
Privacy Policy

Effective: May 2, 2026 · Reading: 9 min read · Curio v.2026.05

Contents

  1. Data we collect
  2. How we use it
  3. Lawful bases (GDPR)
  4. Third-party processors
  5. Sharing & disclosure
  6. Device permissions
  7. Data retention
  8. Your rights
  9. California rights (CCPA)
  10. International transfers
  11. Children's privacy
  12. Security
  13. Cookies
  14. Changes to this policy

This Privacy Policy explains how Curio (operated by Gökberk İnce, sole proprietor, Türkiye — referred to below as "Curio", "we", "us") collects, uses, stores, shares, and protects information when you use the Curio iOS application and the curioplaces.app website (collectively, the "Service"). Curio is designed for people aged 13 and over. By using the Service you consent to the practices described here. We comply with GDPR (EU/EEA, UK, Türkiye KVKK) and CCPA/CPRA (California).

01. Data we collect

Account information

When you sign in with Apple or Google via Supabase Auth we receive your email, display name, profile photo URL (if available), and a unique provider ID. We also store a Curio username you choose, optional bio, and your selected language and home country.

User-generated content

Any travel list you create — places, day plans, curator notes, cover images, prices, and metadata — is stored in our database. If you publish a list, that content becomes visible to other users and renderable on social-media unfurls via curioplaces.app.

Trip activity

When you start a Trip, we record the trip itinerary, your check-ins (timestamp + place reference), and any photos you take inside Trip mode. Photos are uploaded to Supabase Storage in a private bucket associated with your account.

Purchases & tips

Purchase records (which list you bought, which creator received a tip, currency, amount, and Apple transaction ID) are processed through Apple StoreKit and reconciled with RevenueCat. We never see your payment card or Apple ID password.

Referral data

If you redeem an invite, we record the inviter's referral code, the timestamp, the device's coarse IP for fraud prevention, and the outcome. Anti-fraud guards include a 60-second account-age window, an IP-match check, and a self-referral block.

Push tokens & analytics

We collect APNs/FCM device tokens to deliver push notifications you opt into, and event analytics (screen names, action types, no personally identifying content) via Firebase Analytics. Crash reports may be sent to Firebase Crashlytics.

02. How we use it

  • To provide the core Service: accounts, lists, purchases, trips, and search.
  • To prevent fraud, abuse, and spam (especially in the referral program and reviews).
  • To pay creators and reconcile platform fees and refunds with Apple.
  • To send transactional emails, push notifications you opted into, and creator earnings updates.
  • To improve the product through aggregated analytics and crash reports.
  • To comply with applicable law and respond to lawful requests.

03. Lawful bases (GDPR)

We rely on the following lawful bases under GDPR Article 6: (a) contract — to provide the Service you signed up for; (b) legitimate interests — fraud prevention, product security, and limited analytics; (c) consent — for push notifications, optional camera/photo access, and calendar integration; (d) legal obligation — tax, accounting, and lawful disclosure requirements.

04. Third-party processors

We share the minimum data required with the following sub-processors, each bound by a data processing agreement:

| Processor | Purpose | Region |
|---|---|---|
| Supabase | Auth, Postgres database, Storage | EU |
| Vercel | Web hosting and serverless functions | Global edge |
| Apple StoreKit | In-app purchases and refunds | Global |
| RevenueCat | Subscription & purchase analytics | US |
| Firebase | Analytics, push delivery (FCM), crash reports | US |
| Google Places API | Place metadata enrichment (read-only) | US |
| Apple Sign-In, Google Sign-In | OAuth identity providers | US |

05. Sharing & disclosure

We do not sell or rent personal information. We disclose data only: (a) to processors listed above, (b) when you publish content (lists, reviews, profile fields you mark public), (c) to comply with valid legal process, or (d) to protect rights, property, or safety in good faith.

06. Device permissions

  • Location (when in use) — to center the map on your current city and surface nearby places. We do not log background location.
  • Camera & photo library — to capture trip memories and upload list cover images.
  • Calendar (full access, opt-in) — to add planned trips to your calendar with your explicit confirmation.
  • Notifications — for trip reminders, list updates, and creator earnings.

07. Data retention

We retain account data while your account exists. When you delete your account, we erase personal identifiers within 30 days, except where retention is required by law (e.g., tax records related to purchases — kept for 5 years per Turkish tax law). Public content you published may persist as anonymized data for the integrity of other users' purchases and reviews.

08. Your rights

  • Access — request a copy of your personal data.
  • Rectification — correct inaccurate data.
  • Erasure — delete your account from in-app settings.
  • Portability — receive a machine-readable export.
  • Restriction & objection — limit how we process your data.
  • Withdraw consent — at any time, with no effect on prior lawful processing.
  • Lodge a complaint — with your local supervisory authority (e.g., KVKK in Türkiye).

09. California rights (CCPA/CPRA)

California residents may request the categories and specific pieces of personal information we collected; the categories of sources; purposes; and categories of third parties with whom we share information. You may also request deletion or correction. We do not sell or share personal information for cross-context behavioral advertising.

10. International transfers

Some processors are located outside the EU/EEA, UK, or Türkiye. Transfers rely on Standard Contractual Clauses or equivalent mechanisms and are limited to what is necessary to operate the Service.

11. Children's privacy

Curio is not directed to children under 13 (or the higher minimum age in your jurisdiction). We do not knowingly collect data from such users. If you believe a child has provided us data, contact us and we will delete it.

12. Security

Data is encrypted in transit (TLS 1.2+). Database access is governed by row-level security so users can only read their own private data. OAuth flows use PKCE and nonce verification. We rotate keys, monitor access logs, and run periodic security reviews.

13. Cookies

The website uses only strictly necessary cookies for routing and security. We do not use marketing or advertising trackers. The iOS app does not use web cookies for analytics; events are logged via first-party SDKs with anonymous identifiers.

14. Changes to this policy

We may update this Privacy Policy as the Service evolves. Material changes will be announced in-app and via email at least 14 days before they take effect. Your continued use after the effective date constitutes acceptance of the revised policy.

Get in touch

Contact us

Privacy questions, data requests, and complaints: privacy@curioplaces.app. Postal: Curio (Gökberk İnce), Istanbul, Türkiye.

© 2026 Curio · İstanbul