LEGAL — SITE POLICIES

Privacy
Policy

What we collect, what we do with it, and the rights you have over it — in plain English.

Last updated — June 28, 2026

We're a small operation. We don't need much from you to plan a great trip, and we don't do anything cute with what you give us. Here's the long version.

Who We Are

K Travel Group, doing business as KGAY Travel ("KGAY Travel," "we," "us," or "our"), is an LGBTQ+ travel business run by Steven Krumholz out of San Diego, California — the guy who actually picks up the phone. We have been doing this since 2007.

We are a registered independent travel agent and Seller of Travel. Most of what we sell is travel operated by other companies — full-ship gay cruises, resort takeovers, and group land trips run by charter companies, cruise lines, resorts, and tour operators such as Atlantis Events, VACAYA, Brand g Vacations, Out Adventures, RSVP and Source Journeys. For those trips we act as your agent and the trip itself is operated by the supplier under their own terms. We also plan and operate some of our own charters and group events — those are a smaller part of what we do and are clearly identified as KGAY-operated when they come up.

Alongside the booking business, we publish a free informational trip guide in the KGAY Travel mobile app — a native app for iOS and Android — so guests can see their itinerary, event schedule, entertainment lineup, port and destination info, and saved plans in one place. Together, the agency, the marketing site at kgaytravel.com and the mobile app are referred to in this policy as the "Service."

This policy explains what we collect across the Service, what we do with it, who we share it with, and the rights you have over it. When you book a trip operated by a Travel Supplier, that supplier also has its own privacy policy that governs how it handles your information.

What We Collect

We try to collect as little as possible. Here is the full list, grouped by where it comes from.

Account and identity

When you create an account, we collect the identifiers you sign up with — your email address (required) and, optionally, your phone number. If you sign in with a social or OAuth provider (such as Apple or Google), we receive the basic profile information that provider shares with us, which may include your name, email and a provider profile photo.

Authentication is handled by our sign-in provider, Clerk, which securely stores your credentials and any password you choose to set. Sign-in is passwordless by default; a password is optional. We do not see or store your social-account passwords.

Profile

To personalize the app and sync it across your devices, we store the profile you create: first and last name, display name, an optional username (used only inside the app, never to sign in), a short free-text "about", a profile photo (avatar), your location, your phone number (optional), and your trip preferences. Location is whatever you enter during onboarding — your country is required; state and city are optional. We also store a marketing-email opt-in flag, the timestamp when you accepted our Terms, and the timestamp when you finished onboarding. You can edit or remove most of this anytime in Settings.

Saved content and activity

We store the content you save to your account so it is available on every device you sign in to: your saved and followed trips, saved plan items (events, attractions and venues, with any notes you add), per-trip display preferences, and your read/dismiss state for alerts. Your uploaded avatar is included here too.

Friends and social connections

The app has a friends feature built on shareable friend codes (in the format XXXX-XXXX, including one-time codes) and QR codes. When you redeem someone's code you become their follower, and we record that follow relationship. Each account has a "show my plans to friends" toggle that is on by default — when it is on, friends you connect with can see the trips and events you have saved. You can turn it off at any time in Settings. What your friends see is your display name and avatar, not your sign-in identity.

Booking and inquiry information

When you inquire about a trip or move forward with a booking, we collect your name, email, phone number, the trip details you are asking about, and anything you write in the message field. We share the booking details that are necessary to operate your trip with the relevant Travel Supplier. We use JotForm to handle contact and inquiry forms. We do not collect or store payment-card data on our own sites — when it is time to pay, payment is handled by the Travel Supplier on their systems.

Usage and analytics

We use PostHog to understand how the Service is used. PostHog records page and tab views, custom product events (for example, opening a trip guide), device, operating-system and browser information, the site that referred you, and a session and device identifier. PostHog infers an approximate location from the IP address of the request.

We keep analytics separate from your account identity — we do not send your name, email or any account ID to PostHog, so analytics events are not tied back to you as an identified person. Some signals — an IP-derived approximate location, a session or device identifier — may still count as personal data under the GDPR, which is one reason you can turn analytics off at any time in Settings. We do not use analytics for cross-site advertising or retargeting, and there is none on the Service. (We previously kept a small in-house analytics table; it has been retired and that collection is now switched off.)

