Last updated: 2026-05-18
Status: Draft pending legal review. Engineer-authored, with operator + governing-law placeholders pre-filled per docs/legal/README.md. Remaining [TBD — pending legal review] placeholders are flagged inline for counsel.
This Privacy Policy describes how the Yosemite trip planner ("the Service," "we," "us") handles personal information collected from people who use it. The Service is currently a private group trip planner used by a small invited group; this policy is also written to be the basis of the public-product version that may follow.
The party responsible for personal information collected through the Service (the "data controller" for the purposes of GDPR / DPDP Act terminology) is Akshay Kumar, contactable at support@aksh04ay.com.
1. What we collect
We try to collect only what the Service actually needs to function. In practical terms, that breaks down into three buckets.
1.1 Account / identity information
When an account is created for you, we store:
- Username. A short handle you sign in with (e.g. `akshay`). Usernames are visible to other members of any trip you join.
- Password. Stored only as a salted hash by Supabase Auth — we never see or store the plaintext after sign-up / reset. We do not log passwords or send them in email.
- Display name ("full name" as shown in the UI).
- Avatar color (a hex string used to render your initials chip).
- Optional phone number.
- Optional emergency contact name and phone.
- Optional payment / payback handles — for example a Venmo username, a Zelle handle, a PayPal handle, a UPI ID, or a Cash App $cashtag. You choose which (if any) to add and which to mark as default. These are stored in `profile_payback_handles`.
Internally, every account also has a synthetic email of the form `<username>@trip.local` that exists purely so Supabase Auth can use its standard email-based password machinery. We do not send mail to that address; nothing ever delivers there. Some legacy accounts may still carry the real personal email of the human who created them as their underlying Supabase Auth identifier — that email is not displayed in the UI and is not used for any mail or marketing.
1.2 Trip content you create
Anything you type, upload, or click inside a trip is stored in our database. That includes:
- Chat messages in the group chat (`chat_messages`), including any reactions you add (`chat_reactions`).
- Expenses you log — amount, currency, description, who paid, who owes (`expenses`, `expense_participants`, `expense_splits`).
- Photos you upload, including the photo file itself in object storage and the public URL that points to it (`photos`). Photos can carry EXIF metadata in the file (camera model, date/time, and — if the photo was taken on a phone with location services on — GPS coordinates). The Service reads and stores some of this EXIF data in the `photos.exif` column so it can display things like "taken at 2:14pm." See §1.4 below for what to know about photo storage in particular.
- Likes and comments on photos and announcements (`photo_likes`, `photo_comments`, `announcement_upvotes`, `announcement_comments`).
- Hike proposals and votes you submit (`hikes`, …).
1.3 Operational / diagnostic information
- HTTP request data generated by Vercel as it serves the Service — IP address, user agent, request path, response status. Vercel retains this on our behalf. We use it only to operate the Service (e.g. debug an outage, rate-limit abuse).
- Error reports sent to Sentry when something in the Service crashes. These can include stack traces, the URL you were on, your username if you were signed in, and the values of variables relevant to the error. We have not enabled Sentry session replay. If we ever do, we will update this policy before turning it on.
- A signed session cookie named `trip_app_session` (HMAC-signed; see §5).
1.4 Notes specifically about photos
Photos uploaded via `/photos` are written to a public Supabase Storage bucket called `trip-photos`. "Public" here means: the URL of an uploaded photo, if guessed or shared, can be fetched by anyone with the URL — there is no per-request authentication on the storage object itself today. The in-app feed only shows photos to signed-in members of your trip, but the underlying file should be considered "shared with anyone who has the link." Don't upload anything to `/photos` that you would mind a stranger seeing if they obtained the link. A future revision of this Service may move photos behind authenticated storage; we will update this policy when that ships.
EXIF metadata embedded in a photo file (including any GPS coordinates the camera wrote) stays embedded in the file when it is stored. If you would prefer not to share GPS data, strip EXIF from your photos before uploading (most phones offer a "remove location" toggle in the share sheet).
1.5 What we don't collect
- We don't ask for your email address as part of the user-facing sign-in flow. (Some legacy accounts have one for historical reasons; see §1.1.)
- We don't ask for your real name, only a display name you choose.
- We don't ask for your date of birth, government ID, or financial account numbers. The "payment handle" you optionally save (e.g. Venmo username) is a public-facing handle, not an account or card number.
- We don't run third-party advertising or marketing analytics SDKs (no Google Analytics, no Meta Pixel, no Mixpanel, no advertising cookies).
2. How we use what we collect
We use the information described in §1 only for the following purposes:
- To provide the Service. Show you your trips, members, chats, photos, expenses, etc. Authenticate you when you sign in. Render notifications. Compute who-owes-whom on the costs page. Talk to the El Capo chat bot (Cloudflare Workers AI; see §3).
