Last updated: 2026-06-03
Privacy Policy
Last updated: 3 June 2026
This Privacy Policy explains how Seazly, operated by Anand Murugan, an individual based in India ("Seazly," "we," "us"), collects, uses, and protects your personal data when you use our website and services (the "Service"). We act as the data fiduciary/controller for the personal data described here.
We aim to comply with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and, where applicable, the EU/UK GDPR.
1. Data we collect
You provide:
- Email address (for passwordless sign-in and to deliver your itineraries).
- Trip preferences you enter or speak (destinations, dates, budget, travel style, number of travelers).
- WhatsApp phone number, only if you opt in to receive your dossier and trip updates on WhatsApp.
- Payment is handled by our payment processors; we receive confirmation and limited transaction metadata, not your full card details.
Collected automatically:
- Usage and event data (pages viewed, features used, anonymous session identifiers) to operate and improve the Service and understand our conversion funnel.
- Approximate location derived from your device/network for relevant features, and trip-related location text you provide.
- Standard technical data (device, browser, IP-derived region) and error diagnostics.
Images: If you use the photo "lens" feature, the image you upload is processed to generate a description. We strip embedded metadata (including GPS location data) from images before processing, and we do not retain the raw image beyond the request unless you explicitly choose to save it.
2. How we use your data
- To provide the Service: generate itineraries, deliver dossiers by email and (if opted in) WhatsApp, and run the AI features.
- To process payments and manage subscriptions.
- To provide customer support and respond to your requests.
- To analyze usage and improve the Service.
- To detect, prevent, and address fraud, abuse, and security issues.
- To comply with legal obligations.
We rely on your consent (e.g., WhatsApp opt-in, analytics cookies), the performance of our contract with you (providing the Service you paid for), and our legitimate interests (security, improvement) as our legal bases, as applicable.
3. AI processing
To generate itineraries, chat responses, packing and visa guidance, and image descriptions, we send relevant inputs to third-party AI providers (currently Anthropic and DeepSeek). We wrap untrusted content to guard against prompt manipulation, and we do not send your raw payment details to AI providers. AI outputs are guidance only — see our Terms.
4. Affiliate links and tracking
Some links in the Service are affiliate links (for example to connectivity, activity, transfer, or insurance partners). If you click them and transact with the partner, we may earn a commission. We record that a click occurred for attribution. We do not place your personal contact details into outbound affiliate URLs. See our Affiliate Disclosure.
5. Cookies and analytics
We use essential cookies to operate the Service (such as sign-in and session continuity) and, with your consent, analytics cookies to understand usage. You can manage non-essential cookies through our cookie banner and your browser settings.
A narrow set of server-side payment-confirmation events (e.g., paid, subscription.activated) are recorded in our analytics provider without consent gating, because they are necessary for revenue accounting and to deliver the Service you paid for (performance of contract under DPDP §4(1)(b) / GDPR Art. 6(1)(b)). These events use an order or subscription identifier as the analytics distinct id — never your user id or session id — and the underlying order/subscription identifiers are anonymized on account deletion.
6. Who we share data with (sub-processors)
We share data with service providers who help us run the Service, only as needed:
- Supabase — database, authentication, file storage
- Anthropic, DeepSeek — AI processing
- Razorpay, Stripe — payment processing
- Resend — transactional email delivery
- AiSensy / Meta (WhatsApp) — WhatsApp message delivery (only if you opt in)
- Google (Places) — venue and location data
- Mapbox — maps
- Sentry — error monitoring
- PostHog — product analytics
- Travelpayouts — flight-fare aggregator (search-only; we never send your personal details, only origin/destination/month)
- IRCTC — affiliate redirect for Indian rail bookings (no personal data shared by us; you transact directly with IRCTC on their site)
- RedBus — affiliate redirect for Indian intercity bus bookings (same — referral link only)
- Agoda, Booking.com — affiliate redirects for hotel bookings (same — referral link only)
These providers process data under their own terms and may operate outside India. Where required, we rely on appropriate safeguards for cross-border transfers. We do not sell your personal data.
7. Data retention
We keep personal data for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. You can request deletion as described below.
8. Security
We use measures including encryption of sensitive fields at rest (for example, your WhatsApp number is encrypted), access controls, and row-level database protections. No method of transmission or storage is perfectly secure, but we work to protect your data.
9. Your rights
Depending on your location, you may have the right to access, correct, update, or delete your personal data; to withdraw consent (for example, WhatsApp opt-in, which you can also revoke by replying STOP); to object to or restrict certain processing; and to data portability. You can manage some of this in your account, or contact us to exercise these rights. We will respond within the timeframes required by law.
To request access, correction, or deletion of your data, contact privacy@seazly.com.
When you delete your account, we erase your personal data from our database (trips, dossiers, memories, chat, the encrypted phone number, and any analytics events tied to your account). We also issue a deletion request to PostHog — our product-analytics processor — for events associated with your account identifier. Sentry, our error-monitoring processor, does not receive personally identifiable identifiers attached to your events (we tag errors with hashed ids only), so no separate Sentry deletion request is required. Order and subscription records are anonymized rather than deleted so we can satisfy financial-record retention requirements under the Income-tax Act and GST law (Section 44AA and Section 35 respectively, ≥7 years); the rows that remain carry only amounts, dates, plan/tier, and the payment provider's transaction reference, with no link back to a person.
10. Children
The Service is not directed to children under 18, and we do not knowingly collect their personal data. If you believe a minor has provided us data, contact us and we will delete it.
11. Grievance / contact
For privacy questions or to exercise your rights, contact our privacy point of contact:
Email: privacy@seazly.com
We will acknowledge and address grievances in accordance with applicable law.
12. Changes
We may update this Policy from time to time. We will revise the "Last updated" date and, for material changes, take reasonable steps to notify you.