Privacy Policy

HerdingKats ("we," "us," or "our") operates the HerdingKats web application at herdingkats.com. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and your rights regarding that information.

By using HerdingKats, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use our service.

Account Information

When you register, we collect your email address and display name. We also store your timezone (auto-detected from your browser) and language preference.

Event Planning Data

When you create or participate in events, we store event titles, descriptions, dates, locations (text and coordinates), and your availability selections.

Children's Information

For kids' events and playdates, organizers and parents may provide children's names, ages, allergies, dietary restrictions, medical notes, emergency contact information, and supervision preferences. This data is only visible to the event organizer and the parent who provided it.

Calendar Data

If you connect a Google or Microsoft calendar, we import free/busy status only. We never access, store, or display your calendar event titles, descriptions, attendees, or any other event content. Other participants only see aggregate availability (e.g., "4 of 6 people are free") — individual calendar data is never exposed.

Location Data

We store event locations, home addresses (if you choose to provide one for carpool features), carpool pickup/departure addresses, and their geographic coordinates.

Payment Information

Payment processing is handled entirely by Stripe. We never receive, store, or have access to your credit card numbers. We store only your Stripe customer ID and subscription status to manage your plan.

Communications

We store event chat messages you send within the app. We also log transactional emails and SMS messages we send to you (recipient address, delivery status) for operational reliability.

Technical Data

We store IP addresses in admin audit logs for security purposes. We use functional cookies (described below) but do not use analytics, tracking, or advertising cookies.

We use your information exclusively to:

• Provide and operate the HerdingKats service
• Send transactional notifications (event invitations, reminders, date confirmations)
• Process payments and manage subscriptions via Stripe
• Import calendar free/busy data to help find available times
• Provide weather forecasts for event planning (outdoor events only)
• Maintain security, prevent abuse, and troubleshoot issues

We want to be crystal clear about what we will never do with your data:

• We do NOT sell your personal data to anyone, for any reason, ever.
• We do NOT share your data with advertisers or ad networks.
• We do NOT use your data for profiling, behavioral analysis, or targeted advertising.
• We do NOT track you across other websites or services.
• We do NOT use analytics or tracking cookies.
• We do NOT read your calendar event details — only free/busy status.

We use the following third-party services to operate HerdingKats:

• Supabase — Database hosting, authentication, and real-time features (PostgreSQL)
• Stripe — Payment processing (PCI-DSS compliant; we never handle card data)
• Resend — Transactional email delivery
• Twilio — SMS message delivery (for premium SMS invitations)
• Google Calendar API — Calendar free/busy import (OAuth 2.0, read-only scope)
• Microsoft Graph API — Calendar free/busy import (OAuth 2.0, read-only scope)
• Cloudflare Turnstile — Bot protection on registration (no tracking cookies)
• Open-Meteo — Weather forecasts (no personal data sent; only event coordinates and dates)
• Vercel — Application hosting and deployment

Each of these services has its own privacy policy. We only share the minimum data necessary for each service to function.

We use functional cookies only. We do not use analytics, advertising, or tracking cookies.

• Authentication cookies — Session tokens managed by Supabase Auth (essential for login)
• Locale cookie — Stores your language preference (persists 365 days)
• Theme cookie — Stores your light/dark mode preference (persists 365 days)
• OAuth state cookies — Short-lived CSRF tokens used during calendar connection (HTTP-only, deleted after use)

We take the security of your data seriously. Our measures include:

• Row-Level Security (RLS) on every database table — users can only access events they created or were invited to
• Encrypted OAuth tokens — Calendar connection tokens are encrypted at rest
• HTTPS everywhere — All data in transit is encrypted
• Rate limiting — Protection against brute-force attacks
• CAPTCHA — Bot protection on registration
• Magic link tokens — Unique, time-limited tokens for guest access (expire after 30 days)

While no system is perfectly secure, we follow industry best practices to protect your information.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of access — Request a copy of the personal data we hold about you
• Right to rectification — Request correction of inaccurate data
• Right to erasure — Request deletion of your personal data ("right to be forgotten")
• Right to data portability — Receive your data in a structured, machine-readable format
• Right to restrict processing — Request that we limit how we use your data
• Right to object — Object to processing of your data
• Right to withdraw consent — Withdraw consent at any time (where processing is based on consent)

Our legal basis for processing your data is contractual necessity (to provide the service you signed up for) and legitimate interest (security, fraud prevention). We do not process data based on consent for core functionality.

To exercise any of these rights, contact us at the email address listed below.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know — Request what personal information we collect, use, and disclose about you
• Right to delete — Request deletion of your personal information
• Right to opt-out of sale — We do not sell your personal information, so this right is automatically satisfied
• Right to non-discrimination — We will not discriminate against you for exercising your privacy rights

We do not sell, rent, or trade personal information. We do not share personal information for cross-context behavioral advertising. No "Do Not Sell" opt-out is necessary because we never sell data.

HerdingKats is not directed at children under 13. We do not knowingly collect personal information from children under 13 as account holders. If we learn that a child under 13 has created an account, we will delete it promptly.

Our kids' event features allow parents and guardians to enter information about their children (names, ages, allergies, medical notes) for event coordination purposes. This information is provided by the parent/guardian, is visible only to the event organizer and the submitting parent, and can be deleted at any time by either party.

We apply data minimization principles — only information necessary for safe event coordination is requested, and it is never used for any other purpose.

We retain your personal data for as long as your account is active or as needed to provide the service. Specifically:

• Account data — Retained while your account is active; deleted upon account deletion request
• Event data — Retained for the lifetime of the event; organizers can delete events at any time
• Calendar tokens — Deleted when you disconnect a calendar or delete your account
• Guest access tokens — Expire automatically after 30 days
• Audit logs — Retained for up to 12 months for security purposes

When you delete your account, we delete all associated personal data within 30 days, except where we are legally required to retain it.

Your data may be processed in the United States and/or European Union through our infrastructure providers (Supabase, Vercel, Stripe). These providers maintain appropriate safeguards including Standard Contractual Clauses (SCCs) for EU-to-US data transfers.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email (to the address associated with your account) and/or a prominent notice within the application prior to the changes taking effect.

The "Effective date" at the top of this page indicates when the policy was last updated.

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your information, please contact us at:

Email: privacy@herdingkats.com

We aim to respond to all data rights requests within 30 days.