Privacy Policy

Last updated: 17 April 2026

1. Data controller

The controller of the personal data collected on beskapad.com (hereinafter the “Service”) is Kaneleon (SAS), whose registered office is located at 231 rue Saint-Honoré, 75001 Paris, France.

Contact: contact@kaneleon.com.

2. Data collected

The following data is collected when you use the Service:

  • Account: email address, password (stored in hashed form via bcrypt, never in plain text).
  • Travel profile: first name, interests, dietary requirements, whether you own a vehicle, preferred comfort level, reduced mobility, regions already visited.
  • Saved itineraries: search criteria (destination, dates, budget), generated itineraries, notes and ratings.
  • Session: session token (budgettrip_session cookie, valid for 30 days).
  • Technical data: IP address (for rate limiting and, where applicable, approximate detection of your departure city via the third-party service GeoJS), user agent, request timestamps.
  • User feedback: messages sent through the feedback form, beta applications (emails).

3. Purposes and legal bases

PurposeLegal basis
Creation and management of the AccountPerformance of the contract (art. 6.1.b GDPR)
Generation of personalised itinerariesPerformance of the contract (art. 6.1.b GDPR)
Rate limiting and securityLegitimate interest (art. 6.1.f GDPR)
Transactional emails (sign-up, password reset)Performance of the contract (art. 6.1.b GDPR)
Feedback form / waiting listConsent (art. 6.1.a GDPR)

4. Recipients and processors

The data is processed by Beskapad and the following processors, with whom a GDPR-compliant agreement is in place:

  • Supabase (database hosting and authentication) — United States / European Union depending on the project region.
  • Vercel (application hosting) — United States, with transfers governed by the European Commission's standard contractual clauses.
  • Resend (sending of transactional emails) — United States.

No data is sold or shared for advertising purposes.

5. Transfers outside the European Union

Some processors (Vercel, Resend) are located in the United States. These transfers are governed either by the Data Privacy Framework or by the standard contractual clauses adopted by the European Commission, in accordance with Articles 44 et seq. of the GDPR.

6. Retention periods

  • Account and profile: kept for as long as the Account is active. Deleted within 30 days of a deletion request.
  • Sessions: 30 days maximum (automatic expiry).
  • Password reset tokens: 1 hour.
  • Saved itineraries: until deleted by the User or the Account is closed.
  • Technical logs: 12 months maximum.
  • Feedback and waiting-list emails: 3 years from the last contact.

7. Security

Beskapad implements appropriate technical and organisational measures to protect the data: TLS encryption in transit, passwords hashed via bcrypt (12 rounds), httpOnly and secure session cookies, rate limiting on sensitive endpoints, and separation of database access roles.

8. Users' rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

  • Access: obtain a copy of your data.
  • Rectification: correct inaccurate data from My account.
  • Erasure: delete your Account and the associated data.
  • Restriction: restrict processing in certain cases.
  • Portability: retrieve your data in a structured format.
  • Objection: object to processing based on legitimate interest.
  • Withdrawal of consent: at any time, for processing based on consent.

To exercise these rights, write to contact@kaneleon.com. A response is provided within one month. If you believe your rights are not being respected, you may lodge a complaint with the CNIL (www.cnil.fr).

9. Cookies

Beskapad uses the following cookies:

  • budgettrip_session — authentication (30 days). Strictly necessary.
  • budgettrip_cid — anonymous visitor identifier for audience measurement (aggregated usage statistics, 12 months). Subject to your consent.

The strictly necessary cookie does not require prior consent (art. 82 of the French Data Protection Act). The audience-measurement cookie budgettrip_cid is only set after your acceptance via the consent banner; if you decline, no identifier is created and no usage statistics are collected. No advertising cookies are used.

The data stored in the browser's localStorage (budgettrip_email, budgettrip_profile, budgettrip_consent) is not shared with third parties and can be erased at any time from the browser settings.

10. Minors

The Service is not intended for persons under the age of 15. No data is knowingly collected from a minor under the age of 15 without the consent of the holder of parental authority.

11. Changes to the policy

This policy may be amended at any time. The “last updated” date shown at the top of this page allows you to track changes. Substantial changes will be notified by email to registered users.

12. Contact

For any question relating to this policy or the exercise of your rights, write to contact@kaneleon.com.

See also: terms of use · legal notice.