Privacy Policy

Last updated: May 3, 2026

1. Who we are

Grasstile (the “Service”) is a travel planning and outdoor activity app operated by Spike. Questions about this policy can be sent to spikethegreenyboy@gmail.com.

2. Public beta & launch list

If you create a beta account, we collect your email address and optional preferences (interests, frequency, and whether you want beta access) to provide the app, prioritize feedback, send founder pricing information, and share product updates.

If you use a “notify me” form without creating a full account, we collect only your email address and store it in our launch subscriber list. We use it solely to notify you when Grasstile has important launch or beta updates.

You can unsubscribe from launch emails or request deletion of your email at any time by contacting us at spikethegreenyboy@gmail.com.

3. What we collect

  • Account data — your email address and the password hash stored by Supabase Auth when you sign up.
  • Profile & preferences — travel style, pace, interests, and the theme you choose inside the app.
  • Trip data — trips, itineraries, places, activities, photos, budgets, and notes you create.
  • Usage data — coarse product analytics (for example which screens or flows are used), planning-use counts (used to enforce your plan limits), and optional error telemetry. We do not sell analytics profiles.
  • Payment data — processed entirely by Stripe. We store only your Stripe customer ID and subscription tier; we never see your card number.
  • Device data — browser type, operating system, and IP address, collected automatically by our hosting provider (Vercel).

4. How we use your data

  • Provide, operate, and improve the Service.
  • Generate editable itineraries and suggestions using your trip context (sent to recommendation providers — see Section 5).
  • Send transactional emails: invitation links, subscription receipts, and billing-related notices from Stripe where applicable.
  • Enforce plan limits (trips, planning uses, storage).
  • Detect and prevent fraud or abuse.

We do not sell your data. We do not serve ads.

5. Data storage & security

Your data is stored in a Supabase PostgreSQL database hosted in the EU (Frankfurt region) with row-level security on every table. Photos are stored in Supabase Storage. All data is encrypted at rest and in transit (TLS 1.2+).

6. Third-party services

  • Supabase — database, auth, and file storage.
  • Stripe — payment processing.
  • Recommendation providers — editable itinerary generation and Touch Grass–style suggestions. Trip context, preferences, or free-text you submit may be sent to generate output. We do not send your password; we avoid sending your email to providers where technically feasible.
  • Mapbox — interactive maps.
  • Google Places — place search and details (server-side proxy only; API key is not exposed to browsers).
  • Resend — transactional email delivery.
  • Vercel — hosting and edge network.
  • Upstash (Redis) — short-lived caching and rate-limit counters; may store hashed IP prefixes or opaque keys, not a history of everywhere you go.
  • PostHog — optional, privacy-oriented product analytics when enabled (for example flow completion). Configured without advertising cookies; see PostHog's policy.
  • Sentry — optional error monitoring when enabled, to diagnose crashes without browsing your trip content.

7. Feedback & communications

You may voluntarily email feedback, bug reports, suggestions, inconsistencies, or testimonials to spikethegreenyboy@gmail.com. You may also use in-app feedback or “report suggestion” forms: we may store your text, coarse context (such as page path or preference fields you already chose in the app), browser type, and a one-way hash of your IP address to prevent spam — not a precise location trail.

These messages may be used to improve Grasstile. We may not be able to respond to every message. Submitting feedback does not create any obligation on our part to implement suggestions.

8. Cookies & local storage

Supabase Auth sets cookies needed to keep you signed in. We do not run third-party advertising networks.

If product analytics (PostHog) is enabled for your deployment, PostHog may use first-party cookies or similar storage to distinguish sessions in a privacy-oriented configuration — not for ad retargeting.

Your theme and font preferences are stored in localStorage on your device. Browser geolocation prompts are handled by your browser; coarse city or coordinates you approve may be sent to our servers only to generate nearby ideas for that request, consistent with in-app copy.

9. Your rights (GDPR / CCPA)

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — update your email or profile via Settings.
  • Deletion — delete your account and all associated data via Settings → Delete account. Deletion is permanent and processed within 30 days.
  • Portability — export your trips in multiple formats (JSON, CSV, Markdown, plain text, GPX, GeoJSON, and calendar/ICS files) at any time from the trip view.
  • Objection — opt out of marketing emails at any time. Your marketing preference is stored as part of your account and can be changed by contacting us. Transactional emails (billing, security) cannot be disabled.

To exercise any right, email spikethegreenyboy@gmail.com. We respond within 30 days.

10. Data retention

We keep your data as long as your account is active. Cached generated itineraries are purged after 30 days. After account deletion, backups are purged within 30 days.

11. Children

Grasstile is not directed at children under 16. If you believe a child has created an account, email us and we will delete it promptly.

12. Changes to this policy

We may update this policy. We will notify you by email or an in-app banner at least 14 days before material changes take effect.

13. Contact

spikethegreenyboy@gmail.com