Device and push notifications

If you turn on push notifications, we store your device's push token and platform. For signed-in users this is linked to your account so notifications reach the right person across your devices. We use these to send trip updates and friend-add notifications, and we deliver them through Apple Push Notification service (APNs), Firebase Cloud Messaging (FCM) and Expo Push. You can turn notifications off anytime in your device settings.

Other mobile device data

On mobile, the camera is used only when you scan a QR friend code or choose an avatar photo — we do not access it otherwise. We use on-device storage (SQLite and AsyncStorage) for offline caching and to remember your preferences. We do not collect GPS or real-time location — the only location we hold is what you type into your profile at onboarding.

Email-list signups

If you opt in to marketing email, we store your email address and name and the fact that you opted in, so we can send trip announcements and honor unsubscribe requests. See "Marketing email" below.

Images

Avatars and trip imagery are stored and served through the Bunny.net content delivery network. On mobile, trip images may also be cached locally on your device so the guide works offline.

How We Use What We Collect

  • To run your account — sign you in, sync your profile and saved plans across devices, and power the friends feature.
  • To respond to your inquiry, quote a trip, hold space and send the paperwork — the actual job of being your travel agent.
  • To operate trips you book, by sharing the necessary details with the relevant Travel Supplier.
  • To send you trip updates and the notifications you have turned on.
  • To send marketing email, but only if you opted in.
  • To improve the Service. Aggregated analytics, not linked to your identity, show us what people care about and where things are breaking.
  • To keep the Service secure and to detect and prevent fraud and abuse.
  • To meet our legal obligations — California and Florida Seller of Travel recordkeeping, tax records and similar.

Legal Bases for Processing (EU and UK)

If you are in the EU or UK, the GDPR requires a legal basis for each way we use your information. Here is what we rely on under Article 6.

  • Running your account — signing you in, syncing your profile and saved plans, and the friends feature — performance of our contract with you (and, for optional features you switch on, your consent).
  • Responding to your inquiry, quoting and booking a trip, and sharing the necessary details with the Travel Supplier to operate it — performance of a contract, or taking steps at your request before entering one.
  • Marketing email — your consent, which you can withdraw at any time.
  • Product analytics — your consent where required; otherwise our legitimate interest in understanding and improving the Service. You can turn analytics off at any time.
  • Push notifications — your consent (you choose to turn them on).
  • Keeping the Service secure and preventing fraud and abuse — our legitimate interests.
  • Seller of Travel recordkeeping, tax and other legal records — compliance with a legal obligation.
  • A merger, acquisition or asset sale — our legitimate interest in running and transferring the business.

Who We Share It With

We share your information only with the categories of recipients below, and only what each one needs to do its job. We do not sell or rent your personal information, and we do not share it with advertising networks for retargeting.

Travel Suppliers

When you book a cruise, resort stay or land trip, we hand off the booking details needed to operate it to the charter company, cruise line, resort or tour operator running the trip (such as Atlantis Events, VACAYA, Brand g Vacations, Out Adventures, RSVP and Source Journeys, among others). They handle payments, manifests and on-board logistics under their own privacy policies.

Service providers

We use trusted third parties to run the Service. They process your data only to provide their service to us, under their own privacy and security commitments:

  • Clerk — Authentication and account identity: email, optional phone, social/OAuth identities, name, optional provider photo, session data.
  • Convex — Our backend database and real-time sync: profile, saved plans and trips, friends, preferences, push tokens.
  • Bunny.net — Image content delivery network: avatars and trip imagery.
  • PostHog — Product analytics not linked to your account: no account IDs are sent (configured in production).
  • Mailchimp — Opt-in marketing email: email address and first/last name only (configured in production).
  • Apple APNs / Google FCM / Expo — Delivery of push notifications.
  • JotForm — Contact and inquiry forms.
  • Travel Suppliers — Fulfillment of the trips you book.
  • AI providers (Google Gemini, Anthropic Claude, Firecrawl) — Internal/admin content tools only (see below); no customer personal information is sent.

Legal and business transfers

We may disclose information if the law requires it — subpoenas, court orders, regulatory audits — and we will push back where we can and tell you when we are allowed to. If KGAY Travel is ever involved in a merger, acquisition or sale of assets, your information may be transferred as part of that transaction.

