Privacy Policy

Effective 13 July 2026 · Version 7

Overlap has two modes. Manual quiz-code mode works locally in your browser. Private trip mode stores the information needed to keep a shared trip available across devices. We do not sell personal data or build advertising profiles.

1. Controller

Overlap is a Dutch sole proprietorship at Oude Delft 60a, 2611 CD Delft, registered under KVK 42107390. Contact: [email protected].

2. Manual code mode

Quiz answers, generated codes, matches, saved places and planning state remain in your browser unless you choose to share a code or create or join a private trip. We cannot recover local-only quiz codes. A downloaded city-result summary is generated on your device and is not sent to Overlap.

3. Gift-card personalization

Recipient names, the sender name and the optional note entered in the gift editor are used only in that browser to render the preview and printable card. Newly generated gift links and QR codes contain only the generic Malta setup address; they do not contain those names or the note, and Overlap does not store the gift-editor fields.

Older gift links may contain a legacy for query parameter. On the Malta page, Overlap removes that parameter from the address bar before public analytics is inserted, uses the name only in the current rendered page to show the legacy personalization and does not copy it into browser storage. Because an old URL must first reach Cloudflare, it can still appear once in ordinary platform request or security logs subject to the account’s retention settings. Regenerating the gift creates a privacy-safe link.

4. Private trip mode

For a private trip we store the organizer email, first names, optional member emails, submitted quiz codes, trip dates, base area, saved places, completed places and planning state. We also store hashed credentials, short-lived one-time access links, secure session records and delivery status needed to send or retry access email. This processing is necessary to provide the requested shared trip.

Free private trips are kept for up to 12 months after activity. Paid private-trip product data is kept for up to two years after purchase unless you delete it earlier. One-time links normally expire after 30 minutes, sessions after 30 days, sent delivery jobs after 30 days and failed delivery records after 90 days.

5. Purchases and email

Lemon Squeezy acts as merchant of record for paid orders and handles payment, invoicing, VAT and refunds under its own buyer terms and privacy policy. Overlap receives the order details needed to activate, reconcile and support the trip. The customer email copied into the operational financial record is removed after 90 days; minimal transaction/accounting fields may be retained for the legally required administration and tax period. Access emails and support correspondence are delivered through our configured email provider.

6. Destination votes and launch notifications

When you vote for a future destination, Overlap records one aggregate vote and temporarily keeps a purpose-specific cryptographic hash of your email to reduce duplicate votes. If you separately consent to a launch notification, your email is stored only so we can send the requested launch message.

You can remove your launch-notification email through the contact page’s removal form or by emailing us. Removal deletes the subscriber email and destination links. Automatic expiry removes notification emails, destination associations and vote-deduplication hashes no later than 24 months after the latest subscription activity. The historic aggregate count remains without the underlying email or hash.

7. Forms and support correspondence

Contact, custom, withdrawal and refund form bodies are delivered to the support inbox and are not copied into form-relay application storage. Routine support correspondence is deleted within 12 months after closure. Withdrawal/refund correspondence is deleted within 24 months after closure unless specific evidence must be retained for an active dispute or legal/accounting obligation.

To prevent abuse, the relay stores a purpose-specific cryptographic hash of the Cloudflare-provided source IP with a short-lived request count and reset time. Raw IP addresses are not stored by the relay. Cloudflare may retain ordinary platform request and security logs according to the account configuration.

8. Product metrics and operational audit

Public pages use Simple Analytics for aggregate, cookieless page-view statistics. Private trip, invite, authentication, quiz, group and Today pages do not load third-party page analytics. Overlap also keeps aggregate product-event counts. Public browsers can report only intent events; trip creation, invitations, quiz completion, group readiness, checkout and purchase outcomes are recorded by the server. Idempotency hashes and aggregate rows are kept for up to 400 days and do not contain answers, emails, trip IDs or device identifiers.

Security and operational audit events contain a category, action, internal trip/member reference and minimized detail. Detail removes emails, names, credentials, secrets, cookies, order identifiers and similar values. Audit events are deleted after 90 days.

9. Reconciliation and diagnostics

Routine automated reconciliation returns only aggregate counts and opaque references, so customer emails and full merchant order identifiers are not written to ordinary CI logs. A separately protected detailed diagnostic view is used only for a specific investigation. Scheduled reconciliation creates no diagnostic artifact.

10. Service providers

We maintain an internal data/processor register and review purposes, legal bases, data locations, retention and deletion procedures when the architecture changes.

11. Security

Private-trip access uses one-time email links that create secure HttpOnly sessions. Access tokens are stored as hashes, private pages are not indexed, strongly consistent rate limits protect the public form relay, and security headers restrict framing and external connections. No system is risk-free. We maintain an incident-response procedure and assess whether affected people or the Dutch supervisory authority must be notified if an incident occurs.

12. Your rights

You may request access, correction, deletion, restriction, objection or portability where applicable. Trip owners can delete an entire trip. Other members can leave a trip and delete their own stored membership and quiz result. Destination-notification subscribers can remove their email through the contact page. Contact [email protected]. You may also complain to the Dutch Data Protection Authority.

13. Children

Overlap is intended for people planning travel and is not directed at children. Do not submit a child’s email address or personal information without appropriate authority.

14. Changes

Material changes are published here with a new effective date. The current policy is intended to describe the current production architecture; operational controls are verified during releases and retention reviews.