Privacy Policy

**Last updated: 1 June 2026**

This Privacy Policy explains what personal data we collect when you use

the Plany mobile app or the website at https://plany.travel (together,

the "Service"), why we collect it, who we share it with, and the choices

you have.

The data controller is Loopsware SA,

("Plany", "we", "us", or

"our"). You can contact us at any time at

[support@plany.travel](mailto:support@plany.travel) for privacy-related

questions or to exercise the rights described below.

This policy should be read alongside our [Terms of Service](https://plany.travel/terms).

--

## 1. Summary

We collect the data you give us when you sign in, plan trips, save

spots, capture stamps, chat with our AI assistant, or share content with

other users — plus a limited amount of technical and usage data we need

to operate the Service securely and to improve it.

We do **not** sell your personal data, and we do **not** use your trip

content for advertising.

Photos you capture for stamps stay on your device unless you explicitly

share them; we never upload them to our servers.

You can permanently delete your account and all associated data from

inside the app at any time (Profile → Account → Delete Account).

## 2. The Data We Collect

### 2.1 Account and Identity Data

When you sign in with Google or Apple, our authentication provider

(Clerk) shares the following with us:

- your email address;

- your name (first and last, where the provider supplies it);

- your profile picture (where the provider supplies it);

- a unique sign-in identifier; and

- the provider you used (Google or Apple).

We do not receive or store your provider password.

### 2.2 Content You Create

The Service stores the content you create or generate, including:

- travel plans (destination, dates, day-by-day activities, AI-suggested

spots, budget estimates);

- saved spots (place name, city, country, coordinates, the source URL

of the social-media post you imported the spot from, where

applicable);

- visited-country and stamp records (country, date, the metadata

associated with each stamp such as the trip title and location);

- chat history from our AI assistant (your messages and the assistant's

responses);

- share tokens you generate to let other people view a trip.

**Stamp photos:** Photos you take or pick for a stamp are stored on

your device only. They are never uploaded to our servers. The stamp

record on our servers contains the title, location, and date of the

stamp — not the photo itself.

### 2.3 Subscription Data

If you purchase a Plany Pro subscription, our subscription provider

(RevenueCat) and the Apple App Store or Google Play share with us:

- your subscription tier (Pro or free);

- the active subscription status (e.g. active, cancelled, expired);

- the product identifier (monthly or yearly);

- the renewal or expiry date.

We do **not** receive your full payment-card details or Apple ID / Google

account password — billing is handled entirely by the App Store or Play

Store.

### 2.4 Imported Content

When you share a social-media post (currently TikTok, Instagram, or

YouTube) into Plany, we send the URL and your authentication token to

our backend, which uses a third-party scraping provider

(ScrapeCreators) to fetch the public post metadata (title, author

handle, thumbnail, transcript or caption text). That data is then

processed by an AI model to extract suggested spots.

We do **not** download or re-host the original video. The thumbnail URL

and post URL are stored alongside the resulting spot so that the

"Saved from" attribution and the "View on X" link work.

### 2.5 Location Data

To return relevant search results, the Service may use the approximate

location associated with a destination you type or a trip you create

(handled by Mapbox). The Service does **not** request continuous

background location access. When the app uses your device's foreground

location (for example, to bias spot search), it only does so while the

app is open and only if you grant the OS-level permission.

### 2.6 Notifications Data

If you grant notification permission, the operating system provides us

with a push token that we store so we can send you trip reminders and

service notifications. Your reminder preferences (timing, on/off) are

stored alongside your account.

### 2.7 Analytics and Technical Data

We use PostHog to understand how the Service is used, identify bugs,

and measure feature performance. The events we collect include:

- when you sign in, create a trip, save a spot, capture a stamp, open

the AI chat, or view the paywall;

- coarse attributes such as the language you have set, the platform

you're on (iOS or Android), the app version, and the timezone of

the destinations you plan trips for;

- a stable identifier derived from your Clerk user ID, so that we can

understand activity across sessions and devices.

We do not include the content of your chats, the names of your spots,

or your stamp photos in analytics events.

If you opted out at the OS level (Apple's "Allow Apps to Request to

Track" prompt, Android's advertising-ID controls), we honour that

signal.

### 2.8 Diagnostic and Crash Data

We collect basic crash and error data via our backend logs so we can

fix bugs. These logs include the date and time, the device family,

the app version, the user identifier associated with the request, and

the technical details of the error.

## 3. How We Use Your Data

We use the data described above to:

- create and maintain your account;

- generate AI itineraries and chat responses tailored to your input;

- import and display spots from links you share;

- store and display your trips, stamps, and share links;

- charge and manage your Plany Pro subscription;

- send the notifications you have asked for;

- detect, prevent, and respond to abuse, fraud, or technical issues;

- improve the Service (debugging, performance, feature decisions);

- communicate with you about updates, security, or support requests;

- comply with our legal obligations.

We do **not** use your trips, spots, stamps, or chat content for

behavioural advertising, and we do **not** sell personal data to data

brokers.

