Privacy Policy

Effective Date: March 7, 2026

Tabiday ("we," "us," or "our") operates the Tabiday mobile application and website at tabiday.com (collectively, the "Service"). This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Service.

We are based in Taiwan and comply with the Taiwan Personal Data Protection Act (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Information We Collect

1.1 Information You Provide

• Account information: email address, display name, and profile photo when you create an account.
• Trip content: itineraries, saved places, notes, and preferences you create within the Service.
• Communications: messages you send to us for support or feedback.

1.2 Information Collected Automatically

• Device information: device type, operating system, app version, and unique device identifiers.
• Usage data: features used, pages visited, actions taken, timestamps, and session duration.
• Location data: approximate location based on IP address. We do not collect precise GPS location without your explicit consent.
• Log data: IP address, browser type, referring/exit pages, and crash reports.

1.3 Information from Third Parties

• Social login: if you sign in via Google or Apple, we receive your name, email, and profile photo as permitted by the provider.

2. How We Use Your Information

We use your information to:

• Provide, maintain, and improve the Service.
• Generate AI-powered trip suggestions and place recommendations.
• Enable trip sharing and collaboration features.
• Send service-related notifications (e.g., account security, feature updates).
• Analyze usage patterns to improve user experience.
• Detect and prevent fraud, abuse, and security incidents.
• Comply with legal obligations.

Legal Bases (GDPR)

• Contract performance: processing necessary to provide the Service you requested.
• Legitimate interests: analytics, security, and service improvement.
• Consent: marketing communications and optional data collection (you may withdraw consent at any time).
• Legal obligation: compliance with applicable laws.

3. How We Share Your Information

We do not sell your personal information. We may share it with:

• AI service providers: trip content may be sent to third-party AI providers (e.g., OpenAI, Anthropic) to generate suggestions. This data is processed according to their data processing agreements and is not used to train their models.
• Infrastructure providers: cloud hosting (Supabase, Vercel), analytics, and error monitoring services that process data on our behalf.
• Other users: trip content you choose to share publicly is visible to anyone with the link.
• Legal requirements: when required by law, court order, or governmental authority.

4. Cross-Border Data Transfers

Your data may be transferred to and processed in countries outside of your residence, including the United States (where our cloud infrastructure and AI providers operate). We ensure appropriate safeguards are in place, including standard contractual clauses where required by GDPR.

5. Data Retention

• Account data: retained while your account is active and for up to 30 days after deletion to allow recovery.
• Trip content: deleted when you delete a trip or your account, subject to backup retention periods (up to 90 days).
• Usage analytics: retained in aggregated, anonymized form indefinitely.
• Legal obligations: certain data may be retained longer as required by law.

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Correction: request correction of inaccurate or incomplete data.
• Deletion: request deletion of your personal data.
• Portability: request your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests.
• Restriction: request restriction of processing in certain circumstances.
• Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise these rights, contact us at privacy@tabiday.com. We will respond within 30 days (or as required by applicable law). Under Taiwan PDPA, you may also exercise your rights by contacting us directly.

7. Cookies and Tracking

• Essential cookies: required for authentication and session management.
• Analytics cookies: used to understand how visitors interact with the website. You can opt out through your browser settings.

The mobile app does not use cookies but may use similar technologies for analytics purposes.

8. Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

9. Children's Privacy

The Service is not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected data from a child under 16, please contact us at privacy@tabiday.com, and we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the Service or by other reasonable means, and update the "Effective Date" at the top. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Email: privacy@tabiday.com
Website: https://tabiday.com

This is a template for informational purposes. Consult with a qualified attorney for legal advice specific to your situation.