Privacy Policy
Effective Date: May 12, 2026
This Privacy Policy explains how Zackery Griffin ("I", "me", "my") collects, uses, and protects information when you use:
- The PlanThat mobile application (the "App")
- The planthat.app website and related pages (the "Website")
Together, the App and Website are referred to as the "Services". If you do not agree with this Privacy Policy, please do not use the Services.
1. Who is responsible for your data
The Services are owned and operated by:
Owner: Zackery Griffin (sole proprietor)
Location: California, United States
Contact email: [email protected]
I am the data controller for personal information collected through the Services.
2. Information I collect
I collect information needed to run PlanThat, keep accounts secure, comply with legal obligations, and improve the product.
2.1 Information you provide directly
When you use the Services, you may provide:
- Contact information: First name, last name, and email address.
- Account credentials: Passwords (stored only as secure hashes via Supabase; I never see your plain password).
- Profile details: Optional profile information such as birthday and profile photo/avatar.
- Plan information: Plan titles, notes, dates and times, tasks, "Where" field content (addresses, place names, or any text you type), home, work, and custom addresses you save, duration, family/group associations, and whether a plan is shared.
- Plan templates: Reusable plan structures you create and save, including their titles, notes, and any location or duration details you configure.
- Family and group information: Your membership in a family group and which plans are shared with which family members or groups.
- RSVP and guest information: RSVPs (for example, going / not going / maybe). If invitees provide them, their name and email address are stored to confirm their submission and send confirmation emails.
- Purchase information: Information relating to PlanThat+ purchases, such as subscription status, renewal status, and non-sensitive purchase history. Payment details are handled by Apple; I do not receive your full card information.
- Support and contact messages: Any information you provide when contacting support, including your email address and the content of your message.
2.2 Information collected automatically
When you use the Services, some information is collected automatically, such as:
- Device and usage information: Device type, operating system, browser type, IP address, app version, and dates and times of access.
- Identifiers: Supabase user ID and technical identifiers used to keep you signed in and secure your account.
- Usage data: In-app events such as feature interactions, sign-in/sign-out flows, onboarding steps, plan and task actions, paywall views, and subscription events. These events are collected by PostHog to help improve the App and understand how features are used. Plan content (titles, notes, locations) is never included in analytics events.
- Activity and gamification data: Daily activity history, current and longest streak counts, total plans created, total tasks completed, and achievement unlocks. These are computed from your plan and task activity and stored in your account to power the stats dashboard, streak tracking, and achievement features.
- Notification interaction: If you enable push notifications, the App may deliver plan reminders, time-sensitive alerts, and streak reminders. I do not track which individual notifications you open or dismiss.
2.3 Location and places
PlanThat is about real-world plans, so location-related information is part of the product:
- Addresses and places you enter, including home, work, and custom addresses, school or activity locations, and any address or location description entered in "Where" or related fields. These can be precise locations tied to your identity or your family.
- GPS location (on-demand): when you tap "Use current location," the App requests your device's GPS coordinates through iOS. Those coordinates are reverse-geocoded on-device using Apple's mapping services to produce a street address. The raw GPS coordinates are not sent to my servers. Only the resulting address text is stored if you choose to save it to a plan.
- Stored coordinates: when you save a location to a plan, the associated geographic coordinates (latitude and longitude) may be stored on my servers (via Supabase) to enable plan-related features such as drive-time estimates and weather conditions. These coordinates are tied to your plan, not used to track your real-time movement, and are removed within 30 days of deleting the plan or your account.
- When drive-time or weather details are shown, coordinates or addresses related to a plan are sent to Apple Maps or Apple WeatherKit solely to provide those features. These providers' own privacy policies apply to data they receive.
I do not use your location data for advertising or sell it to third parties.
3. How I use your information
I use the information described above to:
- Provide and maintain the Services, including creating and managing accounts, storing plans and families, syncing data between the App and Website, and showing plan-related context such as drive times and weather.
- Communicate with you, including sending verification emails, password reset links, RSVP confirmations, and responses to support or data-related requests. I do not send marketing or promotional emails at this time.
