Privacy Notice
Last updated: April 27, 2026
This notice explains what personal data Plan With Friends collects, why we collect it, who we share it with, and the rights you have over it.
1. Who we are
Plan With Friends is operated by Lucas Didier ("we", "us", "our"), acting as the data controller for the personal data described in this notice. You can reach us at hello@lucasdidier.com.
2. What data we collect
- Account data — your email address, password hash, and authentication tokens (or, if you sign in with Google, your Google profile email and identifier).
- Profile data — your display name and any preferences you set.
- Session content — the dinners and trips you create, the participant names you add, the food/travel preferences voted on by participants, and the AI suggestions generated for your sessions.
- Communications — emails you send to us, support messages, and unsubscribe preferences.
- Usage and device data — IP address, browser type, device identifiers, pages visited, and approximate location derived from IP. We use this for security, fraud prevention, and to improve the product.
- Payment data — when you make a purchase, payment details (card number, billing address, tax info) are collected and processed by Paddle, our Merchant of Record. We do not see or store full payment-card details; we only receive a customer identifier and transaction status from Paddle.
3. Why we collect it (purposes & legal bases)
- To provide the service (creating accounts, hosting your sessions, generating AI suggestions, sending invites) — legal basis: performance of a contract.
- To process payments and manage subscriptions — legal basis: performance of a contract (with you) and legitimate interest (in being paid).
- To keep the service secure (rate limiting, fraud detection, abuse prevention) — legal basis: legitimate interest in protecting the service and users.
- To improve the product (aggregated analytics, debugging) — legal basis: legitimate interest in improving Plan With Friends.
- To send service communications (account confirmations, receipts, security alerts) — legal basis: performance of a contract / legal obligation.
- To comply with legal obligations (tax records, responding to lawful requests) — legal basis: legal obligation.
4. Who we share it with
We don't sell your personal data. We share it only with the categories of recipients below, and only as needed:
- Paddle.com — our Merchant of Record. Paddle handles checkout, billing, tax compliance, invoicing, refunds, and subscription management. See Paddle's Privacy Policy.
- Hosting and infrastructure — Supabase (database, authentication, file storage) and Cloudflare (edge hosting, CDN).
- AI providers — Google (Gemini) and OpenAI, used to generate recipe and destination suggestions. Prompts may include your session preferences but not your account email or payment data.
- Email delivery — Resend, used to send transactional emails (account confirmations, password resets, invites).
- Professional advisers — accountants and legal advisers, where required.
- Authorities — when we are legally required to disclose data (e.g. court order, fraud investigation).
5. International transfers
Some of our service providers are based outside the European Economic Area (notably in the United States). When data is transferred internationally, we rely on the European Commission's Standard Contractual Clauses or an adequacy decision to ensure your data is protected to a standard equivalent to EU/UK law.
6. How long we keep it
- Account & session data — for as long as your account is active. When you delete your account, we delete your personal data within 30 days, except where retention is required by law.
- Payment records — kept by Paddle and us for up to 10 years to comply with tax and accounting obligations.
- Server logs — typically retained for 30–90 days for security and debugging.
7. Your rights
Depending on where you live, you have the right to:
- access the personal data we hold about you;
- correct inaccurate or incomplete data;
- delete your data ("right to be forgotten");
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent where processing is based on consent;
- lodge a complaint with your local data-protection authority (in France, the CNIL).
To exercise any of these rights, email hello@lucasdidier.com. We respond within one month.
8. Security
We use appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest, access controls, and regular backups. No system is perfectly secure, but we work hard to keep yours safe.
9. Cookies
Plan With Friends uses only essential cookies needed for the service to work — for example, to keep you logged in and to remember your theme preference. We don't use advertising or third-party tracking cookies.
10. Children
Plan With Friends is not intended for children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this notice
We may update this notice from time to time. Material changes will be communicated by email or in-product notice.
12. Contact
Questions or complaints? Email hello@lucasdidier.com.