Privacy & data · No surprises

We read your mail. So here's exactly what that means.

Two columns: the left is what we touch, the right is what we don't. Below them, the one thing we build from everyone's trips together. If anything moves, this page changes first.

What we touch · what we don't

✓ What we read

Booking confirmations.

Hotels, flights, trains, transfers, museum/event tickets.

The structured fields only.

Dates, times, prices, terms, addresses. Not your replies.

Sender domains we recognise.

A whitelist of ~200. Booking.com, Expedia, airlines, OTAs.

Dates of travel.

To know when to file the dossie.

× What we don’t

Personal correspondence.

Mail from people, not businesses, is filtered out before parsing.

Send, draft, or reply.

OAuth scope is read-only. Send permission is not granted.

Sell or broker your inbox.

Not sold, not rented, never handed to data brokers — not the raw mail, not anything that names you.

Train models on your inbox.

Your raw mail does not go into any training corpus. Ever.

Track you with cookies.

Only essential cookies — they keep you signed in and remember your invite. No analytics, no ad pixels, no third-party trackers.

→ What we learn from trips

Trip patterns, in aggregate.

Where people go, when, for how long — pooled across everyone, never tied to a name.

To make the briefings better.

Sharper tip ranking, “travellers like you found this worth it”, real seasonal price context.

It stays in-house.

These aggregates improve Dossie. They aren’t sold, licensed, or shared outside the desk.

Three commitments

Standing rules the desk keeps, in writing.

7-day purge

Cancel and your personal data is deleted within 7 days, logs included. Anonymised aggregates that can’t identify you remain.

Hosted in Frankfurt

EU-resident DB, EU-resident workers. No third-party processors.

Read-only, end to end

OAuth scope is read. Workers can’t send, draft, or forward — the capability isn’t granted on either side of the desk.