Protecting your personal data is important to us. This Privacy Policy explains what personal data Mylo Technologies LLC processes when you use the MYLO service, for what purposes, on what legal bases, and what rights you have. It is written to meet the requirements of the EU General Data Protection Regulation (GDPR) for our members in Germany, Austria, and the wider EU/EEA, and it also describes the rights of residents of California and other US states. Switzerland is outside the EU/EEA and is governed by its own data-protection law (the revised Swiss Federal Act on Data Protection, revFADP/nFADP); Swiss residents are addressed separately in Section 15. Mylo Technologies LLC is established in the United States; the company's authoritative contact and mailing address is set out in Section 1, and the address shown there corresponds to our Wyoming registered-agent address pending confirmation of the principal place of business (see also our Legal Notice / Imprint).
Last updated: June 5, 2026.
1. Controller and EU Representative
The controller responsible for processing your personal data is:
Mylo Technologies LLC
75 E 3rd St, Sheridan, WY 82801, USA
Email: support@never-economy-again.com [to complete: confirm]
Represented by: [to complete: Real name of the managing member from the Wyoming filing — do not invent; populate before publication.]
Note on the address: The address above corresponds to our registered-agent address in the State of Wyoming and may not be the company's physical place of business. [to complete: Confirm the authoritative contact / mailing address used across all our legal documents (Imprint, Privacy Policy, Terms, and Refund & Cancellation Policy), and replace this address with the confirmed monitored mailing address if different. The same address must be used consistently in all four documents.]
Representative in the EU pursuant to Art. 27 GDPR:
[to complete: Real name of the appointed EU Art. 27 representative established in an EU/EEA Member State — do not invent]
[to complete: Full address, EU/EEA Member State]
Email: [to complete: working representative contact email]
Art. 27 GDPR is mandatory for us as a US controller offering services to EU/EEA data subjects. This Policy must not be published while these representative fields remain placeholders; the representative must be appointed and mandated in writing under Art. 27(4) GDPR and recorded under Art. 30 GDPR before going live.
[to complete: If a Data Protection Officer has been appointed, provide name and contact details here. A DPO is not mandatory for every controller.]
2. What Data We Process
Depending on how you use MYLO, we process the following categories of personal data:
- Account data: name, email address, login credentials, and account settings.
- Payment data: your subscription status and billing information. Card and payment details are collected and processed directly by our payment processor, Stripe; we do not store full card numbers ourselves.
- AwardWallet linkage and points data: if you connect your frequent-flyer and points accounts via AwardWallet, we receive information such as your loyalty programs, miles and points balances, and related account details so that MYLO can give you personalized recommendations.
- Chat inputs and AI interaction data: the messages, questions, travel goals, preferences, and other free-text you enter into the MYLO chat, which are processed to generate AI responses and recommendations.
- Usage and technical data: log data, device and browser information, IP address, and information about how you use the web app, generated automatically when you access the service.
3. Purposes and Legal Bases of Processing
We process your personal data for the following purposes and on the following legal bases under Art. 6(1) GDPR:
- Providing the service (account, AI concierge, recommendations, AwardWallet-based personalization) and performing the subscription contract with you, including billing via Stripe: Art. 6(1)(b) GDPR (performance of a contract).
- Security, abuse prevention, service improvement, and analytics in aggregated or pseudonymized form: Art. 6(1)(f) GDPR (legitimate interests in operating, securing, and improving the service). You may object to processing based on legitimate interests as described below.
- Optional features that require your consent (for example certain non-essential cookies/analytics, or — only if and where we offer it — use of your inputs beyond providing the service): Art. 6(1)(a) GDPR (consent), which you may withdraw at any time with effect for the future.
- Compliance with legal obligations (for example tax and accounting retention): Art. 6(1)(c) GDPR.
4. Processors and Third-Party Services
We use carefully selected service providers that process personal data on our behalf as processors under Art. 28 GDPR, bound by data processing agreements:
- Stripe — payment processing for your monthly subscription. [to complete: confirm Stripe contracting entity and address.]
- AI / LLM provider — processing of your chat inputs to generate AI responses. [to complete: name and address of the AI/LLM provider and its contracting entity.]
