Privacy Statement

Effective: May 2026 · Last updated: May 26, 2026 (v2026-05-26-v1) — Google sign-in no longer requests Contacts at sign-in; new §2.4 on passkey/WebAuthn data handling

The short version

This Statement explains what information Trendosity (“we”, “us”) collects about you, how we use and protect it, who can see it, and the choices and rights you have. It applies to trendosity.com and any future Trendosity mobile applications.

1. Who we are and what we do

Trendosity is a friend-to-friend recommendations service. You sign in with Google (and eventually Apple), invite people you actually trust, and trade recs across categories — restaurants, doctors, contractors, hotels, kids' activities, products, and more. We are headquartered in the State of New York, USA.

2. Information we collect

We collect information in three ways:

2.1 Information you provide directly

  • Account info: name, email, and profile photo provided by Google when you sign in.
  • Profile customization: your chosen brand color, optional city/neighborhood, optional display-name changes.
  • Recommendations and their metadata: the place/person name, location, contact info, your “why” text, category, and visibility setting (circle or public) for every rec you post.
  • Asks: questions you broadcast to your circle, with the topic, optional city, and optional context note. We generate a shareable link with a random token; anyone with the link can respond without an account.
  • Ask responses (about you or from you): when you respond to someone's ask via a shared link, we collect the first name you enter, the message you type, and any photos surfaced from Google Places during the organize step. Your first name and submission are shown to the asker. If you're signed in when you respond, the submission is also tied to your account so you can see your own ask history; if you respond as a guest, only your typed first name is stored. The asker can choose to import your recs into their own profile, at which point those recs become attributed to them and visible to their circle.
  • Saves: recs you bookmark, plus any private notes you attach.
  • Friend connections: who you invite, who accepts, who you accept from.
  • Contact-form messages: name, email, topic, subject, and message text when you contact us.

2.2 Information from third-party services you connect

  • Google Contacts (optional — never requested at sign-in): Sign-in only asks for your basic Google profile (name + email). If you later choose to use the Contacts import on the Friends page, we ask Google for read access to your contact list as a separate, explicit consent flow. We then read your contacts once, in your browser session, to surface which contacts are already on Trendosity. We do not store the full contact list; we only persist a friend request or invite link when you explicitly send one. You can revoke this permission anytime at myaccount.google.com/permissions.
  • Imported recs (optional): if you bulk-paste text or upload a JSON file in the onboarding flow, that content becomes recs you authored. Same visibility rules apply.

2.4 Passkey / Face ID / Touch ID credentials

If you enroll a passkey for passwordless sign-in, your device's secure enclave / TPM generates a public–private keypair specific to Trendosity. The private key never leaves your device; we never see it, never store it, never could store it. We store only:

  • The public credential id and public key, used to verify signatures during sign-in.
  • A monotonic signature counter, used to detect replay attacks.
  • Optional transport hints (usb / ble / hybrid / internal) provided by your device.
  • The device label if you give us one (e.g. “Leila's iPhone”).

We never receive or store your biometric data (face image, fingerprint, etc.). Biometrics never leave your device — they only locally unlock the private key your device created. If your platform syncs your passkey across devices (iCloud Keychain, Google Password Manager, 1Password, Dashlane, Bitwarden, etc.), that sync is between your devices and your password manager — Trendosity is not involved. You can delete any enrolled passkey at any time from Settings (forthcoming credential list) or by deleting your account.

2.3 Information collected automatically

  • Product usage events: minimal first-party analytics — pages you visit, features you use, actions like “posted a rec” or “accepted an invite”. Stored in our events table, tied to your account so we can diagnose your own issues.
  • Server logs: standard request logs including IP address, user agent, and request paths. Retained for security and abuse prevention.
  • Cookies and similar technologies: see Section 6.

3. Information we do NOT collect

We don't access your phone's photos, location history, microphone, camera, or any other app's data. We don't use fingerprinting libraries. We don't buy data about you from data brokers. We don't require any Google sign-in scope beyond name, email, profile picture, and (if you grant it) contacts. The current list of cookies and analytics we use is in our Cookie Policy — if we add additional analytics or marketing partners in the future we'll update that page and the cookie banner will request your consent before any new cookie is set.