- Support PlanThat+ subscriptions, including recognizing whether your account has an active subscription through Apple and unlocking PlanThat+ features.
- Power gamification and engagement features, including tracking activity streaks, computing stats, and unlocking achievements based on your in-app activity.
- Improve and secure the Services by diagnosing issues, understanding which features are used, and protecting against fraud, abuse, or misuse.
- Comply with legal obligations, enforce Terms of Service, and protect the rights, property, or safety of users and others where necessary.
4. Legal bases (EEA/UK users)
If you are located in the European Economic Area or the United Kingdom, I process your personal data under the following legal bases:
- Performance of a contract, to provide the Services you request and manage your account.
- Legitimate interests, to secure and improve the Services, prevent abuse, and respond to your requests, where these interests are not overridden by your rights.
- Consent, where required by law, for certain optional features. You can withdraw consent at any time by contacting me or using available settings.
- Right to lodge a complaint: you have the right to contact your local data protection supervisory authority if you believe your personal data has not been handled in accordance with applicable law.
5. How information is stored and shared
I use third-party providers to run PlanThat. They act as data processors or service providers on my behalf and are only allowed to use your information to operate the Services, not for their own independent marketing.
5.1 Service providers
Service providers include, for example:
- Supabase (authentication, database, storage), which stores account data, profiles, plans, RSVPs, and handles user sessions and file storage such as avatar images. Supabase is a US-based provider and your data may be stored on US servers.
- Resend, used as the email delivery provider for transactional emails including account verification, password reset, RSVP confirmations, and data or deletion communications.
- OneSignal, used to deliver push notifications to your device, such as RSVP updates and in-app alerts. OneSignal receives your device's push token in order to route notifications to you.
- Formspree (or similar) to process messages you send via the Website contact form.
- Apple and other platform providers for App Store billing and platform services, as well as Apple Maps and Apple WeatherKit where used.
- PostHog, used for in-app analytics in the App. PostHog collects usage events (such as feature interactions, onboarding steps, and subscription actions) and account properties (such as timezone and subscription status) to help me understand how the App is used and improve it over time. Plan content (titles, notes, locations) is never sent to PostHog. PostHog is a US-based provider.
Where helpful, you can review their own privacy notices (for example: Supabase, Resend, OneSignal, PostHog, Formspree, Apple).
5.2 No selling of personal data
I do not sell your personal information. I do not share your personal information with third parties for their own advertising or for cross-context behavioral advertising.
5.3 Other disclosures
I may disclose information if:
- Required by law, subpoena, or legal process.
- Necessary to enforce my Terms of Service.
- Necessary to protect the rights, property, or safety of myself, users, or others.
6. Cookies and local storage
The Website and App primarily use local storage or similar mechanisms for Supabase authentication tokens so you can stay signed in and access your account. These are strictly necessary for the Services to function.
I do not currently use third-party advertising cookies or cross-site tracking cookies. If this changes, I will update this Privacy Policy and, where required, ask for your consent or provide opt-out options.
7. Analytics and your choices
The App uses PostHog for in-app analytics. PostHog collects anonymized usage events, including which features you interact with, steps completed during onboarding, plan and task actions, paywall views, and subscription events, to help me understand how the App is used and improve it over time. PostHog also receives your account's user ID and properties such as timezone, subscription status, and sync state. Plan content (titles, notes, locations, family information) is never included in analytics data.
Analytics data is used solely for product improvement. It is not used for advertising and is not sold to third parties. PostHog data may be retained for up to 24 months.
You can turn off analytics at any time in the App under App Settings → Analytics. You can also email [email protected] to request that your usage data be limited or deleted.
PlanThat does not track you across other companies' apps or websites and does not share your data with ad networks or data brokers for cross-app tracking purposes. Because no such tracking occurs, Apple's App Tracking Transparency (ATT) framework is not triggered and you will not see an ATT permission prompt when using PlanThat.
