Alast — Privacy Policy
Effective date: 10 June 2026 · Last updated: 10 June 2026
This policy explains what Alast ("we", "us") collects, why, who we share it
with, and your choices. Alast is a personal trip manager: you bring your travel
bookings together into one itinerary, and the app helps you keep track of them.
Who we are
Alast is operated by Anthony Lucas, Australia.
Contact: privacy@alastapp.org
What we collect
We collect only what's needed to run the app.
1. Account information
- Your email address, used to sign you in (we send a one-time code) and to
identify your account. We do not use passwords.
2. Your trip content (the data you put in)
- The bookings and itinerary details you add — flights, stays, transport,
activities, including times, place names, addresses, providers, and confirmation numbers.
- Photos and PDFs you choose to add (booking confirmations / e-tickets) so
we can extract the details. We only access images you explicitly select; we do not browse
your photo library.
- The content of booking emails you forward to your private Alast address
(
u-<code>@alastapp.org) — sender, subject, body text, and any PDF
attachment — so we can turn them into itinerary items for your review.
- Messages you send to the in-app trip co-pilot.
3. Derived location data
- For places in your itinerary, we look up approximate coordinates (latitude
/ longitude) from the place's name or address, to show them on a map and to check distances
between stops.
- We do NOT collect your device's location / GPS. The app does not track
where you are.
4. Limited usage data
- A small per-day counter of co-pilot messages, used only to apply
fair-use limits.
We do not collect: device location, contacts, payment or financial
information, biometric data, or advertising identifiers. The app contains no
third-party advertising or analytics trackers.
How we use your data
- To provide the core service: store your itinerary, extract bookings, detect
scheduling conflicts, compute "leave-by" and check-in reminders, and answer
questions about your trip.
- To authenticate you (sign-in codes by email).
- To apply fair-use limits and keep the service secure and working.
We do not sell your personal data, and we do not use it for advertising.
Service providers (subprocessors)
We use a small number of trusted services to operate Alast. Your data is shared
with them only to provide the service:
| Provider |
What it processes |
Purpose |
| Supabase |
Account, itinerary, forwarded emails, usage counter |
Database, authentication, hosting |
| Anthropic (Claude API) |
Booking text/images/PDFs and itinerary you send for help |
AI extraction of bookings and the co-pilot. Per Anthropic's API terms, this data is not used to train their models. |
| OpenStreetMap / Nominatim |
Place names and addresses |
Looking up map coordinates |
| Resend |
Your email address |
Sending sign-in code emails |
| Cloudflare |
Forwarded booking emails (in transit) |
Receiving and routing email to your Alast address |
| Apple / Google / Expo |
App delivery |
Distributing and updating the app |
Some of these providers process data on servers in the United States and
other countries, so your information may be transferred internationally.
Data retention
- Your account and itinerary are kept until you delete them or delete your account.
- Forwarded emails are held for you to review and remain until you remove them or delete your account.
- When you delete your account, your associated data (trips, items, places,
forwarded emails, usage records) is deleted from our database.
Your rights and choices
- Access / correct: view and edit your bookings in the app at any time.
- Delete: delete individual items, or delete your entire account (and its data) from the app's settings.
- Depending on where you live (e.g. EU/UK GDPR, California/CCPA), you may
have additional rights to access, correct, delete, or port your data, and to object to certain
processing. To exercise these, contact privacy@alastapp.org.
Security
- Data is encrypted in transit (HTTPS/TLS).
- Each account's data is isolated at the database level (row-level security), so one user cannot access another's data.
- Secrets and API keys are held server-side and are never shipped in the app.
- No method is perfectly secure, but we take reasonable measures to protect your information.
Children
Alast is not directed to children under 16, and we do not knowingly collect their data.
Changes to this policy
We may update this policy; we'll revise the "Last updated" date and, for material changes,
notify you in the app or by email.
Contact
Questions or requests: privacy@alastapp.org