line suggestion: "Privacy request — [what you want]"
15. Changes to this policy
We will update this policy when processors, practices, or legal obligations change. The version and date at the top tells you which version is live. For material changes (new processor categories, new data types collected, change of controller), we will notify registered users by email at least 14 days before the change takes effect.
Review notes for Andrew
Personal judgement calls and confirmations needed before this goes live:
- Controller transition date — when do you expect MindRoam OÜ to be the named controller? The transition clause (Section 1) needs a target date once you have one.
- Registered office details — both for the sole trader phase (UK trading address) and for MindRoam OÜ once incorporated. Currently placeholders.
- Processor list confirmation — check whether Render EU region availability is confirmed, whether Neon's primary region is Frankfurt, and whether you plan to use both OpenAI and Anthropic in production or pick one. If only one, drop the other from Section 4.
- SCCs paperwork — the policy claims SCCs are in place. Before launch, confirm you have actually executed DPAs with each US processor (Stripe, OpenAI, Anthropic, Cloudflare). This is a gap if not done.
- Supplier register — Section 4 references a supplier register "available to regulators on request". You need that document to actually exist (ISO 27001 A.5.19 — supplier relationships). Create it alongside this policy.
- Breach notification plan — Section 8 commits to 72-hour notification. Make sure you have a documented incident response procedure with roles and contact steps, even as a solo operator.
- Age gate implementation — Section 11 promises an age gate at signup. This needs to actually be built into the MVP signup flow. Currently not in the locked 6-feature MVP list — decide whether to add it or whether it is already implicit in the onboarding feature.
- Analytics opt-out toggle — Section 10 promises one. Also not in the MVP. Decide whether to build now or accept that analytics is legitimate-interest-only and opt-out happens by email request until the toggle exists.
- EXIF stripping toggle — same question. Not in the MVP. Lower priority than the age gate.
- JSON export — Section 7 promises a portability export. Build it for the MVP or have a manual export workflow ready by launch.
- Counsel review — before this goes live, put it through UK solicitor review (for the sole trader phase) and Estonian counsel review (for the OÜ phase). ICO guidance is clear but a lawyer's eyes are cheap insurance for a consumer app.
- ICO registration — as a data controller in the UK, Andrew Samuels as sole trader likely needs to pay the ICO data protection fee. Confirm and register.
End of MyJourneys Privacy Policy — Version 0.1 — 2026-04-19 — DRAFT.