4. How we use your information

  • Operate the service: show your discover feed, deliver recs to the right friends, generate invite links, run the Ask flow, render your profile.
  • Process responses to your asks: when someone responds to your shareable Ask link, we save their submission (first name they typed, the text they wrote, any photos surfaced via Google Places, and the parsed/organized version they approved). Their first name is shown alongside their submission to you. If you choose to import their recs into your own profile, the imported recs are attributed to you going forward and visible to your friends.
  • Friend discovery: match your Google Contacts to existing Trendosity accounts (when you grant the permission) so you can request friendships in one tap.
  • Safety, integrity, and abuse prevention: detect and remove spam, harassment, scraping, fake accounts, and content that violates our Terms of Use.
  • Communications: service emails about your account, security alerts, and (only if you opt in) product updates. We don't spam.
  • Product analytics: understand aggregate, de-identified usage patterns (“X% of users post a rec in their first week”) to improve the product.
  • Legal compliance: meet our obligations under applicable law, valid legal process, and to protect rights and safety.

Today, we do not sell your personal information and we do not share it for cross-context behavioral advertising. We don't use your content to train third-party AI models. We may in the future introduce optional advertising or affiliate features (for example, surfacing a “Book on Booking.com” link for a hotel a friend recommended, or a discount on a recommended product). If we do, we will update this Statement, the Cookie Policy, and the cookie banner, and you will be able to opt out at any time — both via the in-app preferences and via /do-not-sell.

5. Who can see your content

We enforce visibility rules at the database level using Postgres row-level security. Even our own application code cannot accidentally show one user's circle-only rec to a stranger.
  • Recommendations: default visibility is “circle” — only your friends. You may mark a rec “public”, which makes it visible to anyone on Trendosity.
  • Profile (name, color, optional photo, optional city): visible to your friends and to people who have your invite link.
  • Email address: never displayed to other users; used only for account login and to let friends find you by exact email match (to prevent profile enumeration, we don't support fuzzy email search).
  • Friendship list: visible to your other friends; not visible publicly. Mutual friends can be inferred only through ordinary social signals (e.g., seeing the same rec from a shared friend).
  • Asks (public link version): when you create an “Ask for recs,” we generate a shareable link. Anyone who has that link can open it and respond — they don't need a Trendosity account. The ask's topic, your first name, and (if set) your profile photo and color are shown to anyone with the link, so the responder knows who they're sending recs to.
  • Responses to your asks: visible to you (the asker) and to the responder. The responder's first name (whatever they typed) is shown next to their submission so you know who sent what. Each response has its own dedicated page at /asks/[id]/from/[subId], accessible only to you. The original message text, photos pulled from Google Places, and the parsed/organized version are all visible to you.
  • Importing responder recs to your profile: from a response page, you can “Save these to my profile.” If you do, those recs become part of your profile, attributed to you, and visible to your friends like any other rec you posted. The fact that they originated from a specific responder's submission is recorded internally (in an imported_from field) for audit and undo, but is not displayed to your friends.
  • Saves: private to you.

6. Cookies, local storage, and similar technologies

Our full Cookie Policy lists every cookie we set, with category, purpose, retention, and your choices. The summary:
  • Strictly necessary auth cookies set by Supabase to keep you signed in (sb-…-auth-token, ~1 year).
  • Short-lived “invite” cookie (trendosity_invite, 10 min) when you arrive via someone's invite link, so we can consume the invite after you sign in.
  • Short-lived “post-OAuth” cookie (trendosity_post_oauth, 10 min) so we can return you to the shared list / ask / invite you came from after sign-in.
  • Short-lived consent cookies (trendosity_consent_tos, trendosity_consent_privacy, 10 min) that record your acceptance versions so we can write them to your audit log after sign-in.
  • Cookie-banner preference (tr_cookies, 1 year) recording your “Accept all / essential only” choice.
  • Do-Not-Sell-or-Share preference (tr_dns, 1 year) recording your CCPA/CPRA opt-out.

Cookie banner. On first visit, a banner asks how you'd like to handle cookies in four categories: essential, functional, performance, and marketing. You can accept all, reject non-essential, or toggle each category. You can change your choice anytime in your Settings or by re-opening the banner via the Cookie Policy page.

Global Privacy Control (GPC). If your browser sends the GPC signal, we automatically treat it as “essential only” AND as a Do Not Sell or Share opt-out, and we do not show the banner. CCPA/CPRA require us to honor GPC; we do.

