Privacy Policy

Last Updated: May 2026

1. Introduction

Planbutlr ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights regarding that data. We operate in accordance with the General Data Protection Regulation (GDPR) and Dutch privacy law.

We do not run ads in the app. We do not track you across other apps or websites.

2. Data Controller

Parity Labs VOF (trading as Planbutlr)

Vennootschap Onder Firma (VOF), registered in the Netherlands

Dutch Chamber of Commerce (KVK) number: 99704862

BTW (VAT) number: NL869098998B01

Registered address: Wipmolenweg 40, 1333GR Almere, Netherlands

Privacy contact: privacy@planbutlr.com

We are a small organisation and have not appointed a Data Protection Officer. Under Article 37 GDPR, we are not required to appoint one because our processing does not involve large-scale monitoring or large-scale processing of special category data. For any privacy question, including those that would normally go to a DPO, write to privacy@planbutlr.com.

3. Information We Collect

We collect only the data necessary to operate the app's features. Below is every category of data we collect.

  • Account: Email address, display name, profile picture, optional bio, and account creation date. Collected when you register. Linked to your identity.
  • Events: Event title, description, cover image, start/end dates, location, currency, and the membership list (who is owner, co-planner, or member). Linked to your identity.
  • Date Coordination: Date and time options you propose or vote on (available / maybe / unavailable). Linked to your identity.
  • Checklist / Items: Item names, quantities, categories, notes, URLs, and assignment to members. Linked to your identity.
  • Polls: Poll questions, options, and the votes you cast. Linked to your identity.
  • Expenses & Settlements: Expense descriptions, amounts, currency, payer, split participants, and settlement records (who has paid whom). We do not process payments or store any financial account details. Settlements are tracked by you and other members manually. Linked to your identity.
  • Carpool: Pickup and drop-off coordinates (obtained from your device location or a typed address via geocoding), departure time, and seat capacity. Location data is used only to resolve addresses for carpool coordination. It is not tracked continuously. Linked to your identity.
  • Photos & Media: Images and videos you choose to upload to a shared event album, captions, likes, and basic file metadata (file size, dimensions, MIME type). Photos are stored on our servers and visible only to members of that event. Linked to your identity. Metadata handling: photos uploaded to an event album are automatically re-encoded on your device before upload, which removes embedded EXIF metadata such as device model, capture timestamp, and any GPS coordinates your camera may have tagged. If the re-encode fails, the app refuses to upload the photo so the original file (with its metadata) is not sent to our servers. Profile pictures and event cover images use the same re-encode path but fall back to the original file if the re-encode fails, so in rare cases EXIF may survive for those two image types. Videos are uploaded without re-encoding and retain whatever container metadata was already in the file. If your camera tags videos with location, disable video location tagging in your camera settings or strip the metadata on your device before uploading. We plan to extend automatic stripping to videos in a future update.
  • Timeline / Activities: Activity descriptions, location (if provided), timestamps, and assigned members. Linked to your identity.
  • Butler venue suggestions: When you use the Butler feature to get venue ideas (restaurants, bars, museums, etc.) for your event, we send the city or location you typed and the type of venue you're looking for to Google Places (see Section 8). Returned venue suggestions are cached on our servers so the same query is faster next time. We do not link your identity to the cached results. Linked to your identity only for usage rate-limiting.
  • Receipt scanning: When you scan a receipt to add an expense, the photo is processed entirely on your device using on-device text recognition (Google ML Kit). The image is not uploaded to our servers and not sent to any third party. Only the parsed amount and merchant text you confirm are saved as part of the expense.
  • Device & Notification Data: Expo push notification token, device platform (iOS / Android), device type, and OS version. Collected to deliver push notifications to your device. Linked to your account but not shared externally beyond Expo (our push notification provider).
  • App Settings: Language preference, theme preference, and notification preferences. Stored locally on your device and in your account record. Linked to your identity.
  • Crash & Error Data: Pseudonymised error logs and stack traces collected automatically when the app crashes or encounters an error. We configure our error monitoring to exclude your name, email, and event content. Some technical identifiers (such as a session ID) may be included to correlate logs from the same session, which is why we describe these as pseudonymised rather than anonymised. Collected via Sentry (see Section 8).
  • Rate-limit & Security Logs: Hashed identifiers, timestamps, and counters for login, signup, password reset, and similar sensitive actions, used to block brute-force attacks. Retained for a short period and not shared with anyone.

4. Device Permissions

The app requests the following device permissions. You can grant or revoke these at any time in your device settings.

Camera

Taking photos or videos to upload to a shared event gallery, and scanning receipts to add expenses. Receipt scans are processed on your device only.

Photo Library

Selecting existing photos or videos from your device to upload, or selecting a receipt photo to scan.

Location (when in use)

Resolving your current location to a pickup address for carpool coordination, or auto-filling your city for the Butler venue suggestions. Only accessed when you actively use those features.

Calendar

Exporting a finalised event date to your device's native calendar app. Only triggered when you tap "Add to calendar."

Push Notifications

Receiving event updates such as new members joining, expenses added, polls created, or photos uploaded. See Section 7 for the difference between transactional and marketing notifications.

