Privacy Policy

Last updated: 14 April 2026

This privacy policy explains how your personal data is collected, used, stored, and shared when you use Milo, a travel intelligence platform available at mymilo.travel (the “Service”).

The data controller is Nathan Davies, trading as Milo, United Kingdom. For any questions about this policy or how your data is handled, contact us at hello@mymilo.travel.

1. About this policy

This policy is issued under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It sets out the basis on which we process personal data we collect from you, or that you provide to us, in connection with the Service. Please read it carefully.

2. Personal data we collect

We collect and process the following categories of personal data:

2.1 Account data

When you create an account, we collect your name and email address. If you authenticate via Google OAuth, we receive your name and email address from Google. We do not request or receive your Google password.

2.2 Travel preference data

During onboarding and through your account settings, you may provide travel preferences including departure region, budget range, pace, travel style, and novelty appetite. All preference data is optional. You may update or delete it at any time through your account settings.

2.3 Trip and itinerary data

When you save a trip or generate an itinerary, we store the destination, travel dates, trip duration, travel party composition, and the itinerary content.

2.4 Reservation data

If you upload booking confirmations or record reservation details within the Service, we store the provider name, booking reference, dates, and any uploaded confirmation files.

2.5 Usage data

We collect information about how you interact with the Service, including pages visited, itinerary interactions, features used, and affiliate links clicked. We do not use usage data to build advertising profiles or to serve targeted advertising.

2.6 Post-trip feedback

If you respond to a post-trip feedback prompt, we store your responses. Feedback is voluntary and used solely to improve the accuracy of future recommendations.

2.7 Payment data

Payments are processed by Stripe. We do not receive, process, or store your full payment card details. We store only your Stripe customer identifier, subscription plan, subscription status, and billing dates. Stripe acts as an independent data controller for payment card data - see Stripe's privacy policy at stripe.com/privacy.

2.8 Communication data

If you email us or contact us through the Service, we retain the content of your communication and your contact details for as long as necessary to deal with your enquiry and for our legitimate records.

2.9 Newsletter consent record

If you opt in to the Milo newsletter, we store your consent preference and the date and time consent was given. The consent checkbox is never pre-ticked.

2.10 Technical data

Our hosting provider (Vercel) processes standard server logs, which may include your IP address, browser type, and request timestamps. We do not access or analyse this data at an individual level.

3. How and why we use your data

We process your personal data on the following legal bases under Article 6 of the UK GDPR:

| Purpose | Data used | Legal basis |
| --- | --- | --- |
| To provide the Service - generating recommendations, itineraries, and personalised features | Account data, preference data, trip data, reservation data | Contract performance (Art. 6(1)(b)) |
| To process payments and manage your subscription | Payment data, account data | Contract performance (Art. 6(1)(b)) |
| To send transactional emails - confirmations, trip shares, subscription receipts | Account data (email address) | Contract performance (Art. 6(1)(b)) |
| To send the Milo newsletter | Account data (email), consent record | Consent (Art. 6(1)(a)) - withdraw at any time |
| To improve the Service using aggregated, anonymised usage patterns | Usage data (aggregated and anonymised) | Legitimate interests (Art. 6(1)(f)) |
| To improve recommendation accuracy using behavioural signals | Usage data, post-trip feedback, reservation data | Legitimate interests (Art. 6(1)(f)) |
| To detect fraud and prevent abuse | Account data, technical data | Legitimate interests (Art. 6(1)(f)) |

Where we rely on legitimate interests, you have the right to object (see Section 8).

4. Data sharing

We share personal data only with the following third-party processors, and only to the extent necessary for the purposes described above. We do not sell, rent, or trade your personal data.

| Processor | Purpose |
| --- | --- |
| Supabase Inc. | Database hosting and authentication. Data stored in the EU (Frankfurt region). We have a data processing agreement in place. |
| Stripe, Inc. | Payment processing. Stripe is an independent data controller for card data. See stripe.com/privacy. |
| Anthropic, PBC | AI-powered itinerary generation. Your destination, trip constraints, and preferences are sent to the Claude API. We do not send your name or email. Anthropic's API data is not used to train models. See anthropic.com/privacy. |
| Resend, Inc. | Transactional and newsletter email delivery. Your email is used only to deliver emails you have requested or consented to. Resend does not use your email for its own marketing. |
| Vercel, Inc. | Web hosting. Standard server logs are processed as part of hosting operations. |

International transfers. Some processors (Stripe, Anthropic, Resend, Vercel) are based in the United States. Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the ICO or participation in a recognised data protection framework. You may request details of specific safeguards by contacting us.

5. Affiliate links

Milo earns commission when you book travel services through affiliate links in your itinerary. Current affiliate partners include Booking.com, Skyscanner, GetYourGuide, Viator, Rentalcars.com, and G Adventures.

When you click an affiliate link, you leave the Service and are redirected to the partner's platform. The link contains a tracking reference identifying Milo as the referral source. We do not transmit your name, email, or other personal data to affiliate partners as part of this process. From the point you arrive on a partner's platform, that partner's privacy policy applies.

Affiliate relationships do not influence destination recommendations. The scoring engine operates independently of the affiliate layer.

6. Cookies

Milo uses strictly necessary session cookies to maintain your authenticated session. These cookies are essential for the Service to function and do not require consent under the Privacy and Electronic Communications Regulations 2003 (PECR).

We do not use advertising cookies, analytics cookies, or third-party tracking cookies. We do not engage in cross-site tracking or behavioural profiling. If we introduce non-essential cookies in future, we will update this policy and obtain your consent before setting them.

7. Newsletter and direct marketing

The Milo newsletter is sent only to users who have given explicit, affirmative opt-in consent. The consent checkbox is never pre-selected. We record the date and time consent is given.

Newsletter content includes travel editorial, seasonal destination recommendations, and occasional affiliate links. We do not share your email address with any third party for their own marketing purposes.

You may withdraw consent and unsubscribe at any time using the link in any email we send, or by updating your preferences in your account settings. Withdrawal is processed immediately and does not affect the lawfulness of processing carried out before withdrawal.

8. Your rights under UK GDPR

You have the following rights in relation to your personal data:

Right of access (Art. 15)

Request confirmation of whether we process your personal data and, if so, a copy of that data together with supplementary information about our processing.

Right to rectification (Art. 16)

Request correction of inaccurate personal data. Most preference and account data can be updated directly through your account settings.

Right to erasure (Art. 17)

Request deletion of your personal data. We will comply unless we have a lawful basis for continued retention (for example, financial records required under UK tax law). Account deletion requests are processed within 30 days.

Right to restriction (Art. 18)

Request that we restrict processing of your data in certain circumstances - for example, while we verify the accuracy of data you have contested.

Right to data portability (Art. 20)

Where processing is based on consent or contract and carried out by automated means, request your data in a structured, machine-readable format.

Right to object (Art. 21)

Object to processing carried out on the basis of legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to withdraw consent

Where processing is based on consent (newsletter, optional preferences), withdraw at any time without affecting the lawfulness of prior processing.

Right to lodge a complaint

Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been handled unlawfully.

To exercise any of these rights, email hello@mymilo.travel. We will respond within one calendar month. We do not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive.

9. Data retention

We retain your personal data only for as long as necessary for the purposes for which it was collected.

| Data category | Retention period |
| --- | --- |
| Account and preference data | For the duration of your account. Deleted within 30 days of account deletion. |
| Trip and itinerary data | For the duration of your account. Deleted within 30 days of account deletion. |
| Reservation data and uploaded files | For the duration of your account. Deleted within 30 days of account deletion. |
| Usage and interaction data | Retained in identifiable form for up to 24 months, then aggregated and anonymised. |
| Post-trip feedback | For the duration of your account. Deleted within 30 days of account deletion. |
| Payment transaction records | Retained for 7 years from the date of the transaction, in accordance with UK tax and accounting obligations (HMRC requirements under the Taxes Management Act 1970). |
| Newsletter consent records | Retained for as long as consent is active, plus 12 months after withdrawal, as evidence of lawful processing. |
| Communication records | Retained for up to 24 months from the date of the last communication. |

10. Data security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption of data in transit (TLS), access controls on our database and infrastructure, and use of reputable third-party processors with their own security certifications.

No method of electronic storage or transmission is completely secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security.

11. Children

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a person under 18, please contact us at hello@mymilo.travel and we will delete it promptly.

12. Automated decision-making

Milo uses automated processing to generate destination recommendations and itineraries based on the constraints and preferences you provide. This processing does not produce legal effects or similarly significant effects within the meaning of Article 22 of the UK GDPR - it generates travel suggestions only.

Where we use a preference model derived from your behavioural data to personalise recommendations, this operates as an enhancement to the service and does not restrict your access to any feature or alter the terms on which the service is offered to you.

13. Changes to this policy

If we make material changes - in particular, changes to the categories of data we collect, the purposes for which we process data, or the third parties with whom we share data - we will notify you by email or through a prominent notice within the Service before the changes take effect.

The “last updated” date at the top of this policy will always reflect the most recent version.

14. Contact and complaints

For any questions about this policy, to exercise your rights, or to raise a concern about how your data is handled:

Email: hello@mymilo.travel

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ico.org.uk · 0303 123 1113

Milo ICO Registration Number: ZC121094