Privacy Policy

Last updated:

We collect the minimum to make the app work. No tracking, no selling, no ads. Your data sits in the EU. The detail is below; if anything's unclear, email us.

1. Who we are

Kindiro is operated by Tatooine Technology Ltd, a limited company in the United Kingdom, acting as data controller. Contact: support@kindiro.com.

2. What we collect

  • Account data from your Google account: email address, display name, and (optionally) avatar image URL. We use Google Sign-In via Supabase Auth; we don't store your Google password and never see it.
  • Trip content you enter: trip names, dates, destinations, members' display names, expenses, payments, schedule items, and any hero images you upload.
  • Session cookies: two short-lived cookies that keep you signed in. Strictly necessary — the app doesn't work without them. Not used for tracking.
  • Server logs: request metadata (timestamp, path, status code) and error traces, held briefly for operational troubleshooting.

For product analytics on our public pages we use Plausible — a privacy-friendly, EU-hosted tool that is cookieless, counts visits in aggregate, and never collects personal data or tracks you across sites. Inside the signed-in app we use PostHog (EU) to see which features get used and how the product is working — it's tied to your account and uses first-party storage on your device for that, never for advertising or cross-site tracking. There are no advertising or cross-site trackers on any Kindiro page.

3. Why we collect it

To sign you in and to run the product you signed up for: showing your trips, letting your friends join them, computing who owes whom. That's the only purpose.

Legal basis under UK-GDPR: performance of a contract with you (article 6(1)(b)) — we need the data to provide the service you've asked for.

4. Where it lives

Your data sits on managed infrastructure in the European Union:

  • Supabase (EU region) — database and authentication.
  • Render (Frankfurt) — application servers and managed Redis cache.
  • Cloudflare — DNS, CDN edge for static assets and uploaded images. Cloudflare may route your request through a point of presence outside the EU for performance; the data it handles in transit is encrypted end-to-end.
  • Resend (via Supabase SMTP relay) — outbound transactional email (sign-in links). Stores the minimum needed to deliver mail.
  • Open-Meteo — used for the weather forecast on trip pages. We send only the trip's destination coordinates and date range; no personal data.
  • Google — we use Google Sign-In. Google sees that you authenticated to Kindiro and returns your email + basic profile; we don't send anything else.
  • Sentry (EU region) — error tracking and performance traces. When the app crashes or a request fails, Sentry receives the stack trace, request path, and an anonymised user identifier (your trip-member id, never your email or auth token). We use this to debug bugs and slow paths; events expire on a rolling 90-day window.
  • Plausible (EU) — privacy-friendly, cookieless analytics for our public marketing pages. Records aggregate visit counts and referral sources; sets no cookies and stores no personal data or cross-site identifiers.
  • PostHog (EU Cloud, Frankfurt) — product analytics inside the signed-in app, tied to your account to measure feature usage and retention. Uses first-party storage on your device; no session recording, no advertising, no cross-site tracking.

Each of these is a sub-processor under standard data-protection terms. If this list changes, we'll update this page.

5. Who can see your data

The members of a trip can see that trip's content (that's the whole point). AI assistants you've explicitly connected via MCP can read and write the same content on your behalf — see section 6 for what that involves and how to revoke. Nobody else gets access to your trips, expenses, or payments.

We don't sell your data. We don't share it with advertisers or brokers. We only disclose it if legally compelled to (e.g. by a court order), and we'll push back on overreaching requests where we reasonably can.

6. AI assistants (MCP)

Kindiro ships a public Model Context Protocol (MCP) server at mcp.kindiro.com. It lets AI assistants you choose — Claude, ChatGPT, or any MCP-capable client — read and write your trip data on your behalf, after you explicitly connect them. We never connect an assistant for you.

What an assistant can see and act on, scoped to the trips you're a member of (not all trips on Kindiro):

  • Read your trips, their members' display names and roles, expenses, payments, schedule items, your own balance, and the trip's settlement plan.
  • Write on your behalf: add a trip, expense, or schedule event; mark one of your own payments as sent; mint or surface a shareable invite link to add new members to a trip; update or delete content you're already allowed to edit on the web app (the same role rules apply — owners and co-owners can edit trip-wide content and invite, members can edit their own).

What we deliberately don't expose through MCP:

  • Other members' email addresses or passwords.
  • Your or anyone else's authentication tokens.
  • Conversation data from your AI assistant — we don't see what you ask Claude.

Authentication. Connecting an assistant runs OAuth 2.1 with PKCE against Supabase, scoped to the same Kindiro account you use on the web. The assistant receives a short-lived access token issued by Supabase. Kindiro doesn't see and doesn't store the tokens issued to the assistant.

Once connected, the assistant (and its provider's infrastructure) holds an access token and possibly a refresh token. What it does with them — caching, logging, conversation storage — is governed by that provider's privacy policy, not this one. For Claude specifically that's Anthropic's policy.

Revoking access. Disconnect the connector in your assistant's settings (in Claude.ai: Settings → Connectors → Kindiro → Disconnect). The assistant's access token expires within an hour and stops working. To revoke immediately on our side, sign out of Kindiro on the web — your existing tokens stop working straight away.

7. How long we keep it

We hold your data for as long as your account is active. If you ask us to delete your account, we delete your profile and the trips you own within 30 days. Trips where you were a member but not the creator will have your membership removed but won't be deleted — they belong to the trip creator.

Server logs and encrypted database backups may persist for up to 30 days beyond that for operational reasons (debugging, disaster recovery). They're not queried for any other purpose.

8. Your rights

Under UK-GDPR you have the right to access, correct, delete, or export your personal data, and to object to or restrict our processing of it. Email support@kindiro.com with any of these requests — we'll respond within 30 days.

If you're unhappy with how we handle your data, you can complain to the UK Information Commissioner's Office at ico.org.uk.

9. Changes

We'll update this policy when the app or its sub-processors change. The "Last updated" date at the top of the page always reflects the current version. For material changes we'll do our best to email signed-in users in advance.