- Hosting / infrastructure provider — operation of the web app and storage of data. [to complete: name and address of hosting provider.]
- [to complete: Any further subprocessors, e.g. email delivery, error monitoring, analytics — name and address.]
Use of chat inputs for AI model training: We instruct our AI/LLM provider to process your chat inputs solely to generate responses for you and to operate the service. [to complete: After the AI/LLM provider is selected, state definitively and truthfully whether your chat inputs are or are not used to train AI/LLM models, and on what basis (for example a contractual opt-out / no-training commitment, anonymization, or your separate, explicit consent), and name the provider and its contracting entity and address. If any training-related use occurs beyond providing the service, it must be covered by the Art. 6(1)(a) consent basis referenced in Section 3 and must be genuinely opt-in. Recommended default once confirmed, and only if literally true: "Your chat inputs are not used to train the AI provider's general models. Where any training-related processing occurs, it takes place only on an aggregated/anonymized basis or with your separate, explicit consent." This statement must be a definitive position before this Policy goes live, not a placeholder.]
5. Independent Third-Party Service: AwardWallet
When you connect your loyalty and points accounts through AwardWallet, AwardWallet acts as an independent (separate) controller with respect to the data you hold and manage in your AwardWallet account, not as our processor. Your use of AwardWallet is governed by AwardWallet's own terms and privacy policy.
We receive from AwardWallet only the points and account information needed to provide you with personalized recommendations, and we process that information as a controller for the purposes described in this Policy. Please review AwardWallet's privacy notice to understand how it handles your data. [to complete: link to AwardWallet privacy policy, if you wish to reference it.]
6. Special Categories of Data (Art. 9 GDPR)
MYLO does not request or require special categories of personal data (such as data revealing health, religion, or other sensitive matters under Art. 9 GDPR). However, because the MYLO chat accepts free-text input, it is possible for you to voluntarily include sensitive information in your messages.
We ask you not to enter special-category data unless necessary. If you do choose to include such information in your chat, you provide it voluntarily and, to the extent it is processed, you consent to its processing for the purpose of answering your request pursuant to Art. 9(2)(a) GDPR. You may withdraw this consent at any time with effect for the future.
7. Profiling and Automated Decision-Making
MYLO uses AI to analyze your inputs and your linked points balances in order to generate tailored travel and award recommendations. This involves a degree of automated processing and profiling within the meaning of the GDPR, but it is used only to inform and assist you.
MYLO does not make decisions producing legal effects concerning you, or similarly significantly affecting you, based solely on automated processing within the meaning of Art. 22 GDPR. All recommendations are non-binding suggestions; you remain free to decide whether and how to act on them, and you make and pay for any bookings yourself.
8. International Data Transfers (USA)
Mylo Technologies LLC is established in the United States, and some of our service providers may also process data in the USA or other countries outside the EU/EEA. Such transfers involve a transfer of personal data to a third country.
Where we transfer personal data to recipients outside the EU/EEA, we ensure an adequate level of protection through appropriate safeguards under Chapter V GDPR, in particular:
- Mylo Technologies LLC (USA): [to complete: safeguard, e.g. EU Standard Contractual Clauses (SCCs) with EU representative, and/or EU-US Data Privacy Framework certification status.]
- Stripe: [to complete: SCCs and/or Data Privacy Framework certification.]
- AI / LLM provider: [to complete: SCCs and/or Data Privacy Framework certification.]
- Hosting provider: [to complete: SCCs and/or Data Privacy Framework certification and processing location.]
You can request a copy of the relevant safeguards via the contact details above.
9. Retention
We retain personal data only for as long as necessary for the purposes described in this Policy:
- Account and AwardWallet linkage data: for the duration of your account; deleted or anonymized after account closure, subject to legal retention periods.
- Chat inputs and AI interaction data: [to complete: specify retention period, e.g. retained for the duration of your account / for X months, then deleted or anonymized.]
- Payment and billing records: retained for the period required by applicable tax and commercial law.
- Usage and log data: [to complete: specify retention period.]
When data is no longer required and no legal retention obligation applies, we delete or anonymize it.
