Last updated: July 5, 2026
Pelgrim is built and operated from the Netherlands. We treat your travel data as yours, not ours. This page explains exactly what we collect, why, and what you can do about it.
Account data. Username, display name, email address, hashed password (we never see your plain password). If you sign in with Google or Apple, we receive your email address and name from them — never a password. Optional: home country preferences, display preferences.
Travel data. Whatever you import or enter: flights, stays, trips, properties, dates, notes. This is the data the product exists to manage. We store it; we don't share it.
Photos & content. Photos you attach to a check-in are stored on our servers in Europe and only appear where you choose to show them. Hotel images on maps and pages come from Google Places, not from you.
Loyalty balances. If you use the Pelgrim browser extension, it reads a balance from a loyalty page you're already signed in to and sends only the numbers to Pelgrim. We never receive or store your loyalty-program password.
Analytics. Anonymous, cookieless pageview counts. We log path, referrer (where you came from), a coarse country derived from your IP (via an open IP-to-country database), and broad device class. We do not set tracking cookies and do not run third-party analytics scripts.
Acquisition source. If you arrive with UTM parameters (e.g. from a marketing link), we record the source, medium, and campaign once per session and persist them with your account on signup so we know which channels work. No personal identifiers are involved.
To deliver the service. The travel log only works if we store your travel data.
To send transactional email. Email verification, password reset, occasional service announcements. We do not send marketing email unless you explicitly opt in.
To improve the product. Anonymous aggregate usage data tells us which features are loved or ignored.
By default: nobody.
To operate the service we use a small number of sub-processors:
Nothing about your travel is public by default. When you create a share link or turn on a public profile, only the items you've allowed appear — private flights and stays are always excluded, and hotels and check-ins stay off the map unless you switch them on. Anyone holding a share link can view it until you revoke it. If you let visitors leave messages or reactions on a shared trip, those are tied to that trip and you can remove them.
Account data: as long as you have an account, plus 30 days after deletion (so we can restore an accidental deletion). After that it's purged from active systems within 90 days.
Analytics data: aggregate counters indefinitely; individual pageview rows for 12 months.
Email verification tokens: 24 hours.
You have the right to access, correct, export, restrict, and delete your data. Pelgrim already lets you do most of this through the product (export every flight, stay, and trip as CSV; delete any record; delete your account). For anything you can't do through the UI, email us and we'll handle it within 30 days.
We use a single session cookie to keep you logged in. That's it. No tracking cookies, no third-party cookies, no banner needed.
If we materially change this policy we'll email registered users at the address on file and post a notice on the homepage. The "last updated" date at the top will always reflect the current version.
Questions about this policy or about how your data is handled: hello@pelgrim.app.