Privacy Policy

Lokoway (“Lokoway”, “we”, “us”) is operated from Singapore. This Privacy Policy explains what personal data we collect when you use Lokoway, how we use it, who we share it with, and the rights you have over it. Read it together with our Terms of Service.

1. Data We Collect

Account information. Email address, password (hashed by our auth provider), display name, username, country of residence, and any avatar you upload.

Trip and activity data. Trip titles, dates, destinations, activities, locations, captions, reviews, file attachments, and any text you send to Loko, our AI planning assistant.

Photos. Images you upload to your trips and activities. Photos uploaded through the Lokoway web client are compressed in your browser before upload, which typically removes embedded metadata such as GPS coordinates. This is not enforced on our servers, so we do not guarantee metadata removal on every upload path.

AI conversation history. Your prompts to Loko and Loko’s responses, so you can resume planning across sessions and so we can improve the assistant.

Usage and device data. When you are signed in, our analytics provider (PostHog) receives your Lokoway account identifier and display name, the URL of the page you are on, the events you trigger, and standard technical signals such as approximate location derived from your IP address, browser and device type, and language. This is account-linked, not anonymous.

Purchase data. If paid checkout is enabled and you buy a paid digital feature, our payment processor (Lemon Squeezy) receives your billing location, payment details, and account email. Lokoway receives a confirmation of the purchase and the credits or feature access attached to your account; we do not receive your full card details.

Affiliate click data. If you click a booking link marked as an affiliate link, we record bounded click telemetry such as the booking provider, the activity or trip context, the generated click ID, whether the redirect succeeded, and the time of the click. We do not store raw provider payloads, payment details, card data, traveller names from the provider, full user agents, or browser fingerprints for this tracking.

Cookies and similar technologies

Lokoway uses strictly-necessary cookies to keep you signed in and to remember your analytics-cookie choice. Analytics cookies are only set if you accept them on the cookie banner shown on your first visit. Your choice is remembered on this device for 12 months. You can change it anytime in Settings → Analytics preferences.

2. How We Use Your Data

To provide the planning, group-collaboration, journaling, and inspiration-discovery features of Lokoway.
To run Loko: your prompts and trip context are sent to Google Gemini so the assistant can generate suggestions; place verifications go to Google Maps and Google Places.
To moderate content: photos pass through Google Cloud Vision SafeSearch, and flagged content may be reviewed by Gemini and by Lokoway moderators.
To process paid digital-feature purchases via Lemon Squeezy if checkout is enabled.
To send you transactional email about your account (sign-in confirmation, password resets, security notices). We may also send occasional product announcements; if we do, those emails will include an unsubscribe link.
To investigate abuse, prevent fraud, enforce our Terms, and comply with legal obligations.
To improve the product by analysing how users interact with Lokoway. Analytics events are linked to your account identifier so we can debug specific issues, understand patterns of use, and prioritise feature work. We only run analytics for users who have accepted analytics cookies on the banner.
To route disclosed affiliate booking links and measure click-attributed travel economics. Provider revenue or booking confirmations are not connected unless a provider later supplies them through a separate integration.

Lawful basis. User-action analytics described above run only on consent (the banner). Transaction telemetry recorded when our payment processor confirms a Loko Pack purchase rests on legitimate interest (record of sale, fraud prevention, business accounting) and is not gated by the analytics-cookie banner. Affiliate redirect telemetry also rests on legitimate interest (routing disclosed booking links, fraud prevention, and measuring click-attributed travel economics) and is not gated by the analytics-cookie banner because it does not use analytics cookies or browser fingerprinting.

3. Subprocessors

Lokoway uses the following service providers to operate the product. Each receives only the data needed for its function:

Supabase — authentication, database, file storage, transactional email.
Vercel — application hosting and edge networking.
Cloudflare — CDN for serving photos.
Google Gemini — AI planning assistant; receives prompts and the trip context required to answer.
Google Maps and Places API — place verification and map display; receives place names and coordinates.
Google Cloud Vision — automated content-safety screening of uploaded photos.
PostHog — usage analytics; receives your Lokoway account identifier, display name where set, event data, and the URL of the page you are on.
Lemon Squeezy — payment processing for paid digital features, if checkout is enabled, as merchant of record; receives your billing location, payment details, and account email.
Discord — operational alerting for content reports and admin moderation actions; receives report metadata (reporter and reported user identifiers, trip titles, report notes), storage paths of flagged content, and admin URLs.

