PRIVACY NOTICE
Last Updated: April 2026
Autopilot Travel, Inc. ("Autopilot," "we," "our," or "us") is a Delaware corporation with its principal place of business at 27 East 28th Street, New York, NY 10016. We operate the website withautopilot.com and a suite of travel-management services, including automated fare monitoring, price-drop rebooking, and travel reservation management, as well as a companion App (collectively, the "Services").
This Privacy Notice ("Notice") describes how we collect, use, retain, disclose, and protect your personal information when you visit our website, create an account, or use the Services. It also describes your rights with respect to your personal information and how you can exercise those rights.
By creating an account or using the Services, you acknowledge that you have read and understood this Notice. If you do not agree to these practices, please do not use the Services.
CONTENTS
1. Scope of This Notice
2. Information We Collect
3. How We Collect Information
4. Gmail & Email Inbox Integration
5. Purposes for Which We Use Your Information
6. Disclosure of Your Information to Third Parties
7. Cookies, Tracking Technologies & Digital Advertising
8. Sensitive Personal Information
9. Data Retention
10. Data Security
11. Children's Privacy
12. Third-Party Links and Integrations
13. Your Privacy Rights (All Users)
14. California Privacy Rights (CPRA / CCPA)
15. Additional State Privacy Rights
16. Do Not Sell or Share My Personal Information
17. Global Privacy Control (GPC)
18. Changes to This Notice
19. Contact Us
1. SCOPE OF THIS NOTICE
This Notice applies to:
This Notice does not apply to the data practices of third-party service providers, airlines, hotels, or other travel providers to which we may refer or connect you. Those parties' privacy practices are governed by their own policies.
2. INFORMATION WE COLLECT
2.1 Information You Provide Directly
A. Account Registration & Profile Data
When you create an Autopilot account, we collect:
B. Traveler Profile Data
To enable fare monitoring, rebooking, and reservation management, we collect the following information about you and any companion travelers on your reservations:
Note on Companion Travelers: If a reservation you import includes other travelers (e.g., family members, colleagues), we process their personal information as described in this Notice. By importing such a reservation, you represent that you have authority to do so and have informed those individuals of Autopilot's privacy practices.
C. Flight Reservation Data
For each flight reservation we track on your behalf, we store:
D. Hotel Reservation Data
For hotel reservations, we store:
E. Payment & Billing Information
We use Stripe, Inc. as our payment processor. We do not store full payment card numbers on our servers. Through Stripe, we retain:
All full card numbers and sensitive financial credentials are held exclusively by Stripe and are subject to Stripe's Privacy Policy (stripe.com/privacy). We have no access to your full card number.
F. Support & Communications
When you contact us for support or otherwise communicate with us, we collect the contents of those communications and any personal information you choose to share.
2.2 Information Collected Automatically
When you visit our website or use the Services, we and our third-party partners automatically collect:
We do not currently collect precise geolocation data (GPS coordinates). If we do so in the future, we will update this Notice and seek your consent where required by applicable law.
2.3 Information Received from Third Parties
We may receive information about you from:
3. HOW WE COLLECT INFORMATION
| Method | Description | Examples |
|---|---|---|
| Direct Input | Information you provide when registering, updating your profile, or contacting us. | Name, email, traveler profile, payment info |
| Email Forwarding | You forward confirmation emails to trips@withautopilot.com; we parse them to extract reservation data. | Flight PNRs, hotel confirmations |
| Gmail Integration | With your explicit OAuth authorization, we access qualifying travel emails in your inbox. | Travel confirmation emails (see Section 4) |
| Automatic Collection | Our systems and analytics tools collect data as you navigate the Services. | IP address, session recordings, analytics events |
| Third-Party Providers | Data received via APIs from Google, airlines, hotels, or other partners. | OAuth profile data, reservation updates |
4. GMAIL & EMAIL INBOX INTEGRATION
| OPTIONAL FEATURE: EXPLICIT AUTHORIZATION REQUIRED |
|---|
| Linking your Gmail account is optional. You may use the Services by manually importing reservations or by forwarding confirmation emails to trips@withautopilot.com. If you choose to connect Gmail, we will request only the specific OAuth permissions described below. |
4.1 OAuth Scopes Requested
When you authorize Gmail access, Autopilot requests the following Google OAuth scopes:
We do not request permission to compose, send, delete, or modify emails. We do not access contacts, calendars, Google Drive, or any Google service beyond the scopes listed above.
4.2 Data Accessed and Stored
Upon authorization, Autopilot scans your inbox for emails from travel providers using domain and subject-line matching. Specifically:
We do not read, store, or process non-travel emails. We do not currently use inbox data to serve you third-party advertising. We do not sell the contents of your emails. Any other and further use shall be disclosed to you in advance and, where required by law, will require your consent.
