Privacy Policy

When you create an account, we store your email address and display name. If you sign in with Google, we receive your name and email from Google; we do not access your contacts, calendar, or other Google data.

When you use the app, we store the trip planning data you create: trips, games, companies, schedules, lodging, and comments. Location data you enter (company addresses, lodging addresses, arrival and departure points) is sent to Mapbox for geocoding and route calculation.

Your data is used to provide and improve the trip planning service. We do not sell, share, or use your data for advertising.

• Analytics: We analyze usage data in aggregate (for example, how many trips are created or how many games are booked) to understand how the service is used and to improve it. These statistics do not identify individual users.
• Authentication: Your email and password (or Google sign-in) are managed by Supabase Auth. Passwords are hashed and never stored in plaintext.
• Trip planning: The data you enter is stored in a Supabase-hosted PostgreSQL database and is accessible only to you and the trip members you invite.
• Map and routing: Company and lodging addresses are sent to Mapbox APIs for geocoding and for computing driving directions and travel times.
• Operating hours: When you add a company, we may query Google Places API to pre-fill its operating hours.
• Game data enrichment: When you view games in the app, we fetch community scores, ratings, awards, and player count estimates from Morty (morty.app). These requests contain only Morty game identifiers and no personal data.
• Morty reporting: If you flag a manually-added room as missing from Morty's database, we may share the game name, company name, and address with Morty to help them expand their directory. This is opt-in and only includes information about the escape room, not your personal data.
• Splitwise (optional): If you connect your Splitwise account, we store an OAuth access token to act on your behalf. When you track costs on booked games, we create and update expenses in your Splitwise group containing the game name, cost, currency, and how the cost is split among players. We also store a mapping between your trip members and Splitwise group members, which includes Splitwise user IDs for members of the selected group (including members who have not signed up for Skeleton Key). Names and profile pictures for these members are fetched from Splitwise at display time and are not stored. You can disconnect Splitwise at any time, which revokes our access and removes the stored token. Member mappings are retained so that previously synced expenses remain attributable, but no further Splitwise API calls are made after disconnection.

We use cookies only for session management (keeping you logged in). We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

Your data is retained as long as your account is active. You may request deletion of your account and all associated data by contacting us. Deleting your account removes your profile, and any trips you created will be deleted along with their associated data.

Data is transmitted over HTTPS. The database is hosted on Supabase's managed infrastructure in the United States with row-level security policies that restrict access to authorized users. The application is hosted on Vercel in the United States.

We may update this policy from time to time. Changes will be posted on this page with an updated date.

For questions about this policy or to request data deletion, email hello@useskeletonkey.com.