Concairge, Inc. – Privacy Policy

1. Information We Collect

We collect information in the following categories:

1.1 Personal Information You Provide

• Contact details (name, email address, phone number)
• Account credentials
• Payment or billing information (if applicable)
• Preferences, feedback, or communications you send to us
• Calendar or booking data you voluntarily connect
• Booking or reservation confirmations you forward to us (see Section 1.4)
• Voice and audio input, when you use voice features to add events, reminders, or requests by speaking
• Profile photos or images you choose to provide — for example a photo you take or select from your device to use as a family member's avatar

When you use voice input, your speech is transcribed by your device's built-in speech-recognition service (provided by Apple on iOS and Google on Android). Concairge receives only the resulting text; we do not store voice recordings, and we do not use voice data for advertising.

1.2 Automatically Collected Information

• Device identifiers (IP address, advertising ID, device ID)
• Browser type and operating system
• App usage data, logs, crash reports, and performance metrics
• Precise location data (such as your device's latitude and longitude), when you grant location permission. We use it to recommend nearby family activities, classes, and events, to surface location-relevant reminders, and to estimate travel time to scheduled events. You can disable location access at any time in your device settings; location-based suggestions will then be unavailable. We do not use precise location for advertising, and we do not sell or share it.
• Cookies and similar technologies (see Section 9)

1.3 Information from Third Parties

• Data from integrated third-party services (e.g., booking, mapping, weather, or calendar apps)
  • If you connect a Google or Microsoft calendar, see Section 4 (Calendar Integrations) for the full disclosure, including scopes, our Limited Use commitment for Google data, data retention, and how to revoke access.
• Sign-in information from Google or Apple. If you create an account or sign in using Google or Sign in with Apple, we receive basic profile information from that provider — typically your name and email address — to create and secure your account. If you use Sign in with Apple's private email relay ("Hide My Email"), we receive that relay address instead of your personal email. We manage sign-in through a trusted third-party authentication provider and use this information only to create and authenticate your account.
• Publicly available data or analytics services we use to enhance our offerings

1.4 Email-Based Booking Import (Optional)

If you choose to forward booking or reservation confirmations to Concairge — for example, forwarding a flight, hotel, restaurant, or event confirmation email to a Concairge address — we receive and process the contents of those emails, including the subject line, sender and recipient addresses, and message body, solely to extract the relevant booking details and add them to your family schedule as calendar events. We do not use the contents of forwarded emails for advertising, and we do not sell or share them.

Forwarded emails may contain information about other individuals (such as the sender or other named participants). We process that information only as necessary to create and manage the corresponding event on your behalf, and we rely on your instruction in forwarding the email as the basis for doing so. You can stop using this feature at any time and request deletion of imported email data as described in Sections 6 and 8.

Sensitive Personal Information

To help recommend activities, venues, and plans that suit your family, Concairge lets you record accessibility and support needs for each family member — for example mobility, sensory, communication, or health-related accommodations (our "Special Needs" options). This information concerns health or disability and is "special category" data under the GDPR/UK GDPR and "sensitive personal information" under U.S. state law.

Providing it is entirely optional; you can use the App without it, and you can edit or remove it at any time in Settings → Family or by deleting your account. We use it solely to tailor activity and venue recommendations to your family's accessibility and support needs. We do not use it for advertising, and we do not sell or share it. We process it on the basis of your explicit consent (GDPR/UK GDPR Article 9(2)(a)) and corresponding conditions under U.S. state law. Where this information relates to a child, it is provided by the parent or guardian managing the family account, who consents on the child's behalf.

We do not request, and you should not provide, the following through the Services: government identification numbers, financial account numbers, payment-card information (except where processed directly by the App Store or our payment processor), biometric or genetic identifiers, racial or ethnic origin, religious or philosophical beliefs, or sexual orientation.

We may also generate aggregated, anonymized, or de-identified information derived from personal data, which is not considered personal information under applicable law.

