Farside is the data controller for the information you share with us.
Farside is an editorial travel publication and digital passport service operated from Hong Kong. When you submit an enquiry through farside.earth, sign up for the Farside Passport, or subscribe to the journal, Farside acts as the "data controller" for your personal data — meaning we decide what data is collected and how it is used.
This policy is written to comply with the principal data protection regimes that apply to our readers and users: the European Union's General Data Protection Regulation (GDPR), the United Kingdom's UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act (CCPA) and its amendments (CPRA), Hong Kong's Personal Data (Privacy) Ordinance (PDPO), and Brazil's Lei Geral de Proteção de Dados (LGPD). Where any of these regimes grants you stronger rights than another, we apply the stronger right.
Where a particular section applies only in certain jurisdictions, we say so explicitly.
Every Farside surface, but not the operators we introduce you to.
This policy covers all personal data processed by Farside in connection with: the farside.earth website and any subdomain we operate, the Farside Passport progressive web app, the Farside journal email broadcasts, the Farside podcast (where it collects identifying analytics), and any enquiry, subscription, or account interaction with us.
This policy does not cover the privacy practices of independent travel operators we may introduce you to. When you submit an enquiry to a Farside-listed operator, your details are passed to that operator, who becomes a separate data controller for their handling of your information from that point forward. We strongly recommend reading the operator's own privacy notice before you book.
This policy also does not cover third-party websites that link to or from Farside. We are not responsible for the privacy practices of any site we link to.
Only what we need to deliver each part of the service.
We have grouped what we collect by the surface where it's collected, so you can see exactly which of your interactions with Farside gives rise to which data. Items marked optional are only collected when you actively choose to provide them.
When you visit the Farside website
- Server log data. Your IP address, browser type and version, operating system, the URL you requested, the page you came from (referrer), and the date and time. Standard server logs that exist on every website on the internet. We use these for security, abuse prevention, and basic analytics.
- Coarse geolocation. A two-letter country code derived from your IP address by our hosting provider. We never derive city-level or street-level location from your IP.
- Analytics events (marketing pages only). When you visit pages outside the Passport (the journal, destination pages, operators page), Google Analytics 4 records anonymised page views, scroll depth, and audio playback events. The Passport itself uses a separate, privacy-respecting analytics path that does not load Google's scripts.
When you submit an enquiry to a Farside-listed operator
- Your name, email address, country of residence, and the message you typed. Used to forward the enquiry to the operator and to follow up with you if needed.
- The destination and travel-window details you specify. Used to route the enquiry to the correct operator and to inform our editorial planning of which destinations are in demand.
- An email-verification check. We verify that your email address is real and reachable (via a third-party verification service, Hunter.io) before forwarding the enquiry, so operators are not flooded with bot-generated submissions. We store the verification result (deliverable / risky / undeliverable), not the email's reputation history.
When you subscribe to the Farside journal
- Your email address and (optionally) your first name. Stored with our email service provider (Resend) and in our internal subscriber database (Airtable). Used to deliver the weekly journal and any administrative emails about your subscription.
- Subscription state. Whether you have confirmed your subscription, whether you've unsubscribed, whether messages have bounced, and the date of each state change. Used to manage list hygiene and to honour unsubscribe requests.
When you sign up for the Farside Passport
- Your email address. Used as the unique identifier for your account and to send sign-in links.
- Your chosen username and display name (optional). Used to identify you to friends you connect with and, if you opt into a public profile, to anyone who knows your username.
- Your home country (optional). A two-letter ISO country code you choose. Used to compute travel-distance and carbon-footprint statistics shown only to you.
- Visit data. The countries, regions, and cities you mark as visited; the years of those visits (optional); the wishlist destinations you star. Used to render your Passport and, if you opt in, to share specific dimensions with friends you connect with.
- Friend connections. The other Passport users you have accepted as friends, and the privacy choices you have made for each friend (whether to share year-of-visit information with them).
- Phone-number hash (optional, only if you opt into contact discovery). A one-way SHA-256 hash of your phone number, never the raw number. Used to let your existing phone contacts find you on Farside if they search for your number's hash. The raw phone number never leaves your device.
- Session and authentication data. A randomly generated session identifier (cookie), an internal record of when your session was created and last refreshed, the user-agent string of the device you signed in from, and the country code of your sign-in IP. Used to keep you signed in and to flag suspicious sign-in patterns in the audit log.
- Push-notification subscription details (optional, only if you opt into push notifications). The cryptographic endpoint and keys your browser supplies for delivering push notifications. We do not see your device identity beyond this endpoint.
- Pro subscription state (if you subscribe to Farside Pro or Pro+). Your subscription tier, billing status, renewal date, and the Stripe customer identifier linking your account to your payment record at Stripe. We never see or store your card number or full payment details — those live with Stripe.
An audit log of important security events
- Security events linked to your account. Sign-in attempts, account changes, friend-connection events, and similar security-relevant actions. Each row records your user ID, the event type, an IP-country code, a truncated IP address (the first 24 bits for IPv4, first 4 groups for IPv6 — not your full IP), and a short JSON blob describing the event. Used to investigate abuse, support disputes, and respond to law-enforcement requests where legally required.
Each piece of data has a single, narrow purpose.
We do not repurpose your data for uses you wouldn't expect from the context in which you provided it. Specifically, we use your data:
To deliver the service you signed up for. Account creation, sign-in, displaying your Passport, processing enquiries to operators, sending you the journal, processing Pro subscriptions, and similar operational uses.
To keep the service secure. Detecting and blocking abuse (rate limiting, bot detection, repeated sign-in attempts from suspicious IPs); preventing fraud; investigating support requests; honouring our legal obligations to retain certain transactional records.
To respond to you. When you write to us, when you submit an enquiry, when you request your data, when you ask to delete your account.
To improve Farside. Aggregate, non-identifying analytics — how many people visited a destination page this week, how many users have marked a country, etc. We never link these aggregates to individual identifiable users.
To send marketing communications you have consented to. The weekly journal email, if you've subscribed. You can opt out at any time.
We do not sell or rent your data to third parties, build advertising profiles, share it with data brokers, or use your data for any purpose not listed in this section.
A note on machine learning. We may, in the future, train internal classification or recommendation models on Passport visit data — for example, to power features like travel-personality summaries, destination suggestions based on your travel history, or to surface relevant friend overlap. Any such training would be done in-house, on aggregated or pseudonymous data where feasible, and would never involve sharing your personal data with external AI providers for their own model training. Before introducing any new processing of this kind, we will update this policy and, where required by law, ask for your explicit consent. You can object to this processing at any time by writing to us.
Why we are legally allowed to process your data.
Under GDPR, UK GDPR, and similar regimes we are required to identify a lawful basis for each category of processing. Ours are:
| Processing activity | Legal basis |
|---|---|
| Creating and operating your Passport account (sign-in, visit storage, friend graph, Pro subscription) | Contract — processing is necessary to deliver the service you signed up for. |
| Forwarding your enquiry to an operator | Contract — you submitted the enquiry because you want the operator to respond. |
| Sending you the journal email | Consent — you double-opted in. You can withdraw consent any time via the unsubscribe link in every email. |
| Push notifications | Consent — you actively granted browser permission. You can revoke at any time in your browser settings. |
| Optional features (public profile, contact discovery, year-of-visit sharing) | Consent — you explicitly toggled them on. |
| Security logging, rate limiting, abuse detection | Legitimate interest — protecting the service and our users from abuse, fraud, and unauthorised access. We've weighed this against your privacy expectations and concluded it is reasonable. |
| Aggregate analytics | Legitimate interest — understanding how Farside is used so we can improve it. Data is aggregated and not linked to individual identifiers. |
| Retaining payment / transactional records | Legal obligation — tax, accounting, and consumer-protection laws require us to keep certain records for defined periods. |
If you have any questions about our legal basis for a specific processing activity, please contact us using the address at the foot of this page.
A complete list of every third party that touches your data, and why.
We use a small number of carefully selected service providers ("processors") to operate Farside. Each one has a contractual obligation to process your data only on our instructions, to keep it secure, and to delete it when we instruct them to. We do not share your data with anyone outside this list, and we never sell your data.
| Service provider | What they do for Farside | What data they see |
|---|---|---|
| Netlify, Inc. (United States) | Website hosting and edge functions. | Your IP address, browser request data, and the data you send through forms or the Passport API while it is in transit and being processed by our serverless functions. |
| Turso / chiselstrike (United States, EU regions) | Database hosting for the Passport (libSQL). | Your Passport account record, visits, wishlist, friend graph, audit log entries, and Pro subscription state. |
| Resend, Inc. (United States) | Transactional email delivery (sign-in links, journal broadcasts, account notifications). | Your email address, first name (if provided), email send-and-open events, bounce / complaint events. |
| Airtable, Inc. (United States) | Internal operational database for subscribers, enquiries, operator pipeline, and editorial planning. | Your email and name when you subscribe or submit an enquiry; your enquiry message and destination details; your subscription state. |
| Stripe, Inc. (United States) — only if you subscribe to Pro | Payment processing for Farside Pro and Pro+ subscriptions. | Your billing details and card information — held by Stripe, not by us. We see only the Stripe customer identifier and the subscription state. |
| Hunter.io (France) — enquiry forms only | Email-address verification on enquiry submissions. | Your email address (at the moment of verification only). |
| Cloudflare, Inc. (United States) — bot detection on forms | Cloudflare Turnstile bot-detection challenge on enquiry and Pro signup forms. | Anonymised request metadata; Cloudflare does not see your form contents. |
| Make.com (Czech Republic, EU) | Internal workflow automation (notifies us of new enquiries, syncs editorial pipeline). | Enquiry metadata; not the body of editorial drafts. EU-hosted infrastructure. |
| Google LLC (United States) — marketing pages only | Google Analytics 4 on non-Passport pages (journal, destinations, operators page). | Anonymised page-view events, scroll depth, audio playback events. The Passport itself does not load Google Analytics. |
| Apple, Inc. and Google LLC (United States) — push notifications only | Apple Push Notification service and Firebase Cloud Messaging deliver Web Push messages to your device. | The cryptographic push endpoint your browser supplied; the notification payload (encrypted). |
We may also disclose your data to law-enforcement authorities, regulators, courts, or other public bodies if we are legally required to do so — for example in response to a valid subpoena or court order, or to investigate fraud, security incidents, or violations of our terms. In any such case we will only disclose the minimum required by law and, where legally permissible, we will notify you in advance.
If Farside is acquired by or merged with another company, your data may be transferred as part of that transaction. In that case we will notify you in advance and you will have the opportunity to delete your account before the transfer takes effect.
Your data may be processed outside your home country.
Because Farside is operated from Hong Kong and our service providers are headquartered in the United States, the European Union, and elsewhere, your personal data is necessarily transferred across international borders during normal operations.
For transfers of personal data of users in the European Economic Area, United Kingdom, or Switzerland to countries that have not been deemed to provide an "adequate level of protection" by the European Commission, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the United Kingdom's International Data Transfer Addendum, where required, with our service providers. Copies of these clauses are available on request.
For users in California, we rely on contractual safeguards with our service providers consistent with the CCPA's requirements for cross-border processing.
For users in Hong Kong, transfers comply with the PDPO's data-transfer requirements via comparable contractual protections, and we observe the recommendations of the Office of the Privacy Commissioner for Personal Data (PCPD) on cross-border data flows.
We keep data only as long as we need it.
Different categories of data have different retention periods, reflecting how long each category is useful or legally required. After the period expires we delete or fully anonymise the data.
| Data category | Retention period |
|---|---|
| Passport account data (visits, wishlist, friends, profile) | Until you delete your account. Triggered by you, or after 36 months of complete inactivity if you do not respond to a final reminder email. |
| Sign-in / magic-link tokens | 15 minutes (until used or expired), then deleted from the database within 24 hours. |
| Session records | 90 days from last use, sliding window. Deleted on sign-out or account deletion. |
| Audit log entries | 90 days for routine events; 12 months for security-significant events (sign-in anomalies, account changes, fraud-related events). |
| Journal subscribers | Until you unsubscribe, then we retain a one-way hash of your email for 24 months for the sole purpose of honouring future unsubscribe requests if our list is ever shared with an inheritor. |
| Enquiries submitted to operators | 24 months, then deleted. The operator has their own retention policy from the moment we forward to them. |
| Pro subscription and payment records | 7 years after subscription end, as required by tax and accounting law. |
| Anonymised aggregate analytics | Retained indefinitely — this data is fully anonymised and cannot be linked back to an individual. |
If you exercise your right to deletion (described below) we will delete your data sooner than the schedule above, except where we are legally required to retain a record — for example tax or fraud-investigation records. In those cases we will tell you what is being retained and why.
You have substantial rights over your data, and exercising them is free.
Depending on where you live, you have some or all of the following rights. We honour all of these rights for all users regardless of jurisdiction.
| Right | What it means |
|---|---|
| Access | Ask us for a copy of the personal data we hold about you, and information about how it is being processed. |
| Rectification | Ask us to correct inaccurate or incomplete data. |
| Erasure ("right to be forgotten") | Ask us to delete your data. We will do so unless we have a compelling legal obligation to retain it. |
| Portability | Ask us to give you a machine-readable copy of the data you provided to us (JSON or CSV), so you can take it elsewhere. |
| Restriction | Ask us to stop using your data for certain purposes while we investigate a concern. |
| Objection | Object to processing based on our legitimate interests. We will weigh your objection and either honour it or explain why we are continuing. |
| Withdraw consent | For any processing based on consent (newsletter, push notifications, optional features), you can withdraw your consent at any time without affecting the legality of any processing that happened before. |
| Non-discrimination | We will not discriminate against you for exercising any of your privacy rights. We will not lock you out of features, charge you more, or degrade your service. |
| Lodge a complaint | If you believe we have mishandled your data, you have the right to complain to a data-protection supervisory authority (see below). |
How to exercise these rights
Three options, all free:
1. Inside the Farside Passport, go to your account menu. Most rights are exercisable directly — "Edit profile" handles rectification, "Export my data" handles portability, "Delete my account" handles erasure.
2. By email to privacy@farside.earth. Tell us which right you wish to exercise and we will respond within 30 days (sometimes sooner). For complex requests we may extend this by up to two additional months under GDPR, but we will tell you if we need to.
3. Through a designated agent. California residents may designate an authorised agent to make a request on their behalf. We will require reasonable verification of the agent's authority.
If you live in the European Economic Area or United Kingdom
You can lodge a complaint with the data-protection supervisory authority in your country of residence. A list is maintained by the European Data Protection Board. In the UK, that authority is the Information Commissioner's Office (ICO).
If you live in California
Under the CCPA / CPRA you have specific rights to know, delete, correct, and opt out of any "sale" or "sharing" of your personal information. Farside does not sell or share personal information for advertising purposes. Nonetheless, you may submit a verifiable consumer request to privacy@farside.earth; we will respond within the periods set by California law.
If you live in Hong Kong
You can lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD).
What we store on your device, and what it does.
We store a small amount of information on your device to make Farside work. We do not use third-party advertising cookies, social-media cookies, or cross-site tracking pixels.
Strictly necessary cookies (Passport only)
When you sign in to the Farside Passport, we set a single HTTP cookie containing a random session identifier. The cookie is HttpOnly (not accessible to JavaScript), Secure (only sent over HTTPS), SameSite=Lax (withheld from cross-site requests other than top-level navigations such as following a link to Farside), and expires 90 days after your last activity. Without this cookie you cannot stay signed in — it is "strictly necessary" within the meaning of the EU ePrivacy Directive, and no consent is required to set it.
Local storage and IndexedDB (Passport only)
The Passport stores your visit data, wishlist, draft sort-order preferences, and similar interface state in your browser's local storage. This data lives on your device only; it syncs to our server when you are signed in but is otherwise local. Clearing your browser's site data will clear this without affecting the server-side record.
Analytics cookies (marketing pages only)
Pages outside the Passport (the journal, destination pages, the operators page, the home page) load Google Analytics 4, which sets cookies in your browser to measure page views, scroll depth, and similar engagement metrics. We use IP-anonymisation and have configured GA4 not to share data with Google's other products for advertising. If you would prefer not to be measured at all, you can install the Google Analytics opt-out browser add-on, or block analytics in your browser settings.
No advertising, no third-party trackers
We do not run advertising on Farside. We do not embed Facebook pixels, TikTok pixels, LinkedIn Insight tags, or any similar advertising trackers. We do not share data with data brokers. We do not participate in retargeting networks.
If you don't want the journal, we'll stop sending it the moment you click unsubscribe.
The only marketing email we send is the Farside journal — one weekly editorial issue, plus occasional administrative messages about your subscription. Every journal email has an "unsubscribe" link in the footer. Clicking it removes you immediately and notifies our internal database so we never email you again.
If you experience any difficulty unsubscribing, email hello@farside.earth and we will remove you manually within one business day.
If you have a Passport account, marking the "Receive editorial updates" preference as off in your account settings has the same effect as unsubscribing from the journal.
Farside is not intended for users under 16.
The Farside Passport, the enquiry forms, and the journal subscription are intended for adults. We do not knowingly collect personal data from anyone under the age of 16 (in the European Economic Area) or under the age of 13 (in the United States). If we learn that we have inadvertently collected personal data from a child, we will delete it as soon as possible.
If you believe a child has provided us with personal data, please contact us at privacy@farside.earth and we will investigate and delete promptly.
Concrete measures, not vague reassurances.
Security is a moving target and no system is perfectly secure. Within the limits of that reality, the following are the specific safeguards we use:
Encryption in transit. Every connection to farside.earth is over HTTPS with modern TLS. We also use HSTS to instruct browsers to refuse plain-HTTP connections.
Encryption at rest. Our service providers (Netlify, Turso, Resend, Airtable, Stripe) encrypt customer data on disk by default.
Passwordless authentication. Farside Passport uses single-use magic-link sign-in tokens. No passwords means no password-reuse attack surface. Tokens are stored as one-way SHA-256 hashes in our database, so a database leak cannot be reversed into valid sign-in links.
Rate limiting. Sign-in attempts, friend invites, contact-discovery requests, and form submissions are all rate-limited per user and per IP to prevent brute-force and enumeration attacks.
CSRF and origin checks. Every state-changing API request must come from a same-origin browser context. Cross-site request forgery is blocked at the function level.
Web Application Firewall. Netlify's edge layer blocks common attack patterns (SQL injection probes, automated scanners, known-bad IP ranges).
Webhook signature verification. Inbound webhooks from Resend, Stripe, and similar services are cryptographically verified before being processed, so an attacker cannot forge a "user unsubscribed" or "subscription cancelled" event.
Audit logging. Security-relevant actions are logged with timestamps, IP-country codes, and truncated IP addresses so we can investigate incidents quickly.
Principle of least privilege. Only the people who genuinely need access to a given system have access to it. We do not maintain ad-hoc shared logins; every team member accesses systems under their own credentials.
Annual security audit. Farside performs a written security audit of its codebase and infrastructure at least annually, and acts on any High-severity findings within 30 days.
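The passwordless-authentication safeguard above, combined with the 15-minute token lifetime from the retention table, shown as an added example that is not Farside's own code. The `MagicLinkStore` class, its in-memory table, and its field names are assumptions made for illustration.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(minutes=15)  # token lifetime stated in the retention table


def _digest(raw_token: str) -> str:
    # Plain SHA-256 is adequate here because the input is a 256-bit random
    # token, not a human-chosen secret, so it cannot be guessed offline.
    return hashlib.sha256(raw_token.encode("ascii")).hexdigest()


class MagicLinkStore:
    """In-memory stand-in for a sign-in token table (hypothetical schema)."""

    def __init__(self):
        self._rows = {}  # sha256 hex digest -> {"email", "expires_at", "used_at"}

    def issue(self, email: str, now: datetime) -> str:
        """Create a token; only its digest is stored, the raw value is emailed."""
        raw = secrets.token_urlsafe(32)
        self._rows[_digest(raw)] = {
            "email": email,
            "expires_at": now + TOKEN_TTL,
            "used_at": None,
        }
        return raw

    def redeem(self, presented: str, now: datetime):
        """Return the account email if the token is valid, else None."""
        row = self._rows.get(_digest(presented))
        if row is None:
            return None          # unknown token, or a stored digest replayed
        if row["used_at"] is not None:
            return None          # single-use: already redeemed
        if now >= row["expires_at"]:
            return None          # past the 15-minute window
        row["used_at"] = now     # burn the token before creating a session
        return row["email"]

    def purge(self, now: datetime) -> int:
        """Delete used or expired rows; run on a schedule (at least daily)."""
        dead = [d for d, r in self._rows.items()
                if r["used_at"] is not None or now >= r["expires_at"]]
        for d in dead:
            del self._rows[d]
        return len(dead)

    def stored_digests(self):
        """What a database leak would expose: digests only, never raw tokens."""
        return list(self._rows)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    store = MagicLinkStore()
    link_token = store.issue("reader@example.com", t0)      # constructed address
    leaked = store.stored_digests()[0]
    print("leaked digest accepted:", store.redeem(leaked, t0) is not None)
    print("first use:", store.redeem(link_token, t0 + timedelta(minutes=5)))
    print("second use:", store.redeem(link_token, t0 + timedelta(minutes=6)))
```

Presenting a leaked digest fails because `redeem` hashes whatever it receives, so the digest would have to be a SHA-256 preimage of itself to match a row.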
We will tell you, and quickly.
If a security breach affects your personal data in a way likely to result in a risk to your rights or freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33).
If the breach is likely to result in a high risk to you, we will also notify you directly, in plain language, without undue delay (GDPR Article 34). The notification will describe what happened, what data was involved, what we are doing in response, and what steps you can take to protect yourself.
We maintain an internal incident-response plan and review it after each material incident.
We do not make significant decisions about you using only automation.
Farside does not use any fully automated decision-making (with no human involvement) that produces legal or similarly significant effects on you, within the meaning of GDPR Article 22.
Some service surfaces are personalised by simple logic — for example the Passport may suggest destinations that overlap with your friends' wishlists, or surface a travel-personality summary based on your visit history. These are presentational features only. They do not create legal effects, do not restrict access to any service, and do not result in any consequential decision being made about you.
If we ever introduce automated decision-making with legal or significant effects, we will update this policy in advance and seek your consent where required.
We'll tell you before any material change.
We may update this policy from time to time as Farside evolves, as we add new services or service providers, or as the legal landscape changes. Every revision will be dated at the top of this page and assigned a version number.
For material changes — meaning changes that affect how your data is collected, used, shared, or retained — we will notify you in advance by email (if you have an account) and by a banner on farside.earth. You will have a reasonable opportunity to review the changes before they take effect, and to delete your account if you object.
Past versions of this policy are retained internally and can be made available on request.
One inbox for all data-protection matters.
For any question, concern, or request related to this policy or to the personal data we hold about you:
Email: privacy@farside.earth
General contact: hello@farside.earth
Operating entity: Farside, operated from Hong Kong.
We aim to respond to all data-protection requests within seven calendar days and to resolve them within 30 days. Where local law sets shorter or longer response windows we comply with whichever provides the stronger right.
If you are not satisfied with our response, you have the right to lodge a complaint with the data-protection supervisory authority in your country, as described in section 9 above.