Privacy
How we handle your information.
Last updated: April 30, 2026
Who we are
Vidalumi is a cruise-discovery and concierge service operated by And It Just Happens, Inc. (“Vidalumi,” “we,” “us”). We help travelers find cruises across major lines, save itineraries that fit, and watch for price movements on sailings they’re interested in.
We’re a discovery and planning surface, not a travel agency. Bookings happen on the cruise line’s own site or through your preferred travel advisor. We never charge your card and we never hold your booking.
What we collect
When you create an account
- Your name, email address, and password (or your Google identity if you sign in with Google).
- Optional profile fields you choose to provide: home port, preferred timezone, theme preference, marketing-email consent.
- Travel-group details you add yourself: a group name, the travelers you plan with (first name and birth year only — never full birthdates, never SSNs, never passport numbers).
We deliberately don’t collect children’s exact birthdates. We need a birth year so a cruise line can match age-restricted cabins or kids’ club eligibility, but we store only the year.
When you use the site
- Cruises you save, price alerts you set, and search filters you apply.
- Standard request data your browser sends: IP address, user-agent string, the page you came from, the page you navigated to.
- Aggregated, anonymized usage analytics (how many people searched the Caribbean filter, which cruise lines are trending) via Google Analytics 4. You can opt out — see “Cookies” below.
What we don’t collect
- Payment information. We don’t process bookings; we don’t see your card.
- Passport, visa, or government-ID numbers.
- Location data beyond your IP’s coarse geography (used for currency display and analytics only).
- Health information, dietary preferences, or accessibility needs unless you choose to share them on your traveler profile.
How we use it
We use your information to provide the service you signed up for, to keep your account secure, and to communicate with you about cruises you’re tracking. Specifically:
- Run the service: show you sailings, save your trips, send price alerts, sync your account across devices.
- Email you: price alerts you set up, account security notices, and (only if you opt in) news about new features. Marketing emails always have a one-click unsubscribe link.
- Improve the product: aggregate usage analytics tell us which features get used and where users get stuck. Personally identifying details aren’t included.
- Prevent abuse: rate-limit aggressive scrapers, detect account takeovers, and comply with legal obligations.
We don’t sell your data. We don’t share it with advertisers. We don’t build a profile on you to retarget you across the web.
Who we share it with
The short version: only with services that help us run Vidalumi, and only the data those services need.
- Supabase: our database and authentication provider. Holds your account, your saved trips, and your price alerts. Located in the US (us-west-2).
- Cloudflare: CDN and edge compute. Sees request metadata (IP, user-agent, requested URL) for routing, DDoS protection, and bot detection.
- Resend: sends transactional and price-alert emails. Sees your email address and the message body.
- Google: if you sign in with Google, we receive your email and basic profile (name, picture). If you opt in to marketing analytics, Google Analytics receives anonymized site usage.
- Cruise lines and travel partners: we link you out to cruise-line booking pages with your preferred cabin class and date range as URL parameters. The cruise line’s own privacy policy applies once you’re on their site.
We may also disclose information when required by law (subpoena, court order, regulatory request) or to investigate suspected fraud or violations of our Terms.
If Vidalumi is acquired or merged, your information may transfer to the acquiring entity. We’ll notify you by email and on the site at least 30 days before any such transfer takes effect, and you’ll have the option to delete your account first.
Cookies and tracking
We use cookies for two things only:
- Session cookies (essential): keep you signed in, remember your light/dark mode preference, prevent cross-site request forgery on form submissions. These can’t be turned off without breaking the site.
- Analytics cookies (optional, US/EEA users see a banner): Google Analytics 4. You can decline these and still use the site normally.
We don’t use cookies for advertising. We don’t share cookie data with third-party ad networks. We don’t embed tracking pixels from Facebook, TikTok, or any other ad platform.
Your rights
You can do all of the following from your account settings, or by emailing us at privacy@vidalumi.com:
- Access a copy of what we have about you.
- Correct anything that’s wrong.
- Delete your account and the data tied to it. We’ll process the request within 30 days; some operational logs retain anonymized request metadata for up to 90 days for security purposes.
- Export your data in a portable format (JSON).
- Opt out of marketing emails at any time (every marketing email has a one-click unsubscribe link).
- Withdraw consent for analytics cookies (clear them in your browser; we honor Do Not Track and Global Privacy Control signals).
EEA / UK residents: these rights are guaranteed under GDPR Articles 15–22. Our legal basis for processing is (a) contract performance — running the service you signed up for, (b) legitimate interest — improving the product and preventing abuse, and (c) consent — for marketing emails and analytics cookies. You may also lodge a complaint with your local supervisory authority.
California residents (CCPA / CPRA): you have the right to know, delete, correct, and opt out of any sale or sharing. We don’t sell or share personal information for cross-context behavioral advertising, so the opt-out is moot — but the right exists.
How long we keep it
While your account is active, we keep what you’ve created. When you delete your account:
- Profile, saved trips, price alerts, and traveler-group details are removed within 30 days.
- Aggregated, anonymized analytics may persist (we can’t unbake an aggregate).
- Operational security logs (failed sign-in attempts, abuse signals) retain hashed IP addresses for up to 90 days.
- Email records held by Resend follow their own retention policy (currently 30 days for transactional, longer for bounces and complaints).
Security
We protect your information with industry-standard practices: passwords are hashed with bcrypt, sessions use HTTP-only secure cookies, traffic is encrypted in transit (TLS 1.3), and the database is encrypted at rest. We rotate credentials regularly, minimize who has production access, and require multi-factor authentication for staff.
No system is bulletproof. If we detect a breach affecting your data, we’ll notify you by email within 72 hours of becoming aware of it, along with what data was affected and what we’re doing about it.
Children
Vidalumi isn’t designed for children under 13. We don’t knowingly collect personal information from them. If you’re a parent or guardian and you believe your child under 13 has created an account, contact us at privacy@vidalumi.com and we’ll delete it.
You can add children to a travel-group profile (so a cruise line can match age-eligible cabins), but those profiles don’t have their own login and store only first name and birth year — no contact info, no behavioral data.
International transfers
Our infrastructure lives primarily in the United States (Supabase us-west-2, Cloudflare US edge nodes). If you’re in the EEA, UK, or other jurisdictions, your information will be transferred to and processed in the US under Standard Contractual Clauses or equivalent safeguards.
Changes to this policy
We’ll update this page when our practices change. Material changes get a notice on the site and an email to account holders at least 14 days before they take effect. Non-material changes (clarifying language, adding a service provider) are reflected here with the “Last updated” date bumped.
Contact us
Questions, requests, or concerns about your privacy?
- Email: privacy@vidalumi.com
- Mail: And It Just Happens, Inc., Privacy Office, [postal address pending publication]
See also: Terms of Service.