Privacy Policy
Effective Date: 12/05/2025
This Privacy Policy explains how Zackery Griffin ("I", "me", "my") collects, uses, and protects information when you use:
- The PlanThat mobile application (the "App")
- The planthat.app website and related pages (the "Website")
Together, the App and Website are referred to as the "Services". If you do not agree with this Privacy Policy, please do not use the Services.
1. Who is responsible for your data
The Services are owned and operated by:
Owner: Zackery Griffin (sole proprietor)
Location: California, United States
Contact email: [email protected]
I am the data controller for personal information collected through the Services.
2. Information I collect
I collect information needed to run PlanThat, keep accounts secure, comply with legal obligations, and improve the product.
2.1 Information you provide directly
When you use the Services, you may provide:
- Contact information: First name, last name, and email address.
- Account credentials: Passwords (stored only as secure hashes via Supabase; I never see your plain password).
- Profile details: Optional profile information such as birthday and profile photo/avatar.
- Plan and event information: Plan titles, notes, dates and times, "Where" field content (addresses, place names, or any text you type), home, work, and custom addresses you save, duration, family/group associations, and whether a plan is shared.
- Family and group information: Your membership in a family group and which plans are shared with which family members or groups.
- RSVP and guest information: RSVPs (for example, going / not going / maybe). If invitees provide them, their name and email address are stored to confirm their submission and send confirmation emails.
- Purchase information: Information relating to PlanThat+ purchases, such as subscription status, renewal status, and non-sensitive purchase history. Payment details are handled by Apple; I do not receive your full card information.
- Support and contact messages: Any information you provide when contacting support, including your email address and the content of your message.
2.2 Information collected automatically
When you use the Services, some information is collected automatically, such as:
- Device and usage information: Device type, operating system, browser type, IP address, app version, and dates and times of access.
- Identifiers: Supabase user ID, anonymous or pseudonymous analytics identifiers, and technical identifiers used to keep you signed in and secure your account.
- Usage data: Basic events such as app opens, sign-ins/sign-outs, feature usage, and errors to help keep the Services reliable and improve them over time.
2.3 Location and places
PlanThat is about real-world plans, so location-related information is part of the product:
- Addresses and places you enter, including home, work, and custom addresses, school or activity locations, and any address or location description entered in "Where" or related fields. These can be precise locations tied to your identity or your family.
- When maps or weather details are shown, addresses or coordinates related to a plan may be sent to map and weather providers (for example, Apple Maps and Apple WeatherKit) solely to provide those features (route estimates, weather, etc.).
I do not use your data to track your real-time movement for advertising or sell your location data to third parties, but I do store the addresses and places you save as part of your plans.
3. How I use your information
I use the information described above to:
- Provide and maintain the Services, including creating and managing accounts, storing plans and families, syncing data between the App and Website, and showing plan-related context such as drive times and weather.
- Communicate with you, including sending verification emails, password reset links, RSVP confirmations, and responses to support or data-related requests. I do not send marketing or promotional emails at this time.
- Support PlanThat+ subscriptions, including recognizing whether your account has an active subscription through Apple and unlocking PlanThat+ features.
- Improve and secure the Services by diagnosing issues, understanding which features are used, and protecting against fraud, abuse, or misuse.
- Comply with legal obligations, enforce Terms of Service, and protect the rights, property, or safety of users and others where necessary.
4. Legal bases (EEA/UK users)
If you are located in the European Economic Area or the United Kingdom, I process your personal data under the following legal bases:
- Performance of a contract, to provide the Services you request and manage your account.
- Legitimate interests, to secure and improve the Services, prevent abuse, and respond to your requests, where these interests are not overridden by your rights.
- Consent, where required by law, for certain optional features or analytics. You can withdraw consent at any time by contacting me or using available settings.
5. How information is stored and shared
I use third-party providers to run PlanThat. They act as data processors or service providers on my behalf and are only allowed to use your information to operate the Services, not for their own independent marketing.
5.1 Service providers
- Supabase (authentication, database, storage), which stores account data, profiles, plans, RSVPs, and handles user sessions and file storage such as avatar images.
- Mail providers (such as Mailgun or similar) to send transactional emails including verification, password reset, RSVP confirmations, and data or deletion communications.
- Analytics providers (such as Mixpanel or similar) to collect pseudonymous usage data and events for product improvement. These providers are used as service providers, not for cross-site advertising.
- Formspree (or similar) to process messages you send via the Website contact form.
- Apple and other platform providers for App Store billing and platform services, as well as Apple Maps and Apple WeatherKit where used.
Where helpful, you can review their own privacy notices (for example: Supabase, Mixpanel, Mailgun, Formspree, Apple).
5.2 No selling of personal data
I do not sell your personal information. I do not share your personal information with third parties for their own advertising or for cross-context behavioral advertising.
