1. What we collect
We collect three categories of information, and only what we need to operate the publication and deliver the service you have requested.
Information you give us directly. Your email address when you subscribe to the newsletter, request a research brief, or correspond with editors. Your name, country of residence, and stated travel interests when you complete an intake form for a planning consultation. The contents of any message you send to privacy@viaive.com or editor@viaive.com, including attachments and the routing metadata your mail client appends.
Information collected automatically. Standard server logs (IP address resolved to country, user agent string, referring URL, requested path, response status, timing). Page-view events recorded by our first-party analytics. Authentication cookies for editor sign-in and a session cookie for the reader-side experience. We do not run third-party advertising trackers, and we do not sell or rent reader data.
Information from partners. When you arrive from an affiliate partner via a tracking link, the partner appends a click identifier so we can attribute the visit. When you complete a booking or purchase through one of our affiliate links, the partner reports back a conversion event tied to that identifier. The conversion record contains the booking value and a partner-side reference number; it does not include your name, address, payment details, or travel itinerary. We do not receive your booking confirmation, your dates of travel, the room category you selected, or any free-text notes you may have left for the operator.
What we deliberately do not collect. We do not collect payment-card numbers, bank-account details, passport numbers, national identification numbers, biometric data, precise GPS location, or contents of any device storage. Where a feature would benefit from one of these inputs (for example, a streamlined booking flow), we send you to the partner site rather than handle the data ourselves.
2. How we use it
We use your information to deliver the editorial product you signed up for, to improve the reporting, and to operate a transparent affiliate model.
- Sending the newsletters and research briefs you requested.
- Personalising editorial recommendations to the regions and travel categories you have indicated interest in.
- Routing and answering correspondence directed to our editors.
- Producing aggregated readership analytics that inform editorial planning (which destinations, which categories, which formats are working).
- Reconciling affiliate commission reports against our own click logs to verify partner accuracy.
- Detecting and preventing abuse, scraping, fraud, and security incidents.
- Meeting our legal, accounting, and tax obligations.
We rely on the following GDPR legal bases: consent for marketing emails and research-brief delivery; contract performance for the planning intake flow; legitimate interest for analytics, abuse prevention, and editorial improvement; and legal obligation for tax, audit, and data-subject responses.
3. Data processors and where data is held
The platform is built on a small, deliberate set of vendors. Each is bound by a data processing agreement, each is reviewed annually, and each is restricted to the minimum scope of data needed to perform its function.
- Supabase — primary application database, authentication,
and edge functions. Reader records, intake submissions, and editor accounts
live here. Data is stored in the EU (Frankfurt) region. Sensitive credentials
(API keys, partner tokens, third-party secrets) are stored in the Supabase
Vault (
vault.secrets) with encryption at rest, never in application source or environment variables that ship with the build. - Brevo — transactional and editorial email delivery, list management, and unsubscribe handling. Brevo receives your email address, the lists you are subscribed to, and engagement events (opens, clicks, bounces). Data is stored in the EU.
- Cloudflare — DNS, content delivery network, edge compute, bot mitigation, and basic privacy-preserving analytics. Cloudflare sees the HTTP request envelope (IP, headers, requested path) for every page load. Cloudflare Web Analytics does not set tracking cookies and does not fingerprint readers.
- Google AI (Gemini) — used to assist editors with research summarisation, fact-checking outlines, and translation drafts. Reader personal data is never sent to Gemini. The prompts contain editorial material (article drafts, public source text, translation candidates) only. Gemini API calls run with logging disabled where the option is available, and outputs are reviewed by a human editor before publication.
Where data crosses borders we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum where applicable, and adequacy decisions where they exist. Sub-processor changes are tracked internally and reflected in this policy at the next revision.
We deliberately do not use Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight, or any other third-party advertising or social-media tracker. We do not run a customer-data platform. We do not buy reader enrichment data from third-party providers. The only data we hold about you is data you gave us directly or that our own systems generated in the course of serving you a page.
4. Cookies and similar technologies
The cookies we set fall into three classes. Strictly necessary cookies preserve your session and remember whether you have already dismissed a banner. Functional cookies remember language and currency preferences. Analytics events are recorded by Cloudflare Web Analytics, which is cookieless by design.
We do not deploy advertising cookies, retargeting pixels, or social-media tracking scripts. If you have set Global Privacy Control or Do Not Track in your browser, we respect it: analytics events from your session are dropped at the edge and never written to durable storage.
5. Your rights
If you live in the European Union, the United Kingdom, California, Brazil, Singapore, Japan, South Korea, Australia, or another jurisdiction with a comparable regime, the following rights apply.
Under the GDPR (EU and UK): the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right to withdraw consent at any time without affecting the lawfulness of prior processing. You may also lodge a complaint with your national supervisory authority.
Under the CCPA / CPRA (California): the right to know what personal information we collect and how it is used and shared, the right to delete personal information we hold about you, the right to correct inaccurate information, the right to opt out of sale or sharing of personal information (we do not sell or share personal information for cross-context behavioural advertising — there is nothing to opt out of), and the right to non- discrimination for exercising any of these rights.
To exercise any right, email privacy@viaive.com with the subject line "Privacy request". We respond within 30 days for GDPR requests and within 45 days for CCPA requests. We will verify your identity using the email address on file before disclosing any personal information.
6. Retention
Newsletter subscriptions are retained until you unsubscribe, plus a 30-day suppression window so the unsubscribe propagates across systems. Intake form responses are retained for 36 months for editorial-research and trip-recall purposes, then deleted. Server logs are retained for 90 days. Affiliate conversion records are retained for 7 years to satisfy financial-audit obligations. Editor accounts are retained for the duration of the editor's engagement plus a 90-day handover window. Backups are rotated on a 30-day cycle; deletion requests propagate through the backup tape on the next rotation.
7. Security
Reader and editor traffic is served over TLS with HSTS preload.
Application secrets, partner API keys, and third-party credentials are
stored in the Supabase Vault (vault.secrets) with at-rest
encryption and short-lived service tokens. Database access is gated
by Row Level Security policies enforced at the engine layer, so an
application bug cannot expose data the calling user is not entitled
to read. Editor accounts require strong passwords and support
time-based one-time passcodes; production data is access-logged.
Despite these controls, no internet-connected system is provably
secure. If we discover a breach affecting your data, we will notify
you and the relevant supervisory authority within the timelines
required by law.
8. Children
The publication is written for adult readers. We do not knowingly collect personal data from children under 16. If you believe a child has submitted information through one of our forms, write to privacy@viaive.com and we will delete the record on verification.
9. Automated decisions and profiling
We do not make decisions that produce legal or similarly significant effects about you using solely automated processing. Newsletter segmentation and editorial recommendation engines use light-touch profiling — the regions you read about, the categories you click on, the lead magnets you have downloaded — to decide which articles to surface to you. You can opt out of personalisation at any time by replying to any newsletter and asking to be removed from the segmentation pool, in which case you will receive the unsegmented edition.
10. Contact
The data controller for Viaive is Viaive Editorial Ltd. For any privacy question, to exercise a right, or to escalate a concern about how we handle personal data, write to privacy@viaive.com. For editorial questions about a published article, write to editor@viaive.com.
11. Changes to this policy
We update this page when our practices change. Material changes are announced at the top of the page for at least thirty days and, where the change affects active subscribers, by email. The version date below is the authoritative timestamp.
Last updated: May 6, 2026. Operated by Viaive Editorial Ltd.