2. How We Use Your Information

We use your information to:

1. Provide, operate, and personalize the App and related services
2. Manage user accounts and authentication
3. Process transactions and subscriptions
4. Respond to inquiries and provide customer support
5. Send service announcements, updates, and security alerts
6. Improve and develop new features and user experiences
7. Detect, prevent, and respond to fraud, abuse, or security issues
8. Comply with legal obligations and enforce our rights under the EULA

Aggregated and De-Identified Data

We may use or create aggregated, anonymized, or de-identified information derived from personal data to analyze usage trends, develop insights, improve our products and services, and support business or research purposes. Such information does not identify any individual and cannot reasonably be re-linked to a specific person. We maintain safeguards to prevent re-identification and require any third parties receiving such data to do the same.

We do not sell or share personal information for cross-context behavioral advertising as defined under applicable U.S. state laws.

We collect special-category (sensitive) information only as described in the "Sensitive Personal Information" part of Section 1, and only with your explicit consent.

3. Legal Bases for Processing (EU/UK Users)

4. Calendar Integrations

Google

When you connect a Google Calendar to Concairge, we access your Google Calendar data through the Google Calendar API using two scopes:

• calendar.readonly — to read your linked calendars (including any partner's, children's, or grandparents' calendars you add) in order to (a) render your unified family schedule inside the App, (b) detect cross-family conflicts before recommending classes, appointments, or activities, and (c) tailor AI recommendations to fit around your family's existing commitments.
• calendar.events — to add events to your calendar when you confirm an AI-suggested booking or family activity, and to update or remove those events when plans change. With your authorisation, this includes updating events you added manually before connecting Concairge.

Limited Use commitment. Concairge's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google user data only to provide and improve the user-facing features described above.
• We do not transfer Google user data to third parties, except as needed to provide or improve those features (and only with service providers bound by equivalent confidentiality terms), to comply with applicable law, or as part of a merger or acquisition with appropriate notice to users.
• We do not use Google user data for serving advertisements, including personalised, retargeted, or interest-based advertising.
• We do not use Google user data to develop, improve, or train generalised AI or machine-learning models.
• We do not allow humans to read Google user data, except: with your explicit consent (e.g., a support ticket where you share an event), as needed for security purposes, to comply with applicable law, or for internal operations on data that has been aggregated and de-identified.

Microsoft (Outlook)

When you connect a Microsoft (Outlook) calendar, we access it through the Microsoft Graph API using the Calendars.ReadWrite, User.Read, and offline_access scopes — to read your calendars for your unified family schedule and to add or update events when you confirm an AI-suggested booking or family activity. We use Microsoft calendar data only to provide these features; we do not use it for advertising and do not sell or share it.

For Any Calendar You Connect

How long we keep calendar data. We store the events necessary to power the family schedule and AI suggestions in our database, encrypted at rest, and re-sync from the provider on a regular cadence. When you disconnect a calendar or delete your account, the corresponding data is deleted within 30 days.

How to revoke access. You can disconnect Concairge from a connected calendar at any time inside the App (Settings → Calendars). You can also revoke access directly with the provider — for Google, at https://myaccount.google.com/permissions; for Microsoft, in your Microsoft account security settings. Revocation is immediate; we will no longer fetch new data from that calendar.

5. Data Sharing and Disclosure

We share information only as necessary to operate and improve our services:

• Service Providers and Vendors – Cloud hosting, payment processing, analytics, customer support.
• Business Partners – Integrated third-party platforms you authorize.
• Legal and Compliance – When required by law, subpoena, or to protect our rights and users.
• Corporate Transactions – In connection with mergers, acquisitions, or asset transfers (subject to data-protection safeguards).
• Calendar Data – not shared with third parties except as described in Section 4 (Calendar Integrations).

We require all third parties to handle personal information consistent with this Policy and applicable law.

We may share aggregated or de-identified information with service providers, research partners, or other organizations for analytics, market research, or business purposes. Such information does not identify you personally.

6. Data Retention

We retain personal information only for as long as necessary to:

• fulfill the purposes described in this Policy,
• comply with legal or accounting obligations, or
• resolve disputes and enforce agreements.

When data is no longer needed, it is securely deleted or de-identified.

