Charlie Labs, Inc. ("Charlie Labs," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy covers all products and services published by Charlie Labs, including the Charlie personal finance app and website (getcharlie.co) and the Voyage iOS travel app, as well as any future products we release (collectively, the "Services"). Where a data practice applies only to a specific product, we say so. Please read this policy carefully. If you disagree with its terms, please discontinue use of the Services.
1. Information We Collect
We collect information you provide directly to us, information generated automatically when you use the Services, and information from third-party sources. The specific data we collect depends on which Service you use.
Identity and contact information
- Email address — collected when you create an account or join the waitlist. In Voyage, your email is used for one-time passcode (OTP) authentication; if you sign in with Apple, Apple may provide a private relay email address instead of your real one.
- Phone number — collected by the Charlie app and website when you sign up for early access.
- Display name — optionally provided in Voyage's Settings. May be auto-populated from Sign in with Apple on first sign-in.
Account and app-generated identifiers
- User ID (UUID) — a unique identifier assigned when you create an account in Voyage. Used to scope all your data via row-level security on our backend. Not linked to your name or email in any externally visible way.
- Referral code — a randomly generated 6-character alphanumeric code assigned to each Voyage user, shareable to grant both parties free Pro time. We record which code you shared, which code (if any) you redeemed, and how many users have redeemed your code.
Subscription and billing state
- Subscription status and expiration — whether your account is on the free or Pro tier and your Pro expiration date (including any referral credit). Subscriptions are processed via Apple StoreKit. We do not receive or store your payment card details — those are handled entirely by Apple.
User-generated content (Voyage)
- Saved places — Google Place ID, name, address, rating, price level, coordinates, photo reference, category (Eat / Stay / Sip / Do), and originating city for each place you save.
- Personal notes and ratings (Pro only) — free-text notes and a 1–5 star rating you assign to a saved place.
- Trips — trip name, emoji, optional start and end dates, free-text notes, and the day-by-day assignment of saved places including a visited flag and per-place note.
Financial account information (Charlie app)
- When you connect a bank account through our third-party data aggregation partners (such as Plaid), we receive account balances, transaction history, and related financial data. Your banking credentials are never stored by Charlie Labs — they are handled entirely by the aggregation partner.
Location data
- Coarse current location (Voyage) — collected only when you explicitly tap "Use my location" in the city picker. Used immediately to reverse-geocode a nearby city name and coordinates for biasing search results. Your raw location coordinates are not stored on our servers. Your chosen active city (which may match your location) is stored locally on your device only.
Local device storage
- iOS local preferences (Voyage) — last viewed city, budget filter, search radius, and onboarding completion status are stored in iOS UserDefaults on your device only and are not transmitted to our servers.
- Authentication tokens (Voyage) — your Supabase session token is stored in the iOS Keychain by the Supabase SDK and used solely to authenticate API calls. It is not shared with third parties.
Usage and technical data
- Website analytics (Charlie) — pages visited, features used, time spent, and actions taken on getcharlie.co, collected via Google Analytics.
- Device and technical data (Charlie website) — IP address, device type, operating system, browser type, and unique device identifiers.
- No analytics SDK (Voyage) — the Voyage iOS app does not include any third-party analytics, advertising, or tracking SDK. No behavioral data about your in-app activity is sent to analytics services.
Communications
- Messages, feedback, or support requests you send us directly.
2. How We Use Your Information
We use the information we collect only to operate and improve the Services. We do not use any user data for advertising, behavioral profiling, or marketing to third parties.
- Authentication — your email and user ID are used to verify your identity, send OTP sign-in codes, and maintain your session across devices.
- Service operation and personalization — saved places, trips, notes, and ratings are synced across your devices and used to power your personal itineraries.
- Place search (Voyage) — when you search for places, we send your query text and a coordinate (city center or your current location if granted) to the Google Places API to retrieve results. No user identity is included in these queries.
- Subscription and feature gating — subscription status and Pro expiration date are used to enable or restrict Pro-only features.
- Referral program (Voyage) — referral codes and redemption counts are used to credit both the referring and referred user with 30 days of Pro access when a valid referral is redeemed.
- Financial insights (Charlie app) — connected financial account data is used to surface spending insights, identify savings opportunities, and power automated money actions within the Charlie app.
- Transactional communications — we may send you sign-in codes, account notifications, and early access updates. We do not send marketing emails without your consent, and you may opt out at any time.
- Fraud prevention and security — to detect and prevent unauthorized access, abuse, and fraudulent activity.
