Journey Japan

Privacy Policy

Effective date: March 29, 2026 · Last updated: March 29, 2026

1. Introduction

Journey Japan ("we," "us," or "our") operates the website plan.journeyjpn.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our Service.

We are committed to protecting your privacy in compliance with the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is Journey Japan. For any privacy-related inquiries, please contact us at: privacy@journeyjpn.com

3. Personal Data We Collect

3.1 Account Data (Supabase Auth)

When you create an account, we collect the following through Supabase Authentication:

  • Email/Password sign-up: your email address and a securely hashed password.
  • Google OAuth sign-in: your name, email address, and profile picture URL as provided by Google.
  • Magic Link sign-in: your email address.

Your authentication data is stored in Supabase (hosted on AWS infrastructure in the ap-northeast-1 region). Passwords are hashed using bcrypt and are never stored in plain text.

3.2 Usage Data (Google Analytics)

We use Google Analytics 4 (measurement ID: G-5HXRQZT8LF) to understand how visitors interact with our Service. Google Analytics collects:

  • Pages visited and time spent on each page
  • Referral source (how you arrived at our site)
  • Device type, browser, and operating system
  • Approximate geographic location (city-level, derived from IP)
  • Interaction events (clicks, scrolls, searches)

Google Analytics uses cookies to distinguish unique users. IP addresses are anonymized before storage. For more information, see Google's Privacy Policy.

3.3 User-Generated Content

When you use our trip planner, we store the itineraries you create, including selected destinations, schedules, and notes. This data is associated with your account and protected by Row Level Security (RLS) policies so only you can access it.

4. Cookies and Similar Technologies

We use the following categories of cookies:

CategoryCookiePurposeDuration
Essentialsb-*-auth-tokenSupabase authentication sessionSession / 1 year
Essentialjj-cookie-consentStores your cookie consent preferencePersistent (localStorage)
Analytics_ga, _ga_*Google Analytics — distinguish unique users and sessionsUp to 2 years

When you first visit our Service, a cookie consent banner is displayed, allowing you to choose which categories of cookies to accept. You can select from the following categories:

  • Necessary: Required for the site to function properly. These cannot be disabled.
  • Analytics: Help us understand how visitors use our site. Only activated if you give explicit consent.
  • Marketing: Used to deliver relevant advertisements and measure campaign effectiveness. Only activated with your explicit consent.

You may change your preferences at any time by clearing your browser's local storage and refreshing the page, which will re-display the consent banner. When you withdraw consent for a category, the associated cookies are deleted.

5. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

  • Consent (Art. 6(1)(a) GDPR): Analytics cookies and marketing communications are only processed after you give explicit consent.
  • Contract performance (Art. 6(1)(b) GDPR): Account creation and itinerary storage are necessary to provide the Service you requested.
  • Legitimate interest (Art. 6(1)(f) GDPR): Essential cookies and basic security measures to protect the Service and its users.

6. Data Sharing and Third-Party Processors

We do not sell your personal data. We share data only with the following service providers who act as data processors on our behalf:

  • Supabase Inc. — database hosting, authentication, and file storage (AWS ap-northeast-1).
  • Vercel Inc. — website hosting and edge network delivery.
  • Google LLC — Google Analytics for usage statistics; Google Maps for map display; Google OAuth for sign-in.
  • Unsplash Inc. — stock photography used on the site (no user data is shared with Unsplash).

Each processor is bound by a Data Processing Agreement (DPA) or equivalent contractual safeguards. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions.

7. Data Retention

  • Account data: retained for as long as your account is active. Upon deletion, all personal data is removed within 30 days.
  • Itinerary data: retained for as long as your account is active; deleted when you delete your account.
  • Analytics data: Google Analytics data is retained for 14 months, after which it is automatically deleted.
  • Server logs: retained for up to 30 days for security and debugging purposes.

8. Your Rights

8.1 Rights under GDPR (EU/EEA Residents)

Under the GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion of your personal data ("right to be forgotten").
  • Restriction — request restriction of processing in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — withdraw consent at any time without affecting the lawfulness of prior processing.

You also have the right to lodge a complaint with your local data protection authority (supervisory authority).

8.2 Rights under CCPA/CPRA (California Residents)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used.
  • Request deletion of your personal information.
  • Opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information.
  • Non-discrimination for exercising your privacy rights.

9. How to Exercise Your Rights

To exercise any of the rights described above, please email us at privacy@journeyjpn.com. We will respond within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • HTTPS/TLS encryption for all data in transit.
  • HTTP security headers (Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options).
  • Row Level Security (RLS) in our database ensuring users can only access their own data.
  • Bcrypt password hashing for email/password authentication.
  • Middleware-level route protection for administrative areas.

11. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately so we can delete it.

12. International Data Transfers

Your data may be transferred to and processed in countries outside of your country of residence, including the United States and Japan. When we transfer data outside the EEA, we ensure adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting a prominent notice on our Service or sending you an email. The "Last updated" date at the top of this page indicates when this policy was last revised.

14. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

Journey Japan
Email: privacy@journeyjpn.com