← Back to BeenThere

Privacy Policy

Last updated: March 6, 2025

BeenThere ("we," "us," or "our") operates the website beenthere.page and the BeenThere mobile application (together, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By accessing or using BeenThere, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Information You Provide Directly

  • Account information: name, email address, username, display name, profile picture, and password (stored in hashed form).
  • Profile information: bio, country, and links to your social media profiles (e.g., X/Twitter, Instagram, LinkedIn).
  • Trip content: trip titles, descriptions, dates, cover images, and all content you add to your trip canvas — including text blocks, quotes, prompt answers, checklists, and Spotify embeds.
  • Photos: images you upload to illustrate your travel stories. These are stored on our cloud infrastructure (see Section 5).
  • Collaboration data: when you invite trip buddies, we collect the email addresses you provide for those invitations.

1.2 Information Collected Automatically

  • Session data: IP address and user agent (browser/device information) when you sign in, used to maintain your authenticated session.
  • Photo metadata: file type (MIME type), file size, and image dimensions. We do not extract or store EXIF data (such as GPS coordinates embedded in photos) from your uploaded images.

1.3 Information from Third Parties

  • Google OAuth: if you sign in with Google, we receive your name, email address, and profile picture from Google. We also store authentication tokens necessary to maintain your sign-in session.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service: create and manage your account, display your profile and trips, and enable trip editing and sharing.
  • Process and deliver photos: store, optimize, resize, and serve your uploaded images through our content delivery network for fast loading.
  • Enable collaboration: send trip buddy invitation emails on your behalf and manage buddy permissions.
  • Authenticate you: verify your identity via email + password, magic links, one-time passwords (OTP), or Google sign-in.
  • Communicate with you: send transactional emails such as magic link sign-in emails, OTP codes, and buddy invitations.
  • Enforce quotas and plans: track your usage (photos, trips, buddies) against your plan limits.
  • Maintain and improve the Service: monitor for abuse, fix bugs, and improve features.

3. How We Share Your Information

3.1 Public Content

When you set a trip's visibility to "public," the trip's title, description, cover image, dates, and all content blocks (including photos, text, and buddy highlights) are visible to anyone on the internet. Your username, display name, avatar, bio, and linked social profiles are visible on your public profile page at beenthere.page/your-username.

3.2 Shared Content

Trips set to "shared" visibility are accessible to invited trip buddies.

3.3 Service Providers

We share your information with the following third-party service providers who process data on our behalf:

  • Cloudflare (R2 & Images): stores and delivers your uploaded photos.
  • Neon: hosts our PostgreSQL database containing account data, trip content, and media records.
  • Vercel: hosts and deploys our web application.
  • Google: provides OAuth authentication services.
  • Email service provider: delivers transactional authentication emails (magic links, OTPs, invitations).

We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.

3.4 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal process, such as a court order or government request.

4. Cookies and Tracking

BeenThere uses only essential cookies that are strictly necessary for the Service to function:

  • Authentication session cookie: keeps you signed in. Cached for up to 7 days.
  • Cross-subdomain cookie: enables seamless authentication across BeenThere subdomains.

We do not use any analytics, advertising, or tracking cookies. If this changes in the future, we will update this policy and obtain your consent where required by law.

5. Data Storage and Security

  • Photos are stored in Cloudflare R2 object storage and processed through Cloudflare Images for optimization and delivery.
  • Database records (account info, trips, blocks, media metadata) are stored in a Neon-hosted PostgreSQL database.
  • Passwords are stored in hashed form — we never store or have access to your plain-text password.
  • OTP codes for email verification are stored in hashed form and expire after 5 minutes.

We implement reasonable technical and organizational measures to protect your information. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

6. Data Retention

  • Account data: retained as long as your account is active.
  • Trip content and photos: retained as long as the associated trip exists.
  • Orphaned photos (photos removed from a trip but not explicitly deleted): retained for approximately 7 days after removal to allow for undo, then permanently deleted from storage.
  • Deleted media: soft-deleted immediately (no longer accessible), then permanently removed from cloud storage during routine cleanup.
  • Session data (IP address, user agent): retained for the duration of the session and removed upon sign-out or session expiry.
  • Username change history: retained for platform integrity (preventing abuse of the username system).

7. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access: request a copy of the personal data we hold about you.
  • Correction: update or correct inaccurate information in your account settings.
  • Deletion: request the deletion of your account and all associated data, including photos.
  • Portability: request your data in a portable format.
  • Objection: object to certain processing of your data.

To exercise any of these rights, contact us at privacy@beenthere.page. We will respond within 30 days.

8. Children's Privacy

BeenThere is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States where our service providers operate. These countries may have different data protection laws than your jurisdiction. By using BeenThere, you consent to such transfers.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For significant changes, we will make reasonable efforts to notify you (e.g., via email or a prominent notice on the Service). Your continued use of BeenThere after any changes constitutes acceptance of the updated policy.

11. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us: