Privacy Policy

Last updated: March 2026

Galloway Software Solutions Inc., operating as Toqui ("we," "us," or "our"), provides the Toqui AI travel companion application and website. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

By using Toqui, you consent to the data practices described in this policy. If you do not agree, please do not use the service.

1. Information We Collect

1.1 Account Information

When you create an account via Google OAuth, we collect:

Email address
Display name
Profile photo URL (from Google)
Google account identifier

1.2 Trip Data

Information you provide about your trips:

Trip titles, descriptions, and dates
Itinerary items (places, times, notes)
Booking confirmations you upload or forward
Trip themes and destination information

1.3 Chat Conversations

Messages exchanged with Toqui and expert guides are stored to maintain conversation context and improve your experience. Chat data is associated with your trip and subject to the data retention schedule described in Section 7.

1.4 Location Data

Your real-time location is NEVER stored permanently.

In Companion Mode, you may choose to share your current location to receive nearby recommendations. This location data is:

Ephemeral and request-scoped only
Used only for the duration of that single request
Passed to the AI as temporary context to generate relevant recommendations
Immediately discarded after the response is generated
Never written to any database, log, or persistent storage
Never shared with third parties

Itinerary items may include location coordinates for places you explicitly add to your trip (e.g., a restaurant address). These are places you chose, not your personal location.

1.5 Booking Details

When you paste or forward booking confirmations (flights, hotels, activities), Toqui extracts structured data such as dates, times, locations, and confirmation numbers. This data is stored as part of your trip and subject to the retention schedule in Section 7.

1.6 Marketing Site Analytics

This marketing website may use analytics services (such as Google Analytics) to collect anonymized usage data including pages visited, referral sources, and general geographic region. This data is aggregated and cannot be used to identify individual users. You can opt out of analytics tracking via the cookie consent banner.

2. How We Use Your Information

Provide the service: Plan trips, generate itineraries, manage bookings, and deliver personalized travel recommendations.
AI processing: Your messages and trip context are sent to AI language model providers to generate responses. We do not use your data to train AI models.
Persona matching: Your trip themes and destination are used to match you with relevant expert guide personas.
Recommendations: We may provide travel recommendations that include links to affiliate partners. See Section 5 for details.
Service improvement: Aggregated, anonymized usage patterns may be used to improve the service. Individual conversations are not reviewed by humans unless you report an issue.
Communications: We may use your email address for service-related notifications, including material changes to this policy.

3. Legal Basis for Processing

Under GDPR Article 6, we process your personal data on the following legal bases:

Processing Activity	Legal Basis
Account creation and authentication	Contractual necessity (Art. 6(1)(b)) — required to provide the service
Trip planning and itinerary management	Contractual necessity (Art. 6(1)(b)) — core service functionality
AI chat processing	Contractual necessity (Art. 6(1)(b)) — required to generate travel recommendations
Booking data storage	Contractual necessity (Art. 6(1)(b)) — to manage your travel bookings
Real-time location (Companion Mode)	Consent (Art. 6(1)(a)) — opt-in only, never stored
Marketing site analytics	Consent (Art. 6(1)(a)) — via cookie consent banner
Service improvement (aggregated analytics)	Legitimate interest (Art. 6(1)(f)) — improving service quality
Service-related communications	Legitimate interest (Art. 6(1)(f)) — notifying you of material changes

Where processing is based on consent, you may withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing performed prior to withdrawal. Where processing is based on legitimate interest, you have the right to object (see Section 8).

4. AI and Data Processing

Toqui uses third-party AI providers to generate travel recommendations and conversational responses. You should be aware of the following:

Chat messages and trip context are sent to AI providers (Anthropic Claude, Google Gemini) for processing.
We use API-only access. Per our providers' API terms, your data is not used to train their models.
We do not send your email address, name, or account information to AI providers — only trip context and message content.
AI providers process data under their respective data processing agreements and do not retain conversation data beyond the API request.
AI-generated content may contain errors. Recommendations, itineraries, and other AI outputs are provided for informational purposes. Always verify critical details independently.

5. Third-Party Services

We use the following third-party services to operate Toqui:

Service	Purpose	Data Shared
Anthropic (Claude)	AI chat processing	Chat messages, trip context
Google (Gemini)	AI chat processing	Chat messages, trip context
Google	Authentication (OAuth)	Standard OAuth flow data
Helcim	Payment processing	Payment details (handled by Helcim directly)
SendGrid	Transactional email	Email address, message content

These sub-processors process data under their respective data processing agreements (DPAs) and privacy policies. All infrastructure services (hosting, database, storage) are provided by Google Cloud Platform under Google's Cloud Data Processing Addendum. If you require a copy of our sub-processor list or DPA for your organization, contact us at privacy@toqui.travel.

6.1 Affiliate Partners

Toqui may include links to third-party travel services. When you follow these links, the partner may collect data according to their own privacy policies. Our affiliate partners include:

Booking.com (accommodation)
Skyscanner (flights)
GetYourGuide / Viator (tours and activities)
DiscoverCars (car rentals)
SafetyWing (travel insurance)

We do not share your personal data with affiliate partners. When you click an affiliate link, only standard web referral data (click-through data) is transmitted. No personal information is sent.

6.2 What We Do Not Do

We do not sell your personal data to third parties.
We do not share your personal information with advertisers.
We do not provide your data to data brokers.

7. Data Retention

7.1 Active Trips

All trip data and chat history is retained while a trip is in planning or active status.

7.2 Completed Trips

When a trip is marked as completed, a 90-day retention period begins for chat messages. After this period:

Chat conversations are permanently deleted
Itinerary and booking data are retained for your reference
The trip enters archive mode

7.3 Deleted Trips

When you delete a trip, all associated data is permanently removed: itinerary items, bookings, chat history, and theme associations. This deletion is immediate and irreversible.

7.4 Account Deletion

When you delete your account, all data is permanently removed within 30 days, including all trips, conversations, and profile information.

7.5 Server Logs

Server logs (request metadata, error logs, audit events) are retained for 90 days for security monitoring and debugging purposes. Logs do not contain full email addresses — they are masked in audit records. After 90 days, logs are automatically purged.

7.6 Waitlist Data

If you join the waitlist, your email is retained until you are invited and create an account, at which point it becomes part of your account data. You may request removal from the waitlist at any time by contacting us.

8. Your Rights

8.1 Under GDPR (European Economic Area)

If you are in the EEA, you have the right to:

Access (Article 15) — Request a copy of all personal data we hold about you
Rectification (Article 16) — Request correction of inaccurate data
Erasure (Article 17) — Request deletion of your account and all associated data within 30 days
Data portability (Article 20) — Receive your data in a structured, machine-readable format (JSON export)
Restrict processing (Article 18) — Request that we limit how we use your data
Object (Article 21) — Object to processing of your data for specific purposes
Withdraw consent — Withdraw consent at any time where processing is based on consent

We will respond to all GDPR requests within 30 days.

8.2 Under PIPEDA (Canada)

As a Canadian service, we comply with PIPEDA. You have the right to:

Access — Request access to your personal information
Correction — Request correction of inaccurate information
Withdraw consent — Withdraw consent for non-essential data processing
Complain — File a complaint with the Office of the Privacy Commissioner of Canada

8.3 Under CCPA (California)

If you are a California resident, you have the right to:

Know — Request what personal information we collect, use, and disclose
Delete — Request deletion of your personal information
Opt-out — Opt out of the sale of personal information (we do not sell your data)
Non-discrimination — Not be discriminated against for exercising your rights

We do not sell personal information to third parties.

9. How to Exercise Your Rights

Delete Your Account

You can delete your account and all associated data at any time from your account settings in the app. This action deletes:

Your user profile
All trips, itineraries, and bookings
All chat conversations across all trips
All theme and persona associations

Export Your Data

You can request a full export of your data from your account settings. Your data will be prepared as a JSON file and made available for download within 24 hours, in compliance with GDPR Article 20 (data portability).

Contact Us

For any privacy-related requests or questions, contact us at: privacy@toqui.travel

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

Encryption in transit (TLS) and at rest
Authentication via OAuth 2.0 (no passwords stored)
HttpOnly authentication cookies (not accessible to JavaScript)
Role-based access controls for internal systems
Regular security reviews

11. Cookies

The Toqui application uses minimal cookies:

Authentication tokens — HttpOnly session cookies required for the service to function. These are not tracking cookies.

We do not use advertising cookies or third-party tracking cookies in the application. The marketing website (this site) may use analytics cookies with your consent, as described in our cookie consent notice. You can accept or decline analytics cookies when prompted, and your choice is stored locally in your browser.

12. Age Requirement

Toqui is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected data from someone under 18, we will delete it promptly.

13. International Data Transfers

Your data may be processed in Canada, the United States, and other jurisdictions where our service providers operate. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you via email at the address associated with your account and update the effective date on this page. Continued use of the service after changes constitutes acceptance of the updated policy.

15. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the Province of British Columbia and the federal laws of Canada applicable therein, without regard to conflict of law principles.

16. Contact

If you have questions about this Privacy Policy or our data practices:

Galloway Software Solutions Inc.
British Columbia, Canada
Email: privacy@toqui.travel