- Legal compliance — to meet applicable legal obligations.
3. Third-Party Service Providers
We do not sell your personal information. We share data only with the following processors that help us operate the Services, and only to the extent necessary for that purpose:
- Supabase, Inc. — backend database (PostgreSQL), authentication, and file storage for Voyage. All Voyage account data, subscription state, saved places, trips, and user content are stored here. Supabase processes data under its Data Processing Agreement.
- Apple, Inc. — Sign in with Apple authentication (Voyage), App Store distribution, and in-app subscription processing via StoreKit 2. Apple's privacy policy governs its handling of your authentication and billing data.
- Google LLC (Google Maps Platform) — Voyage sends search queries (e.g., city name, category, budget level) and a coordinate to the Google Places API to retrieve place data and photos. No user identity or account information is included in these requests. Google's standard API usage terms and privacy policy apply.
- Plaid Technologies, Inc. — financial account data aggregation for the Charlie app. Plaid handles your banking credentials directly; Charlie Labs receives only read-only transaction and balance data. Plaid's privacy policy applies to the credential exchange.
- Loops — email and SMS delivery for Charlie waitlist communications.
- Google Analytics — website usage analytics for getcharlie.co. Data is aggregated and subject to Google's privacy policy.
We may also disclose information in connection with a merger, acquisition, or sale of assets, or when required by law, subpoena, or legal process.
4. Data Retention and Deletion
We retain your personal information for as long as your account is active or as needed to provide the Services.
Voyage account deletion is self-serve and immediate. Tapping Settings → Delete Account permanently and atomically removes your profile, all saved places, all trips, all referral history, and your underlying authentication record in a single transaction. This action is irreversible. Note that Supabase's standard disaster-recovery backups may retain deleted data for up to 30 days before those backups expire.
Charlie app and waitlist — you may request deletion of your data at any time by contacting us at [email protected]. We will complete verified deletion requests within 30 days, subject to any legal retention obligations.
5. Data Security
We implement industry-standard technical and organizational measures to protect your information, including:
- Encryption in transit using HTTPS / TLS 1.2 or higher across all Services.
- Row-level security on the Voyage database — each user can only read and write their own rows; no cross-user data access is possible at the application layer.
- Authentication tokens stored in the iOS Keychain (not in UserDefaults or local storage), isolated from other apps.
- Account deletion and referral redemption operations run as server-side transactions with explicit access controls, preventing partial or unauthorized execution.
- Regular security reviews and access controls on backend infrastructure.
No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
6. Your Rights and In-App Controls
Depending on your location, you may have rights to access, correct, delete, or port your personal data. In addition to submitting a request to [email protected], Voyage users have the following controls directly in the app:
- Sign out — Settings → Sign Out.
- Edit display name — Settings → tap your name.
- Manage subscription — Settings → Pro → Manage Subscription (links to iOS Settings → Subscriptions).
- Delete account — Settings → Delete Account. Immediately and permanently deletes all your data as described in Section 4.
- Opt out of marketing communications — use the unsubscribe link in any email, or reply STOP to any SMS from Charlie Labs.
- Revoke location access (Voyage) — via iOS Settings → Privacy & Security → Location Services → Voyage.
7. Cookies, Tracking, and Analytics
Website (getcharlie.co): We use cookies and Google Analytics to collect aggregated usage data. You can control cookies through your browser settings. We do not currently respond to "Do Not Track" signals.
Voyage iOS app: The app does not use cookies, tracking pixels, advertising SDKs, or any third-party analytics SDK. Voyage does not track users across other apps or websites. The app's Privacy Manifest declares no tracking domains.
8. Children's Privacy
Our Services have different age requirements depending on the product:
- Charlie (personal finance app and waitlist) is intended for users 18 and older. We do not knowingly collect personal information from anyone under 18.
- Voyage is not targeted at children and does not contain features designed for users under 13. We do not knowingly collect personal information from children under 13.
If we become aware that we have inadvertently collected information from a user below the applicable age threshold, we will promptly delete it. Contact us at [email protected] if you believe this has occurred.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) to know what personal information we collect and how it is used, to delete your personal information, to correct inaccurate personal information, and to opt out of the sale or sharing of personal information. We do not sell or share personal information as defined under California law. To submit a verifiable consumer request, contact us at [email protected].
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, for material changes, notify you via email or a prominent notice within the relevant Service. Your continued use of the Services after changes are posted constitutes your acceptance of the updated policy.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Charlie Labs, Inc.
[email protected]