EASYMILES PRIVACY POLICY Last updated: 2026-05-24 This Privacy Policy describes how EasyMiles ("we", "us", "our") handles your personal data when you use the EasyMiles mobile application (the "App"). By using the App you agree to this policy. 1. DATA WE COLLECT Account info. Email address, display name, and a sign-in identifier received from Apple or Google when you sign in. We never see or store your password. Trip data. Destinations, travel dates, traveler counts, pace, budget tier, interests, accommodation address, and any free-text notes you enter while planning. This is required to generate your itinerary. Generated itinerary. The day-by-day plan our AI produces for you. Diagnostic data. When the App errors out, we record a stack trace plus App and OS version. Free-text input and personal details are never included. Product interaction. When you generate or replan a trip we log an aggregate analytics event with the shape of the request: pace, budget tier, trip type, traveler count, duration in days, and the number of interests selected. No destination, account identifier, or free-text content is included. We do NOT collect: - Device GPS or precise location. - Contacts, calendar, photos, microphone, or camera. - Advertising or tracking identifiers. 2. HOW WE USE THE DATA - Sign you in. - Generate and store your itinerary. - Keep the App reliable (crash reports, performance traces). - Improve the App (aggregate analytics). We do not sell your data, share it with advertisers, or use it for profiling. 3. WHERE YOUR DATA IS STORED Your account and trip data live in Google Firebase Firestore in Belgium (europe-west1). All processing happens within the European Union. Data is encrypted in transit (TLS) and at rest (AES-256). 4. THIRD-PARTY PROCESSORS Each is contractually bound to handle your data only on our instructions: - Firebase Authentication (Google Ireland Ltd.): sign-in. - Cloud Firestore (Google Ireland Ltd.): data storage. - Cloud Functions (Google Ireland Ltd.): server-side trip generation. - Vertex AI Gemini (Google LLC): AI itinerary generation. Receives trip preferences only, no personal identifiers. - Google Places API (Google LLC): venue lookup. Receives the destination and search query. - Firebase Analytics (Google Ireland Ltd.): aggregate event analytics. Receives the trip-shape parameters listed in section 1. - Sentry (Functional Software, Inc.): crash and error reporting. Receives diagnostic data. - Sign in with Apple (Apple Inc.) and Google Sign In (Google Ireland Ltd.): sign-in options. Where data leaves the EU (Vertex AI inference, Sentry), it is governed by Google's Standard Contractual Clauses approved by the European Commission. 5. YOUR RIGHTS If you are in the EEA, UK, or another jurisdiction with comparable rights, you may: - Access the data we hold about you. - Correct inaccurate data. - Delete your account and all trip data. - Export your data in a portable format. - Restrict or object to certain processing. - Withdraw consent where consent is the legal basis. - Lodge a complaint with your local data protection authority. To exercise these rights, email abespolovwork@gmail.com. We respond within 30 days. You can also delete your account directly from the profile screen at any time. This permanently removes your account and trip data. 6. LEGAL BASIS (EEA / UK) We process your data based on: - Contract: providing the trip-planning service (Art. 6(1)(b) GDPR). - Legitimate interest: keeping the App reliable and secure (Art. 6(1)(f) GDPR). - Consent: for optional features, recorded separately. 7. DATA RETENTION - Account information: until you delete your account. - Trip data: until you delete the trip or your account. - Diagnostic / crash reports: 90 days. - Performance traces: 30 days. - Product-interaction events (Analytics): 14 months (GA4 default). After you delete your account we erase your data within 30 days. 8. CHILDREN The App is not directed at children under 16. We do not knowingly collect personal information from children. 9. SECURITY We protect your data with: - TLS 1.2+ encryption in transit. - Encryption at rest in Firestore (AES-256). - Restricted access controls. Only authorised personnel can access production systems, and only when required for support. - Server-side validation and rate limiting. If a breach affects your data we will notify you and the relevant regulator within the timeframes required by law (72 hours in the EEA). 10. CHANGES We may update this policy as the App evolves. Material changes are surfaced in the App and require your re-acceptance. Minor edits update the "Last updated" date. 11. CONTACT Email: abespolovwork@gmail.com