Privacy Policy

Passage ("we", "us", "our") is a family travel journal application available at mypassage.co. We are operated by an individual based in Canada. If you have any questions about this policy, contact us at privacy@mypassage.co.

This policy covers Passage — the travel journal app. It does not cover any other products or services. Passage is not a health app and collects no health or medical data of any kind.

When you use Passage we collect:

• Account information — your name and email address when you sign up
• Journal content — text entries, photos, and drawings you create or upload
• Voice transcriptions — if you use voice recording, your speech is transcribed to text and stored. We do not store the raw audio
• Location data — place names and map coordinates you choose to attach to entries or save as places
• Trip information — trip names, dates, cover photos, and collaborator relationships
• Usage data — basic logs such as when you signed in, generated automatically by our infrastructure

We do not collect health data, financial data, or device identifiers beyond what is standard in web server logs.

Passage allows parents to create accounts for their children. We do not allow children to create accounts independently. By creating an account for a child, the parent or guardian confirms they have the authority to consent on the child's behalf.

If you believe a child account has been created without proper parental consent, contact us at privacy@mypassage.co and we will delete it promptly.

We comply with the Children's Online Privacy Protection Act (COPPA) for users in the United States. We do not knowingly collect personal information from children under 13 without verifiable parental consent.

We use your data solely to operate Passage:

• To provide and display your journal, trips, photos, and places
• To enable collaboration between family members on shared trips
• To process voice recordings into text using AI (see Third parties below)
• To send transactional emails such as account confirmation and password reset
• To maintain security and prevent abuse

We do not use your data for advertising. We do not sell your data. We do not share your data with third parties except as described in this policy.

We use a small number of trusted third-party services to operate Passage:

• Supabase — database, file storage, and authentication. Data is stored on servers in the United States (US East region). Supabase is SOC 2 certified.
• Anthropic — AI text processing. When you use the "Clean up text" feature, your journal text is sent to Anthropic's API to improve readability. Anthropic does not use API data to train its models by default.
• Resend — transactional email delivery (account confirmation, password reset). Only your email address is shared.

We do not use advertising networks, analytics platforms, or any other third-party data services.

Your data is stored on servers located in the United States. We use industry-standard security practices including encrypted connections (HTTPS), row-level security on our database, and access controls that ensure each user can only access their own data and trips they have been invited to.

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@mypassage.co.

Regardless of where you are located, you have the right to:

• Access — request a copy of the data we hold about you
• Correction — ask us to correct inaccurate data
• Deletion — request that we delete your account and all associated data
• Portability — request your journal data in a portable format
• Withdrawal of consent — stop using Passage at any time and request deletion

To exercise any of these rights, email privacy@mypassage.co. We will respond within 30 days. For EU residents this is a right under GDPR. For California residents this is a right under CCPA. For Canadian residents this is a right under PIPEDA.

We retain your data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required to retain it by law.

Passage uses only essential cookies required for authentication (to keep you signed in). We do not use advertising cookies, tracking cookies, or analytics cookies.

Your data is stored in the United States. If you are located in the EU or UK, this means your data is transferred outside your jurisdiction. We rely on standard contractual clauses and Supabase's data processing agreements to ensure adequate protection under GDPR.

If we make material changes to this policy we will notify you by email and update the effective date above. Continued use of Passage after notification constitutes acceptance of the updated policy.

For any privacy questions or requests: privacy@mypassage.co