travel.to
Last updated · 2026-05-12

Privacy policy.

We collect the minimum data needed to deliver the service. We don't sell it. We don't share it with advertisers. We don't profile you.

1 · What we collect

  • Email address — to deliver your QR code and order confirmations.
  • Payment metadata from Stripe — a payment intent ID. Stripe holds your card details, we never see them.
  • eSIM usage data — how many MB you've consumed against your active plan. Used to display in your dashboard and enforce the fair-use policy.
  • Customer IP at order time — for fraud screening and to detect when an order may need manual review.
  • Locale — to display the site in the right language.

2 · What we don't collect

  • Card numbers (Stripe handles those).
  • Phone number history, call records, SMS content.
  • Real-time location (we know which country your IP says you're in at order time; we don't track movement).
  • Browsing history outside travel.to.
  • Behavioral profiles for advertising.

3 · Who we share it with

  • Stripe — payment processing. Subject to Stripe's privacy policy.
  • eSIM provisioning partners (eSIM Go, Airalo Partners as applicable) — your order ID is sent so they can issue the eSIM. They don't receive your name, billing address, or card data.
  • Email transport provider — to deliver your QR code email.

We do not sell, rent, or otherwise share your data with third parties beyond the operational vendors above.

4 · Cookies & analytics

First-party session cookies only — for login state. No advertising cookies. No Google Analytics, no Facebook Pixel, no behavioral trackers. If we ever change this, the date at the top of this page changes and we tell you in plain words.

5 · How long we keep your data

Order records and payment metadata: 7 years (required by tax law in most jurisdictions). Account email and usage data: until you delete your account, or 24 months of inactivity. eSIM usage data tied to an expired plan: 6 months after expiry.

6 · Your rights

If you're in the EU, UK, California, or any jurisdiction with similar laws, you have the right to access, correct, or delete your data, and to ask us to limit processing. Email hello@travel.to with "DATA REQUEST" in the subject. We respond within 30 days.

7 · Security

HTTPS everywhere, password hashing via Django's PBKDF2, data at rest encrypted on the database side. No system is 100% secure — if we discover a breach affecting your data, we tell you within 72 hours of detection.

8 · Children

travel.to is intended for adults. We don't knowingly collect data from anyone under 16. If you believe we have, contact us and we'll delete it.

9 · Contact

VPS.org, LLC operates travel.to. Email hello@travel.to for any privacy-related question.