
Privacy Policy

Last updated: March 2026 — added AES-256-GCM encryption and RLS lockdown

What is Plan The Hang?

Plan The Hang is a free, no-account group scheduling tool. You create an event, share a link, and your friends pick the dates that work for them. We then show the best overlap. That's it.

What data do we collect?

  • Names — the organiser's name and names of invited friends (first name only, as entered by the organiser or the invitee).
  • Email addresses — optional. Only collected if you choose to enter one (e.g. to receive the admin link or date notifications).
  • Date availability — which dates you selected as available for a specific event.
  • Profile photo — optional. Only if you choose to upload one.
  • Event details — event name, type, description, and location (if entered by the organiser).

How is data used?

All data is used solely to operate the event you created or were invited to. We do not sell, share, or use your data for advertising, analytics, or any purpose beyond showing you and your crew which dates overlap.

If you provide an email address, we may send you transactional emails related to that specific event only (e.g. your admin link, or a notification when dates are confirmed).

How long is data kept?

All event data — including names, availability, and photos — is automatically and permanently deleted 30 days after the last event date chosen. There is no archive, no backup, and no way to recover it after deletion. We do this to keep the app free and to minimise the data we hold.

The event organiser can also permanently delete an event at any time from the admin page — before the 30-day window — using the "Delete this event now" option. This immediately and irreversibly removes all event data, all friend responses, all invite links, and any uploaded photos.

Third-party services

  • Supabase — database hosting. Data is stored in Supabase-managed infrastructure.
  • Vercel — app hosting and edge functions.
  • Resend — transactional email sending (only if you provided an email address).

Your rights

If you are the event organiser, you can delete your event and all associated data at any time directly from the admin page — no need to contact us. For all other deletion or access requests, use the feedback form at the bottom of any page.

If you are in the EU, UK, or Australia, you have the right to access, correct, or request deletion of your personal data under GDPR, UK GDPR, and the Australian Privacy Act respectively.

Security & Encryption

All sensitive personal data — including names, email addresses, location details, and event descriptions — is encrypted using AES-256-GCM at the application layer before being written to the database. This is the same encryption standard used by banks and governments. It means that even someone with direct database access — including us — cannot read your data without the separate encryption key.

The database is additionally protected by Row Level Security (RLS) policies that allow only our server to read or write data. The public API key visible in browser network requests has zero direct access to any table — all data flows through our server, which decrypts it only for the authorised request and never exposes ciphertext to clients.

In plain terms: if someone broke into the database and downloaded it, they would see scrambled, unreadable data for all sensitive fields. The encryption key is stored separately from the database and is never logged or exposed.

Cookies and tracking

Plan The Hang does not use advertising cookies or third-party tracking. We use Vercel Analytics for anonymous aggregate traffic data (page views, country — no personal identifiers).

Contact

Questions about this policy? Use the feedback form at the bottom of any page, or use the "Report a Bug" button to reach us.

Plan The Hang — free forever, no account needed.