- To keep the Service working and safe. Detect, debug, and fix errors (Sentry). Investigate suspected abuse. Keep audit trails like `activity_feed`.
- To communicate with you about the Service itself if there is something you specifically need to know — e.g. a security incident requires it. Today we have no email or push channel to do this and would have to reach you out-of-band; this is forward-looking.
We do not use your information for:
- Behavioral advertising.
- Profiling for marketing purposes.
- Selling, renting, or otherwise transferring it to data brokers or advertisers. We have not sold personal information in the last 12 months and have no plans to.
- Training general-purpose AI models. (Specifically: we do not feed your chat messages, photos, or any other trip content into a model-training pipeline. When you talk to the El Capo bot, your message is sent to Cloudflare Workers AI to generate a single reply — see §3 for what that vendor does with it.)
3. Service providers we use
The Service runs on a small number of vendors. Each receives only the slice of data it needs to do its job.
| Vendor | What we send them | Why |
|---|---|---|
| Vercel (USA) | All HTTP traffic to the Service. They host the Next.js app. | Application hosting, edge compute. |
| Supabase (Postgres + Storage + Realtime + Auth, hosted on AWS in us-west-1 (Northern California)) | All structured data described in §1.1 and §1.2; uploaded photo files. | Primary database, file storage, real-time subscriptions, password verification. |
| Cloudflare (R2 object storage, Workers AI) | Static audio assets (R2). User chat-bot prompts and the resulting replies (Workers AI). | Audio asset delivery; AI chat replies in /chat. |
| Sentry (USA) | Crash reports as described in §1.3. | Error monitoring. |
| Open-Meteo (no account, anonymous request) | A latitude / longitude for the dashboard weather widget. We send Yosemite's coordinates, not yours. | Weather forecast on the dashboard. |
We have no other third-party data recipients. We do not share your data with data brokers, ad networks, or analytics resellers.
If we ever add a new vendor that processes personal information we will update this list.
4. Where data is stored
- Database (Supabase Postgres) and uploaded photo files (Supabase Storage): AWS region us-west-1 (Northern California, USA). Confirmed from the project's Supabase connection string at the time this policy was written.
- Application / edge compute (Vercel): USA, with edge caching at Vercel POPs worldwide.
- Audio assets (Cloudflare R2): Cloudflare's globally distributed object storage.
- Chat-bot inference (Cloudflare Workers AI): Cloudflare's global compute network. Individual inference requests may be served from a region near you.
- Error reports (Sentry): Sentry's primary US infrastructure.
If you are accessing the Service from outside the United States, your information will be transferred to and processed in the United States and the other regions listed above. By using the Service you understand and accept that transfer.
5. How we protect your information
- Passwords are hashed by Supabase Auth — the Service never stores or logs the plaintext.
- Sessions are tracked via a cookie called `trip_app_session` that is signed with an HMAC secret held only on the server. A tampered or unsigned cookie is rejected by middleware (`proxy.ts`) and the request is redirected to the login page. The cookie is the only first-party cookie the Service sets.
- Database access from the browser uses the Supabase `NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY`, which is intentionally browser-safe. Server-only operations that need elevated privileges use a separate service-role key that never reaches the browser.
- Row Level Security (RLS) is enabled on every user-facing table. The Service is currently in the middle of a multi-phase rollout that progressively tightens those RLS predicates from "anyone signed into the app" toward "only members of the specific trip." Phase 2 (browser traffic authenticates as the signed-in user, not as anonymous) is in production at the time this policy was written; Phase 3 (per-trip membership predicates) is planned. Until Phase 3 lands, the application-layer perimeter (signed session cookie + UI gating) is the load-bearing access control for cross-trip isolation. Treat the Service accordingly.
- Transport to the Service uses HTTPS / TLS.
- Secrets (API keys, the HMAC session secret, the Supabase service-role key) are held in the hosting provider's encrypted environment-variable store, not in the codebase.
No system is perfectly secure. If we ever discover a breach affecting your information we will notify you, in accordance with the breach-notification laws applicable to you (e.g. CCPA in California, the DPDP Act in India, GDPR Art. 33–34 if you are in the EU).
6. Cookies and similar technologies
The Service sets exactly one cookie of its own: `trip_app_session`, a signed session token that lets the server remember that you are logged in. This cookie is essential — the Service does not work without it — and is exempt from cookie-consent requirements that apply to optional / advertising cookies under, e.g., the EU ePrivacy Directive.
We do not set any third-party cookies. We do not embed advertising tags, analytics tags, or social-media tracking pixels.
The Service also uses localStorage in the browser for purely client-side
state (e.g. which guide chapters you have already played, an offline audio
cache for the GPS guide, a "current user" hint for the wildlife game). That
data does not leave your device.
7. Sharing within a trip
Most of what you do inside a trip is, by design, visible to the other members of that trip. For example, your chat messages, expenses, photos, hike votes, trivia score, and wildlife sightings are visible to your fellow members. That is the point of the Service. If you do not want something seen by other members of your trip, do not enter it.
