Privacy Policy

Ambrosio Company is the controller of personal data processed on the Voyspark platform. We have appointed a Data Protection Officer (DPO) to represent users before the company and supervisory authorities.

DPO contact: dpo@voyspark.com. We respond within 15 days for Brazilian data subjects (LGPD art. 19) and within 1 month for European subjects (GDPR art. 12), extendable based on complexity.

We process personal data based on (a) contract performance (LGPD art. 7 V; GDPR art. 6(1)(b)) — to deliver contracted features; (b) compliance with legal obligation (LGPD art. 7 II; GDPR art. 6(1)(c)) — to retain tax and accounting data; (c) legitimate interest (LGPD art. 7 IX; GDPR art. 6(1)(f)) — for security, fraud prevention, aggregated analytics and service improvement, always balanced against your rights.

When none of the above applies, we request your freely-given, informed and unambiguous consent (LGPD art. 7 I; GDPR art. 6(1)(a)), particularly for direct marketing, non-essential cookies and processing of sensitive data.

Identification: name, email, phone (optional), date of birth (optional), country of residence, preferred language.

Navigation: IP address, device type and browser, operating system, pages visited, time spent, referrer, cookie identifiers — collected via our own server (track.voyspark.com) and analytics partners.

Usage: Trip Plans created, destinations searched, travel dates, Taste Genome preferences, messages exchanged with Voyspark AI, reviews, Trip Diaries published, Insider Network answers.

Transaction: subscription history, payment status, last 4 digits of the card (only via Stripe), billing and tax address when required.

Communication: emails exchanged with support, tickets, chats, survey and NPS responses.

When you choose "Sign in with Google", Voyspark uses the OAuth 2.0 protocol to receive only the following data from your Google profile: unique identifier (sub), email address, verified-email status, full name, given name, family name and profile picture URL.

These data are used strictly to: (a) create and authenticate your Voyspark account; (b) display your name and avatar within the platform; (c) link subsequent sign-ins; (d) send essential transactional communications (signup confirmation, access recovery, critical updates).

Voyspark does NOT request, access or store: Gmail content, messages, attachments, contacts, Google Drive files, Google Calendar events, Google Photos images, Google Contacts or any other restricted scope of your Google account.

Voyspark does NOT share data obtained via Google OAuth with third parties for marketing, targeted advertising or AI model training purposes. These data are not sold under any circumstance.

You may revoke Voyspark’s access to your Google account at any time at myaccount.google.com/permissions. After revocation we keep only data strictly necessary to comply with legal obligations (billing, accounting, fraud prevention), according to the retention periods described in section 8.

Authentication and account: create, maintain and protect your account, validate access, recover password and prevent account takeover.

Personalization: tailor destination recommendations, itinerary suggestions and editorial curation to your declared profile and behavior on the platform.

Transactional: process subscriptions, issue receipts, communicate contractual changes, charges and renewals.

Communication: respond to support questions, send important service updates and — only with consent — editorial newsletters and offers.

Analytics and improvement: analyze aggregated usage to understand behavior, identify bottlenecks, prioritize improvements and measure performance.

Security and fraud prevention: detect and block suspicious access, abuse, scraping, payment fraud and breaches of the Terms.

Voyspark shares personal data only with operational partners (operators under LGPD, processors under GDPR) strictly necessary for the service, under contracts requiring equivalent protection.

Main processors in use: Stripe Inc. (payments); Supabase Inc. (database and authentication); Vercel Inc. and Cloudflare Inc. (hosting and CDN); Anthropic PBC and OpenAI OpCo, LLC (AI models via API, no training on private data); Google LLC (OAuth login, fonts, optional analytics); Travelpayouts (editorial affiliation — receives only an anonymous click identifier/sub_id, no nominal personal data); Resend or equivalent (transactional email).

We do not sell personal data. We do not share data with data brokers, cross-site advertising networks or third parties processing your data for their own purposes incompatible with this notice.

We provide an in-depth breakdown of cookies, pixels, local storage and identifiers in the Cookie Policy (/legal/cookies), with categories, purposes, durations and management options.

Active account: we keep data while your account is active and for 30 additional days after deletion request (reversible soft-delete).

Tax and accounting data: up to 5 years for Brazilian users (tax obligation) and per applicable legal term in other jurisdictions.

Security logs: up to 12 months, per art. 13 and 15 of the Brazilian Internet Civil Framework and EU equivalents.

Voyspark AI conversations: up to 18 months, then anonymized and used only in aggregated form for statistical analysis.

Published content (Trip Diaries, reviews): remains visible until removed by the user, with backup copies kept for up to 90 days after deletion.

Under LGPD art. 18 you have the right to: (a) confirm the existence of processing; (b) access your data; (c) correct incomplete, inaccurate or outdated data; (d) anonymize, block or delete unnecessary data; (e) port data to another provider; (f) delete data processed based on consent; (g) be informed about sharing; (h) withdraw consent.

To exercise any right, send a request to the DPO at dpo@voyspark.com with sufficient identification. We respond within 15 calendar days.

Under GDPR you have the right to: access (art. 15), rectification (art. 16), erasure/right to be forgotten (art. 17), restriction (art. 18), portability (art. 20), objection (art. 21) and the right not to be subject to fully automated decisions with significant effect (art. 22).

You also have the right to lodge a complaint with a supervisory authority, such as CNIL (France), AEPD (Spain), Garante (Italy), BfDI (Germany), CNPD (Portugal) or ICO (United Kingdom).

California residents have the rights granted by CCPA/CPRA: know categories and specific elements of data collected, sources and purposes; request deletion; opt-out of sale or sharing (Voyspark does not sell data); correct inaccurate data; limit use of sensitive personal information.

To exercise these rights, send a request to dpo@voyspark.com with the phrase "CCPA Request". We do not discriminate against users exercising their rights.

Voyspark is not intended for children under 13 (Brazil) or 16 (EU, except where local age is lower). We do not knowingly collect data from such subjects.

If we identify improper collection, we will delete the data promptly. Parents or guardians who detect processing of minors’ data can request immediate deletion at dpo@voyspark.com.

Operating Voyspark involves international data transfers (for example to US and EU servers of processors such as Stripe, Vercel, Cloudflare, Supabase, Anthropic and OpenAI).

These transfers are made based on the European Commission Standard Contractual Clauses (SCCs) and other safeguards under LGPD art. 33 and GDPR arts. 44–49.

We apply technical and organizational measures appropriate to the risk: in-transit encryption (TLS 1.2+), at-rest encryption for sensitive data, password hashing (bcrypt/argon2), least-privilege access control, environment segregation, audit logs, continuous monitoring and periodic reviews.

No system is fully immune to risk. In the event of a relevant incident, we will notify ANPD (Brazil) and/or the competent European authority within legal deadlines (up to 72 hours under GDPR), and the affected subjects when applicable.

This Policy may be updated to reflect regulatory changes, new features or new partners. Previous versions are archived and available upon request at dpo@voyspark.com.

Material updates will be communicated 15 days in advance by email and/or a prominent notice on the platform.

Data Protection Officer: dpo@voyspark.com. Legal contact: legal@voyspark.com.

Supervisory authorities: ANPD (Brazil, anpd.gov.br), CNIL (France, cnil.fr), AEPD (Spain, aepd.es), Garante (Italy, garanteprivacy.it), BfDI (Germany, bfdi.bund.de), CNPD (Portugal, cnpd.pt), ICO (United Kingdom, ico.org.uk) and California Privacy Protection Agency (cppa.ca.gov).