5. Legal Basis for Processing (GDPR)

  • Contract performance: processing your account, event, expense, settlement, carpool, photo, poll, and timeline data is necessary to deliver the service you signed up for.
  • Legitimate interests: crash and error data (via Sentry) and rate-limit logs are processed to maintain app stability and security in a way that does not override your rights. Logs are pseudonymised or hashed and exclude content data and direct identifiers.
  • Consent: camera, photo library, location access, calendar access, push notifications, and any marketing communications are only used when you grant permission. You can withdraw consent at any time in your device or app settings.
  • Legal obligation: where we must retain or disclose data to comply with applicable law (for example, responding to a valid court order or tax record-keeping).

6. How We Use Your Data

  • To create and manage your account and event memberships
  • To facilitate event coordination, showing group members date votes, expense splits, settlement balances, carpool availability, poll results, shared photos, and the timeline
  • To resolve location addresses for carpool pickup and event venues
  • To provide Butler venue suggestions when you ask for ideas for an event
  • To send transactional push notifications about event activity (new member, expense, poll, activity, photo)
  • To detect and fix crashes and errors, keeping the app stable
  • To prevent abuse such as brute-force login attempts and signup spam

7. Communications and Notifications

We send two kinds of messages, and we treat them differently under EU law (ePrivacy Directive and the Dutch Telecommunicatiewet).

Transactional messages

Account, security, and event-activity messages (email verification, password reset, a co-planner adding you to an event, a new expense, a new poll). These are necessary to deliver the service and cannot be turned off entirely without limiting core functionality, but you can fine-tune which event-activity notifications you receive in Settings → Notifications.

Marketing messages

Product updates, newsletters, beta announcements, and tips. We only send marketing messages if you have opted in, separately from your account creation. We do not pre-tick consent boxes.

Opting out

Every marketing email includes a one-click unsubscribe link, and you can also unsubscribe in Settings → Notifications or by emailing privacy@planbutlr.com. Opting out of marketing does not affect transactional messages.

8. Third-Party Services (Sub-processors)

We use the following trusted third-party services. Each acts as a data processor on our behalf and is bound to protect your data under a data processing agreement.

Supabase

Database, authentication, file storage, real-time sync, and serverless functions. Hosted in EU-West (Dublin, Ireland). Stores all account, event, expense, settlement, carpool, photo, poll, and timeline data.

Expo Push Notification Service

Delivers push notifications to your device. Receives your Expo push token and the notification content to route messages. No other personal data is shared.

Sentry

Error monitoring and crash reporting. Receives pseudonymised stack traces and error context when the app encounters a problem. Sentry does not receive your name, email address, or any event content.

Google ML Kit (on-device)

Text recognition for receipt scanning. Runs entirely on your device. No image, text, or other data leaves your phone.

Google Places API

Used by the Butler feature to fetch venue suggestions (restaurants, bars, museums, etc.) for the city you provide. We send the city name, venue type, and optional cuisine. We do not send your account identity, location coordinates, or any event content. Results are cached on our servers to reduce repeated lookups.

Photon / Nominatim (OpenStreetMap)

Address geocoding for carpool pickup and venue locations, and a fallback source of venue suggestions. When you search for or confirm an address, the typed string or coordinates are sent to this service. No account data is shared.

Vercel

Hosting for the Planbutlr website (planbutlr.com). Standard server request logs (IP address, browser, URL) are retained briefly for security purposes.

Google Fonts

Typography (Inter, Plus Jakarta Sans) used on the website. Fonts are loaded at build time. No user data is sent to Google when you visit the site.

If we add, replace, or materially change a sub-processor, we update this page and, where the change involves a new category of data or a transfer to a new jurisdiction, give at least 30 days' notice in advance through an in-app message or email before the change goes live. You can object to a material sub-processor change by deleting your account.

9. International Data Transfers

Your primary data is stored by Supabase in Dublin, Ireland (EU-West). The services below operate outside the EU and receive limited data as described above. For each, we rely on a transfer mechanism approved under Chapter V of the GDPR.

  • Expo (United States): EU Standard Contractual Clauses (SCCs), Module 2 (controller to processor). Receives push token and notification payload only.
  • Sentry (United States): EU Standard Contractual Clauses, Module 2. Receives pseudonymised crash data only.
  • Google Places (United States): EU-US Data Privacy Framework certification (Google LLC). Receives city or venue type text only, no account identifier.
  • Photon / Nominatim: Geocoding instances are hosted in the EU. If we ever fall back to a non-EU instance, only the address string is sent and we rely on SCCs.

