Eiffel Tower, Paris
New York City Skyline
Sagrada Familia, Barcelona
Yellow Tram, Lisbon
Big Ben, London
Colosseum, Rome
Tokyo Tower, Japan
Sydney Opera House
Burj Khalifa, Dubai
Christ the Redeemer, Rio
Venice Canals, Italy
Blue Domes, Santorini
Amsterdam Canals
Pyramids of Giza, Egypt
Hagia Sophia, Istanbul
Back to Home

Privacy Policy

Last updated: February 8, 2026

1. Introduction

SC Lucky Craft Srl ("CityGems," "we," "us," or "our"), registered in Romania (CUI: RO35828082), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services at citygems.app (the "Service").

We act as the Data Controller for the personal data we process. This policy is designed to comply with the EU General Data Protection Regulation (GDPR) and applicable Romanian data protection laws.

2. Information We Collect

We collect and process the following categories of personal data:

2.1 Information You Provide

  • Account Information: Name, email address, and profile picture provided through Google Authentication.
  • Travel Preferences: Destinations, travel dates, interests, group size, and other preferences you input when creating itineraries.
  • Communications: Any messages or feedback you send us via email or support channels.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, itineraries generated and saved, check-ins, and interaction patterns.
  • Device Information: Browser type, operating system, screen resolution, and language preferences.
  • Log Data: IP address, access timestamps, and referring URLs.

2.3 Payment Information

Payment processing is handled entirely by Stripe, Inc. We do not store, process, or have access to your full credit card numbers or banking details. We only receive confirmation of payment status and your Stripe customer ID. For Stripe's privacy practices, see Stripe's Privacy Policy.

3. Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal bases:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide you with the Service, including generating itineraries, managing your account, and processing subscriptions.
  • Legitimate Interest (Art. 6(1)(f)): Analytics and service improvement, fraud prevention, and ensuring security of the Service.
  • Consent (Art. 6(1)(a)): Where we process data based on your explicit consent, such as optional marketing communications. You may withdraw consent at any time.
  • Legal Obligation (Art. 6(1)(c)): Where processing is required to comply with applicable laws, such as tax and accounting regulations.

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service, including generating personalized itineraries and recommendations.
  • Process transactions and manage your subscription.
  • Track your gamification progress (XP points, explorer ranks, badges).
  • Respond to your comments, questions, and support requests.
  • Monitor and analyze usage trends to improve user experience (via Vercel Analytics).
  • Detect, prevent, and address technical issues, fraud, or abuse.
  • Comply with legal obligations, including tax reporting (EU VAT/OSS).

5. Third-Party Service Providers

We share data with trusted third-party providers who process data on our behalf. Each provider is bound by their own privacy policies and data processing agreements:

  • Supabase (Supabase Inc., USA): Authentication and database hosting.
  • Google Cloud Platform (Google LLC, USA): Content generation engine, Maps, and Places data.
  • Stripe (Stripe Inc., USA): Secure payment processing and subscription management.
  • Vercel (Vercel Inc., USA): Application hosting, deployment, and anonymized analytics.
  • Unsplash (Unsplash Inc.): Stock photography used in itineraries and recommendations.

We do not sell, rent, or trade your personal data to any third parties for marketing purposes.

6. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), particularly the United States, where our infrastructure providers (Supabase, Google Cloud, Stripe, Vercel) operate.

These transfers are protected by appropriate safeguards, including:

  • EU-U.S. Data Privacy Framework: Our providers have certified compliance where applicable.
  • Standard Contractual Clauses (SCCs): As approved by the European Commission, ensuring adequate data protection.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

  • Account Data: Retained for as long as your account is active. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
  • Itinerary & Usage Data: Cached data expires after 90 days. Saved itineraries are retained as long as your account is active.
  • Payment Records: Retained for 7 years to comply with Romanian tax and accounting regulations.
  • Log Data: Retained for up to 12 months for security and debugging purposes.

8. Cookies & Tracking Technologies

We use the following types of cookies:

  • Strictly Necessary Cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Functional Cookies: Remember your preferences, language settings, and previous interactions.
  • Analytics Cookies (Vercel): Help us understand how users interact with the Service using anonymized, aggregated data.

We do not use advertising or third-party tracking cookies. You can control cookie settings through your browser. Note that disabling necessary cookies may affect the functionality of the Service.

9. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your personal data, subject to legal retention requirements.
  • Right to Restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20): Request your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent, without affecting lawfulness of prior processing.

To exercise any of these rights, contact us at support@citygems.app. We will respond within 30 days as required by GDPR. You can also manage your account data directly in the "Settings" section of the app.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest.
  • Secure authentication via Google OAuth 2.0.
  • Regular security reviews and monitoring.
  • Access controls limiting employee access to personal data on a need-to-know basis.

While we take reasonable precautions, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (ANSPDCP — Romania's Data Protection Authority) within 72 hours of becoming aware of the breach, as required by GDPR Art. 33.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by GDPR Art. 34.

12. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@citygems.app.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

14. Supervisory Authority

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with your local data protection authority. In Romania, the supervisory authority is:

ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, București, România
Website: www.dataprotection.ro

15. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

  • Data Controller: SC Lucky Craft Srl (CUI: RO35828082)
  • Email: support@citygems.app
  • Website: https://citygems.app