Privacy Notice
Last updated: 5 April 2026
This Privacy Notice explains how Olympus (“we”, “us”) collects, uses, and safeguards personal data when you use our AI-powered travel planning and booking service at olympus.io and related apps (the “Service”). It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Olympus is operated by Olympus Travel Ltd (in formation), a company being registered in the United Kingdom. Until incorporation is complete, the service is operated by its founder as a sole trader based in London, United Kingdom. You can reach our privacy team at privacy@olympus.io.
2. What data we collect
We collect the following categories of personal data:
- Account data — name, email address, hashed password, and authentication tokens.
- Travel planning inputs — the natural-language prompts, destinations, dates, traveller counts, budget, and preferences you provide to the AI planner.
- Booking data — flight, hotel, and activity selections; passenger details required by suppliers; booking references.
- Payment data — we do not store full card numbers. Card data is collected directly by Stripe, our PCI-DSS compliant payment processor. We retain only the last four digits, card brand, and a Stripe customer ID.
- Technical data — IP address, browser user-agent, and request timestamps, collected via server logs for security and diagnostic purposes.
3. Why we use your data (purposes)
- To create and maintain your Olympus account.
- To generate personalised trip recommendations using large language models.
- To search third-party travel inventory (flights, hotels, activities) and complete bookings on your behalf.
- To process payments and issue refunds.
- To send transactional emails (booking confirmations, receipts).
- To detect abuse and secure the Service (rate-limiting, fraud prevention).
4. Legal basis
We rely on the following UK GDPR Article 6 lawful bases:
- Consent (Art. 6(1)(a)) — for creating an account and processing your travel inputs through AI subprocessors. You give this consent via the opt-in checkbox at signup and may withdraw it at any time by deleting your account.
- Contract performance (Art. 6(1)(b)) — for processing bookings and payments once you request them.
- Legitimate interests (Art. 6(1)(f)) — for security logging and fraud prevention, balanced against your rights.
5. Subprocessors
To deliver the Service, we share the minimum necessary data with the following subprocessors. Each is bound by a data processing agreement (see PR #284 for the current DPA register).
- Anthropic PBC (United States) — large language model inference (trip planning, ranking, itinerary). Data shared: trip prompts and structured travel metadata. Transfers under UK IDTA / SCCs. Zero-retention mode enabled where available.
- Google LLC (United States) — supplementary AI inference via Gemini and Google OAuth for sign-in. Data shared: prompts (Gemini), email and profile (OAuth).
- SerpAPI, LLC (United States) — flight and hotel inventory search. Data shared: search parameters only (origin, destination, dates, passenger counts). No personal identifiers.
- Resend (United States) — transactional email delivery. Data shared: recipient email address and message content.
- Stripe Payments Europe Ltd (Ireland) — payment processing. Data shared: amount, currency, card details you enter directly into Stripe's elements, billing name.
- Google Cloud Platform (europe-north1, Finland) — hosting and database infrastructure.
- Vercel Inc. (United States / EU edge) — web frontend hosting and CDN.
6. Your rights
Under UK GDPR you have the right to access, rectify, erase, export, restrict, and object to the processing of your personal data, and to withdraw consent at any time.
- Access and export — email privacy@olympus.io and we will respond within one month.
- Erasure — you may delete your account from your profile settings (feature in development, tracked as issue #261). Until it ships, email us and we will delete your account within 72 hours.
- Rectification — update your name and email from your profile settings.
- Complaint — you have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
7. Retention
Account and booking data are retained for as long as your account is active, plus six years after closure to meet UK tax and consumer protection obligations. Server logs are retained for 30 days. AI prompts sent to subprocessors are not retained by the subprocessor where zero-retention mode is available.
8. International transfers
Some of our subprocessors are located outside the UK. Transfers are protected by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses or an equivalent safeguard.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Contact
Questions or requests about this notice: privacy@olympus.io.
11. Changes
We will post any material changes to this notice on this page and, where the change affects how we use your data, notify you by email. The “Last updated” date at the top reflects the latest revision.