legal

Privacy Policy

Last updated: May 13, 2026

This Privacy Policy explains how Culturo LLC (“we,” “us,” “our,” or “Culturo”) collects, uses, and protects information when you use the Culturo mobile application, websites, and related services (the “Service”). We’ve written it in plain language because the relationship between what an app does with your data and what it tells you it does should be clear.

By using the Service, you agree to the practices described here.

---

1. What we collect

We collect three categories of information:

Information you give us directly

• Account identifiers — email address (or Apple/Google sign-in identifier), first name, public handle, date of birth (used for age verification only)
• Trip preferences — travel style, pace preference, depth preference, food preferences, allergies, dietary restrictions, favorite cuisines, languages spoken
• Optional identity context — gender (if you provide it), LGBTQ+ safety preference (opt-in), cultural passions (heritage, military, religious, etc. — all opt-in)
• Home location — city/region you tell us is your home base, rounded to ~1km precision (we do not store precise coordinates)
• Trip data — the destinations, dates, companions, and feedback you log when planning trips
• Communications — what you send to us when you submit feedback or contact support

Information collected automatically

• Usage events — what screens you visit, what cards you tap, how long you take to make a decision. Used to improve recommendations and surface friction patterns.
• Device information — device type, OS version, app version, push token. Used for delivering push notifications and diagnosing crashes.
• Approximate location — when needed for “nearby” or “day-trip” features, only with your explicit permission via iOS/Android location services

Information from third parties

When you sign in with Apple or Google, we receive the identifier they share with us. We do not receive your contacts, calendar, photos, or other data from your Apple/Google account.

2. What we DON’T collect

• We do not access your contacts, calendar, photos, or microphone
• We do not collect precise GPS location continuously
• We do not collect health/fitness data (yet — if we ever do, we will request HealthKit/Google Fit permission explicitly)
• We do not collect financial information; Culturo does not process payments
• We do not collect biometric data
• We do not track you across other apps or websites

3. How we use your information

We use the information we collect to:

1. Build trips for you. Your preferences, behavior, and history feed our recommendation engine. The more you use Culturo, the better the recommendations get.
2. Operate the Service — authenticate you, save your trips, sync across devices, send you notifications you’ve enabled
3. Improve the Service — diagnose bugs, measure friction, calibrate recommendations
4. Communicate with you — respond to your support inquiries, send transactional emails (e.g., trip-ready notifications), and (rarely) product announcements
5. Comply with legal obligations — respond to lawful requests from regulators or courts, prevent fraud, enforce our Terms

We use AI (currently Anthropic’s Claude) to generate trip itineraries from your preferences. Your data is sent to Anthropic only as needed to generate your trip. Anthropic does not retain your data beyond what’s required to complete the request, and does not use it to train their models. See Anthropic’s privacy practices.

4. Who we share your information with

We do not sell your personal information. Period.

We share information with:

• Service providers that help us operate Culturo:
  • Supabase (database + authentication)
  • Render (backend hosting)
  • Anthropic (AI generation)
  • Google Places (geocoding, only city-level data)
  • OpenWeather (weather forecasts for destinations, no personal data)
  • Expo (push notifications via device tokens)
  • PostHog (product analytics)
• Other users on a trip — if you invite someone to a shared trip, they will see your first name and handle and may see your trip preferences as they apply to that specific trip
• Legal authorities — when required by law, court order, or to prevent fraud or harm

We do not share your information with advertisers, data brokers, or marketing companies.

5. International data transfers

Culturo is operated from the United States and uses service providers in the United States and the European Union. If you are located outside these regions, your information will be transferred to and processed in jurisdictions whose laws may differ from yours. By using the Service, you consent to these transfers.

6. How long we keep your information

• Active accounts: as long as your account exists
• Deleted accounts: account data is hard-deleted 30 days after you request deletion (cancellable by signing back in)
• Aggregated/anonymized data: retained indefinitely for product improvement; no longer associated with you

7. Your rights

Depending on your location, you may have the following rights:

• Access — see what data we have about you (visible in your profile + accessible by request to hello@culturo.com)
• Correction — update inaccurate information (do this in the app’s profile screen, or email us)
• Deletion — delete your account and all associated data via the in-app “Delete my account” flow
• Data portability — request a copy of your data in a structured format (email hello@culturo.com)
• Opt out of marketing — we send minimal product email; unsubscribe links are in every email
• Withdraw consent — for opt-in features (LGBTQ+ safety preference, identity passions, etc.) — turn the toggle off

For California residents (CCPA/CPRA): You have additional rights, including the right to know what information we have, to delete it, to correct inaccurate information, to opt out of “sales” of personal information (we don’t sell), and to non-discrimination for exercising your rights.

For EU/EEA residents (GDPR): We process data based on (a) consent (for opt-in features), (b) contract performance (to operate the Service), and (c) legitimate interest (for analytics and product improvement). You have rights to access, correction, deletion, portability, restriction, and to object. You can lodge a complaint with your local data protection authority.

To exercise any right, email hello@culturo.com.

8. Security

We take security seriously. Specific measures:

• All data in transit is encrypted via HTTPS/TLS
• All data at rest in our database is encrypted (Supabase platform encryption)
• Row-level security is enforced — users can only access their own data
• Sensitive operational tables (cost logs, abuse flags, internal alerts) are accessible only via backend service-role
• Account-deletion sweep runs daily to enforce the 30-day deletion promise
• Substrate observability monitors for silent data corruption
• Access to production data is limited and logged

We are early-stage and not yet SOC 2 certified. We hold ourselves to commercial-grade practices but cannot guarantee perfect security.

9. Children’s privacy

Culturo is not intended for users under 18. We do not knowingly collect information from anyone under 18. If you believe a child has provided us with information, please contact hello@culturo.com and we will delete it.

10. Changes to this Policy

We may update this Privacy Policy as the Service evolves. When we make material changes, we will notify you via the app or via the email associated with your account. The “Last updated” date at the top reflects the most recent revision.

11. Contact us

Questions about this Privacy Policy or about your data? Email hello@culturo.com. We respond within a few business days.

---

Culturo is operated by Culturo LLC, based in North Carolina, USA.