8. Data retention
I keep your personal data for as long as it is reasonably necessary to provide the Services, comply with legal obligations, and resolve disputes. In practice:
- Account and profile data are retained while your account is active, unless you request deletion.
- Plans and related data are retained while your account exists, unless you delete them or request deletion of your account.
- Stats and activity data (streak counts, activity history, achievement records) are retained while your account is active and deleted when you request account deletion.
- Analytics and usage data may be retained for up to 24 months for product improvement and diagnostics, after which they are aggregated or deleted where feasible.
- Server and security logs may be retained for up to 12 months to investigate and prevent abuse.
- Backup copies may persist for a limited period (for example, up to 30 to 90 days) before being overwritten in the normal course of operations.
9. Your rights and choices
Depending on your location, you may have certain rights over your personal data. In general, I support the following for all users:
- Access: You can request a copy of the personal data I hold about you.
- Correction: You can update your profile (name, birthday, avatar, etc.) through the App or account page.
- Deletion: You can request deletion of your account and associated data.
- Export: You can request an export of your PlanThat data.
- Restriction/objection: In some regions, you may have rights to restrict or object to certain processing, including non-essential analytics.
To exercise any of these rights, contact [email protected]. I may need to verify your identity before acting on your request. Requests may take up to 30 days to process, depending on the type of request and applicable law.
10. Additional rights for California residents
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including:
- The right to know what categories of personal information are collected, used, and disclosed.
- The right to request access to specific pieces of personal information I hold about you.
- The right to request deletion of your personal information, subject to certain exceptions.
- The right to correct inaccurate personal information.
- The right to limit the use and disclosure of sensitive personal information to what is necessary to provide the Services.
- The right to be free from discrimination for exercising your privacy rights.
I do not sell or share your personal information as “sell” and “share” are defined under the CCPA/CPRA. If this ever changes, I will update this Privacy Policy and provide clear “Do Not Sell or Share My Personal Information” and “Your Privacy Choices” options.
You can exercise your California privacy rights by emailing [email protected]. Where supported, you may also see a “Your Privacy Choices” link in the Website footer or within the App.
11. Children and family data
The Services are designed for adults to manage family plans and are intended for users aged 13 and older. I do not knowingly allow children under 13 to create their own PlanThat accounts or directly submit personal information through the Services.
Parents and legal guardians may choose to store limited information about their children (such as a child’s first name and birthday) as part of managing their family schedule. By entering personal information about a child, you represent that you are the child’s parent or legal guardian, or that you have appropriate authority to provide that information, and you consent to its use in accordance with this Privacy Policy.
Children under 13 should not use the Services directly or create their own accounts. If I learn that a child under 13 has created an account or provided personal information directly, I will take reasonable steps to delete that information. If you believe this has happened, please contact me at [email protected].
12. International data transfers
The Services are operated from the United States. If you use the Services from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where my providers operate. These countries may have data protection laws that differ from those in your country.
Where required by law, I rely on appropriate safeguards for international transfers, such as Standard Contractual Clauses incorporated into agreements with my service providers, and other measures they implement to protect your data. You can review the privacy notices of key providers for more detail on their transfer mechanisms.
13. Security
I use reasonable technical and organizational measures to protect your information, including secure communication (HTTPS), authentication and access controls, secure password hashing via Supabase, and limited access to production data. However, no method of transmission or storage is completely secure, and I cannot guarantee absolute security.
14. Automated decision-making and profiling
I do not use your personal information to make automated decisions that have legal or similarly significant effects on you. I do not use your data to train machine learning models. If I introduce features that involve meaningful automated decision-making in the future, I will update this Privacy Policy and, where required, provide you with additional information and choices.
15. Changes to this Privacy Policy
I may update this Privacy Policy from time to time. When I make changes, I will update the effective date at the top of this page. If changes are material, I may provide additional notice through the App or Website.
Your continued use of the Services after an updated Privacy Policy is posted means you accept the changes.
16. Contact
If you have questions about this Privacy Policy or how your data is handled, contact:
Email: [email protected]
Owner: Zackery Griffin, California, USA