5.3 Other disclosures
I may disclose information if:
- Required by law, subpoena, or legal process.
- Necessary to enforce my Terms of Service.
- Necessary to protect the rights, property, or safety of myself, users, or others.
6. Cookies and local storage
The Website and App primarily use local storage or similar mechanisms for Supabase authentication tokens so you can stay signed in and access your account. These are strictly necessary for the Services to function.
I do not currently use third-party advertising cookies or cross-site tracking cookies. If this changes, I will update this Privacy Policy and, where required, ask for your consent or provide opt-out options.
7. Analytics and your choices
I use or may use analytics tools (such as Mixpanel) to understand how the Services are used and to make better product decisions. These tools typically use pseudonymous identifiers and do not receive your password or sensitive financial information.
Where required by law, analytics will be limited, disabled, or run on the basis of your consent. You can request that analytics associated with your account be limited or disabled by emailing [email protected]. If in-app or in-site settings are available in the future, those settings will also let you control certain analytics.
8. Data retention
I keep your personal data for as long as it is reasonably necessary to provide the Services, comply with legal obligations, and resolve disputes. In practice:
- Account and profile data are retained while your account is active, unless you request deletion.
- Plans and related data are retained while your account exists, unless you delete them or request deletion of your account.
- Analytics and usage data may be retained for up to 24 months for product improvement and diagnostics, after which they are aggregated or deleted where feasible.
- Server and security logs may be retained for up to 12 months to investigate and prevent abuse.
- Backup copies may persist for a limited period (for example, up to 30–90 days) before being overwritten in the normal course of operations.
9. Your rights and choices
Depending on your location, you may have certain rights over your personal data. In general, I support the following for all users:
- Access: You can request a copy of the personal data I hold about you.
- Correction: You can update your profile (name, birthday, avatar, etc.) through the App or account page.
- Deletion: You can request deletion of your account and associated data.
- Export: You can request an export of your PlanThat data.
- Restriction/objection: In some regions, you may have rights to restrict or object to certain processing, including non-essential analytics.
To exercise any of these rights, contact [email protected]. I may need to verify your identity before acting on your request. Requests may take up to 30 days to process, depending on the type of request and applicable law.
10. Additional rights for California residents
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including:
- The right to know what categories of personal information are collected, used, and disclosed.
- The right to request access to specific pieces of personal information I hold about you.
- The right to request deletion of your personal information, subject to certain exceptions.
- The right to correct inaccurate personal information.
- The right to limit the use and disclosure of sensitive personal information to what is necessary to provide the Services.
- The right to be free from discrimination for exercising your privacy rights.
I do not sell or share your personal information as “sell” and “share” are defined under the CCPA/CPRA. If this ever changes, I will update this Privacy Policy and provide clear “Do Not Sell or Share My Personal Information” and “Your Privacy Choices” options.
You can exercise your California privacy rights by emailing [email protected]. Where supported, you may also see a “Your Privacy Choices” link in the Website footer or within the App.
11. Children and family data
The Services are designed for adults to manage family plans and are intended for users aged 13 and older. I do not knowingly allow children under 13 to create their own PlanThat accounts or directly submit personal information through the Services.
Parents and legal guardians may choose to store limited information about their children (such as a child’s first name and birthday) as part of managing their family schedule. By entering personal information about a child, you represent that you are the child’s parent or legal guardian, or that you have appropriate authority to provide that information, and you consent to its use in accordance with this Privacy Policy.
Children under 13 should not use the Services directly or create their own accounts. If I learn that a child under 13 has created an account or provided personal information directly, I will take reasonable steps to delete that information. If you believe this has happened, please contact me at [email protected].
12. International data transfers
The Services are operated from the United States. If you use the Services from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where my providers operate. These countries may have data protection laws that differ from those in your country.
Where required by law, I rely on appropriate safeguards for international transfers, such as Standard Contractual Clauses incorporated into agreements with my service providers, and other measures they implement to protect your data. You can review the privacy notices of key providers for more detail on their transfer mechanisms.
13. Security
I use reasonable technical and organizational measures to protect your information, including secure communication (HTTPS), authentication and access controls, secure password hashing via Supabase, and limited access to production data. However, no method of transmission or storage is completely secure, and I cannot guarantee absolute security.
14. Automated decision-making and profiling
I do not use your personal information to make automated decisions that have legal or similarly significant effects on you. If I introduce features that involve meaningful automated decision-making in the future, I will update this Privacy Policy and, where required, provide you with additional information and choices.
15. Changes to this Privacy Policy
I may update this Privacy Policy from time to time. When I make changes, I will update the effective date at the top of this page. If changes are material, I may provide additional notice through the App or Website.
Your continued use of the Services after an updated Privacy Policy is posted means you accept the changes.
16. Contact
If you have questions about this Privacy Policy or how your data is handled, contact:
Email: [email protected]
Owner: Zackery Griffin, California, USA