10. Authentication & Session Security

  • Sign-in is by email and password only. No social or OAuth login
  • Email verification is required on signup before you can use the app
  • Password reset is delivered via a time-limited email link
  • Login, signup, and password reset are rate-limited to prevent abuse
  • Sessions are stored using hardware-backed secure storage (iOS Keychain / Android Keystore)
  • Passwords must meet a minimum complexity requirement (length and character variety)
  • Changing your password automatically signs you out of all other devices

11. Security Measures

  • All data is transmitted over HTTPS (TLS)
  • Sensitive data on your device is stored in hardware-backed secure storage (iOS Keychain / Android Keystore)
  • Database access is restricted by row-level security so you can only access data for events you belong to
  • Photo storage is access-controlled per event. Only members can view or download an event's photos
  • All user-provided input is validated and sanitised
  • Access to production infrastructure is restricted to essential personnel only

12. Data Breach Notification

Even with the safeguards above, no system is fully immune to incidents. If we discover a personal data breach within the meaning of Article 4(12) GDPR, we will:

  • Investigate the scope and impact promptly and contain the incident
  • Notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms (Article 33 GDPR)
  • Notify affected users without undue delay when the breach is likely to result in a high risk to your rights and freedoms (Article 34 GDPR), describing what happened, what data was affected, what we are doing about it, and what you can do to protect yourself
  • Maintain an internal incident log documenting the facts of the breach, its effects, and the remedial action taken

13. Your Rights (GDPR)

Under the GDPR, you have the following rights. To exercise any of them, contact privacy@planbutlr.com. We respond within 30 days.

Right to Access

Request a copy of the personal data we hold about you

Right to Rectification

Correct any inaccurate or incomplete data

Right to Erasure

Delete your account and all personal data, in-app or via email request

Right to Portability

Receive a copy of your data in a structured, commonly-used, machine-readable JSON format (Article 20 GDPR; export available in-app)

Right to Restrict Processing

Ask us to limit how we use your data in certain circumstances

Right to Object

Object to processing based on legitimate interests, including any direct marketing

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

If you live in another EU member state, you may also lodge a complaint with your local data protection authority. A directory is available at edpb.europa.eu.

14. Data Export & Account Deletion

You can export or delete your data at any time, directly in the app:

Export your data

Settings → Account → Download my data. We email a secure download link for a JSON file containing your profile, events, expenses, polls, votes, activities, items, and photo records. The download link expires after 7 days.

Delete your account

Settings → Account → Danger zone → Delete my account. Your account is deactivated immediately and you are signed out. All personal data is permanently removed within 30 days. During that 30-day window you can sign in again to cancel the deletion if you change your mind.

Full deletion instructions →

15. Data Retention and Inactive Accounts

We retain your data for as long as your account is active. Once you request deletion, your account is deactivated immediately and a 30-day grace period begins, during which you can cancel the deletion. After the grace period, all personal data is permanently removed from our active databases. Automated database backups expire within 7 additional days. Pseudonymised Sentry error logs may be retained for up to 90 days for debugging purposes. Cached Butler venue results that are not linked to any user are retained for up to 90 days.

If your account has shown no sign-in activity for 24 consecutive months, we will send you a reminder email. If we receive no response within 90 days of that reminder, we delete your account and the personal data tied to it, applying the same procedure as a user-initiated deletion. Events you participated in remain visible to other members but your personal name, email, and profile picture are removed from those records (see Terms of Service, Section 16).

16. Automated Decision-Making and Profiling

We do not make any decisions about you based solely on automated processing, and we do not perform profiling that produces legal or similarly significant effects on you. Features such as Butler venue suggestions are simple lookups based on the inputs you provide and do not analyse your behaviour or preferences.

17. Children's Privacy

Planbutlr is not directed at children under the age of 13 (or 16 in jurisdictions where that is the applicable minimum age under GDPR, including the Netherlands). On signup you confirm that you meet the minimum age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, contact privacy@planbutlr.com and we will delete the account and associated data promptly.

When we receive a credible report that an account belongs to a child below the applicable minimum age, we suspend the account immediately, contact the email address on file to request parental confirmation, and delete the account and associated data if we cannot verify that consent has been given by a parent or guardian. We do not request copies of identity documents to verify age; we rely on the user's representation and on credible reports from parents, guardians, or other users.

18. Disclosure to Law Enforcement and Authorities

We do not voluntarily disclose your personal data to law enforcement, government agencies, or other third parties. We will only disclose data when we are legally compelled to do so under Dutch or EU law (for example, a valid court order, a binding request from the Autoriteit Persoonsgegevens, or a similar instrument from another competent authority), or when disclosure is strictly necessary to prevent an imminent threat to life or physical safety. Where the law allows, we will notify the affected user before disclosure and will challenge requests that we believe are overbroad or unlawful. We do not run a transparency report at our current scale; if that changes we will publish one.

19. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, including changes that expand the categories of data we collect, the purposes for which we use it, or the parties with which we share it, we give at least 30 days' advance notice by posting the updated policy on this page, updating the "Last Updated" date, and sending an in-app notification or email. Non-material changes (such as clarifying wording or fixing typos) take effect when posted. The previous version remains available on request.

20. Contact Us

For privacy-related questions or to exercise your rights, email us. Postal correspondence can also be sent to the registered address below.

Legal entity: Parity Labs VOF (trading as Planbutlr)

KVK: 99704862

BTW (VAT) number: NL869098998B01

Postal address: Wipmolenweg 40, 1333GR Almere, Netherlands

Email: privacy@planbutlr.com

Response time: Within 30 days, as required by GDPR.