Privacy Policy

Last updated: 7 May 2026

Experiences | Curated (“we”, “us”, “our”) is committed to protecting your personal information. This policy explains what we collect, why, how long we keep it, and how you can control it. It applies to all users of our website and services. We comply with India's Digital Personal Data Protection Act 2023 (DPDPA) and, where applicable to users in those regions, the UK GDPR and EU GDPR.

This service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with their data, contact us and we will delete it promptly.

1. What we collect

  • Account data — your email address when you sign up or purchase an event pack.
  • Usage data — pages you visit, experiences you view, searches you run, and items you save to your Trip Board.
  • Travel log data — experiences you mark as visited, ratings, and mood tags you add. These are private by default; only your aggregate rating contributes to the public average.
  • Personalisation data — your traveller archetype, as determined by the onboarding quiz. This is used to personalise the order of content and search results.
  • Purchase data — transaction records for event pack purchases, processed by Paddle as Merchant of Record. We do not store card details.
  • Cookies — we use cookies to maintain your session, remember your free-view count, and (if you consent) to measure search performance via Algolia.

2. Legal bases for processing

We process your personal data on the following bases under the DPDPA and, where applicable, UK/EU data protection law:

  • Contract performance — processing your purchase, creating your account, and delivering event pack access.
  • Legitimate interests — improving the service, personalising content, and preventing fraud. We balance these interests against your rights; you may object at any time (see section 6).
  • Legal obligation — retaining purchase and financial records as required by tax and commercial law.
  • Consent — optional analytics cookies. You can withdraw consent at any time via the cookie banner or by emailing us.

3. How we use it

  • Delivering the service — showing your saved boards, purchase history, and personalised recommendations.
  • Sending transactional emails only — purchase confirmations and magic-link sign-ins. We do not send marketing emails. If this changes, we will ask for your explicit consent first.
  • Personalisation — your archetype and usage patterns are used to reorder search results and content sections. No solely-automated decisions with legal or significant effects are made about you.
  • Improving curation — aggregate, anonymised usage data helps us understand which experiences are most useful.
  • Legal compliance — retaining purchase records as required by applicable law.

4. Who we share it with

  • Paddle — payment processing and subscription management. Paddle is Merchant of Record for all transactions and has its own privacy policy. Data is processed in the US and UK under Standard Contractual Clauses.
  • Supabase — authentication and database hosting. We use the EU (West) region. Supabase is GDPR-compliant and processes data under Standard Contractual Clauses.
  • Algolia — search queries are sent to Algolia to return results. Algolia processes data in the EU and does not link query data to individual users. See Algolia's privacy policy.
  • Cloudflare — image and asset delivery via R2 and CDN. Data is cached globally; Cloudflare processes data under Standard Contractual Clauses.

We do not sell your data. We do not share it with advertisers.

5. Data retention

We keep different categories of data for different periods:

  • Account and profile data — for the duration of your account. Deleted within 30 days of account closure.
  • Travel logs, Trip Boards, and saved items — for the duration of your account. Deleted with your account.
  • Purchase records — 7 years from the date of purchase, as required by Indian tax and commercial law.
  • System and access logs — up to 12 months, for security and debugging purposes.

6. Your rights

Under the DPDPA and, where applicable, UK GDPR and EU GDPR, you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data where there is no compelling reason to continue processing it.
  • Restrict processing — ask us to pause processing your data while a dispute is resolved.
  • Data portability — receive your data in a structured, machine-readable format and transfer it to another service.
  • Object — object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
  • Withdraw consent — where processing is based on consent (e.g. analytics cookies), withdraw it at any time without affecting prior processing.

To exercise any of these rights, email hello@experiencescurated.com. We will respond within 30 days.

7. Supervisory authority

Complaints about our data practices may be directed to the Data Protection Board of India once operational under the DPDPA. If you are in the UK, you may also contact the Information Commissioner's Office (ICO); if you are in the EU, you may contact your local data protection authority. We would appreciate the chance to address your concerns first — please email us before escalating.

8. Cookies

We use two categories of cookies:

  • Strictly necessary — session authentication (Supabase) and free-view count tracking (ec_views). These cannot be declined as the service will not function without them.
  • Optional analytics — Algolia search analytics, which help us understand which searches return poor results. These are only set with your consent.

You can withdraw consent at any time via the cookie banner or by emailing us. Declining optional cookies has no effect on your access to the service.

9. Automated decision-making and profiling

We use your quiz responses and usage patterns to personalise the content and search results you see (your “traveller archetype”). This constitutes profiling under the DPDPA and GDPR, but it does not produce legal or similarly significant effects — it only affects the order in which curated content is shown to you. You can retake or reset your archetype at any time from your profile page.

No solely-automated decisions with legal or significant effects are made about you.

10. Changes to this policy

If we make material changes, we will update the date at the top of this page and, where appropriate, notify you by email.

11. Contact

Questions or requests? Email hello@experiencescurated.com. We aim to respond within 5 business days for general queries, and within 30 days for formal data rights requests.