10. Your Rights as a Data Subject (GDPR)
Subject to the conditions of the GDPR, you have the right to:
- Access your personal data (Art. 15);
- Rectification of inaccurate data (Art. 16);
- Erasure (Art. 17);
- Restriction of processing (Art. 18);
- Data portability (Art. 20);
- Object to processing based on legitimate interests (Art. 21); and
- Withdraw consent at any time, with effect for the future (Art. 7(3)), where processing is based on consent.
To exercise these rights, contact us at support@never-economy-again.com [to complete: confirm] or our EU representative named above. You also have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your residence, place of work, or place of the alleged infringement. [to complete: optionally name the lead supervisory authority for the EU representative's location.]
11. California and Other US State Privacy Rights (CCPA/CPRA)
If you are a resident of California, you have rights under the California Consumer Privacy Act, as amended by the CPRA, and residents of certain other US states may have comparable rights. These include the right to:
- Know / access the categories and specific pieces of personal information we have collected about you;
- Delete personal information we hold about you;
- Correct inaccurate personal information; and
- Opt out of the "sale" or "sharing" of personal information.
At present, Mylo Technologies LLC does not sell your personal information and does not share it for cross-context behavioral advertising as those terms are defined under California law. We will not discriminate against you for exercising your rights. To make a request, contact us using the details above; [to complete: describe verification process and any authorized-agent procedure.]
Conditional note on future analytics/advertising tools: The 'we do not sell / do not share' statement above applies only for so long as it is literally true. Under the CPRA, certain analytics or advertising cookie/tracking activity can itself constitute a 'sale' or 'sharing.' [to complete: If advertising or analytics tools that qualify as a 'sale' or 'sharing' under the CPRA are introduced (cross-check against the cookie/analytics tools listed in Section 12 once those placeholders are filled), this Policy will be updated, the statement above corrected, and a clear 'Do Not Sell or Share My Personal Information' opt-out link/mechanism will be provided.]
12. Cookies and Tracking
We use cookies and similar technologies that are strictly necessary to operate the web app, log you in, and keep the service secure; these are used on the basis of our legitimate interest and your contract with us.
Any non-essential cookies or analytics/tracking technologies are used only with your prior consent (Art. 6(1)(a) GDPR; § 25 TTDSG / national ePrivacy implementations), which you can give or decline and later change at any time. [to complete: list the specific cookies/analytics tools and provider details, or reference your cookie consent banner/settings. Once filled, cross-check this list against the CCPA/CPRA statement in Section 11 — if any listed tool qualifies as a 'sale' or 'sharing' under the CPRA, update Section 11 and provide a 'Do Not Sell or Share My Personal Information' opt-out.]
13. Data Security
We use appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, and alteration, including encryption in transit, access controls, and the use of reputable service providers. [to complete: summarize key security measures actually in place.] No method of transmission or storage is completely secure, but we continuously review and improve our safeguards.
14. Contact
For any questions about this Privacy Policy or to exercise your rights, contact:
Mylo Technologies LLC — Privacy
75 E 3rd St, Sheridan, WY 82801, USA [to complete: use the same authoritative contact/mailing address confirmed in Section 1 and the Imprint; if the Wyoming address is only the registered-agent address, replace it here with the confirmed monitored address so this matches all other documents]
Email: support@never-economy-again.com [to complete: confirm or provide a dedicated privacy email]
EU representative (Art. 27 GDPR): [to complete: real name and contact of the appointed representative — must be populated before publication]
We may update this Privacy Policy from time to time. The version published on this page with the "Last updated" date above applies.
15. Swiss Residents (revFADP/nFADP)
Switzerland is not part of the EU/EEA and is governed by its own data-protection regime, the revised Swiss Federal Act on Data Protection (revFADP/nFADP), rather than by the GDPR. If you are resident in Switzerland, the descriptions of processing purposes, data categories, recipients, retention, and security in this Policy apply to you, and you have rights of access, rectification, erasure, and objection comparable to those described above, exercisable under Swiss law.
You may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC). [to complete: If our processing of Swiss residents' data meets the thresholds requiring a representative in Switzerland under Art. 14 revFADP, appoint and name a Swiss representative here with full address and contact details, and confirm the legal basis on which Swiss residents' data is transferred to the USA. Resolve before offering the service to Swiss consumers.]