You can clear cookies via your browser at any time; if you clear the auth cookies you will need to sign in again.

7. Service providers we use

We rely on a small set of vetted infrastructure providers, who process data on our behalf under contract and only as instructed. Each is listed below with what they touch and where they store it.
  • Supabase (San Francisco, CA; data in US East / AWS us-east-1) — Postgres database, authentication, file storage, real-time. Touches: profile, recs, friendships, consent log, uploaded media.
  • Vercel (San Francisco, CA; Edge + serverless functions globally) — application hosting + CDN + Edge runtime. Touches: every page render (your IP, user-agent in request logs).
  • Google Maps Platform — Places API (New) (Mountain View, CA) — looks up the canonical name + address + photo of a place you add to a rec. Touches: only the place name + city you type when adding a rec. No personal information is sent.
  • Google Identity (Sign in with Google) — OAuth provider when you choose “Continue with Google.” We request only basic profile scopes (openid, email, profile) — your Google name, email, and profile photo. We do NOT request your contacts at sign-in. If you later choose Contacts import on the Friends page, that is a separate optional consent flow.
  • WebAuthn / passkey platforms — when you use Face ID / Touch ID / Windows Hello, your device's OS-level authenticator (Apple, Google, Microsoft) performs the cryptographic operations locally. Trendosity sees only the resulting public credential + signature.
  • Anthropic (San Francisco, CA) — Claude AI model called by our server to parse a pasted rec list into structured fields when you bulk-import. Touches: only the text you paste. Anthropic processes the text under its Commercial Terms and does not train on it. (Only used if our API key is configured; otherwise we fall back to a local heuristic parser.)
  • Resend (San Francisco, CA) — sends transactional email (nudges, weekly digest, magic-link sign-in confirmations). Touches: your email address + the body of each transactional message.
  • Wikipedia / Wikimedia — fetches free thumbnail images for trip city pages (e.g. a photo of Paris). Touches: only the city name. No personal information is sent.
  • GitHub — source-code hosting (no user content).
  • GoDaddy — DNS for trendosity.com (no user content).

Subprocessors. All providers above are bound by their own privacy commitments and process data only on our instructions, as documented in their respective Data Processing Agreements. We use the EU Standard Contractual Clauses for any cross-border transfers from the EEA/UK.

We will disclose your data when required by law, valid legal process, or in good faith to prevent imminent harm. We will tell you about a legal request when permitted to do so.

8. Messaging, SMS, and WhatsApp sharing

Trendosity offers in-app share buttons that open your phone's native messaging app (iMessage, default SMS, WhatsApp, etc.) with a pre-filled message containing a link to one of your Trendosity lists.
  • You send the message — we don't. When you tap “Text it to a friend” or “Send on WhatsApp”, your phone's messaging app launches with the message already typed. You choose the recipient, you can edit the text, and you tap send. Trendosity never has the recipient's phone number or contact information, never reads the message after you send it, and never sends marketing or promotional SMS on its own.
  • Standard carrier rates may apply. Any text (SMS or MMS) you send is subject to your mobile carrier's rates and terms. If your plan does not include unlimited messaging, your carrier may charge you per message. WhatsApp uses your data plan and standard data rates may apply if you are not on Wi-Fi. Trendosity does not pay for and cannot control those charges.
  • TCPA & consent. Because every message originates from your own device and is addressed to a recipient you personally chose, the share flow does not constitute automated or autodialed messaging under the U.S. Telephone Consumer Protection Act (47 U.S.C. § 227). You remain responsible for ensuring you have the recipient's permission to text them.
  • International & roaming. If you are roaming or texting an international number, your carrier's international or roaming rates apply.
  • Languages. Pre-filled messages are currently provided in English. Additional languages are planned and will follow your selected app language when available.

Full details: Messaging Notice.

9. Your rights and choices

  • Access & portability: download a complete JSON export of your data anytime from Settings → Download my data (or by emailing us).
  • Edit: change your name, color, city, profile photo (via Google), and any individual rec from the app.
  • Delete: tap Settings → Delete my account. This permanently removes your profile, recs, saves, friendships, and invite links. Cannot be undone.
  • Object/restrict: contact us via the privacy form if you want us to stop a specific processing purpose.
  • Revoke Google Contacts permission: at myaccount.google.com/permissions.
  • Communications preferences: opt out of non-essential email at any time.

