Privacy Policy — Vacationist

1. Who We Are

Vacationist is operated as a personal side project by Gary Lude, based in Switzerland (hereinafter "we", "us", or "the developer").

Contact: meetdeep.de@gmail.com

This privacy policy applies to the Vacationist mobile application ("the App") available on the Google Play Store.

2. Data We Collect

We collect only the data necessary to provide the service.

Account Information

Name and email address (provided via Google Sign-In or magic link)
Google account profile picture (optional, only if you sign in with Google)
Preferred locale and timezone (set during onboarding)

Trip & Planning Data

Trip names, dates, destinations, and member lists
Activities, votes, expenses, shopping lists, notes, accommodations, and transfer details you create
Invitation links you generate or use

Travel Documents

      Travel document details (passport or national ID number, expiry date, issuing country) are stored exclusively in encrypted form using AES-256 encryption (pgcrypto). The data is never stored in plain text, is never accessible to us, and is only decryptable on your device after biometric authentication.
    

Device Data

Push notification token (to send you in-app notifications; stored until you sign out or uninstall)
IP address (collected by Supabase infrastructure at the network level, not stored by us in application data)

3. How We Use Your Data

To create and maintain your account
To provide the collaborative trip planning features of the App
To send push notifications about activity relevant to your trips (only with your device's permission)
To authenticate you securely (via Supabase Auth)

We do not use your data for advertising, profiling, or marketing purposes. We do not sell your data.

4. Data Storage & Security

Your data is stored on servers provided by Supabase Inc. (infrastructure hosted in the EU, Central Europe / Zurich region). Supabase is a US-based company operating EU-hosted infrastructure; their privacy policy is available at supabase.com/privacy.

All data is transmitted over TLS. Travel documents are encrypted at the application layer before being written to the database.

Authentication is handled by Supabase Auth. Google Sign-In tokens are exchanged server-side and are not stored by us.

5. Third-Party Services

Supabase — database, authentication, file storage, edge functions (Privacy Policy)
Google Sign-In (Google LLC) — optional sign-in method (Privacy Policy)
Expo (Expo Inc.) — push notification delivery service (Privacy Policy)
Sentry (Functional Software Inc.) — anonymised crash reporting (Privacy Policy)

6. Data Retention

Your data is retained for as long as your account exists. If you delete your account, all personal data — including trip data, travel documents, and push tokens — is permanently deleted within 30 days.

Anonymous/guest accounts that have never been upgraded are automatically purged after 90 days of inactivity.

7. Your Rights

Under the Swiss Federal Act on Data Protection (nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR), you have the following rights:

Right of access — you may request a copy of the personal data we hold about you
Right to rectification — you may correct inaccurate data at any time via the Profile screen
Right to erasure — you may request deletion of your account and all associated data
Right to data portability — you may request your data in a structured, machine-readable format
Right to object — you may object to processing where we rely on legitimate interest

To exercise any of these rights, contact us at meetdeep.de@gmail.com. We will respond within 30 days.

8. Children's Privacy

The App is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this policy from time to time. When we do, the "Last updated" date at the top of this page will change. For material changes, we will notify users via in-app notification. Continued use of the App after changes constitutes acceptance of the updated policy.

10. Contact

For questions, data requests, or complaints, contact the developer at:
meetdeep.de@gmail.com

If you are unsatisfied with our response, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch.