Legal
Privacy Policy
Last updated: 31 May 2026
1. Who's the data controller
Dreic Labs Ltd, based in London, United Kingdom, is the controller of your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Reach us at hello@palaner.com.
2. What we collect
Account data. Email address, hashed password (or your Google account identifier if you sign in with Google), and the date you joined.
Profile data you give us. Things you tell palaner during onboarding or chat — for example your home area, hobbies, favourite music or comedians, what you don't like, and similar. You choose what to share. You can edit or delete this from your profile settings at any time.
Activity data. Events you save, plans you build, feedback signals you give (thumbs-up / thumbs-down / hide), chat messages exchanged with palaner, voice transcripts if you use voice mode.
People you tell palaner about. If you mention friends, partners, or others in chat (e.g. "my friend Marko likes techno"), or upload a screenshot of someone else's dating profile to help plan a date, palaner extracts those details and stores them in your account so it can remember next time. We do not contact those people, and we don't persist any images you upload — they're passed to the AI provider and deleted in the same request.
Technical data. IP address, browser user-agent, broad device type, and basic page-load timings, collected through our hosting and content-delivery providers. We also use privacy-friendly, cookieless analytics (PostHog, EU) to count page views and key actions in aggregate. With your consent we additionally record anonymised session replays and link activity to your account. We never use advertising or cross-site tracking SDKs.
3. Why we use it (and the lawful basis)
- To provide the service — running your account, personalising your event feed, holding chat history, syncing your saved plans across devices. Lawful basis: performance of contract.
- To make the service better — debugging errors, improving the ranking algorithm, monitoring cost. Lawful basis: legitimate interest.
- To keep it safe — preventing abuse, enforcing rate limits, investigating suspected fraud. Lawful basis: legitimate interest.
- To tell you about service news — important account or product changes. Lawful basis: legitimate interest. Marketing emails (if we ever send them): explicit opt-in.
- To comply with law — responding to lawful requests from regulators or law enforcement.
4. Who we share it with
We share personal data with the following sub-processors, strictly to operate the service. Each is bound by a data processing agreement and processes data on our instructions only. We do not sell your data.
- Supabase (auth and database) — your account record, profile, plans, chat history. Region: EU.
- Fly.io (backend hosting) — runs the API that talks to Supabase. Region: London (LHR).
- Vercel (frontend hosting) — serves the Palaner web app to your browser.
- Cloudflare (DNS and edge proxy) — sees request metadata (IP, URL, user-agent) on the way in.
- Anthropic (Claude AI) — receives chat messages, profile context, and (if you upload one) any screenshot you ask palaner to analyse. Anthropic's consumer-API terms say they do not train models on API inputs.
- OpenAI (Whisper speech-to-text, TTS voice) — receives audio you record for voice mode and any text palaner reads aloud. OpenAI's API terms say they do not train models on API inputs by default.
- ScrapingBee — used to fetch public event pages on our behalf. Does not receive your account or profile data.
- ScrapingAnt — like ScrapingBee, used to fetch public event pages on our behalf. Does not receive your account or profile data.
- PostHog (product analytics + optional session replay, EU Cloud) — aggregate page-view and event counts run cookielessly for everyone; session replay and linking activity to your account run only if you accept analytics in the consent banner.
- Sentry (error and performance monitoring, EU) — receives crash reports and latency traces (which can include your user id, URL, and technical context) so we can fix bugs.
- MusicBrainz (and Last.fm) — we look up the genres of artists you like to translate your music taste into real-world event categories. We send artist names, never your identity.
- Event sources (Resident Advisor, Eventbrite, Luma, Skiddle, Ticketmaster, Bandsintown, etc.) — when you click an event link, you are sent to that site, which has its own privacy policy.
Several of these providers process data outside the UK and EEA (typically in the United States). Where they do, the transfers are covered by Standard Contractual Clauses or the UK International Data Transfer Addendum.
5. How long we keep it
- Account, profile, plans, chat history — for as long as your account is open. Deleted within 30 days of you closing your account.
- Voice recordings — never persisted. Audio is sent to OpenAI, the transcript stored, audio discarded in the same request.
- Uploaded images — never persisted, same pattern as above.
- Server logs — kept for up to 30 days for debugging and abuse-prevention, then deleted or aggregated.
- Backups — Supabase keeps point-in-time backups for up to 7 days, which is the maximum window in which deleted data may still exist before it is purged from cold backup storage.
6. Your rights
Under UK GDPR you have the right to:
- Ask for a copy of the personal data we hold on you.
- Ask us to correct anything that's wrong.
- Ask us to delete your account and the data tied to it.
- Restrict or object to certain processing.
- Receive your data in a portable format and ask us to send it to another controller.
- Withdraw consent at any time, where we relied on consent.
- Complain to the Information Commissioner's Office (ICO) at ico.org.uk. We'd ask you to tell us first so we can try to put things right.
To exercise any of these rights, email hello@palaner.com. We'll respond within one month.
7. Cookies and similar technologies
Palaner uses a small number of strictly necessary cookies to keep you signed in (set by Supabase auth) and to remember UI preferences. Our default analytics (PostHog, EU) run in a cookieless mode that counts visits in aggregate without setting any tracking cookie or building a profile of you. We ask for your consent before turning on session replay or linking analytics to your account; you can accept or decline in the banner shown on your first visit, and change your mind at any time by clearing the choice in your browser. We do not use advertising cookies or third-party tracking pixels.
8. Children
Palaner is not for under-18s. We don't knowingly collect data from anyone under 18. If you believe a child has signed up, please email us and we will remove the account.
9. Security
We use HTTPS in transit, encrypted-at-rest storage via Supabase, and least-privilege access controls for the small team that maintains Palaner. No system is perfectly secure. If we become aware of a breach affecting your data we will notify you and the ICO as required by law.
10. Changes to this policy
We may update this policy. If a change is material we'll tell you by email or in-product before it takes effect. We'll always update the "last updated" date at the top.
11. Contact
For anything about your data, hello@palaner.com gets you to the right place.