Privacy Policy

Effective Date: October 31, 2025 | Last Updated: October 31, 2025

Our Privacy Commitment

PurpleMangos ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cruise travel planning service.

We never sell your data. We never share your health data with advertisers or third parties for marketing purposes.

Information We Collect

Account Information

  • Email address
  • Name (optional)
  • Profile preferences

Trip Information

  • Destination, dates, cruise details
  • Traveler names, ages, relationships
  • Mobility levels and dietary restrictions
  • Travel preferences and interests

Health Data (With Your Explicit Consent)

  • Medication names, dosages, and timing
  • Special handling requirements (refrigeration, controlled substances, injectables)
  • Prescribing doctor information (optional)
  • Medication-related notes

How We Use Your Information

Trip Planning & AI Assistance

  • Generate personalized travel recommendations
  • Provide AI-powered travel advice through our chatbot
  • Create medication travel checklists
  • Calculate medication timing across time zones
  • Locate pharmacies at your destination

Service Improvement

  • Improve our AI responses and recommendations
  • Analyze usage patterns (aggregated, anonymized data)
  • Debug technical issues

Health Data - Special Protections

Your medication data receives the highest level of protection:

  • Explicit Consent Required: We only collect medication data after you provide explicit consent
  • Bank-Level Encryption: All medication data is encrypted at rest and in transit
  • Never Sold or Shared: We never share your medication information with advertisers, marketers, or third parties
  • AI Processing: Medication data may be sent to Anthropic's Claude AI API for travel advice generation. Anthropic does not train models on your data and does not retain it beyond processing your request
  • Access Controls: Only you can access your medication data through row-level security policies
  • Audit Logging: All access to medication data is logged for security purposes

You Have Full Control: You can view, export, update, or delete your medication data at any time from your Privacy Dashboard.

Third-Party Services

We use the following trusted third-party services:

Anthropic (Claude AI)

Purpose: AI-powered travel advice generation
Data Shared: Your questions and trip context (including medications if you provide consent)
Privacy: Anthropic does not train models on your data and does not retain it beyond processing

Supabase

Purpose: Database hosting and authentication
Data Shared: All account and trip data
Privacy: SOC 2 Type II certified, encrypted at rest and in transit

Upstash (Redis)

Purpose: Caching and session management
Data Shared: Cached API responses (may include medication data)
Privacy: GDPR compliant, encrypted connections

Your Privacy Rights

You have the following rights regarding your data:

  • Right to Access: View all data we have about you at any time from your Trips page
  • Right to Data Portability: Export your data in JSON or CSV format from your Privacy Dashboard
  • Right to Erasure: Delete specific trips, all medication data, or your entire account at any time
  • Right to Withdraw Consent: Withdraw medication data consent at any time, which will delete all medication records
  • Right to Correction: Update or correct any inaccurate information from your Trips page

State-Specific Rights:

  • California (CCPA/CPRA): Right to know, delete, and opt out of sale (we don't sell data)
  • Washington (My Health My Data Act): Enhanced consent requirements for health data (we comply)
  • New York (NY HIPA): Additional health information privacy protections

Data Security

We implement industry-standard security measures:

  • Encryption at rest (database level)
  • Encryption in transit (HTTPS/TLS)
  • Row-level security policies (only you access your data)
  • Audit logging for medication data access
  • Rate limiting to prevent abuse
  • Regular security assessments

Data Breach Notification

In the unlikely event of a data breach affecting your medication information, we will notify you within 60 days as required by the FTC Health Breach Notification Rule. We will also notify the FTC if 500 or more users are affected.

Children's Privacy

Our service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice on our service. Your continued use of the service after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

Email: privacy@purplemangos.com

Privacy Dashboard: View & Manage Your Data