Last updated: 6 July 2026 (clarified the partner-sites example in the short version). This policy explains how Paglipat (an independently run personal project) processes personal data on www.paglipat.com.
Paglipat is the data controller. For any data-protection questions, write to [email protected].
The short version
- We don't sell your data.
- We don't have user accounts. There's nothing to log in to.
- We don't take payments. Bookings happen on partner sites (for example Travelpayouts, Agoda, Yesim, 12Go).
- We use Google Analytics (IP anonymised) and PostHog EU (anonymous behavioural events plus input-masked session replay), plus standard server logs from Cloudflare and DigitalOcean. All analytics tools are opt-in via the cookie banner.
- You have the right to ask what we know about you, correct it, or delete it.
What we collect
| Data | Source | Purpose | Lawful basis (UK GDPR) |
|---|---|---|---|
| IP address, user-agent, request URL, referrer, timestamp | Automatic (server logs at Cloudflare + DigitalOcean) | Site security, abuse prevention, performance debugging | Legitimate interest (Art. 6(1)(f)) |
| Pseudonymous analytics ID, page-view events, session duration | Google Analytics 4 (with IP anonymisation) | Understand which content gets read | Consent (Art. 6(1)(a)) - opt-in via the cookie banner |
| Pseudonymous events (clicks, search submits, scroll depth), session recordings with all keyboard input automatically masked at the SDK level | PostHog EU (hosted in Frankfurt by PostHog Inc.) | See where users get stuck in the search-to-booking flow and prioritise UX fixes | Consent (Art. 6(1)(a)) - opt-in via the cookie banner |
| Search preferences (currency, locale) | Cookies (set when you use the site) | Remember your preferences across visits | Legitimate interest (Art. 6(1)(f)) |
| Email address (newsletter - when enabled) | You, voluntarily, when you submit the newsletter form | Send you new posts | Consent (Art. 6(1)(a)) - opt-in, unsubscribe in every email |
| Email address (when you contact us) | You, voluntarily, when you email us | Reply to your message | Legitimate interest (Art. 6(1)(f)) |
We do not collect:
- Names, addresses, phone numbers, credit card details (booking happens on partner sites - they collect that, not us).
- Sensitive categories: race, religion, health, sexual orientation, etc.
- Data from anyone we know to be under 13.
Who we share data with (processors)
We share the minimum data needed with the following processors, who act on our instructions:
- Cloudflare - DNS, CDN, bot protection. Sees IP + request metadata. Privacy.
- DigitalOcean - static-site hosting. Sees server-log metadata. Privacy.
- Google (Analytics 4) - anonymised analytics. Privacy.
- PostHog Inc. - behavioural analytics + session replay, hosted on the EU region (Frankfurt) so your data does not leave the EEA. Privacy · DPA.
- TravelPayouts - flight search widget. When you use it, you interact with their service. Privacy.
- Agoda - hotel search widget. When you use it, you interact with their service. Privacy.
- Resend (when newsletter is enabled) - email delivery. Sees only your email and the message we send. Privacy.
- Yesim - eSIM provider (Genesis Group AG, Switzerland). When you click a buy link on our /esim page, you go directly to yesim.app - no data passes through us, but Yesim becomes the controller for that booking. Privacy.
International transfers
Some of our processors are based outside the UK/EEA (notably Google in the US, Agoda in Singapore, Cloudflare globally, Resend in the US, Yesim in Switzerland). Where data leaves the UK/EEA, we rely on Standard Contractual Clauses or equivalent UK-approved transfer mechanisms.
How long we keep data
- Server logs: 30 days at Cloudflare, 90 days at DigitalOcean.
- Google Analytics: 14 months (we use the shortest available retention).
- PostHog events: 1 year. Session recordings: 30 days, then automatically deleted by PostHog.
- Newsletter emails: until you unsubscribe + 30 days for our records, then deleted.
- Support emails: up to 2 years after the last reply, then deleted.
Your rights
Under UK GDPR you have the right to:
- Access - ask what data we hold about you
- Rectify - correct inaccurate data
- Erase - delete your data ("right to be forgotten")
- Restrict - limit how we use it
- Port - get a machine-readable copy
- Object - to processing based on legitimate interest
- Withdraw consent - anytime, for newsletter
Email [email protected]. We respond within 30 days.
You also have the right to complain to the UK Information Commissioner's Office: ico.org.uk/make-a-complaint.
Children
The site is not directed at children under 13. If you believe we hold data about a child under 13, email [email protected] and we'll delete it.
Changes
Material changes to this policy will be flagged on the site. The "Last updated" date at the top reflects the most recent change.
Contact
Paglipat
[email protected]
Email: [email protected]