4.4 Revoking Gmail Access
You may revoke Autopilot's access to your Gmail account at any time by:
Upon revocation, we deactivate your Gmail OAuth token promptly. Previously stored email content and extracted reservation data are subject to our standard retention policy (Section 9).
4.5 Google API Services User Data Policy
Autopilot's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for purposes beyond those described in this Notice.
5. PURPOSES FOR WHICH WE USE YOUR INFORMATION
We use your personal information only for the following purposes:
| Purpose | Information Used | Legal Basis |
|---|---|---|
| Providing & operating the Services (fare monitoring, rebooking, reservation mgmt.) |
Account data, traveler profile, reservation data, Gmail data (if linked) | Performance of contract; legitimate business interest |
| Billing & Payment Processing | Billing info, payment data (via Stripe) | Performance of contract |
| Customer Support & Service Communications | Account data, support correspondence | Performance of contract; legitimate business interest |
| Personalized Marketing & Promotional Emails (e.g., fare-drop nudges, destination-based offers) |
Account data, reservation data, behavioral segments (Customer.io) | Legitimate business interest; opt-out available |
| Fraud Detection & Prevention | Account data, IP address, device identifiers, payment data (Stripe) | Legitimate business interest; legal obligation |
| Analytics, A/B Testing & Product Development | Usage data, session recordings, behavioral data (PostHog, Google Analytics) | Legitimate business interest; consent; opt-out available |
| AI-Assisted Operations (email parsing, features via OpenAI/Anthropic APIs) |
Limited operational data (reservation/email snippets) | Legitimate business interest consent; opt-out available |
| Legal Compliance | As required by applicable law | Legal obligation |
| Business Transfers | As reasonably necessary | Legitimate business interest |
5.1 Automated Processing
Stripe may use automated fraud-detection algorithms in connection with payment processing on our behalf. Autopilot does not currently make fully automated decisions about users that produce legal or similarly significant effects. We will update this Notice if that changes.
5.2 AI-Assisted Operations
We use third-party AI tools, including OpenAI and Anthropic APIs, to assist in operational tasks such as email parsing and reservation data extraction. We do not use your personal information to train foundational AI models without your separate consent.
6. DISCLOSURE OF YOUR INFORMATION TO THIRD PARTIES
6.1 Service Providers (Processors / Contractors)
We disclose personal information to the following service providers who process data on our behalf, subject to contractual data processing obligations:
| Service Provider | Category of Information Disclosed | Purpose |
|---|---|---|
| Stripe, Inc. | Billing name, billing address, last 4 digits, card type, tokenized card data, subscription information | Payment processing & fraud prevention |
| Customer.io | Email address, account data, behavioral segments, send/receive tracking events | Email marketing & transactional communications |
| PostHog, Inc. | Usage data, session recordings, analytics events, IP address | Product analytics, A/B testing, session replay |
| Google LLC (Google Analytics) | Usage data, IP address, browsing behavior | Website analytics |
6.2 Travel Providers (Airlines & Hotels)
In the ordinary course of providing the Services, such as when we contact an airline or hotel on your behalf to rebook or inquire about a reservation, we disclose the personal information necessary to facilitate that interaction. This typically includes confirmation number (PNR), full traveler names, dates of birth, and itinerary details.
6.3 Cross-Context Behavioral Advertising (Meta Pixel)
We use the Meta (Facebook) Pixel on our website. The Meta Pixel sends behavioral data, including page visits, conversion events, and device identifiers, to Meta Platforms, Inc. Meta may use this data for cross-context behavioral advertising, meaning it may serve targeted ads to you on Meta's platforms (Facebook, Instagram) based on activity on our site.
You may opt out of this sharing at any time. See Section 16.
6.4 Business Transfers
If Autopilot is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website prior to your personal information becoming subject to a materially different privacy policy.
6.5 Legal Disclosures
We may disclose personal information if required by law, regulation, court order, or legal process, or in response to a lawful request from law enforcement or government authorities. We may also disclose personal information when we believe in good faith that disclosure is necessary to protect our rights or property, prevent fraud or illegal activity, or protect the personal safety of any person.
6.6 No Sale of Personal Information
Autopilot does not sell your personal information to data brokers or other third parties for monetary consideration. For California residents' rights regarding 'sharing' for cross-context behavioral advertising, see Sections 14 and 16.
