Privacy policy
Effective 3 May 2026
Reely is a notebook for travel inspiration. You save reels from Instagram, TikTok, and YouTube; we organise them into trips and surface bookable activities. This page explains what we collect, why, where it lives, and how to make us delete it.
What we collect
Three categories, listed by the system that holds them.
Account & auth
- The opaque user ID Apple gives us when you sign in with Apple, plus your name and email if you choose to share them on first sign-in.
- If you use the email magic-link path instead, the email address you typed and a Supabase-issued session token.
Content & saves
- The URLs you save from the iOS share sheet, plus the public metadata our partners return for each (caption, creator handle, thumbnail, video).
- The locations our pipeline detects from those captions and the affiliate offers it matches to them.
- The trips you create, including any name and dates you attach, and the order you arrange reels in.
- Any referral code you redeem.
Behavioural & intent events
Every interaction Reely needs to improve itself — opening the app, saving a reel, viewing a location, tapping an offer — lands as a structured event. Each event carries a session ID, the app and OS versions, and only the IDs of the rows it refers to. The full catalogue of event names is fixed in our product spec; new events ship behind a schema review.
Crash and performance traces from Sentry round this out — they describe what the app was doing when something failed, never what was on screen.
What we don’t collect
- No IDFA or other advertising identifier.
- No precise device location. Your IP address reaches our backend in passing and is dropped immediately after we derive a two-letter country code from it.
- No microphone, camera, contacts, calendar, or photo-library access.
- No browsing history or any data from social platforms beyond what you actively share with us.
- No social-platform credentials. The share sheet hands us URLs only.
Who we share it with
Each subprocessor below is named with the slice of data it touches and the region that processes it. Vendors marked “international” transfer data outside the EEA under the EU Standard Contractual Clauses.
| Subprocessor | Role | Region |
|---|---|---|
| Supabase | Database, auth, realtime, file storage | EU (Frankfurt) |
| Mux | Video archive of reels you save | US · international |
| Trigger.dev | Background pipeline orchestration | US · international |
| ScrapeCreators | Public reel metadata fetch | US · international |
| Google (Gemini + Maps) | Location detection from captions | US · international |
| Viator | Activity offer matching | Global · only when you tap an offer |
| Vio | Hotel offer matching | Global · only when you tap an offer |
| PostHog | Analytics ingestion + dashboards | EU (Frankfurt) |
| Sentry | Crash + error reporting | EU (Frankfurt) |
| Resend | Magic-link email delivery | US · international |
We do not sell personal information. We do not share your data with travel platforms or anyone else for marketing or profiling. When v1.1 introduces aggregated, anonymised panels for travel-platform partners, we will ask for your explicit consent first and update this policy before any data leaves our infrastructure.
Where data is stored
Your account, reels, trips, locations, offers, click logs, and intent events live in Supabase’s Frankfurt region. Analytics events also land in PostHog’s Frankfurt region. The video archive, background pipeline, and AI calls run in the US under Standard Contractual Clauses.
How long we keep it
- Account, content, and trips stay as long as your account exists. Deleting your account removes them within 30 days.
- Intent events stay live for thirteen months. After that, each row is moved into
intent_events_archivewith the user ID replaced by a one-way hash. The hashed rows persist as an aggregate signal; they no longer reference you. - Crash reports follow Sentry’s default 90-day retention.
- Click logs (one row per affiliate-offer tap) persist while your account does and are removed when you delete it.
Your rights
Under GDPR (Articles 15–20) and analogous laws including CCPA, you can:
- Access — ask us for a copy of what we hold on you. Email hello@videreo.com and we’ll respond within 30 days.
- Delete — tap “Delete my account” in Settings. We call
DELETE /v1/account, which cascades through every Reely table and queues teardown of your archived videos. Hashed rows inintent_events_archiveare exempt from this cascade because they no longer reference you — that is the point of the hashing pipeline. - Rectify — edit detected locations in the app, or email us about anything else.
- Port — the export endpoint ships in v1.1. Until then we will fulfil portability requests manually if you email us.
- Object or restrict processing — email us. Withdrawing consent for analytics will land as a Settings toggle in v1.1; in v1 the only opt-out is account deletion.
Children
Reely is for ages 13 and up. We do not knowingly collect information from children under 13. If you believe a child under 13 has signed up, email us at hello@videreo.com and we’ll delete the account.
Changes
We update this policy when the product changes. Material changes are surfaced inside the app before they take effect; the date at the top is the source of truth for the version in force.
Contact
Reely is operated by Videreo. Reach us at hello@videreo.com for any privacy question or to exercise the rights above.