Inside a single trip, users with the owner or admin role have additional abilities (e.g. editing or deleting items they did not create, or removing members). Account and password management (across all trips) is restricted to the global super-admin (`profiles.is_super_admin`) — today a single human operator.
We do not share trip content across trips. A user in Trip A cannot see Trip B through the Service's UI.
8. Your rights
Depending on where you live, you may have some or all of the following rights with respect to your personal information:
- Right to access the personal information we hold about you.
- Right to correct inaccurate information.
- Right to delete ("right to erasure" under GDPR; "right to deletion" under CCPA; "right to erasure" under DPDP §13).
- Right to data portability — receive your information in a structured, machine-readable format.
- Right to object to certain processing, or to restrict it.
- Right to non-discrimination for exercising these rights (CCPA).
- Right to withdraw consent, where processing is based on consent.
- Right to lodge a complaint with your local data protection authority (e.g. the California Attorney General; the Data Protection Board of India; your EU member-state DPA).
How to exercise: today, the way to make any of these requests is to email support@aksh04ay.com. Most rights are not yet supported by an in-product UI. We will respond within the timeframes the applicable law requires (e.g. 45 days under CCPA, 30 days under GDPR, the timelines specified under the DPDP Act once its operational rules are in force).
What is and isn't currently in-product:
- Edit your profile: ✔ available in `/members` and `/account`.
- Reset your own password: ✔ available at `/reset-password`.
- Export your data: ✘ not yet self-serve. Request via email.
- Delete your account / leave a trip: ✘ not yet self-serve. Request via email; we will hard-delete identity records and either delete or pseudonymize content you authored, at your choice.
We will not charge you for exercising these rights, and we will not retaliate or degrade the Service for users who exercise them.
8.1 Specific notice for California residents (CCPA / CPRA)
The categories of personal information we collect, the purposes for which we use them, and the categories of recipients are described in §1, §2, and §3 respectively. We have not sold or "shared" (as defined under CPRA) personal information in the last 12 months and we do not use sensitive personal information for any purpose beyond providing the Service. You have the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing (we do neither), and the right to non-discrimination.
8.2 Specific notice for India residents (DPDP Act, 2023)
You are the "Data Principal" with respect to information about you. We process your information primarily on the basis of your consent (when you sign up and submit content) and, where applicable, on the basis of legitimate use to provide the Service you have asked for. You may withdraw consent at any time by contacting us; withdrawal will not affect the lawfulness of processing before withdrawal. You have the right to access, correction, erasure, and grievance redressal. Our grievance officer is [TBD — pending legal review], reachable at support@aksh04ay.com.
8.3 Specific notice for users in the EU / UK (GDPR / UK GDPR)
The legal bases on which we process your personal data are: (a) consent (Art. 6(1)(a)) for the content you actively submit; (b) performance of a contract (Art. 6(1)(b)) for processing necessary to deliver the Service to you; and (c) legitimate interests (Art. 6(1)(f)) for security, abuse prevention, and basic operational diagnostics. You have the rights described above plus the right to lodge a complaint with your supervisory authority. We do not currently rely on Standard Contractual Clauses or other transfer mechanisms; if we begin offering the Service to users in the EU/UK in a material way we will put appropriate transfer safeguards in place and update this section.
9. How long we keep your information
We keep account and trip content for as long as your account exists or for as long as needed to provide the Service. Backups taken by Supabase, Vercel, and Sentry may persist for the retention windows of those vendors (typically a few weeks) after a delete request is processed.
When you ask us to delete your account, we will delete identity records (profile, username, password hash) within 30 days, and we will delete or pseudonymize content you authored according to your preference at the time of the request. Some content (e.g. chat messages other members have replied to) may be retained in pseudonymized form so that the conversation is not broken for other users; we will tell you which records fall into this category when you ask.
10. Children
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where that is the relevant threshold). If you are a parent or guardian and you believe a child has provided us personal information, please contact us at support@aksh04ay.com and we will delete the information promptly.
11. Changes to this Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this document will reflect the most recent change. For material changes, we will use a more visible notice in the Service (e.g. a banner on the dashboard) before the change takes effect.
12. Contact
Questions, requests, or complaints about this policy or your information go to:
- Email: support@aksh04ay.com
- Postal: [TBD — pending legal review]
13. Data retention periods
Beyond the high-level retention notes in §9, the specific per-table retention windows (e.g. how long deleted chat threads stay in audit logs, how long Sentry crash reports persist, how long backups are kept after account deletion) are [TBD — pending legal review].
This document is a draft prepared by an engineer for review by counsel prior to public launch. Governing law (California) and operator identity (Akshay Kumar) are pre-filled per the launch checklist; remaining bracketed placeholders await legal review. It is not legal advice and should not be relied upon as such.