Last updated: 2026-04-21
1. Operator
cream (Representative: Kohei Sato, hereinafter "we") sets forth this Privacy Policy regarding the handling of personal information on the Service.
2. Information We Collect
2-1. Automatically collected
- Access logs (IP address, browser, access time)
- Browsing info via cookies and similar technologies
- Device info (OS, screen size)
- Rate-limit events for abuse detection (discarded after 30 days)
2-2. Account & authentication
Sign-in is available via Supabase Auth using either:
- Google OAuth (email, display name, profile picture)
- Email + password (hashed by Supabase Auth; we never store the plaintext password)
- TOTP (two-factor authentication) — when enrolled, a 6-digit one-time code from your authenticator app is required at sign-in
Signup and high-attempt signin flows are protected by Cloudflare Turnstile CAPTCHA.
2-3. User-generated content
- Posts (photos, text, place info), comments, reactions, saves (bookmarks), follow graph
- Uploaded images (avatar, cover, trip photos)
- Profile info (display name, bio, optional home airport, etc.)
- Trip plans (itinerary, destinations, actions, memos)
- share_token (for link-share visibility)
- Report records (reporter / target / reason — NOT shown to reported party)
- User block relationships
- Contact form submissions (category, optional reply email, body)
2-4. Other
- Newsletter subscription email
- Price watch settings
- Stripe customer ID (only if paid features are introduced later)
3. Purpose of Use
Collected information is used for:
- Operating, providing, and improving Service features
- Displaying user content per the visibility you set
- Usage analytics
- Detecting and preventing unauthorized use, content moderation
- Handling reports and audit logging
- Important notices (terms changes, security alerts)
We never return email, auth internal IDs, or Stripe IDs in API responses. Row Level Security prevents private data belonging to other users from being retrieved.
4. Use of Artificial Intelligence (AI)
This Service uses external AI services (Anthropic Claude API) for features such as generating post drafts from trip plans, travel suggestions, and chat support.
4-1. Information Sent to AI
Only the following itinerary-related information is sent when using AI features:
- Trip plan itinerary (destination names, duration, activity names, place names)
- User-entered questions or requests
The following personal information is never sent to AI services:
- Email addresses, names, profile images
- User IDs, authentication credentials, passwords
- Payment or credit card information
- IP addresses, cookie data
4-2. Data Retention & Training
The Anthropic API we use does not use data submitted via the API for AI model training (per Anthropic's API Terms of Service). Submitted data is processed in real-time and discarded.
4-3. Security Measures
- All communication with AI services uses TLS encryption (HTTPS)
- API keys are stored in server-side environment variables and never exposed to the client (browser)
- AI-generated content is only published after user review and editing
- Rate limiting prevents excessive AI usage
4-4. AI Crawler Blocking
We employ technical measures to prevent unauthorized collection and training by external AI services, including AI crawler blocking via robots.txt and X-Robots-Tag headers (noai, noimageai). These measures protect user-generated content from being used as training data by external AI systems.
5. Third-Party Services
We may use the following third-party services. Please refer to each provider's privacy policy:
- Vercel (hosting, Web Analytics, Speed Insights — for traffic and page-load metrics)
- Supabase (Auth, database, storage)
- Anthropic Claude API (AI per-country FAQ and itinerary assistance)
- Cloudflare Turnstile (CAPTCHA / bot protection)
- Upstash Redis (distributed rate limiting)
- Resend (transactional email delivery — password resets, welcome notifications; via the VIIGL mail gateway)
- Sentry (error & crash monitoring)
- OpenStreetMap / Nominatim (place name search / geocoding)
- External booking partners (Trip.com / Agoda / Klook / KKday / Travelpayouts, etc.) — data is shared only when you click an outbound link
- Google Analytics (active only when NEXT_PUBLIC_GA_ID is configured AND user accepts "All" in the cookie banner)
5-2. Disclosure to Other Users
User information is exposed to other users based on visibility settings:
- Public profile: display name, avatar, bio, public post count (exposed via the
public_profiles view — email and payment links are never disclosed) - Public posts / plans: shown per the visibility you set
- Link-share (share_token): viewable only by those who know the URL; not editable
- Report records: visible only to moderators/admins, NOT to the reported party
- Audit logs: visible only to admins/moderators; never to general users
5-3. Retention
- User content: during account lifetime + 30 days after deletion (logical retention)
- IP / rate-limit events: 30 days
- Audit logs: 180 days
- Backups: 30-day rolling generations
- Or as legally required, whichever is longer
6. Cookies
We use cookies and similar technologies for the following purposes:
- Strictly necessary: Supabase Auth session, CSRF protection, dark-mode preference. Required regardless of consent.
- Analytics: Google Analytics — only loaded if you click "Allow All" in the cookie banner.
- Consent: A small
localStorage entry records your choice (All / Essential only). You can change it anytime.
You can disable cookies in your browser, but disabling strictly-necessary ones will break features like sign-in.
7. Data Security
We take reasonable security measures to prevent leakage, loss, or damage of collected information.
8. Disclosure, Correction, and Deletion
If you wish to request disclosure, correction, or deletion of your personal information, please contact us at the address below.
9. Changes to This Policy
We may update this Policy at any time. Changes take effect when posted on this page.
Contact
cream
Representative: Kohei Sato
Email: hi@pteranodontrip.com
Address: Nishi-Shinjuku Mizuma Bldg 6F, 3-3-13 Nishi-Shinjuku, Shinjuku-ku, Tokyo 160-0023, Japan