Privacy Policy

Nomadic is the controller for personal data processed through this site.

Contact: privacy@nomadic.travel. You can also use the contact page for data requests.

We collect only what is needed to deliver the service:

• Trip planning inputs you provide (origins, destinations, dates, traveler counts, preferences).
• An essential session_id stored in a secure HttpOnly cookie plus the same identifier in our backend to keep your trip context and chat history tied to this session. The cookie is encrypted and cannot be accessed by JavaScript.
• Booking context from the Expedia Group Rapid API when you request live rates or booking details (itinerary IDs, rate keys, property/room identifiers).
• Communications you send us (support, privacy, or booking questions) and any identifiers you share (e.g., Expedia itinerary ID).
• Device/diagnostic data needed for reliability and security (IP address, browser type, basic logs). We do not record raw payment data; Expedia processes payments.

Nomadic does not scrape websites or use unauthorized data collection methods. All travel content displayed on our platform is retrieved exclusively through authorized APIs:

• The Expedia Group Rapid API provides hotel, flight, and activity listings under an authorized affiliate agreement.
• The Booking.com Demand API provides additional accommodation options under authorized partnership terms.
• Destination images are sourced from Unsplash under their API license.

This ensures all information is accurate, compliant with partner terms, and lawfully obtained.

• Delivering trip planning and showing live booking options you request (contract).
• Keeping the platform secure, preventing fraud/abuse, and ensuring reliability (legitimate interests).
• Responding to support or privacy requests (contract/legal obligation).
• Respecting or storing consent choices for non-essential cookies/tech if you opt in (consent). None are active by default today.

We share only what is necessary to provide the service:

• Expedia Group Rapid API to retrieve live rates and booking details you ask for. Expedia processes payments and confirmations under its own terms.
• Booking.com Demand API to retrieve additional accommodation options and booking details. Booking.com processes payments under its own terms.
• Infrastructure providers (hosting, databases, monitoring) under confidentiality and data processing terms.
• Service providers for support or compliance (only as needed and under contract).

Where data is transferred outside your region, we rely on appropriate safeguards (e.g., DPAs and standard contractual clauses).

• session_id persists until you clear cookies or start a new session in the app. Sessions automatically expire after 90 days or 14 days of inactivity.
• Trip contexts, chat history, and tile clicks are retained for active planning and reliability, then deleted when you request removal or after a limited operational window.
• Expedia itinerary identifiers are kept only as long as needed for booking status or support.
• Support communications are retained as required for compliance and recordkeeping.

• Access, correction, deletion, or portability of your personal data.
• Objection or restriction where permitted by law (especially for legitimate interests).
• Withdraw consent for any optional processing without affecting past processing.
• Lodge a complaint with your supervisory authority; we encourage you to contact us first so we can help quickly.

We store an essential session_id in a secure HttpOnly cookie to keep your trip context and chat history. This cookie cannot be accessed by JavaScript, providing enhanced security. Functional, analytics, and marketing categories are disabled by default and none are active today. Manage choices anytime via the banner or the "Manage cookies" link in the footer. See the Cookie Policy for details.

We use encryption in transit, access controls, and role-based limits for staff access. Please protect your device and avoid reusing credentials across services.

Nomadic is not directed to children under 16, and we do not knowingly collect their data.