Approximate retention periods:

• Account profile data – deleted within 30 days of account deletion, except limited records we are required to retain for legal, tax, or audit purposes (up to 7 years).
• Transaction data – 7 years (tax and audit)
• Usage data – up to 5 years
• Marketing data – up to 3 years from last contact
• Forwarded booking emails – the original email is automatically deleted within 30 days of receipt; the calendar events extracted from it follow your account-data retention and are deleted within 30 days of account deletion.
• Calendar data (Google / Microsoft) – retained while your account is active; deleted within 30 days of calendar disconnection or account deletion.
• Accessibility / support-needs data – follows your account-data retention and is deleted within 30 days of account deletion or when you remove it.

We may retain aggregated or de-identified information for analytics or research purposes for as long as needed, because this data does not identify individuals.

7. Data Transfers

We store and process data primarily in the United States, but your information may be transferred to other jurisdictions.

For users in the EEA, UK, or Switzerland, we use one or more of the following lawful transfer mechanisms:

• Standard Contractual Clauses (SCCs) approved by the European Commission,
• UK International Data Transfer Agreement (IDTA), and
• Adequacy decisions where applicable.

Concairge maintains technical and organizational safeguards to protect data during cross-border transfers.

8. Your Rights

You can delete your account and its associated data directly in the App (Settings → Account → Delete Account).

8.1 U.S. State Privacy Rights

Residents of California, Delaware, Colorado, Texas, and other states with privacy laws have rights to:

• Access and obtain a copy of their personal information
• Delete personal information
• Correct inaccuracies
• Opt out of sale or sharing of personal data
• Limit use of sensitive data
• Non-discrimination for exercising privacy rights

Submit requests via https://concairge.ai/data-management or privacy@concairge.ai. We will verify your identity before processing your request.

8.2 EU/UK Data Subject Rights

Under GDPR/UK GDPR, you have the rights to:

• Access, rectify, or erase your data ("right to be forgotten")
• Restrict or object to processing
• Portability (receive your data in structured format)
• Withdraw consent at any time
• Lodge a complaint with a supervisory authority (e.g., ICO in the UK or local DPA in the EU)

To exercise these rights, contact privacy@concairge.ai.

Rights to access, delete, or opt out apply to personal information as defined under applicable law and do not extend to aggregated, anonymized, or de-identified data that cannot reasonably be linked to you.

9. Cookies and Tracking Technologies

Our App and website use cookies, SDKs, and similar technologies, which fall into two groups:

• Essential — required to maintain session authentication, security, and core functionality. These are always active.
• Analytics and advertising — on our website, we use Google Analytics 4 (GA4) to understand site usage and the Meta Pixel to measure the effectiveness of our marketing. These are non-essential and are loaded only after you engage with the site.

Where required by law (including in the EEA and UK), we ask for your consent before setting non-essential cookies, and you can change your choice at any time via our cookie settings. You can also control cookies through your browser settings and opt-out mechanisms such as Global Privacy Control (GPC), which we honor. The Concairge mobile app itself does not use third-party advertising cookies or SDKs.

10. Data Security

We implement industry-standard security measures, including:

• AES-256 encryption for data at rest
• TLS 1.3 for data in transit
• Access controls and multi-factor authentication
• Regular penetration testing and security audits

However, no system is completely secure. You use the App at your own risk, and we encourage strong passwords and device security practices.

11. Children's Privacy

Concairge complies with:

• U.S. COPPA (Children's Online Privacy Protection Act) – no personal data collection from children under 13 without verified parental consent.
• EU/UK GDPR Article 8 – parental consent required for users under 16 (or lower national age of consent, but never under 13).

Concairge is intended for use by adults who manage a family account. Where a family member's profile is a child, any information about that child — including any accessibility or health-related support needs — is provided by, and consented to by, the parent or guardian managing the account. We do not knowingly allow children to create their own accounts.

12. Changes to this Privacy Policy

We may update this Privacy Policy periodically to reflect changes in law, technology, or our practices.

We will notify users of material changes via in-app message, email, or website notice at least 30 days before the new policy takes effect.

The "Last Updated" date at the top indicates when revisions were made.

13. Contact Us

For privacy-related questions or to exercise your rights:

14. Additional Notices (Legal Disclosure)

• Concairge does not sell personal information as defined by the CCPA/CPRA.
• Concairge honors Global Privacy Control (GPC) signals for "Do Not Sell or Share" preferences.
• If we merge or reorganize, you will be notified and given the opportunity to opt out of continued processing.