Our AI Tools and Your Data

We use AI inside our internal admin tools only — to research and import trip and entity content, and to generate marketing imagery — through Google Gemini and Anthropic Claude (via the Vercel AI Gateway), plus Firecrawl for scraping supplier and pricing pages. No customer personal information — no emails, phone numbers, profiles, saved plans, friends data or analytics — is sent to any AI system. The only data that flows through those tools is trip and entity content.

Marketing Email

During onboarding you can opt in to marketing email — trip deals, party news and KGAY Travel updates. The box is unchecked by default; you only receive marketing email if you choose to opt in. If you opt in, we share your email address and first/last name with Mailchimp to send these messages, along with your opt-in status.

You can unsubscribe at any time using the link in any email or by changing your preference in the app's Settings. Opting out of marketing does not affect transactional or service messages — like account notices or trip updates.

Cookies and Tracking

We use cookies and similar technologies for a few narrow reasons: keeping you signed in to forms, remembering your language and display preferences, and letting our analytics count visits. We do not run third-party advertising or cross-site retargeting cookies. Your browser lets you block or delete cookies; the Service will still work, though some forms may need to reload and analytics will not see your visit.

How Long We Keep It

We keep your account information for as long as your account is active. Saved content stays until you delete it or delete your account. Marketing data stays until you unsubscribe. Inquiry and booking records are kept for as long as California and Florida Seller of Travel recordkeeping rules require, then deleted on a rolling basis. We may retain limited records longer where the law requires it or to resolve a dispute. You can ask us to delete sooner — see "Your Rights."

Your Rights

Depending on where you live — for example, under the California Consumer Privacy Act (CCPA/CPRA), the EU GDPR or the UK GDPR — you may have one or more of these rights:

  • Access — ask for a copy of what we hold about you.
  • Correction — tell us to fix anything that is wrong (you can edit most profile fields directly in the app).
  • Deletion — ask us to delete your data, subject to the recordkeeping windows above.
  • Portability/Export — ask for your data in a portable form.
  • Object or restrict — object to or restrict certain processing.
  • Withdraw consent — withdraw marketing or analytics consent at any time, directly in Settings.
  • No sale or sharing — California residents can opt out of the sale or sharing of personal information. We do neither — but this is where you would say no if that ever changed.
  • Complaint — EU and UK residents can complain to their local data-protection authority. We would rather you tell us first so we can fix it.

We will not discriminate against you for exercising these rights. You can do most of this directly in the app, or email steven@kgaytravel.com with the subject "Privacy Request" — Steven handles these personally. We will respond within 30 days.

Account Deletion

You can delete your account at any time directly in the app — open Settings and choose to delete your account — or by emailing steven@kgaytravel.com. When you delete your account, we delete or de-identify your profile, saved content and associated personal data within a reasonable period. Deletion cascades to your saved plans, your follows, your friend codes and your push tokens. We keep limited records only where we must to comply with the law or to resolve disputes. Deleting your account also removes you from marketing email.

Children and Adults-Only Service

KGAY Travel is an adults-only business — most trips we book are 18+ or 21+. The Service is not directed to children, and we do not knowingly collect personal information from anyone under 18. You must be at least 18 to create an account. If you believe a minor has provided us information, email us and we will delete it.

International Data Transfers

KGAY Travel is based in the United States and our systems run on US infrastructure. If you use the Service from outside the US — Europe, the UK, Canada, anywhere — your information will be transferred to and processed in the US. Where required, we rely on the European Commission's Standard Contractual Clauses — and, for the UK, the UK International Data Transfer Addendum — with our service providers. EU and UK residents can also raise concerns with their local data-protection authority.

How We Protect It

The Service runs over HTTPS, data is encrypted in transit, and access to inquiry and account data is restricted to Steven and the small team helping run trips. Internal admin access is staff-only. No system is perfectly secure — but we keep the surface area small on purpose.

Changes to This Policy

We will update this page if the way we handle data changes — new tools, new regulations, anything material. The "last updated" date at the top tells you when. For significant changes we will give additional notice in the app or by email.

Contact

Questions, requests and complaints all go to the same place.

  • Owner: Steven Krumholz
  • Email: steven@kgaytravel.com
  • Phone: 310.560.9887
  • Mail: KGAY Travel, 3245 University Ave 1-111, San Diego, CA 92104, USA
  • Registrations: California Seller of Travel CST #2089491-50 · Florida Seller of Travel #ST37113