Legal
Last updated: June 18, 2026
Bestow is a trip-gifting platform that lets people build and send travel experiences as gifts. We're based in the United States. When this policy says "Bestow," "we," "us," or "our," we mean the Bestow service and the people who run it.
Account information. When you create an account, we collect your name and email address. If you sign in with Google, we also receive your Google profile picture and a unique identifier from Google — we never see your Google password. If you sign up with email and password, we store your password as a one-way cryptographic hash (meaning it can never be read back or recovered, even by us).
Trip data. When you build a gift trip, we store the destinations, travel dates, budget, personal message, and the recipient's name and email address you provide. When a recipient responds to an invite, we store their flight, hotel, and activity selections.
Usage data. Our hosting infrastructure (Cloudflare) automatically collects standard server logs — IP addresses, browser type, pages visited, and timestamps. We don't tie these to individual accounts for analytics purposes.
Communications. When we send you a verification email, password reset, or trip notification, your email address is passed to our email delivery provider (Resend). We don't store the content of outbound emails beyond what's needed to deliver them.
We don't use your information to show you advertising, and we don't sell your data to anyone.
Bestow relies on the following third-party services to operate. Each handles data under its own privacy policy:
We keep your account information and trip data for as long as your account is active. If you'd like your account and associated data deleted, email us at [email protected] and we'll take care of it within 30 days.
Invite links that have never been opened expire automatically. Trip data tied to expired invites is removed along with them.
Passwords are stored using PBKDF2 with 600,000 iterations — a current industry standard that makes them impractical to crack even if our database were ever accessed. Session tokens are cryptographically signed and expire after 30 days. All data is transmitted over HTTPS.
No system is perfectly secure. If you discover a security issue, please email [email protected] directly rather than posting publicly.
Bestow is not directed at children under 13. We don't knowingly collect personal information from children. If you believe a child has created an account, please contact us and we'll delete it.
If you're a California resident, you have the right to know what personal information we collect about you, to request deletion of it, and to opt out of its sale (we don't sell data, so this last right is already satisfied). To exercise these rights, email [email protected].
Bestow is based in the United States and your data is stored on US-based infrastructure. If you're accessing Bestow from outside the US, be aware that your information will be transferred to and processed in the United States. By using Bestow, you consent to that transfer.
If you're in the European Union or UK, you have additional rights under GDPR/UK GDPR, including the right to access, correct, or erase your personal data. Contact us at [email protected] to exercise them.
If we make material changes to this policy, we'll update the "last updated" date at the top and, where appropriate, notify you by email. Continued use of Bestow after a change takes effect constitutes your acceptance of the updated policy.
Questions about this policy or your data? Email us at [email protected]. We'll respond within a few business days.