1. Who We Are (Controller)

Kacci Lab Inc. is the data controller for personal data processed via TripPlanGo.

Registered address: 298 Jarvis Street, Toronto, ON M5B 2M4, Canada

Websites in scope: mytripplango.com (product) and kaccilab.com (corporate pages referencing this Policy), as well as our mobile apps.

If you are in the EEA/UK/Switzerland, you may have the right to lodge a complaint with your local data protection authority.

2. Scope

By accessing or using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services.

This Policy does not apply to third-party sites/services you access via links from our Services.

3. Information We Collect

• Account & Profile: name, email, password hash/federated sign-in, profile photo, settings.
• Contacts & Collaboration: names/emails of invited trip members; relationships to trips/groups.
• Trip & Itinerary Content: destinations, dates, bookings (flights, trains, buses, rental cars), accommodations, activities, restaurants, notes, packing items, budgets, expenses, and files you upload (PDFs/images).
• Forwarded Emails & Booking Data: when you forward confirmations to your trip address, we receive the message content/attachments to parse structured booking info and store it in your trip.
• Messages, Discussions & Media: messages, reactions, polls, mentions, and media you share. Chat/thread media auto-expires after 7 days.
• AI Inputs & Outputs: prompts/context you provide (e.g., itinerary, packing, summaries) and generated outputs.
• Location & Device Signals: approximate/precise location if permitted (e.g., FunWalking); device model/OS/app version, crash logs, performance metrics.
• Step Counts (FunWalking): step/activity counts from device fitness APIs with your permission. No health diagnoses or medical records.
• Payments & Subscriptions: app store transaction metadata (status, product IDs, renewal dates). For Android and web app, Stripe provides secure payment processing services (status, product IDs, renewal dates). We do not receive full card details.
• Cookies/Local Storage (Web): for authentication, preferences, analytics.

4. Sources of Information

We collect data from: you; your device; trip collaborators; our service providers/integrations; and limited public sources (e.g., map/POI data).

5. How We Use Data (Legal Bases)

• Provide & operate the Services (accounts, imports, timeline, collaboration, offline caching). Contract; legitimate interests.
• AI features (itinerary/packing, summaries, email parsing). Contract; legitimate interests; consent where required.
• FunWalking (convert steps to coins; spawn collectibles). Contract; consent (location/steps).
• Safety & integrity (security, fraud/abuse, troubleshooting). Legitimate interests; legal obligations.
• Communications (service messages, trip updates, policy changes). Contract; legitimate interests; legal obligations.
• Improve Services (analytics, research, QA). Legitimate interests; consent where required.
• Compliance with laws and regulations. Legal obligations.

Automated decision-making: AI assists with classification/recommendations. We do not make decisions that produce legal or similarly significant effects solely by automated means.

6. AI Processing Disclosure

We use AI (including OpenAI) to parse forwarded confirmations/tickets and to generate itineraries, summaries, and packing/activity suggestions. We configure providers not to use your data to train their models where such controls are available. We do not sell or license your personal travel data; AI processing is solely to deliver features you request.

7. Sharing & Disclosure

We do not sell personal information and do not share it for cross-context behavioral advertising.

• Trip collaborators you invite, per your per-trip category privacy settings (Bookings, Expenses, Documents).
• Service providers/processors (e.g., Google Cloud/Firebase/Firestore, Google Maps/Places, OpenAI, SendGrid, analytics/telemetry) under contract to act on our instructions.
• Legal/compliance recipients when required by law or to protect rights/safety.
• Business transfers (e.g., merger or acquisition) subject to this Policy or a successor with materially similar protections.

8. International Transfers

We and our providers may process data in countries outside your own (e.g., Canada, United States, EU/UK regions). Where required, we use appropriate safeguards (such as Standard Contractual Clauses). Your data may be accessible to foreign courts, law enforcement, and national security authorities.

9. Security

We employ administrative, technical, and physical safeguards appropriate to the data (e.g., encryption in transit, restricted Firestore access, least-privilege credentials, monitoring). No system is 100% secure. If we learn of a data incident affecting you, we will notify you and/or regulators as required.