7. COOKIES, TRACKING TECHNOLOGIES & DIGITAL ADVERTISING
7.1 Cookie Inventory
We and our third-party partners use cookies, web beacons, pixel tags, and similar tracking technologies. The following cookies are currently deployed:
| Set By | Purpose |
|---|---|
| PostHog | Product analytics, A/B testing, and session recording; |
| Stripe | Device fingerprint for payment fraud prevention; Merchant account session identifier; Stricter-scoped device fingerprint; Tracks recently viewed Stripe dashboard pages. |
| Meta (Facebook) | Pixel and ad measurement tracking; Browser identification; Session and authentication token |
8. SENSITIVE PERSONAL INFORMATION
Under the California Privacy Rights Act (CPRA) and similar state laws, certain categories of personal information receive heightened protection ("Sensitive Personal Information" or "SPI"). We handle the following categories of SPI:
| SPI Category | How We Handle It |
|---|---|
| Government Identifiers (Redress Number, Canadian Travel Number) | Collected from reservation records; used solely for service delivery. |
| Financial Account Data (last 4 digits, billing info) | Collected via Stripe for billing; not used for purposes unrelated to payment processing. |
| Special Service Request (SSR) Data (e.g., disability, dietary, medical) | SSR data may appear in raw airline API responses; we do not intentionally parse, store, or act on SSR data. |
| Precise Geolocation (GPS) | Not currently collected. We may collect this in the future and will seek your consent where required by law. |
We use Sensitive Personal Information only as necessary to provide the Services and for limited additional purposes permitted by applicable law. We do not use SPI to infer characteristics about you unrelated to our Services.
We do not collect biometric information, racial or ethnic origin, religious beliefs, health conditions (beyond incidental SSR contact), union membership, or the contents of personal communications unrelated to travel reservations.
9. DATA RETENTION
We retain personal information for as long as necessary to fulfill the purposes described in this Notice, subject to applicable legal obligations:
| Data Category | Retention Period |
|---|---|
| Account registration data (name, email, hashed password) | Retained while account is active; deleted from our primary database promptly upon a verified account deletion request. |
| Traveler profile and reservation data (flights, hotels) | Retained indefinitely while account is active, or until you request deletion. |
| Gmail OAuth access token | Retained while account is in good standing; deleted immediately upon account deletion or access revocation. |
| Stored confirmation email content | Retained as part of reservation records; subject to the same deletion policy as reservation data. |
| Payment records (via Stripe) | Retained indefinitely for billing, fraud prevention, tax/accounting, and dispute resolution. Stripe applies its own retention limits independently. |
| Analytics & session recording data | Retained indefinitely in analytics systems; certain operational logs become inaccessible after 30 days. |
| Third-party vendor records (Stripe, Customer.io) | Retained per those providers' own retention policies, which may differ from ours. |
| Backup systems | Account deletion propagates to backups during regular backup cycles; immediate removal from backups is not guaranteed. |
10. DATA SECURITY
We implement technical and organizational measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction:
No security system is impenetrable. In the event of a data breach that creates a material risk to your rights, we will notify you as required by applicable law.
11. CHILDREN'S PRIVACY
The Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. We do not engage in targeted advertising to individuals under the age of 18.
If you become aware that a child under 13 has provided us with personal information, please contact us at support@withautopilot.com and we will delete that information promptly.
12. THIRD-PARTY LINKS AND INTEGRATIONS
Our Services may contain links to or integrations with third-party websites, services, and platforms, including airlines, hotel booking sites, affiliate partners, and social media influencers.
This Notice does not cover the data practices of any third party. We encourage you to review the privacy policies of any third-party service you access through or in connection with Autopilot.
13. YOUR PRIVACY RIGHTS (ALL USERS)
Regardless of your state of residence, you have the following rights with respect to your personal information:
| HOW TO SUBMIT A REQUEST |
|---|
| Email: support@withautopilot.com |
| Subject Line: [Privacy Request] -- [Type of Request] |
| Mail: Autopilot Travel, Inc., 27 East 28th Street, New York, NY 10016 |
| Response Time: We will respond to verifiable requests within 45 days. |
| If additional time is required, we will notify you in writing. |
We may need to verify your identity before fulfilling a rights request. We will ask you to confirm information associated with your account. We will not discriminate against you for exercising any of your privacy rights.
Authorized agents may submit requests on your behalf with written authorization signed by you. We may require you to directly verify your identity with us even when using an authorized agent.
14. CALIFORNIA PRIVACY RIGHTS (CPRA / CCPA)
This section applies to California residents and supplements the rights described in Section 13.
