Privacy Policy

Versión / Version 1.0· Effective date / Fecha de entrada en vigor: 12 May 2026

This Privacy Policy explains how XPLORE APP, S.L. ("Xplore", "we", "our", or "us") collects, uses, and shares your personal data when you use the Xplore mobile application and related services (the "Service"). We are committed to protecting your privacy in compliance with the EU General Data Protection Regulation (GDPR), the Spanish Organic Law on Data Protection (LOPDGDD), and applicable App Store privacy requirements.

1. Who we are

Data Controller:

Company name: XPLORE APP, S.L.
CIF: B26807339
Registered office: Avenida de Esparta 94, 28232 Las Rozas de Madrid, Madrid, Spain
Commercial registry: Registro Mercantil de Madrid
Privacy contact: xploream@gmail.com

We have not appointed a Data Protection Officer (DPO) because we do not meet the mandatory criteria under GDPR Article 37. You may contact us at the address above for any privacy-related question.

2. Personal data we collect

2.1 Data you provide directly

Account information: email address, password (hashed), display name, profile picture, biography, locale, phone number (if you sign up with phone).
Travel preferences: destinations of interest, travel companions, dates, interests selected during onboarding.
User-generated content: posts, comments, place reviews, photos, videos, captions, ratings.
Saved content: places you save, videos you bookmark, trips you create, lists you build.
Communications: messages you send to other users through the Service.
AI Travel Planner inputs: prompts and preferences you submit to generate itineraries.
Bookings: reservation details when you make a booking through Xplore.
Contact data: phone numbers from your address book (only as cryptographic hashes; see section 5.3) when you opt in to "Find friends from your contacts".

2.2 Data collected automatically

Device data: device model, operating system version, app version, language, time zone, push notification token.
Usage data: screens visited, features used, content viewed, time spent, session duration (used for personalisation and product analytics).
Inferred preferences: interests and category affinities derived from your in-app behaviour (used to rank the feed and recommendations).
Technical data: IP address (stored temporarily for security and rate limiting), crash reports, error stack traces.

2.3 Data imported from third-party platforms

When you import content via the iOS Share Extension or in-app importers:

Instagram: public oEmbed preview metadata (thumbnail, caption, author handle) of the post you share.
TikTok: public oEmbed preview metadata of the video you share.
Google Maps: public place metadata (name, address, coordinates, rating) of the place you share.

We do not access your private accounts on these platforms, your full social graph, or your private content.

3. Why we collect your data (legal basis)

Under GDPR Article 6, we rely on the following legal bases:

Purpose	Legal basis	Examples
Provide the Service	Performance of a contract (Art. 6.1.b)	Account creation, saving places, creating trips, messaging
Personalise content	Legitimate interest (Art. 6.1.f) — and consent where required	Feed ranking, place recommendations, AI travel suggestions
Security & fraud prevention	Legitimate interest (Art. 6.1.f) and legal obligation (Art. 6.1.c)	Rate limiting, blocking abusive signups, brute-force protection
Send transactional emails	Performance of a contract (Art. 6.1.b)	Email verification, password reset, booking confirmation
Send marketing emails	Consent (Art. 6.1.a)	Newsletters, feature announcements (only if you opt in)
Analyse usage	Consent (Art. 6.1.a)	Product analytics, session replays
Comply with legal obligations	Legal obligation (Art. 6.1.c)	Responding to lawful requests from authorities

You can withdraw consent at any time in Settings → Privacy without affecting the lawfulness of processing carried out before withdrawal.

4. How we use your data

We process your data to:

Create and maintain your account.
Personalise your feed, search results, and travel recommendations.
Generate AI-powered travel itineraries based on the prompts you provide.
Enable social features (following, commenting, messaging, sharing content).
Process bookings you make through the Service.
Find friends already on Xplore from your phone contacts (only with explicit opt-in).
Improve the Service (identify bugs, measure feature adoption, prioritise development).
Prevent fraud, abuse, and unauthorised access.
Communicate important service updates (e.g., security incidents, terms changes).

5. Who we share your data with

5.1 Other Xplore users

By design, the following data is visible to other users:

Your profile (display name, photo, bio).
Posts, comments, place reviews, photos you publish.
Trips and lists you make public.
Direct messages — only to the recipient(s).

You can restrict visibility through Settings → Privacy.

