Privacy Policy
Last updated: 26 April 2026 · Effective: 26 April 2026
Made It Out The GC (“we”, “us”, “our”) is an independent trip-planning app. This policy explains what personal data we collect when you use our trip-planning service at www.mitgc.app, why we collect it, who we share it with, and your rights. We are the data controller under UK GDPR and EU GDPR.
1. Data we collect and why
Service data
What: group name, participant names, and the calendar dates you mark as unavailable.
Why: this data is the service. Without it we cannot calculate overlapping availability.
Legal basis: contract performance — processing is necessary to deliver the service you requested.
We do not require an account. You access your group via a private link. We do not collect your email address.
Push notifications
What: your device's push notification token.
Why: to send you group reminders when requested.
Legal basis: consent — we only store your token if you explicitly grant notification permission. You can revoke permission at any time in your device Settings. We delete your token within 30 days of revocation or upon a deletion request.
Analytics
What: anonymised usage events (e.g. “group created”, “calendar viewed”). All text inputs are masked — we never capture names or dates.
Why: to understand how the app is used and where it can be improved.
Legal basis: consent — analytics are off by default. Nothing is sent to our analytics provider until you opt in via the in-app prompt. You can change your preference at any time using the toggle above; withdrawal does not affect any lawful processing before that point.
Technical / server logs
What: IP address and device/browser type, logged automatically by our infrastructure when you load the app.
Why: security, abuse detection, and standard infrastructure operation.
Legal basis: legitimate interests — this is a necessary part of running any internet service. This data is not linked to your identity.
Local device storage
We use your browser's sessionStorage and localStorage for app functionality — for example, to avoid re-showing a celebration animation on reload. Our analytics provider (PostHog) also stores an anonymous device identifier and your analytics preference in localStorage. This identifier contains no name or contact information and is not shared with any party other than PostHog if you opt in to analytics.
2. Third-party processors
We share data with the following providers, each of whom processes data only on our instructions and under a data processing agreement:
| Provider | Role | Location |
|---|---|---|
| Supabase, Inc. | Database | USA |
| Vercel, Inc. | Hosting | USA |
| PostHog, Inc. | Analytics (if consented) | EU |
| Google Firebase | Push notifications (if consented) | USA |
We do not sell, rent, or share your data with any other third party, and we do not use your data for advertising.
3. International data transfers
Some of our processors are based in the United States. Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place — specifically, Standard Contractual Clauses (SCCs) approved by the European Commission and incorporated in each provider's Data Processing Agreement. PostHog data remains EU-hosted and does not transfer outside the EEA.
4. How long we keep your data
| Data type | Retention period |
|---|---|
| Group and participant data | Until you request deletion |
| Push notification tokens | Until revoked or deletion request (deleted within 30 days) |
| Analytics data (if consented) | 12 months, then automatically deleted |
| Server logs | Up to 24 hours depending on provider (hosting: 1 hour; database: 24 hours). Logs are not retained long-term. |
To request deletion of your group's data, email privacy@mitgc.app with your group's link. We will delete all associated records within 30 days.
5. Your rights
EEA and UK residents (GDPR / UK GDPR)
You have the right to: access the personal data we hold about you; correct inaccurate data; request erasure; restrict or object to processing; receive your data in a portable format; withdraw consent at any time (where processing is consent-based); and lodge a complaint with your supervisory authority — UK: the ICO at ico.org.uk; EU: your national data protection authority.
California residents (CCPA / CPRA)
You have the right to: know what personal information we collect, use, and disclose; request deletion of your personal information; correct inaccurate personal information; opt out of the sale or sharing of personal information for advertising (we do not sell or share personal information — this right does not apply to our current practices); and non-discrimination for exercising your rights.
To submit a California privacy request, email privacy@mitgc.app. We will respond within 45 days. You may designate an authorised agent to make a request on your behalf.
Canadian residents (PIPEDA)
You have the right to access the personal information we hold about you and to challenge its accuracy. Contact privacy@mitgc.app.
All users
To exercise any right, email privacy@mitgc.app. We will acknowledge your request within 72 hours and fulfil it within 30 days (extendable by 60 days where permitted by law, with notice).
6. Children
This service is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from anyone under 13. If you believe a child has submitted data through our service, contact us at privacy@mitgc.app and we will delete it promptly.
7. Changes to this policy
If we make material changes to this policy, we will notify you by posting a notice within the app at least 14 days before the changes take effect. We will never treat your continued use of the service as consent to any change in how we process your personal data.
8. Contact
For privacy enquiries, data subject requests, or complaints:
Email: privacy@mitgc.app
Response time: within 72 hours