10. Retention

• Uploaded tickets & documents: auto-deleted 6 months after trip completion. We send a reminder 7 days before deletion. Trip data itself is not removed.
• Chat/thread media (images/videos/audio): auto-expires after 7 days.
• Structured trip data (flights/hotels/activities/expenses, messages metadata): retained while your account/trip is active and until you delete it or request deletion, subject to backups/legal retention.
• Diagnostics/logs: retained for a reasonable period for security and troubleshooting.
• Aggregated/de-identified data: may be kept indefinitely (cannot reasonably identify you).

Deleted items may remain in backups for a limited time before being overwritten.

11. Your Controls & Choices

• Per-trip privacy: Use the 🛡️ Privacy panel to control sharing for Bookings, Expenses, and Documents (private, all members, or custom).
• Manage content: view/edit/delete profile data; manage trips, collaborators, messages, and uploads.
• Location & steps: disable in device settings at any time; related features may not function.
• Notifications: adjust in-app and device settings.
• Email forwarding: you can correct or delete misclassified items and re-forward originals.

12. Your Rights (GDPR/UK, CPRA, PIPEDA & Others)

Depending on your location, you may have rights to access, rectify, delete, restrict, port, object, and withdraw consent (e.g., for location/steps).

California (CPRA): rights to know/access, delete, correct, opt-out of sale/share (we do not sell/share), and limit use of sensitive personal information (we only use location/steps to provide requested features).

Canada (PIPEDA): rights to access and correct personal information; withdraw consent subject to legal/contractual restrictions.

How to exercise: use in-app controls where available or contact our privacy inbox below. We may verify your identity (and, in California, requests by an authorized agent). We will not discriminate for exercising your rights. If we deny a request where a legal exception applies, you may have the right to appeal by replying to our decision.

13. Children’s Privacy

The Services are not intended for children under 13 (or higher local age, e.g., 16 in some regions). We do not knowingly collect data from children. If you believe a child provided data, contact us and we will delete it.

14. Third-Party Services

• Google Cloud / Firebase / Firestore: hosting, databases, auth, storage.
• Google Maps & Places APIs: maps, search, image previews, FunWalking item placement.
• OpenAI: AI parsing/generation (see AI Processing Disclosure).
• SendGrid: processing forwarded booking emails to our endpoints.
• App Stores (Apple/Google): in-app purchases & subscription billing (we do not receive full payment card data).
• Stripe: in-app purchases & subscription billing for Android and web app (we do not receive full payment card data).
• Analytics/Telemetry: app performance, crash reporting, product analytics as configured.

We use these providers under their terms and, where required, provide attributions within the app/site.

15. Cookies & Tracking (Website)

We may use cookies/local storage to keep you signed in, remember preferences, enable features, and perform analytics. You can manage preferences via your browser or any cookie banner we present. Our Services may not respond to “Do Not Track” signals.

16. Offline Caching

To support offline use, certain trip content, tickets/PDFs, and messages you’ve opened may be cached on your device. You can clear the app cache via device settings (offline functionality will be limited until content is reloaded).

17. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you (e.g., via in-app notice or email). Your continued use of the Services after the effective date constitutes acceptance.

18. Contact Us

Primary privacy inbox (DSAR requests): privacy@mytripplango.com

General support: contact.us@mytripplango.com

Corporate contact: contact.us@kaccilab.com

Postal address: 298 Jarvis Street, Toronto, ON M5B 2M4, Canada

If you are in the EEA/UK/Switzerland, you may also contact your local data protection authority.

CPRA Notice at Collection (California)

Categories collected: identifiers (name, email), account/profile data, device/usage data, location (with permission), trip/itinerary content, messages/media (media expires after 7 days), forwarded emails & tickets, step counts (with permission), purchase/subscription metadata.

Purposes: provide Services; AI features; collaboration; FunWalking; security; analytics; communications; compliance.

Retention: see Retention (e.g., uploaded tickets/docs 6 months post-trip; media 7 days; other data while the account/trip is active or as needed).

Sale/Share: we do not sell personal information and do not share it for cross-context behavioral advertising.

Sensitive Personal Information: we may process location and step counts solely to provide requested features; we do not use SPI to infer characteristics beyond that.