5.2 Service providers (data processors)

We share data with the following processors strictly to operate the Service. All processors are bound by GDPR-compliant Data Processing Agreements:

Processor	Purpose	Location	Transfer safeguards
Supabase Inc.	Database, authentication, file storage, edge functions	EU (Frankfurt)	Standard Contractual Clauses (SCCs)
OpenAI, L.L.C.	AI travel itinerary generation	United States	SCCs + zero-retention API mode
Google LLC	Maps & Places search	United States	SCCs
Meta Platforms, Inc.	Instagram oEmbed previews	United States	SCCs
ByteDance / TikTok Pte. Ltd.	TikTok oEmbed previews	Singapore / United States	SCCs
PostHog, Inc.	Error tracking, session replay	EU (Frankfurt)	SCCs
Apple Inc.	Push notifications, App Store distribution	United States	Apple Privacy Framework

5.3 Phone contact matching

When you opt in to "Find friends from your contacts", we apply a one-way cryptographic hash (HMAC-SHA256 with a server-side secret) to each phone number on your device and send only the hashes to our server. We never receive plaintext phone numbers or names. Hashes are compared against the same hash computed for registered Xplore users; matches return user IDs, never phone numbers.

5.4 Legal disclosure

We may disclose your data when required by law (court orders, subpoenas, lawful requests from competent authorities) or to protect our rights, property, or safety, or that of others.

5.5 Business transfers

If Xplore is acquired or merges with another entity, your data may be transferred to that entity, subject to this Privacy Policy or a successor policy that respects your rights.

We do not sell or rent your personal data to third parties for advertising purposes.

6. International data transfers

Some of our processors are located outside the European Economic Area (EEA), primarily in the United States. We rely on the European Commission's Standard Contractual Clauses (SCCs) for these transfers, supplemented with additional technical and organisational measures (encryption in transit and at rest, access controls, audit logs).

You may request a copy of the SCCs by writing to xploream@gmail.com.

7. How long we keep your data

Data category	Retention
Account data (profile, settings)	While your account is active. Deleted within 30 days of account deletion.
User-generated content (posts, reviews, comments)	While your account is active. Deleted on account deletion.
Messages	While your account is active. Deleted on account deletion (other participants retain their own copy).
Authentication logs	90 days
Telemetry & analytics events	12 months
Crash reports	30 days
Audit logs (consent, data processing)	6 years (GDPR Art. 30)
Imported social previews (oEmbed metadata)	While the saved item exists, then deleted
AI travel planner conversations	While your account is active

When you delete your account, we delete all personal data linked to you within 30 days, except where retention is required by law (e.g., audit logs).

8. Your rights

Under GDPR, you have the following rights:

Right of access (Art. 15): Request a copy of all personal data we hold about you. Available in Settings → Privacy → Download my data.
Right to rectification (Art. 16): Correct inaccurate or incomplete data. Edit your profile or contact us.
Right to erasure / "right to be forgotten" (Art. 17): Available in Settings → Privacy → Delete my account.
Right to restriction (Art. 18): Ask us to limit how we use your data.
Right to portability (Art. 20): Receive your data in a structured, machine-readable format (JSON).
Right to object (Art. 21): Object to processing based on legitimate interest, including profiling for personalisation.
Right to withdraw consent (Art. 7): Withdraw any consent you previously gave (e.g., marketing emails, analytics).
Right to lodge a complaint: File a complaint with the Agencia Española de Protección de Datos (AEPD) — www.aepd.es.

To exercise any of these rights, use the in-app controls or write to xploream@gmail.com. We will respond within 30 days.

9. Children

The Service requires users to be at least 16 years old (see our Terms and Conditions). We do not knowingly collect personal data from children under 16. If you are under 16, do not use the Service. If you believe we have collected data from a child under 16, contact us at xploream@gmail.com and we will delete it.

For users aged 16–17, we recommend that a parent or guardian review this Privacy Policy.

10. Security

We protect your data through:

Encryption in transit (TLS 1.2+) for all client-server communication.
Encryption at rest for the database and file storage.
Row-Level Security on every database table (a user cannot read another user's private data).
Hashed phone numbers (HMAC-SHA256) for contact matching.
Multi-layer rate limiting and brute-force protection on authentication.
Principle of least privilege for internal access.

No system is 100% secure. If we become aware of a personal data breach that is likely to result in a high risk to your rights, we will notify the AEPD within 72 hours and you without undue delay (GDPR Art. 33–34).

11. Cookies and similar technologies

The Xplore mobile app does not use traditional web cookies. We use the following on-device storage technologies:

Authentication tokens: stored securely on your device (iOS Keychain / Android Keystore) to keep you logged in.
Local cache: of recent posts and places for offline use and performance.
Anonymous device identifier: a random ID generated on first launch (not your IDFA/IDFV) used to associate analytics events.

Our website (xploreplans.com) uses only essential cookies necessary for the site to function.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will:

Publish the new version at xploreplans.com/privacy with an updated effective date.
Increment the version number.
For material changes (e.g., new processors, new data categories), notify you in the app and request renewed consent if legally required.

13. Contact

For any question about this Privacy Policy or to exercise your rights:

Email: xploream@gmail.com
Postal address: XPLORE APP, S.L. — Avenida de Esparta 94, 28232 Las Rozas de Madrid, Madrid, Spain