14.1 Categories of Personal Information Collected
In the preceding twelve (12) months, we have collected the following categories of personal information from California residents:
| CPRA Category | Examples Collected by Autopilot |
|---|---|
| A. Identifiers | Name, email address, IP address, account ID, device identifiers |
| B. Personal Information (Cal. Civ. Code Sec. 1798.80) | Name, billing address, last four digits of payment card |
| C. Protected Classifications | Date of birth; SSR data incidentally received but not intentionally processed |
| D. Commercial Information | Subscription plan, payment history, service usage |
| F. Internet / Electronic Network Activity | Browsing behavior, session recordings, clickstream data, cookie identifiers |
| G. Geolocation Data | Coarse location derived from IP address |
| H. Sensory / Electronic Data | Travel confirmation email content (accessed via Gmail integration) |
| K. Inferences | Customer segments derived from reservation and behavioral data (e.g., upcoming destination, engagement level) |
| Sensitive PI: Government Identifiers | Known Traveler Number (KTN), redress number, Canadian travel number |
| Sensitive PI: Financial Account Data | Last four digits and metadata of payment card (held primarily by Stripe) |
14.2 California Consumer Rights
California residents have the right to:
14.3 Verifiable Consumer Requests
Submit a CPRA request to support@withautopilot.com. We will verify your identity by matching information against your account records and respond within 45 days. If we need additional time (up to 90 days total), we will notify you within the initial 45-day period. You may submit a request to know up to twice in any 12-month period.
14.4 Appeals
If we deny your rights request, you may appeal by responding to our denial notice with a written explanation. If your appeal is denied, you may contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.
14.5 Shine the Light (Cal. Civ. Code Section 1798.83)
California customers may request information once per year about categories of personal information (if any) we share with third parties for their independent direct marketing purposes. We do not share personal information with unaffiliated third parties for their independent direct marketing purposes without your consent.
15. ADDITIONAL STATE PRIVACY RIGHTS
While Autopilot does not currently meet the volumetric thresholds that trigger mandatory compliance under all applicable state privacy laws, we respect the privacy rights of users from all states and voluntarily extend similar rights to all users. States with comprehensive consumer privacy laws include:
| State Law | Key User Rights |
|---|---|
| Virginia VCDPA | Access, correction, deletion, portability, opt-out of targeted advertising and profiling |
| Colorado CPA | Access, correction, deletion, portability, opt-out of targeted advertising, profiling, and sale of PI |
| Connecticut CTDPA | Access, correction, deletion, portability, opt-out of targeted advertising, profiling, and sale of PI |
| Texas TDPSA | Access, correction, deletion, portability, opt-out of targeted advertising and sale of PI |
| Montana MCDPA | Access, correction, deletion, portability, opt-out of targeted advertising and profiling |
| Oregon OCPA | Access, correction, deletion, portability, opt-out of targeted advertising, profiling, and sale of PI |
Targeted Advertising: We use the Meta Pixel and Customer.io for marketing purposes that may constitute 'targeted advertising' or 'sharing' under state law definitions. You may opt out -- see Section 16.
Profiling: We use PostHog and Customer.io to segment users into behavioral categories based on travel patterns. We do not currently make automated decisions that produce legal or similarly significant effects. We will update this Notice if that changes.
To exercise your state privacy rights, contact us at support@withautopilot.com. We will not discriminate against you for exercising these rights.
16. DO NOT SELL OR SHARE MY PERSONAL INFORMATION
Autopilot does not sell personal information for monetary consideration. However, our use of the Meta Pixel may constitute a 'share' of personal information for cross-context behavioral advertising under California law and may constitute 'targeted advertising' under other state laws.
To opt out of this sharing / targeted advertising:
We will process opt-out requests within 15 business days. We will not deny you access to the Services because you have exercised this right.
18. CHANGES TO THIS PRIVACY NOTICE
We may update this Privacy Notice from time to time. When we make material changes, we will notify you by email to the address on file with your account. The updated Notice will also be posted on our website with a revised "Last Updated" date at the top.
For non-material changes (such as typographical corrections or clarifications that do not affect your rights or our data practices), we may update the Notice without separate notice. Your continued use of the Services following posting of any changes constitutes your acceptance of the updated Notice.
We recommend reviewing this Notice periodically to stay informed about our data practices.
19. CONTACT US
If you have any questions, concerns, or requests related to this Privacy Notice or our data practices, please contact us:
| Autopilot Travel, Inc. |
|---|
| 27 East 28th Street, New York, NY 10016 |
| Email: support@withautopilot.com |
| Subject Line for Rights Requests: [Privacy Request] -- [Type of Request] |
| We will respond to all privacy inquiries within 45 days. |
For California residents exercising CPRA rights, you may also contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov if you believe we have failed to fulfill your rights request
Copyright © Autopilot Travel, Inc. | Created with ❤️ in NYC and 🌎
Live life on autopilot.
Autopilot is not affiliated with any airline, hotel or other travel provider.
