Privacy Policy
Last updated: April 30, 2026
This app is a private family trip coordinator for a group of 19 people traveling together on Royal Caribbean's Hero of the Seas in 2027. It is not a public service.
We collect phone numbers for authentication only — specifically, to send a one-time verification code via SMS when a family member signs in. Phone numbers are stored in our database and are never shared with third parties or used for marketing.
Names, relationships, packing checklists, photos, and trip coordination data that users enter into the app are stored so that family members can see them. This data is visible only to other members of the family trip group and is not shared externally.
We also store whether a user is identified as a minor (under 18). This flag affects what content the AI assistant will discuss with that user and is set by the trip organizer, not self-reported.
SMS messages are delivered via Twilio. Standard message and data rates may apply from your mobile carrier.
AI assistant
The FAQ page includes an AI chat assistant powered by Anthropic's API. When you send a message, it is transmitted to Anthropic to generate a response. We do not currently log or store chat messages on our servers — conversations exist only in your browser while the page is open.
Please do not share sensitive personal information (passport numbers, payment details, medical records, etc.) in the chat.
Organizer notifications
When the AI assistant is asked a trip question it can't answer from its knowledge base, the app sends a short email to the trip organizer so they can fill in the missing detail for the next person who asks. These emails are delivered via a transactional email provider (Postmark).
Each notification contains the question the user typed and an indication of who sent it. For adults, this includes the user's first name so the organizer knows who to follow up with. For minors, the sender is identified only as "a minor" — a child's name is never included in these emails.
Phone numbers, crew identifiers, cabin numbers, family roles, and family-unit information are never included. These emails go only to the trip organizer and are not shared with any other third party beyond Postmark, which acts as the delivery service.
Error reporting
When something breaks in the app, we send a small error report to Sentry (a developer tool) so the organizer can diagnose and fix it. These reports are automatically sent from your browser or from our servers when an error occurs, so we can see what broke without needing you to describe it.
Before a report leaves your device (or our server), it is automatically scrubbed to remove personally identifying information. The following fields are redacted wherever they appear in a report:
- Names
- Family role (adult, teen, child, toddler, organizer)
- Crew IDs (the short identifiers used internally)
- Phone numbers
In addition, the full contents of any request to our checklist/packing-list routes are stripped before sending — so the text of your packing list items is never included in an error report.
What a typical report does include is a stack trace (which line of code failed), the URL path that was loaded, the browser and operating system version, and the time of the error. These are used strictly to fix bugs and are not shared with third parties beyond Sentry.
Children and error reports
The error-report scrubbing above applies uniformly — whether the user is an adult, teen, or child. In practice, this means that when a child uses the app, Sentry never receives:
- The child's name
- The fact that the user is a minor
- The child's phone number or crew identifier
- Any text the child has typed into a packing list
- Any message the child has typed into the AI assistant (those messages never pass through Sentry at all)
The same principle applies to the organizer-notification emails described above: when a minor's AI question can't be answered, the notification email sent to the organizer identifies the sender only as "a minor" — a child's name is never sent to the email provider.
What a report about a child's session can include is the same non-identifying technical context as an adult's: the URL path they were on, the stack trace of the failing code, and browser/device info. None of this is tied back to the child's identity.
Photo storage
Photos uploaded by users are stored in Amazon Web Services (AWS) S3 in a US region. Photos are accessible only to invited app users via authenticated, time-limited URLs.
Uploaded photos are retained for the duration of the trip plus 90 days, then deleted. We do not use uploaded photos for any purpose other than displaying them within the app. Users may request deletion of their photos at any time by contacting the trip organizer.
Children's privacy
The app may be used by or on behalf of children under 13. Parents or guardians are responsible for supervising minors' use of the app. We do not knowingly collect data from minors independently of their traveling party.
Users identified as minors (under 18) are served a restricted version of the AI assistant. The assistant will not discuss or respond to questions about alcohol, gambling, adult-only venues, drugs, violence, or other content inappropriate for minors — regardless of how the question is asked. It redirects to kid-friendly content instead.
The minor flag is set by the trip organizer at account setup and is not self-reported by the user.
To request deletion of your data or to ask questions, contact the trip organizer directly.