Privacy Policy

Last updated: March 9, 2026

Summary: We only collect data necessary for app functionality and never sell your data. You have full control over your information and can delete it at any time directly within the app.

One Bag ("we", "our", "the app") is a travel packing assistant developed by One Bag Travel. Users can use the app without creating an account. This policy explains what data we collect, why we collect it, how we store it, and your rights regarding that data.

1. Data We Collect

Summary: We collect only what is needed to provide packing lists, reminders, and optional cloud sync. Most data stays on your device.

Data Type	Examples	Purpose	Storage
Account data	Email address, hashed password	Authentication, account management	Supabase (optional sign-up)
Trip data	Destination, dates, travel profile, packing items	Core app functionality	Device (Isar) + Supabase (if signed in)
Document metadata	File names, expiry dates, thumbnails	Document vault feature	Device only
Usage patterns	Forget scores, late-checked items	Smart packing suggestions	Device (Isar) + Supabase (if signed in)
Notification preferences	Reminder schedule, quiet mode	Packing reminders	Device only
Destination city name	e.g. "Barcelona"	Fetch representative cover photo via Pexels	Transmitted to our server function only; no personal identifiers included
Crash reports	Stack traces, device model, OS version	Bug fixing and stability	Sentry (no PII)
Ad identifiers	IDFA (iOS) / GAID (Android), with consent	Personalized ads (free tier)	Google AdMob

2. How We Use Your Data

Summary: Your data is used solely to provide app features. We do not sell, rent, or trade your personal data to third parties.

Core functionality: Generate packing lists, track progress, manage documents, send reminders
Destination cover images: When you enter a destination city, we send only the city name to our secure server-side function, which queries the Pexels photo library to fetch a representative image. The result is cached server-side so the same city is only queried once. No personal data is ever sent to Pexels.
Personalization: Learn which items you tend to forget (Forget Score) to improve future suggestions
Cloud sync: Back up and synchronize your trips across devices (optional, requires sign-in)
Crash reporting: Identify and fix bugs to improve app stability
Advertising: Show ads to free-tier users (removed for premium subscribers)

We do not sell, rent, or trade your personal data to third parties.

3. Data Storage and Security

Summary: Data is stored locally on your device by default. Cloud sync is optional and protected by encryption and row-level security.

Local Storage (Default)

All data is stored locally on your device using Isar embedded database. The app is fully functional without an internet connection or user account.

Cloud Storage (Optional)

If you create an account and enable sync, your trip data is stored in Supabase (hosted on AWS). All cloud data is protected by:

Row-Level Security (RLS) policies ensuring only you can access your data
TLS encryption in transit
AES-256 encryption at rest
Last-Write-Wins (LWW) conflict resolution for offline sync

Document Vault

Documents stored in the vault remain on your device. They are not uploaded to cloud servers. Optional biometric lock (Face ID / fingerprint) adds an additional layer of protection.

Destination Cover Images

When you create a trip, the app sends only the destination city name to our server-side Edge Function (hosted on Supabase). This function queries the Pexels API on your behalf and returns a cover photo URL. The photo URL is then stored alongside your trip data. No personal identifiers, account details, or device information are transmitted to Pexels. Fetched images are cached server-side to minimize repeat requests.

4. Third-Party Services

Summary: We use limited third-party services for authentication, images, crash reporting, ads, and subscription management. Each has its own privacy policy.

Service	Purpose	Data Shared	Privacy Policy
Supabase	Authentication, cloud sync	Email, trip data	supabase.com/privacy
Pexels	Destination cover images	City name only (no personal data)	pexels.com/privacy-policy
Sentry	Crash reporting	Stack traces, device info (no PII)	sentry.io/privacy
Google AdMob	Advertising (free tier)	Ad identifiers, device info	policies.google.com/privacy
RevenueCat	Subscription management	Purchase receipts, user ID	revenuecat.com/privacy

5. Forget Score Learning

Summary: The app learns which items you tend to forget to give better suggestions. This is optional and can be disabled anytime.

The Forget Score feature tracks which items you pack late or leave unchecked near departure. This data is processed entirely on your device by default. If you enable cloud sync, forget scores are synced to your personal account only. You can disable this feature at any time in Settings > "Learn from my packing habits".

6. Advertising and Tracking

Summary: Free-tier users see ads. We obtain user consent for personalized advertising where required by law. Premium subscribers see no ads.

Free-tier users see banner ads served by Google AdMob. We obtain user consent for personalized advertising where required by law (e.g., GDPR, CCPA).

On iOS, we request App Tracking Transparency (ATT) permission before any ad personalization. If you decline, non-personalized ads are shown.

On Android, advertising identifiers (such as GAID) may be used for ad personalization, subject to user consent. You can reset or opt out of ad personalization via your device settings (Settings > Privacy > Ads).

Premium subscribers see no ads and no ad-related data is collected.

7. Image Credits

Summary: Destination photos are sourced from Pexels under the Pexels License. We do not claim ownership of any destination images.

Destination cover photos are provided by Pexels and are used under the Pexels License. Photos are free to use for commercial purposes. We do not claim ownership of any destination images displayed in the app. Images are fetched on demand and cached to minimize API usage.

8. Children's Privacy

Summary: Our app is not for children under 13. We do not knowingly collect their data.

We do not knowingly collect personal data from children under 13 and do not target our services to children. One Bag is designed for adult travelers. If you believe a child has provided us with personal data, please contact us immediately and we will delete it promptly.

9. Your Rights

Summary: You can access, correct, export, or delete your data at any time. Account deletion is available directly within the app.

Depending on your jurisdiction (including GDPR, CCPA, KVKK), you may have the right to:

Access your personal data
Correct inaccurate data
Delete your account and all associated data
Export your data in a portable format
Withdraw consent for optional processing (ads, sync, forget score)
Object to processing for specific purposes

Account Deletion

Account deletion is available directly within the app without requiring external contact. Navigate to Settings > Account > Delete Account. This permanently removes all your data from our servers within 30 days. Local data can be cleared separately from Settings > Account > Delete Local Data, or by uninstalling the app.

You can also request deletion by emailing onebagtravelapp@gmail.com.

Data Deletion Request Page

https://coinsayfasi.github.io/onebag-legal/data_deletion_en.html

10. Data Retention

Summary: We keep your data only as long as needed. Deleted accounts are fully purged within 30 days.

Active accounts: Data retained while account is active
Deleted accounts: All data permanently deleted within 30 days
Crash reports: Retained for 90 days, then automatically purged
Cached city images: Stored indefinitely server-side as non-personal public data; not linked to any user account
Local-only users: Data exists only on device; removed when app is uninstalled

11. International Transfers

If you use cloud sync, your data may be processed in the United States (AWS infrastructure used by Supabase). We rely on standard contractual clauses for EU/EEA data transfers.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via in-app notification. The "Last updated" date at the top reflects the most recent revision.

13. Contact Us

For privacy questions or data requests: