Privacy Policy
Last updated: April 13, 2026 · Effective immediately
Chatelier LTD ("we", "us", "our"), Company № 16846652, registered in England & Wales, operates the Jess AI travel platform ("Service"). This Privacy Policy explains how we collect, use, and protect your information.
1. Information We Collect
a. Information You Provide
- Name, email address, and login credentials (Google OAuth)
- Travel preferences and search queries
- Passport information (name, number, expiry, nationality) — for flight bookings
- Phone number — for booking confirmations
- Voice input — if you use voice chat features
- Wallet address — for USDC payments
b. Automatically Collected
- IP address and approximate location
- Device type, browser, and operating system
- Usage data: pages visited, features used, search queries
- Conversation history with Jess AI
c. Third-Party Data
We may receive data from travel platforms (Duffel, Channex), payment networks (Base blockchain), and authentication providers (Google).
2. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide travel search and booking services | Contract performance |
| Process payments via USDC | Contract performance |
| Personalize AI recommendations | Legitimate interest |
| Share passport data with airlines for booking | Contract performance |
| Send booking confirmations and travel updates | Contract performance |
| Improve the Service and Decision Engine | Legitimate interest |
| Prevent fraud and ensure security | Legitimate interest |
| Comply with legal obligations | Legal obligation |
3. Passport Data Protection
🔐 Your passport data is encrypted with AES-256-GCM before storage. It is only decrypted when needed to complete a flight booking with the airline. We never display full passport numbers in the UI. You can delete your passport data at any time from your profile.
4. Voice Data
If you use voice input:
- Audio is processed by Deepgram (speech-to-text) and is not stored after transcription
- Transcribed text is processed by the AI to generate responses
- Voice synthesis (ElevenLabs) generates Jess's spoken responses — no user voice data is sent to ElevenLabs
- We do not store voice recordings beyond the duration of the active session
5. AI Processing
Your queries are processed by OpenAI's API to generate responses. By using Jess:
- Your messages are sent to OpenAI for processing under their API data usage policy
- OpenAI does not use API data for training models
- We maintain conversation history (last 8 messages) for context continuity
- Conversation data is stored in our database (Supabase) and encrypted in transit
6. Data Sharing
We share your data only as necessary:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Duffel | Flight search and booking | Passenger name, passport, dates |
| Channex | Hotel booking | Guest name, email, dates |
| OpenAI | AI processing | Chat messages (anonymized) |
| Deepgram | Speech-to-text | Audio stream (not stored) |
| ElevenLabs | Text-to-speech | Response text only |
| Base Network | Payment processing | Wallet address, amounts |
| Brevo | Email notifications | Email, booking details |
We do NOT sell your personal data. We do not share data with advertisers or data brokers.
7. Blockchain & Payment Data
Payments are processed on the Base blockchain (Layer 2 Ethereum). Please note:
- Blockchain transactions are public and permanent by nature
- Your wallet address and transaction amounts are visible on-chain
- We use gasless transactions (EIP-2612 permits) — your wallet private key never leaves your device
- We do not store your wallet private key or seed phrase
8. Cookies & Tracking
We use minimal cookies:
- Authentication — session tokens (essential)
- Preferences — language, niche selection (functional)
We do not use third-party advertising cookies. We do not use Google Analytics or Facebook Pixel. You can disable cookies in your browser settings.
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Conversation history | 90 days, then auto-deleted |
| Passport data (encrypted) | Until you delete it or 12 months after last booking |
| Booking records | 7 years (legal requirement) |
| Payment transactions | On-chain permanently; off-chain records 7 years |
| Voice data | Not stored beyond active session |
10. Your Rights
Under GDPR (UK/EU residents)
You have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion ("right to be forgotten")
- Portability — receive your data in a structured format
- Restriction — limit how we process your data
- Object — object to processing based on legitimate interest
- Withdraw consent — at any time, without affecting prior processing
To exercise these rights, contact us at info@chatelier.net. We will respond within 30 days.
Under CCPA (California residents)
You have the right to know what data we collect, request deletion, and opt out of data sales (we do not sell data). Contact us to exercise these rights.
11. Data Security
We implement industry-standard safeguards:
- AES-256-GCM encryption for sensitive data (passport)
- TLS 1.3 for all data in transit
- Supabase Row Level Security (RLS) for database access
- Cloudflare Workers with edge security
- JWT authentication with secure token rotation
- Non-custodial wallet design — we never hold your private keys
No system is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any breaches.
12. International Transfers
Your data may be processed in:
- United Kingdom — primary jurisdiction (Chatelier LTD)
- European Union — Supabase hosting
- United States — OpenAI, Duffel, Cloudflare processing
Where data is transferred outside the UK/EU, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).
13. Children's Privacy
The Service is not intended for children under 13. We do not knowingly collect data from children under 13. If we become aware of such data, we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via the Service or email. Continued use after changes constitutes acceptance. Previous versions are available upon request.
15. Data Protection Officer
For privacy inquiries or to exercise your rights:
- Chatelier LTD
- Email: info@chatelier.net
- Address: College House, 2nd Floor, 17 King Edwards Road, Ruislip, London, HA4 7AE, UK
If you are unsatisfied with our response, UK residents may contact the Information Commissioner's Office (ICO).