## 4. Legal Bases (EEA, UK, Switzerland)

If you are in the European Economic Area, the United Kingdom, or

Switzerland, we rely on the following legal bases under the GDPR / UK

GDPR:

| Purpose | Legal basis |

|--------|-------------|

| Providing the Service (account, trips, spots, stamps, chat) | Performance of a contract (Art. 6(1)(b)) |

| Charging your subscription | Performance of a contract (Art. 6(1)(b)) |

| Sending product notifications you opted into | Consent (Art. 6(1)(a)) |

| Analytics, crash reporting, security | Our legitimate interests in running and improving the Service (Art. 6(1)(f)) |

| Complying with tax, accounting, and legal obligations | Legal obligation (Art. 6(1)(c)) |

You can withdraw consent at any time by changing your in-app settings

or by emailing us. Withdrawal does not affect processing already

performed.

## 5. Sharing Your Data

We share personal data only with the following categories of recipients

and only to the extent necessary:

| Recipient | Purpose | Data shared |

|-----------|---------|-------------|

| **Clerk** | Authentication, identity | Email, name, profile picture, sign-in identifier |

| **RevenueCat** | Subscription management | Subscription identifier, anonymised user ID |

| **Apple App Store / Google Play** | Payment processing for subscriptions | Information they require to bill your account |

| **Mapbox** | Mapping, geocoding, search suggestions | Approximate location for queries you initiate, search terms |

| **ScrapeCreators** | Fetching public social-media post metadata | The URL you shared |

| **PostHog** | Product analytics, crash reporting | Pseudonymous identifier and event metadata described in §2.7 |

| **Railway / our infrastructure host** | Hosting backend services and storing your data | All data described in §2 above |

| **Public share-link recipients** | Letting other users view a trip you chose to share | The trip content you chose to share, until you disable the link |

We do not share personal data with any other third party except where

required by law, where you direct us to, or where we transfer the

business (in which case the new operator will be bound by this policy

or a successor policy with equivalent protections).

## 6. International Data Transfers

Some of the providers listed above process data in countries outside

your country of residence, including the United States. Where required

by law (in particular under the GDPR / UK GDPR), we rely on appropriate

safeguards such as the European Commission's Standard Contractual

Clauses or equivalent mechanisms, supplemented as needed to address

the specific recipient country.

## 7. Data Retention

We retain personal data for as long as your account is active and for

a short period afterwards so we can handle billing, security, and

legal-compliance matters.

- **Account data, trips, spots, stamps, chat history:** retained until

you delete the corresponding item or your account.

- **Subscription records:** retained for at least 7 years after your

last transaction to comply with accounting and tax obligations.

- **Analytics events:** retained for up to 18 months in identifiable

form, then aggregated.

- **Backend logs (crash, debug, security):** retained for up to 90

days, then deleted.

When you delete your account, the corresponding rows in our database

are removed transactionally. Backups that include earlier copies are

cycled out within 30 days. Trips you previously shared with other users

remain in their accounts unless they delete them.

## 8. Your Rights

Regardless of where you live, you have the right to:

- **access** the personal data we hold about you;

- **rectify** inaccurate or incomplete data;

- **delete** your data (use the in-app Delete Account flow or email

us);

- **export** your data in a portable format; and

- **object to or restrict** certain processing.

If you are in the EEA, UK, or Switzerland, you additionally have the

right to lodge a complaint with the supervisory authority in your

country.

If you are in California, you additionally have the rights described

in §9 below.

To exercise any of these rights, email

[support@plany.travel](mailto:support@plany.travel). We will respond

within the time allowed by applicable law (within 30 days under the

GDPR, 45 days under the CCPA). We may need to verify your identity

before acting on a request.

## 9. California Residents

If you are a California resident, the California Consumer Privacy Act

(as amended by the California Privacy Rights Act) gives you additional

rights to:

- know what personal information we collect, use, and disclose;

- correct inaccurate personal information;

- delete personal information we have collected from you;

- opt out of the "sale" or "sharing" of personal information; and

- limit the use of sensitive personal information.

**We do not sell or share personal information** as those terms are

defined under the CCPA. We do not use sensitive personal information

for purposes that would trigger the right to limit use.

To exercise any CCPA right, email

[support@plany.travel](mailto:support@plany.travel). You can also

designate an authorised agent to make a request on your behalf.

We will not discriminate against you for exercising your rights.

## 10. Children's Privacy

The Service is not directed to children under 13, and we do not

knowingly collect personal data from anyone under 13. If you believe a

child under 13 has provided personal data to us, please email

[support@plany.travel](mailto:support@plany.travel) and we will delete

the data promptly.

## 11. Security

We use industry-standard administrative, technical, and physical

safeguards to protect personal data, including encryption in transit

(HTTPS / TLS), short-lived authentication tokens, scoped database

access, and routine review of our infrastructure providers. No system

can guarantee absolute security; if we ever experience a breach that

affects you, we will notify you in accordance with applicable law.

## 12. Local Storage

The mobile app uses secure on-device storage (Keychain on iOS,

Keystore-backed storage on Android) to keep authentication tokens, the

onboarding-complete flag, language preference, and other small state

between launches. This data does not leave your device.

The website at https://plany.travel uses only the minimum cookies and

local storage required to operate. We do not place advertising or

cross-site-tracking cookies.

## 13. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last

updated" date at the top of this page will reflect the most recent

revision. Where the change is material, we will give you advance notice

in the app or by email where reasonably possible. Continuing to use the

Service after the change takes effect constitutes acceptance of the

updated policy.

## 14. Contact

Loopsware SA

San Carlos #122A, El Rosario León Guanajuato

Email: team@plany.travel