Privacy / Notturno
Your data, your terms
We hold a few things for you.
We look after the things you upload like a maître d' looks after a coat. Quietly, carefully, and only used to make your trips feel known. Below is the long form of what that looks like in practice — what sits on our side, where it lives, who sees it, and how to take it back.
01
What we hold for you
Your photo
The avatar you set on your profile. Shared with the partners on your bookings — the maître d', the driver, the chef — so they recognise you on arrival. Nobody else sees it.
Travel documents
Your passport, national ID, and driver's licence — front and back where the document needs both. Used to pre-fill border forms and to satisfy a partner's check-in. Never browsed, never aggregated, never used to train any model.
Name, address, contact
What we would write on an envelope if we were sending you a hand-written note. Used to address you correctly, to ship the occasional thing, and to reach you about a trip in flight.
Payment methods
The cards you save are tokenised by our payment processor (Stripe). We hold a reference, not the full number. The CVV is never stored at all.
Trip history
Your bookings, the ledger of what was spent on each trip, and the partner reviews you've left. Used to suggest the next thing in a way that fits the last.
Location
Only while you're using the app, and only to surface what's near you — a recommended bar two streets over, a timed reminder on the day of travel. Never recorded in the background, never sold.
Concierge conversations
What you ask the concierge — by voice or in writing — and what it answers. Held against your trip so the assistant remembers context across days. Speech is transcribed on-device where the device allows it.
02
Where it lives
Encrypted in transit and at rest
Everything you send to us travels over an encrypted connection (TLS 1.2+) and is held in encrypted storage on the other end. The keys are managed by our cloud provider; the bytes themselves are never readable in the open.
Held in regional cloud storage
Your files sit in Google Cloud's europe-west region, under an account scoped to you. A different signed-in person — even with the same app installed — can't see your files. We do not transfer your data outside the European Economic Area without an appropriate safeguard in place.
03
Who sees it
Never sold, never used for ads
Not with advertisers, not for training any external AI. Outside the partners on your trips, nothing about you leaves the house.
Partners on your bookings only
When you book a hotel, a car, a table — that partner sees the slice of your profile they need to host you. A different partner, on a different trip, sees a different slice. Nobody sees the whole.
Notturno staff don't browse
Day-to-day, no human at Notturno opens your files or reads your concierge thread. Engineers reach into individual records only on a documented incident, and only with a logged, time-boxed audit trail.
04
Your controls
See what we hold
Every piece of data on this page is visible to you inside the app — your profile photo, your saved documents, your trip ledger, your card tokens, your conversation history. The app is the canonical view.
Edit, replace, remove
Any field is editable from your Profile. Travel documents can be replaced or removed individually. The concierge thread can be cleared per-trip.
Close your account
From the bottom of your Profile, you can close your account. We delete your live profile, photo, documents, and active conversations right away, and we keep a copy of your records in a secure, locked-down archive that is used only to honour open tax / refund / dispute windows. The archive is purged on schedule and is never used for marketing.
Reach a human
Write to us at contact@notturno.com with a request to see, correct, export, or erase your data. We respond within fourteen days and never charge for the work.
05
Sub-processors
Firebase / Google Cloud (Google LLC)
Authentication, real-time database, encrypted file storage, cloud functions, and push notifications. Regional hosting in europe-west.
Stripe (Stripe Payments Europe Ltd.)
Card tokenisation, Apple Pay, settlement to partners. Card numbers and CVVs never touch our servers.
Google Vertex AI
The concierge's language and voice models. Conversation content sent to Vertex for inference is governed by Google Cloud's data-processing terms; it is not used to train any general-purpose model.
06
Retention
Active records live for as long as your account is open. Closed-account archives are kept for up to seven years to satisfy tax law and partner-side dispute windows, then permanently purged. Concierge transcripts and analytics events are summarised after ninety days and the raw form is deleted.
07
Contact
Write to us at contact@notturno.com with any data-protection request — access, correction, export, erasure, or a complaint. We answer every email by hand and respond inside fourteen days.