Privacy Policy — StayEatDo
Effective: 2026-06-23 · Last updated: 2026-06-23
StayEatDo (“we,” “us”) is a travel social network. This policy explains what data we collect, why, how we protect it, and the choices and rights you have. We aim to collect the minimum data needed to provide the service.
1. Information we collect
- Account & identity. Your phone number, used to authenticate you (SMS one-time passcode via our provider, Stytch). We do not store passwords.
- Bank transaction data (via Plaid), only if you connect an account. With your authorization we use Plaid to access your transaction history (Transactions product only — not balances, identity, or investments), limited to a ~24-month lookback. We use it solely to detect travel-related activity and build trip memories you can review. We do not store raw transaction details (amounts, account/card numbers, merchant strings) beyond what is needed to classify them — only a minimized derived result (a destination name + category) is kept.
- Email-derived travel signals (via the platform, only if you connect Gmail). Our platform’s ingestion service extracts travel signals and provides us only minimized results. Raw email content is never sent to or stored by the StayEatDo app.
- Approximate location (only with your permission). If you allow it, we use your device’s approximate location to show what’s happening near you. It’s resolved to a town in your browser and only the town is stored — never your precise coordinates or a continuous location history.
- Content you create. Stay/Eat/Do posts, trips, lists, comments, groups, RSVPs, and your saved places/brands/activities.
- Limited technical data needed to operate and secure the service.
2. How we use your information
To provide your feed, trips, lists, groups, and travel memories; to surface relevant places, brands, and activities (with optional booking links in the commerce surface only); and to authenticate you and keep your data secure. We do not sell your personal information, and we do not use your bank or email data for advertising.
3. Consent & legal basis
We process your data based on your consent and to provide the service you request. Connecting a financial account (Plaid) or your inbox (Gmail) requires an explicit, affirmative authorization step, and you can disconnect at any time.
4. How we share information
- Service providers: Plaid (bank connectivity), Stytch (auth), Railway (hosting/database), and our platform identity/graph and ingestion services — processing data on our behalf under their own obligations.
- Affiliate/booking links: tapping a booking link in the commerce surface routes you to a partner via an attribution redirect; we may earn a commission. These appear only in the commerce surface, never in your friend feed.
- Shared identity/vibe graph: we contribute only minimized, non-identifying signals — never raw financial data, raw email content, account/card numbers, or transaction amounts.
- Legal: when required by law or to protect rights and safety.
5. Data retention & deletion (your right to be forgotten)
We retain personal data only as long as needed, then delete or anonymize it (bounded by design — e.g., the ~24-month Plaid lookback, minimized storage). You can request deletion of your account and data, and disconnect Plaid or Gmail at any time (which revokes our access and removes stored tokens). On deletion we remove your app-local records and signal connected services to erase or anonymize their copies. Limited non-re-identifying records may be kept for integrity, security, or legal reasons.
6. Your rights & choices
Depending on where you live, you may have rights to access, correct, delete, or export your data, to withdraw consent, and to disconnect linked accounts. Use the in-app controls or contact us (Section 9). We honor applicable data-protection laws (e.g., GDPR) on a good-faith, reasonable-efforts basis.
7. Security
We protect data using commercially reasonable, best-effort measures appropriate to our size and stage — including encryption in transit (TLS), encryption at rest, encryption of sensitive access tokens, data minimization, and access controls. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
8. International, children, and changes
Data may be processed in the United States and our providers’ regions. The service is not directed to children under 13 (or the minimum age in your jurisdiction). We may update this policy; we will revise the “Last updated” date and provide reasonable notice of material changes.
9. Contact
Questions or requests: privacy@stayeatdo.co. We respond on a reasonable-efforts basis.
Provided in good faith, to the best of our knowledge and ability, as of the effective date; subject to change; not legal advice. Our handling of data via third parties (Plaid, Stytch, Railway, platform services) is also governed by their respective policies, which we do not control.