10. California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the CPRA:
  • Right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose, and the categories of third parties with whom we share it.
  • Right to delete personal information we have collected from you.
  • Right to correct inaccurate personal information.
  • Right to opt out of “sale” or “sharing” — we don't sell or share your personal information for cross-context behavioral advertising. Use the Do Not Sell or Share My Personal Information page to register your opt-out preference on the record.
  • Right to limit use of sensitive personal information — we don't use sensitive PI beyond the purposes set out in this Statement.
  • Right to portability — request a complete export of your data at any time.
  • Right to non-discrimination for exercising any of the above.

Categories of personal information collected, by source and purpose:

  • Identifiers (email, name, profile photo) — collected from you and your OAuth provider; used to operate the service and identify you to friends.
  • Internet activity (IP, user-agent in request logs) — collected by Vercel; used for security and abuse prevention.
  • User-generated content (recs, comments, reactions, asks, trips) — collected from you; used to provide the friend-to-friend recommendations service.
  • Consent records — collected from you on sign-in / banner interaction; used to demonstrate compliance.

Sale or sharing of personal information. We have not sold or shared personal information in the preceding 12 months. We may, in the future, introduce optional affiliate and advertising features (such as a “Book on Booking.com” link tied to a friend's hotel recommendation). If we do, those features will require your explicit consent and will be disclosed here. You can register an opt-out in advance at any time via /do-not-sell; the opt-out will follow your account.

How to exercise your rights. Use the data-request form or email our contact form. You may also designate an authorized agent. We respond within 45 days as required by law.

Global Privacy Control (GPC). We honor GPC signals automatically — see Section 6.

11. EU / UK / EEA residents (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, your data is processed under the General Data Protection Regulation (and UK GDPR / Swiss FADP equivalents).

Legal bases for processing:

  • Contract performance for delivering the service you signed up for.
  • Legitimate interests for security, abuse prevention, and aggregated product analytics — balanced against your rights.
  • Consent for optional features such as Google Contacts import and any future marketing emails. You may withdraw consent at any time.
  • Legal obligations for record-keeping where required.

Your GDPR rights include access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your supervisory authority. To exercise them, use the data-request form.

International transfers: our servers are in the United States. Where we transfer personal data from the EEA/UK/Switzerland to the US, we rely on the EU Standard Contractual Clauses with our processors and apply supplementary measures (encryption in transit and at rest, scoped access).

12. Data retention

We keep your account data while your account is active. When you delete your account, we delete your personal data within 30 days, except where retention is required for legal, fraud-prevention, or safety reasons (in which case it is retained only for as long as necessary and segregated from active systems). Aggregated and de-identified analytics may be retained longer.

13. Security

We protect data with industry-standard measures: HTTPS in transit, encryption at rest, scoped database access via Postgres row-level security policies, least-privilege engineering access, and dependency monitoring. No system is perfectly secure; if we learn of a breach affecting your personal information we will notify you and the relevant authorities as required by law.

14. Children

Trendosity is not directed to children under 13. We don't knowingly collect personal information from children under 13. If you believe a child has signed up, please contact us and we will promptly delete the account. If you are 13–17, you confirm a parent or guardian has reviewed these terms with you.

15. Do Not Track and Global Privacy Control

Most browsers don't implement Do Not Track in a standardized way, so we don't treat DNT signals as preferences.

Global Privacy Control (GPC) — we honor it automatically. When your browser sends Sec-GPC: 1 or sets navigator.globalPrivacyControl=true, we:

  • Treat it as a Do Not Sell or Share My Personal Information opt-out under CCPA/CPRA — recorded in the tr_dns cookie and (after sign-in) the user_consents audit log with source: 'gpc'.
  • Set cookie preferences to “essential only” without showing the banner.
  • Apply the preference at the browser/device level; if you sign in, we attach it to your account so it follows you across devices.

You can override GPC for a specific device by visiting /do-not-sell — but we'll keep honoring GPC on every visit unless your browser stops sending it.

16. Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

17. Changes to this Statement

We may update this Privacy Statement. For material changes we will notify you in-app or by email at least 7 days before the change takes effect. The “Last updated” date at the top reflects the most recent revision.

18. Contact us

Send a message via the privacy contact form, or email our contact form. Postal mail can be requested by writing to the email above.

See also: Terms of Use