Privacy Policy

1. Who We Are

Holoholo.ai LLC ("Holoholo," "we," "us," or "our") operates the regenerative tourism concierge platform at holoholo.ai. This Privacy Policy explains how we collect, use, and protect your personal information when you use our service.

2. Information We Collect

Information you provide directly

• Contact information: your name, email address, and phone number, provided when you submit a trip planning request.
• Travel preferences: your selected activities, travel dates, group size, budget, neighborhood preference, dietary needs, fitness level, and other itinerary inputs.
• Hotel information: the name of your hotel, used to find nearby beach service providers and determine guest pricing.
• Payment information: processed directly by Stripe. Holoholo.ai does not store your card number, CVV, or full payment credentials. We receive a Stripe payment confirmation and customer identifier.

Information collected automatically

• Usage data: pages visited, browser type, IP address, and referring URL, collected via standard web server logs. We do not currently use third-party analytics.
• Authentication cookie: a short-lived, httpOnly session cookie is set when you access your trip portal via a magic-link. This cookie contains a hashed token and is used solely for trip portal authentication.

3. How We Use Your Information

• To generate and deliver your personalized Oʻahu itinerary
• To coordinate bookings with local suppliers on your behalf
• To process your planning deposit and send payment confirmations via email
• To send your trip portal access link via email (magic-link authentication)
• To send SMS booking alerts if you opted in at the time of your trip request (carrier message rates may apply)
• To respond to your support inquiries
• To improve the platform and fix bugs (using anonymized usage data)

We do not sell your personal information to third parties. We do not use your data for targeted advertising.

4. Third-Party Services

We share your information with the following sub-processors only as necessary to operate the service:

• Stripe — payment processing for your planning deposit and any refunds back to your card. Your payment data is governed by Stripe’s Privacy Policy.
• Privacy.com (Lithic Technology Inc.) — issues the single-use virtual cards we use to pay suppliers on your behalf. Your card number is never shared with the operator; instead we mint a virtual card capped at the supplier price and use that to complete the booking. We share only the purchase amount and merchant info needed to mint the card — no traveler name, email, or phone. Governed by Privacy.com’s Privacy Policy.
• Resend — transactional email (deposit confirmations, magic-link emails). Your name and email address are transmitted to Resend for delivery.
• Supabase (PostgreSQL) — our primary database, hosted in the United States. Trip records, preferences, and booking data are stored here.
• Vercel— web hosting and serverless functions. Requests to holoholo.ai pass through Vercel’s infrastructure.
• Local suppliers — your name, email, and phone may be shared with specific tour operators and beach service providers when we place bookings on your behalf. We share only the minimum information necessary for the booking.
• Anthropic (Claude API)— your travel preferences, group size, neighborhood preference, dietary needs, and any concierge chat messages you send are transmitted to Anthropic to generate and adjust your itinerary and to power the concierge chat. Our use of the Anthropic API is governed by Anthropic’s Commercial Terms (§ B, Customer Content), which prohibit Anthropic from training models on the data we send. General data handling is described in their privacy policy.
• OpenAI — used as a fallback model provider for the same itinerary + concierge functions when Anthropic is unavailable. Same data scope. Governed by OpenAI’s privacy policy.
• Twilio — SMS booking alerts (only if you opted in at trip-request time). Your phone number is transmitted for delivery.

5. Cookies

We use one functional cookie: a short-lived, httpOnly trip portal authentication cookie (name: holoholo_trip_token_[publicId]). This cookie is set only when you click a magic-link and is used exclusively for trip portal authentication. It is not used for advertising or cross-site tracking.

Magic-link expiration: each magic-link is valid for 14 days from the time we send it; after that you will need to request a fresh link from your trip portal.

We do not use Google Analytics, Facebook Pixel, or any third-party advertising cookies.

6. Data Retention

We retain your trip record and associated personal information for as long as necessary to fulfill the services described in your trip request and to comply with legal obligations. Concierge chat messages (SMS and email conversations with our automated concierge) are retained for 365 days from the date each message was sent, after which they are deleted by an automated nightly process.

Financial records — booking, payment, charge, and refund rows associated with completed transactions — are retained for 7 years to satisfy US tax (IRC §6001), consumer-protection, and SEC record-keeping obligations. These rows do not contain your name, email, or phone number; they hold only Stripe transaction identifiers and amounts.

Backups are replicated for up to 30 days. Records you delete will age out of replicated backups within that window.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access / export — download a structured JSON copy of every personal-data row we hold about you. From your trip portal, request an export at /api/account/export; you’ll receive a file containing your trip records, itineraries, concierge chat history, payments, bookings, and any newsletter or referral records.
• Deletion — request deletion of your account from your trip portal at /api/account/delete. We will anonymize your name, email, phone, hotel address, travel preferences, and concierge chat history; financial records are retained for the seven-year window described in Section 6. A confirmation email is sent on completion.
• Request correction of inaccurate data
• Opt out of marketing emails (newsletter, NPS surveys, cart-abandonment) at any time via the unsubscribe link in any such email
• Opt out of SMS alerts at any time by replying STOP to any text we send

You can also email keith@holoholo.ai if you cannot access your trip portal or prefer a manual process. We aim to respond within five business days.

8. Children’s Privacy

Our service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately.

9. Security

We use industry-standard measures to protect your data, including HTTPS encryption, httpOnly authentication cookies, and hashed token storage. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address on your trip record. Continued use of the service after notice of changes constitutes acceptance of the updated policy.

11. Governing Law

This Privacy Policy is governed by the laws of the State of Hawaiʻi, USA.

12. Contact

Privacy questions or requests? Email keith@holoholo.ai or write to: