Smart Concierge Buddy ("the app") is a personal travel departure concierge. This policy describes what data Smart Concierge Buddy collects, how it is used, and your choices. The short version: your data is used only to run your own travel board, it is never sold, never used for advertising, and you can delete it at any time.
Account email and password (authentication), trips and reservations you add, your traveler profile (home airport, routine preferences, saved places), and optional content you submit for import (pasted confirmation emails or screenshots). This data is stored in our database (Supabase) under your account and is visible only to you, enforced by row-level security.
If you choose to connect Gmail, Smart Concierge Buddy requests the read-only scope gmail.readonly to find your travel confirmation emails (flights and hotels) and turn them into trips on your board.
Smart Concierge Buddy's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Smart Concierge Buddy uses Supabase (database and authentication), Vercel (application hosting), Cloudflare (push notification delivery infrastructure), Anthropic (automated parsing and assistant features), AeroDataBox (live flight status lookups by flight number — no personal data is sent), Open-Meteo (weather by airport coordinates — no personal data is sent), and Apple Push Notification service (notifications to your device). Each receives only the minimum data needed to perform its function.
Leave-by alarms are scheduled on your device. If you enable them, server-sent delay alerts use your device push token. Location (if you grant it) is used on-device to compute drive times and, optionally, to detect hotel arrival; your location is not stored on our servers.
Your data is kept while your account is active. Delete individual trips in the app at any time. To delete your account and all associated data, use the in-app option or email rushilpatel@favordeliveryheb.com — deletion is completed within 30 days.
Data is encrypted in transit (TLS) and at rest by our storage providers. Access to your rows is enforced with database row-level security tied to your authenticated session. API keys and push credentials are held server-side only.
We will post any material changes to this page and update the effective date above.