Privacy Policy
Effective Date: April 1, 2026
The TabiDay mobile application and website at tabiday.com (collectively, the "Service") are operated by RINSAI TECH Inc. (株式会社凛彩テック, hereinafter "we," "us," or "our"), a company incorporated in Fukuoka, Japan (Corporate Number: 2290001113175). This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Service.
We comply with the Act on the Protection of Personal Information (APPI) of Japan, the Personal Data Protection Act (PDPA) of Taiwan, the Personal Information Protection Act (PIPA) of Korea, and where applicable, the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).
1. Information We Collect
1.1 Information You Provide
- Account information: display name, email address, and profile photo when you create an account via Apple Sign-In, Google Sign-In, or email.
- Trip planning data: destination names and coordinates, travel dates, group size, and travel preferences (interests, pace, budget level, dietary restrictions, accessibility needs).
- User-generated text: free-form descriptions or prompts you enter when creating AI trips (up to 500 characters), and messages you send in the AI chat feature.
- Saved content: itineraries, saved places, bookmarks, and bookmark categories you create within the Service.
- Communications: messages you send to us for support or feedback.
1.2 Information Collected Automatically
- Device information: device type, operating system, app version, and unique device identifiers.
- Usage data: features used, actions taken, timestamps, and session duration.
- Crash reports: application errors and diagnostic data. Personally identifiable information is removed before transmission (see Section 3.4).
- Location data: approximate location based on IP address only. We do not collect precise GPS location.
1.3 Information from Third Parties
- Social login: if you sign in via Google or Apple, we receive your name, email, and profile photo as permitted by the provider.
2. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service.
- Generate AI-powered trip itineraries and provide AI chat assistance using third-party AI services (see Section 3.1).
- Enable place search, autocomplete, and photo display.
- Send service-related notifications (e.g., account security, feature updates).
- Analyze usage patterns in aggregate to improve user experience.
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
Legal Bases (GDPR)
- Contract performance: processing necessary to provide the Service you requested.
- Legitimate interests: analytics, security, and service improvement.
- Consent: AI data processing and optional data collection (you may withdraw consent at any time).
- Legal obligation: compliance with applicable laws.
3. Third-Party Services and Data Sharing
We do not sell your personal information. We share data with the following third-party service providers:
3.1 Google LLC — Gemini AI (Generative AI)
We use Google Gemini AI via server-side API calls to power AI features. Your data is transmitted from our servers to Google's servers in the United States. The app requests your explicit consent via an in-app modal before any data is sent to Google Gemini for the first time. You may withdraw consent at any time via Settings > Privacy in the app, which will disable AI-powered features.
Data sent to Google Gemini by feature:
- Trip Generation: destination name and coordinates, travel dates, interests, pace, budget level, dietary restrictions, accessibility needs, group size, free-form text prompt, saved place names with categories and coordinates, and accommodation location.
- AI Chat: your chat messages and conversation context necessary to generate a response.
- Place Enrichment: publicly available place information only (name, address, category, rating). No user personal data is involved.
Data NOT sent to Google Gemini: your name, email address, login credentials, payment information, precise device location, IP address, or device identifiers.
Google does not use data submitted via their API to train or improve their AI models. Processing is governed by the Gemini API Terms of Service.
3.2 Google LLC — Places API
We use the Google Places API to provide place search, autocomplete, place details, and place photos. When you search for a place, your search query and destination coordinates (not your device location) are sent to Google. See Google's Privacy Policy.
3.3 Supabase Inc. (Backend Infrastructure)
Our backend database, authentication, and server functions are hosted on Supabase (backed by Amazon Web Services) in the United States. Your account data, trip data, saved places, and preferences are stored on Supabase infrastructure and processed on our behalf under a data processing agreement.
3.4 Functional Software Inc. (Sentry — Crash Monitoring)
We use Sentry for application error monitoring. Before any crash report is sent, our app removes personally identifiable information via a client-side filter. Sentry receives only technical diagnostic data (stack traces, device type, OS version, app version). No user content, names, emails, or trip data is sent to Sentry.
3.5 Legal Requirements
We may disclose personal information when required by law, court order, or governmental authority in any applicable jurisdiction.
4. Cross-Border Data Transfers
Your data may be transferred to and processed in countries outside of your residence, primarily the United States, where our infrastructure providers (Supabase/AWS, Google) operate. Our company is based in Japan. We ensure appropriate safeguards are in place for these transfers in accordance with applicable law, including standard contractual clauses where required.
5. Data Retention
- Account data: retained while your account is active. Deleted within 30 days of account deletion via the in-app "Delete Account" function.
- Trip content and saved places: deleted when you delete your account.
- AI-processed data: data sent to Google Gemini is processed in real-time to generate a response. We do not store raw AI request/response payloads beyond the session.
- Publicly shared content: trip templates rated or used by other users may be retained in anonymized form after account deletion (your name and profile are removed).
- Usage analytics: retained in anonymized, aggregated form for product improvement. Anonymized data cannot identify you.
- Crash reports: retained in Sentry for 90 days, then automatically deleted.
- Fraud prevention identifiers: when you delete your account, we retain a one-way cryptographic hash of your login provider identity for up to 90 days to prevent abuse of promotional credits. This hash cannot be reversed to identify you and is automatically purged after 90 days.
- Legal obligations: certain data may be retained longer as required by law.
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Correction: request correction of inaccurate or incomplete data.
- Deletion: request deletion of your personal data.
- Portability: request your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Restriction: request restriction of processing in certain circumstances.
- Withdraw consent: withdraw consent for AI data processing at any time via Settings > Privacy in the app.
How to exercise your rights:
- AI consent: open the app, go to Settings > Privacy, and toggle off AI Data Sharing.
- Account deletion: open the app, go to Settings > Delete Account.
- All other requests: email privacy@rinsaitech.com. We will respond within 30 days (or as required by applicable law).
7. Cookies and Tracking
- Website: essential cookies for authentication and session management. Analytics cookies to understand website usage (you can opt out via browser settings).
- Mobile app: does not use cookies. Uses device-local storage for preferences and consent records. Does not use IDFA or advertising identifiers.
8. Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS) and at rest, row-level security on all database tables, server-side API key management, and regular security reviews. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
9. Children's Privacy
The Service is not directed to children under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe we have collected data from a child, please contact us at privacy@rinsaitech.com, and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes — particularly to the third-party AI data sharing practices described in Section 3.1 — we will notify you through the app or by other reasonable means, and update the "Effective Date" at the top. Where required, we will request renewed consent. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy, except where renewed consent is required by law.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact:
Data Controller: RINSAI TECH Inc. (株式会社凛彩テック)
Representative: En-Hao Lin (林恩豪)
Address: #302, 3-13-3 Akasaka, Chuo-ku, Fukuoka-shi, Fukuoka 810-0042, Japan
Privacy inquiries: privacy@rinsaitech.com
General support: support@tabiday.com
Website: https://tabiday.com