Hootling (“we”, “us”) is operated from Victoria, Australia and is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and how it is handled when you use the Hootling service. This policy is governed by the Privacy Act 1988 (Cth) and the Privacy and Data Protection Act 2014 (Vic).
1. Summary
- We do not create user accounts or store personal profiles
- We do not store your payment card details
- We do not sell or share your data with advertisers
- Query results and access tokens are stored locally in your browser only
- Location inputs you type are sent to Google Maps to calculate routes
- City and country data is sent to Anthropic to generate travel guidance
- If you subscribe to our mailing list, your email address is collected and stored with Resend
- An affiliate tracking script (Travelpayouts) only loads if you accept cookies — see section 4
2. Data We Collect
2a. Location queries
When you enter a pickup and destination address, those addresses are transmitted to Google Maps Platform APIs (Distance Matrix, Directions, Places) to calculate route distance and duration. Google's use of this data is governed by the Google Privacy Policy.
2b. City and country
The city and country of your pickup location (e.g. “Bangkok, Thailand”) is sent to Anthropic's Claude API to generate taxi scam warnings, tipping recommendations, and driver phrases. No address-level detail is sent — only the city and country name. Anthropic's use of data is governed by the Anthropic Privacy Policy.
2c. Payment information
When you make a purchase, you are redirected to a Stripe-hosted checkout page. Hootling never sees, handles, or stores your card number, CVC, or banking details. Stripe's data practices are governed by the Stripe Privacy Policy.
After successful payment, Stripe notifies us that a session was completed. We store a record that the session ID was used (to prevent token replay). This record contains no personal or financial information and is retained for up to 90 days before being automatically deleted.
2d. Email address (optional)
After completing a purchase, you may optionally subscribe to the Hootling mailing list. If you subscribe, your email address is collected and stored by Resend (our email service provider). We use your email to send you travel tips, product updates, and occasional promotional content. You can unsubscribe at any time via the link in any email or at hootling.com/unsubscribe. Resend's data practices are governed by the Resend Privacy Policy.
2e. Browser storage
We store the following data locally in your browser:
- httpOnly cookies: JWT access tokens that grant access to query results. Tokens expire automatically (8 hours for single queries, 24 hours for DayPass tokens, 90 days for bundle tokens). These cookies are inaccessible to JavaScript and are never transmitted to third parties.
- sessionStorage: Your form inputs (pickup and destination) are temporarily saved before a payment redirect so they can be restored when you return. This data is cleared after use.
- localStorage (language/currency): Your selected display language and currency preference. No personal data.
None of this browser-stored data is transmitted to Hootling servers.
3. Data We Do Not Collect
- Payment card details, CVC, or banking information
- Device identifiers or fingerprinting data
- Browsing history or cross-site tracking
- Precise GPS location (you type addresses manually)
- Email address (unless you explicitly opt in to our mailing list)
4. Cookies, Analytics & Third-Party Scripts
Vercel Analytics
We use Vercel Analytics, a privacy-first tool that does not use cookies, does not track individuals across sites, and collects only aggregate, anonymous data (page URL, referrer, country, browser type). No personal data is collected or stored.
Google Analytics (GA4)
We use Google Analytics 4 in cookieless mode (client_storage='none'), which disables cookies and prevents cross-site tracking. Aggregate usage data (page views, session duration, device type) is collected to understand how the Service is used.
Microsoft Clarity (Session Recordings)
If you accept cookies, we load Microsoft Clarity, a session recording and heatmap tool. Clarity records anonymised interactions (mouse movements, clicks, scroll depth) to help us identify usability issues. All text inputs are automatically masked — Clarity never records what you type, including addresses, emails, or any personal data. Clarity's use of data is governed by the Microsoft Privacy Statement.
Travelpayouts Affiliate Tracking
We participate in the Travelpayouts affiliate programme. A tracking script from Travelpayouts (tpembars.com) is loaded only if you accept cookies via the consent banner displayed on your first visit. This script may set cookies or collect data for the purpose of attributing affiliate commissions when you click on partner links (such as airport transfer services). If you decline cookies, no Travelpayouts script is loaded and no affiliate tracking cookies are set. This tracking, when active, is subject to the Travelpayouts Privacy Policy.
We do not use advertising cookies or sell your data to advertisers.
5. Data Retention
- AI query results (scam warnings, tipping guides) are cached on our servers for up to 90 days to improve performance and reduce costs. These entries contain only the city/country name and the AI response — no personal data.
- Payment session records (used/not-used status for replay prevention) are retained for up to 90 days, then automatically deleted.
- Email addresses are retained for as long as you remain subscribed. You may request deletion at any time by unsubscribing or contacting us.
6. Children's Privacy
Hootling is not directed to children under the age of 13. We do not knowingly collect any information from children. If you believe a child has used the Service and provided any personal information, please contact us and we will take steps to remove it.
7. International Users & Your Rights
Hootling is designed for international travellers and is accessible worldwide. By using the Service, you acknowledge that data (such as your location query and city name) may be processed in countries where our third-party providers (Google, Anthropic, Stripe, Vercel, Resend, Travelpayouts) operate, and whose data protection laws may differ from those of your country.
Australian users: Your privacy is protected under the Privacy Act 1988 (Cth) and the Privacy and Data Protection Act 2014 (Vic). You have the right to access, correct, or request deletion of any personal information we hold about you (which is limited to your email address if you have subscribed to our mailing list).
EEA & UK users (GDPR / UK GDPR): Where applicable, our lawful bases for processing your personal data are legitimate interests (preventing payment fraud via session replay records) and consent (email subscriptions and affiliate tracking cookies). You have the following rights under GDPR Articles 15–22:
- Access (Art. 15) — request a copy of the personal data we hold about you
- Rectification (Art. 16) — request correction of inaccurate data
- Erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”)
- Restriction (Art. 18) — request that we limit processing of your data
- Portability (Art. 20) — receive your personal data in a structured, machine-readable format
- Objection (Art. 21) — object to processing based on legitimate interests
- Withdraw consent — you may withdraw consent for email marketing or cookies at any time without affecting the lawfulness of prior processing
The only personal data we hold directly is your email address (if subscribed). Payment session records contain no personal data. We do not appoint a formal Data Protection Officer as we are a small operator not engaged in large-scale systematic processing. You also have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EEA).
California users (CCPA): You have the right to know what personal information is collected, to request deletion, and to opt out of sale. We do not sell personal information.
For any privacy enquiry or data subject request, contact us at privacy@hootling.com. We aim to respond within 30 days.
8. Changes to This Policy
We may update this policy periodically. The “Effective” date at the top reflects the most recent update. Significant changes will be noted on the Service.
9. Contact
Privacy questions or requests: privacy@hootling.com