Pillowfare PillowFare

Privacy Policy

Effective May 19, 2026 ยท PillowFare LLC

Summary

This policy explains what information PillowFare collects when you use the site, why we collect it, who we share it with, and how you can exercise your rights over it. We try to collect the minimum data needed to run the service.

The short version:

  • We collect account, search, and limited device information.
  • We share booking details with the travel partner you choose, and processor data (Stripe) for payments.
  • We don't sell your personal data.
  • You can access, correct, export, or delete your data at any time from your account.

1. Who we are

"PillowFare," "we," "us," and "our" mean PillowFare LLC, a Montana limited liability company. You can reach us at [email protected] or through our contact form.

2. Information we collect

2.1 Information you give us

  • Account information: email address, password (stored hashed with bcrypt), and optionally your first name, last name, phone number, country, and profile photo.
  • Authentication credentials: WebAuthn passkey public keys and signature counts when you add a passkey. We never receive or store your biometric data โ€” that stays on your device.
  • Search criteria: destinations, travel dates, traveler counts, cabin class, and similar parameters you enter into our search forms.
  • Payment information: handled by Stripe, our payment processor. We store a Stripe customer ID linking to your account but never see or store your full card number, CVV, or PayPal/Apple Pay credentials.
  • Communications: messages you send through our contact form, including the name, email, subject, body, and metadata you provide.
  • Marketing preferences: your opt-in or opt-out status for marketing emails.

2.2 Information we collect automatically

  • Device and connection data: IP address, browser type, operating system, referrer URL, pages viewed, and timestamps.
  • Cookies and similar technologies: session cookies to keep you signed in, a long-lived visitor token cookie so we can associate searches you make before signing up, and CSRF tokens to protect form submissions. See "Cookies" below.
  • Search activity: we save your recent searches so you can revisit them. Anonymous visitors' searches are tied to a cookie-stored visitor token; signed-in users' searches are tied to their account.

2.3 Information from third parties

If you book through a travel partner, that partner may share booking confirmation status, reservation IDs, and related transactional information back to us so we can show it on your account.

3. How we use information

  • Provide the service: run searches, show results, save recent searches, process bookings, deliver transactional emails (account confirmations, password resets, contact replies).
  • Personalization: remember your last search type, pre-fill traveler counts from prior searches.
  • Payments: create and maintain your Stripe customer record, store payment method tokens for future bookings.
  • Security and fraud prevention: rate-limit attempts to sign in or use the contact form, detect abuse.
  • Communications: respond to support inquiries, send service announcements, and (with your consent) send marketing emails about deals and product updates.
  • Legal compliance: respond to lawful requests, enforce our Terms, protect rights and safety.

4. Legal bases (for EU/UK users)

If you are in the EU, UK, or Switzerland, we rely on the following legal bases under GDPR/UK-GDPR:

  • Contract: to provide the service you've signed up for.
  • Legitimate interests: to secure the service, prevent fraud, and improve features.
  • Consent: for marketing emails and any non-essential cookies (where applicable).
  • Legal obligation: tax records, fraud investigations, and other compliance.

5. How we share information

5.1 Travel partners

When you book through PillowFare, we share the booking details (name, email, dates, traveler counts, payment confirmation) with the partner you've chosen โ€” for example Booking.com, Expedia, Agoda, Hotelbeds, or the relevant supplier. That partner's privacy policy then applies to how they handle your data for that booking.

5.2 Service providers (processors)

  • Stripe โ€” payment processing
  • SendGrid (or equivalent SMTP provider) โ€” outgoing transactional and marketing email
  • Cloud hosting provider โ€” infrastructure where our application and database run
  • Error and performance monitoring โ€” Sentry, used to capture application errors so we can fix them

These providers act on our behalf under data-processing agreements and may only use your data as we instruct.

5.3 Legal and safety

We may disclose information when required by law, court order, or to protect the rights, property, or safety of PillowFare, our users, or the public.

5.4 Business transfers

If PillowFare is acquired or merges with another company, your information may transfer as part of that transaction, subject to this policy.

5.5 We don't sell your data

We do not sell or rent personal information to third-party advertisers or data brokers.

6. Cookies and tracking

We use the following cookies:

  • Session cookie (essential) โ€” keeps you signed in after authentication.
  • Visitor token cookie (essential) โ€” long-lived random ID so we can save your recent searches before you sign up.
  • CSRF token cookie (essential) โ€” protects form submissions from cross-site request forgery.

We currently use no third-party advertising or analytics cookies. If we add analytics in the future (e.g. for product improvement) we'll update this policy and request consent where required.

7. Your rights and choices

Regardless of where you live, you can:

  • Access and update your account information from your profile page.
  • Change your password or add/remove passkeys.
  • Toggle marketing emails on or off.
  • Request export or deletion of your account data by emailing [email protected].

7.1 EU / UK / Swiss users

You have additional rights under GDPR/UK-GDPR including: access, rectification, erasure, restriction of processing, data portability, objection to processing (including direct marketing), and the right not to be subject to solely automated decisions. To exercise these rights contact [email protected]. You may also lodge a complaint with your local supervisory authority.

7.2 California users (CCPA / CPRA)

California residents have the right to know what categories of personal information we collect and share, to request copies of that information, to request deletion, to correct inaccurate data, and to opt out of any "sale" or "sharing" (we don't engage in either). Submit requests to [email protected]. We will not discriminate against you for exercising these rights.

7.3 Canadian users (PIPEDA)

Canadian users may access and request correction of personal information held by PillowFare. Contact [email protected].

8. International data transfers

PillowFare is operated from the United States. If you are located outside the United States, your information will be transferred to and processed in the U.S. and in countries where our service providers operate. We rely on Standard Contractual Clauses or equivalent safeguards where required by law.

9. Data retention

We retain personal information only as long as needed to provide the service or comply with legal obligations:

  • Account data: until you delete your account (we delete within 30 days of a deletion request).
  • Search history: 12 months after last activity, then automatically purged.
  • Contact messages: 24 months for support history.
  • Booking records and payment transactions: as long as required by tax and accounting law (typically 7 years).
  • Server logs: 90 days.

10. Security

We use industry-standard safeguards including TLS encryption in transit, bcrypt password hashing, server-side session storage, CSRF protection, rate limiting on sensitive endpoints, and least-privilege access controls. No system is perfectly secure โ€” if you suspect unauthorized access to your account, email [email protected] immediately.

11. Children's privacy

PillowFare is not directed to children under 13 (or under 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. The "Effective" date at the top tells you when this version became active. For material changes we'll notify you by email or a prominent notice on the site before the change takes effect.

13. Contact us

PillowFare LLC
[Registered business address]
Email: [email protected]
Support: Contact form