Back

Privacy Policy

Last updated · May 13, 2026

This policy describes what data Paxawa collects, why, and what control you have. We try to keep it short and in plain language.

What we collect

Account data. When you sign up (email or Google OAuth) we store your email, a display name you choose, and a unique user ID. Guest joiners may provide only a display name.

Trip data. Trip names, destinations, dates, itinerary items, votes, expenses, packing items, chat messages, and uploaded documents — all the stuff that makes up the planning. Stored in our Supabase Postgres database in Tokyo (hnd1).

Device data for push notifications. When you opt in to web push, we store the browser-provided push endpoint and encryption keys so we can deliver notifications. We don't read or analyze them — they're just routing data.

Operational data. Anonymous error reports (via Sentry), uptime / latency metrics (via Vercel), and — once you accept the cookie banner — product-analytics events (via PostHog). Analytics tracks aggregate actions (signed up, created a trip, opened a vote) — not what you wrote inside them.

What we don't collect

  • We don't sell your data.
  • We don't train AI models on your trip content.
  • We don't track you across other websites or use advertising cookies.
  • We don't collect payment information — Paxawa doesn't process payments between members.

Who we share data with

We use a small set of trusted infrastructure providers, each of whom receives only the data they need to do their job:

  • Supabase — database, authentication, and file storage. Our primary data store.
  • Vercel — application hosting and edge network.
  • Anthropic (Claude API) — AI itinerary planner, smart action chips, and budget nudges. Only the relevant prompt is sent; Anthropic does not train on your inputs by default.
  • Resend — transactional email delivery (invites, vote alerts, expense alerts).
  • Sentry — error monitoring. We send error details including your user ID (no email, no content), so we can debug what broke for you specifically.
  • PostHog — product analytics. Only after you accept the cookie banner.
  • Google (Places API) — geocoding location names you add to itinerary items.

Cookies

We use a few cookies:

  • Session cookies from Supabase to keep you signed in. Required for the app to work.
  • Theme preference (light / dark / system) stored locally. Required for the app to work.
  • Analytics cookies from PostHog. Optional — you control these via the cookie banner.

Your rights

You can:

  • View and edit everything we hold about you through the app itself.
  • Export your data — email hello@paxawa.com and we'll send you a JSON dump.
  • Delete your account at any time from Settings. Deletion removes your profile and all trips you solely own.
  • Object to processing or ask for correction by emailing us.

If you're in the EU/UK, you have GDPR rights including the right to lodge a complaint with your local data-protection authority.

Data retention

We keep your data as long as your account is active. Deleted accounts and their content are permanently removed within 30 days. Error logs and operational metrics are retained for up to 90 days.

Security

We use Row Level Security on every database table so users can only read and write data they're authorized to access. All connections are TLS-encrypted, and access tokens are encrypted at rest. Webhook secrets, API keys, and OAuth state are stored as encrypted environment variables.

Changes to this policy

We'll update this page when we change how we handle data. Material changes get announced in-app or by email.

Contact

Privacy questions, data requests, or concerns: hello@paxawa.com.