Privacy Policy
Last updated: 17 April 2026
1. Data controller
The controller of the personal data collected on beskapad.com (hereinafter the “Service”) is Kaneleon (SAS), whose registered office is located at 231 rue Saint-Honoré, 75001 Paris, France.
Contact: contact@kaneleon.com.
2. Data collected
The following data is collected when you use the Service:
- Account: email address, password (stored in hashed form via bcrypt, never in plain text).
- Travel profile: first name, interests, dietary requirements, whether you own a vehicle, preferred comfort level, reduced mobility, regions already visited.
- Saved itineraries: search criteria (destination, dates, budget), generated itineraries, notes and ratings.
- Session: session token (
budgettrip_sessioncookie, valid for 30 days). - Technical data: IP address (for rate limiting and, where applicable, approximate detection of your departure city via the third-party service GeoJS), user agent, request timestamps.
- User feedback: messages sent through the feedback form, beta applications (emails).
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Creation and management of the Account | Performance of the contract (art. 6.1.b GDPR) |
| Generation of personalised itineraries | Performance of the contract (art. 6.1.b GDPR) |
| Rate limiting and security | Legitimate interest (art. 6.1.f GDPR) |
| Transactional emails (sign-up, password reset) | Performance of the contract (art. 6.1.b GDPR) |
| Feedback form / waiting list | Consent (art. 6.1.a GDPR) |
4. Recipients and processors
The data is processed by Beskapad and the following processors, with whom a GDPR-compliant agreement is in place:
- Supabase (database hosting and authentication) — United States / European Union depending on the project region.
- Vercel (application hosting) — United States, with transfers governed by the European Commission's standard contractual clauses.
- Resend (sending of transactional emails) — United States.
No data is sold or shared for advertising purposes.
5. Transfers outside the European Union
Some processors (Vercel, Resend) are located in the United States. These transfers are governed either by the Data Privacy Framework or by the standard contractual clauses adopted by the European Commission, in accordance with Articles 44 et seq. of the GDPR.
6. Retention periods
- Account and profile: kept for as long as the Account is active. Deleted within 30 days of a deletion request.
- Sessions: 30 days maximum (automatic expiry).
- Password reset tokens: 1 hour.
- Saved itineraries: until deleted by the User or the Account is closed.
- Technical logs: 12 months maximum.
- Feedback and waiting-list emails: 3 years from the last contact.
7. Security
Beskapad implements appropriate technical and organisational measures to protect the data: TLS encryption in transit, passwords hashed via bcrypt (12 rounds), httpOnly and secure session cookies, rate limiting on sensitive endpoints, and separation of database access roles.
8. Users' rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights:
- Access: obtain a copy of your data.
- Rectification: correct inaccurate data from My account.
- Erasure: delete your Account and the associated data.
- Restriction: restrict processing in certain cases.
- Portability: retrieve your data in a structured format.
- Objection: object to processing based on legitimate interest.
- Withdrawal of consent: at any time, for processing based on consent.
To exercise these rights, write to contact@kaneleon.com. A response is provided within one month. If you believe your rights are not being respected, you may lodge a complaint with the CNIL (www.cnil.fr).
9. Cookies
Beskapad uses the following cookies:
budgettrip_session— authentication (30 days). Strictly necessary.budgettrip_cid— anonymous visitor identifier for audience measurement (aggregated usage statistics, 12 months). Subject to your consent.
The strictly necessary cookie does not require prior consent (art. 82 of the French Data Protection Act). The audience-measurement cookie budgettrip_cid is only set after your acceptance via the consent banner; if you decline, no identifier is created and no usage statistics are collected. No advertising cookies are used.
The data stored in the browser's localStorage (budgettrip_email, budgettrip_profile, budgettrip_consent) is not shared with third parties and can be erased at any time from the browser settings.
10. Minors
The Service is not intended for persons under the age of 15. No data is knowingly collected from a minor under the age of 15 without the consent of the holder of parental authority.
11. Changes to the policy
This policy may be amended at any time. The “last updated” date shown at the top of this page allows you to track changes. Substantial changes will be notified by email to registered users.
12. Contact
For any question relating to this policy or the exercise of your rights, write to contact@kaneleon.com.
See also: terms of use · legal notice.