If we change subprocessors, we will update this list.

Lokoway is collaborative. Some of your data is visible to others by design:

Trip members see the trip’s activities, dates, members’ display names, and content the relevant member has shared inside the trip.
People you share a trip link with (/shared/<token>) see the trip’s non-private itinerary — activities, dates, locations, and estimated costs entered by trip members — plus the reviews, captions, and photos contributed by you. They do not see other trip members’ reviews or photos through your share link. Any trip member can mark an activity Private; private activities and the photos and reviews attached to them are hidden from share links and public surfaces for everyone.
Public visitors to your published trip page (/u/<username>/<slug>) and to the Inspiration Feed see the same non-private itinerary plus your reviews, captions, and selected photos. Other members can publish the same trip from their own perspective with their own reviews and photos.
Public visitors to your creator profile (/u/<username>) see your display name, username, published-trip list, and aggregate public trip stats when your profile visibility is Public.
Setting your profile visibility to Private hides the creator profile page and profile links, but it does not unpublish trips you already published. Those trips can still appear in Inspiration and stay reachable at their trip URLs until you unpublish them.
If you leave a collaborative trip, you can choose whether your reviews, captions, and photos stay attached to that trip or are removed from it. The shared itinerary structure stays with the remaining trip members.
Your display name and username are visible on your published trips and in the feed byline. Your published trip’s URL contains your username.

We do not sell your personal data and we do not share it with third parties for advertising.

When you click an affiliate booking link, you leave Lokoway for the booking provider. That provider receives the ordinary information your browser sends when visiting its site, plus any click ID included in the affiliate link.

5. Retention

We keep your account data for as long as your account is active. When you delete your account or specific content, we remove it from the live product immediately. Backup copies of removed data may persist for a limited period under our hosting and database backup cycles before they are overwritten. We may retain limited records (e.g. moderation actions, abuse signals, transactional logs) for as long as necessary to comply with legal obligations or to protect the service.

6. Your Rights

Depending on where you live, you may have the right to:

Access the personal data we hold about you.
Correct data that is inaccurate (most fields can be edited from Settings or your trip pages).
Delete your account and personal data (Settings → Delete account; see also Section 9 of the Terms of Service for what is removed).
Export your data — contact us at the address below to request an export. A self-serve export option may be added later.
Object to or restrict specific processing.
Withdraw consent where processing is based on your consent.
Lodge a complaint with your local data-protection authority — for example, Singapore’s Personal Data Protection Commission (PDPC) or, in the EU/UK, your national supervisory authority.

7. International Transfers

Lokoway is operated from Singapore, but our subprocessors operate globally. By using Lokoway you understand that your data may be processed in countries outside your own, including the United States and Europe. We rely on the contractual and technical safeguards offered by our subprocessors for cross-border transfers.

8. Children

Lokoway is not intended for children under the local age of digital consent (see the Eligibility clause in our Terms of Service). We do not knowingly collect personal data from children below that age without verifiable parent or guardian consent. If you believe a child has registered without that consent, contact us and we will delete the account.

9. Security

We use industry-standard technical and organisational measures to protect your data, including encrypted storage at rest, encryption in transit (HTTPS), least-privilege database access, and role-based admin permissions. No system is perfectly secure; if we suffer a breach affecting your data we will notify you as required by applicable law.

10. AI and Your Content

We do not sell your content. We send your prompts and trip context to Google Gemini so that Loko can respond; Google’s handling of those prompts is governed by Google’s Gemini API terms. We may use anonymised, aggregated patterns to improve our own product features.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be posted on this page with an updated “Last updated” date and, where appropriate, surfaced in-app.

12. Contact

Questions, requests, or complaints can be sent to support@lokoway.com.