BonVoyageurbêta

Privacy Policy

Last updated: June 10, 2026

Data Collected

When creating an account: email address and password (hashed, unreadable). When using the service: itineraries you create (countries, dates, durations, configuration settings). Audience measurement: navigation and usage data (pages visited, actions taken in the application) collected via an analytics service hosted in Europe (PostHog EU), without cookies by default (session-memory storage) and tied to a stable pseudonymous identifier derived from your session, which lets us understand journeys without naming you. With your explicit consent (checkbox at registration): cross-session persistence via cookie/local storage and a recording of your browsing session (session replay) to diagnose issues and improve the experience; session replay is never enabled without this consent, withdrawable at any time in your settings.

Purposes of Processing

Your data is used to: provide the service (authentication, saving and retrieving your itineraries), measure audience and activation to improve the algorithm and experience, monitor technical errors to ensure service stability, and respond to support requests. No data is used for advertising or commercial purposes, nor transferred to third parties for such purposes.

Legal Basis

Performance of contract: account data and itineraries, required to provide the service you signed up for. Legitimate interest: product audience measurement, for all users (anonymous and registered), to understand usage and improve the product — you have an effective right to object, exercisable at any time (see “Your Rights”); and technical logs (connections, errors) to ensure service security and stability. Consent: only for cookie/local-storage persistence and session recording (session replay), given at registration and withdrawable at any time in your settings.

Data Retention

Your account data and itineraries are retained for as long as your account is active. You can request account deletion at any time from your settings — your data is then deleted within 30 days. Audience measurement data is retained for at most 12 months by the analytics service (the plan's automatic retention), then deleted.

Your Rights

Under the GDPR, you have the following rights: access to your data (contact us at contact@bonvoyageur.fr), rectification (update your information in settings), deletion (available directly in the application), portability (your itineraries can be exported in Excel format), objection to audience measurement (based on legitimate interest) at any time — via the control below, available to everyone, or in your account settings for an effect across all your devices — and withdrawal of consent to session replay and cookies (in your settings). You also have the right to lodge a complaint with a data protection authority — in France, the CNIL (www.cnil.fr).

Audience measurementAudience measurement relies on legitimate interest and sets no cookie. You can object at any time, right here. Registered users have an equivalent setting in their account that applies across all their devices.

Cookies

Session cookies: set by Supabase when you log in, required for authentication. They expire at the end of your session or when you log out. Audience measurement: no cookie is set by default — data is stored in session memory. If you object to measurement, that refusal is stored in local storage, strictly to honor your choice. Persistent analytics cookies: set by PostHog only with your explicit consent (checkbox at registration); they enable cross-session usage tracking and, where applicable, session replay. You can withdraw consent at any time in your settings. No advertising cookies are used.

Data Transfers

Your data is hosted and processed in Europe: Supabase (database, AWS eu-west-3, Paris) and PostHog (audience measurement under legitimate interest, session replay under consent; server-side error monitoring without personal data — EU instance hosted by Hetzner Frankfurt, Data Processing Agreement signed). The application is hosted on Vercel, whose servers may process connection metadata outside the EU — appropriate contractual safeguards (EU Standard Contractual Clauses) apply in such cases. Your data is never sold or transferred to third parties.

Security

Communications between your browser and the service are encrypted via HTTPS/TLS. Passwords are hashed and never stored in plain text. Data access is controlled by database-level security policies (Row Level Security). In the event of a data breach likely to affect your rights, you will be notified in accordance with GDPR timelines.

Contact — Exercise Your Rights

To exercise your rights or for any questions about your personal data, contact us at: contact@bonvoyageur.fr. We will respond within 30 days. If your request is not resolved, you may contact the French data protection authority (CNIL): Commission Nationale de l'Informatique et des Libertés, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr.