This Privacy Notice explains how Hey Judy (trading as "Judy", "we", "us") collects and uses personal data when you use the Service. We act as the data controller for the personal data described here.
1. Data we collect
- Account data: name, email address, password hash, sign-in provider (e.g. Google), profile preferences.
- Trip and content data: destinations, dates, travelers, prompts, itineraries you generate, chat messages, uploaded documents (passports, tickets), and group memberships.
- AI inputs and outputs: the prompts you submit and the responses our AI generates, used to provide the Service.
- Usage and device data: IP address, device and browser identifiers, pages visited, feature usage, error logs, push-notification tokens.
- Support data: messages you send to support and any attachments.
Payment card details are collected and processed directly by our Merchant of Record, Paddle — we do not see or store your full card number.
2. How we use your data and legal bases
- Provide the Service (create accounts, generate itineraries, track flights, manage groups) — performance of our contract with you.
- Operate billing and entitlements with Paddle — performance of contract and legal obligation.
- Security, fraud prevention, and abuse detection — legitimate interests (protecting users and our Service).
- Improve the Service (debug errors, analyze aggregate usage) — legitimate interests.
- Customer support — performance of contract and legitimate interests.
- Transactional emails (account, booking confirmations, security alerts) — performance of contract.
- Marketing emails and push notifications — your consent, which you can withdraw at any time.
3. AI processing
We send your prompts and the minimum context needed (e.g. trip parameters) to third-party AI model providers via the Lovable AI Gateway to generate responses. We do not use your personal trip data to train third-party foundation models. Do not submit sensitive personal data (e.g. health information or government IDs) in chat to the AI; use the document vault for documents you need to store.
4. Who we share data with
- Service providers (subprocessors): cloud hosting and database (Supabase / Cloudflare), AI model providers (via Lovable AI Gateway), email delivery, push-notification services, error monitoring, image search APIs (Pexels, Pixabay), flight data (FlightAware AeroAPI, Duffel).
- Merchant of Record: Paddle, for sales, subscription management, payments, tax compliance, and invoicing — see Paddle's Privacy Policy.
- Other group members: when you join or are invited to a group trip, your name, email, messages, and trip contributions are visible to other group members.
- Professional advisers (legal, accounting) where necessary.
- Authorities where required by law or to protect rights, safety, or property.
- Successors in connection with a merger, acquisition, or asset sale, subject to equivalent protections.
We do not sell your personal data.
5. International transfers
Our providers may process data outside your country, including in the United States and the European Economic Area. Where required, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and adequacy decisions.
6. Retention
We keep account and trip data for as long as your account is active. If you delete your account, we delete or anonymize your personal data within 90 days, except where we must retain it for legal, tax, accounting, fraud-prevention, or dispute-resolution purposes (typically up to 7 years for billing records). Backups are overwritten on a rolling schedule.
7. Your rights
Depending on where you live, you may have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- delete your data ("right to be forgotten");
- restrict or object to processing;
- port your data to another service;
- withdraw consent (e.g. marketing) at any time;
- complain to your local data-protection authority.
To exercise these rights, email privacy@heyjudy.app. We respond within one month.
8. Security
We use appropriate technical and organizational measures to protect your data, including encryption in transit (HTTPS), encryption at rest, role-based access controls, row-level security in our database, and regular security reviews. No system is 100% secure — please use a strong, unique password.
9. Children
Judy is not directed to children under 16. If you believe a child has given us personal data, contact us and we will delete it.
10. Cookies and similar technologies
We use a small number of cookies and local-storage items that are strictly necessary to operate the Service (sign-in session, security, remembering your subscription tier). We do not use third-party advertising or cross-site tracking cookies. If we add analytics cookies in the future, we will ask for your consent first.
11. Changes
We may update this Privacy Notice. Material changes will be communicated in-app or by email.
12. Contact
Questions or requests: privacy@heyjudy.app.