Privacy Policy.

The data controller is Nigel Atta-Mensah, a sole trader based in the United Kingdom and trading as Yenkoh. We process personal data in accordance with UK GDPR and the Data Protection Act 2018.

Privacy questions and requests: hello@yenkoh.com.

• Account data: your email address, display name, and profile details such as a favourite-trip preference.
• Application answers: the responses you give to questions Q1 to Q4 when you apply for membership, used to review your application.
• Trip data: destinations you propose and vote on, shortlists, schedules, bookings, and trip preferences you share for AI planning (origin, budget, vibes, occasion, notes).
• Crew messages and photos: posts, replies, likes, and images you share in crew chat and on trip pages.
• Ledger data: expenses, amounts, currencies, splits, payment schedules, and who-owes-whom balances within your trips.
• Referral data: your referral code, who applied using it, and the status of any rewards.
• Payment status: your subscription plan, billing interval, and payment state. Card details never touch our servers; Stripe collects and holds them. We only see tokens and status flags Stripe sends us.
• Technical data: authentication cookies (see the Cookie Policy) and basic logs needed to run and secure the service.

• To provide the service (accounts, trips, chat, ledger, notifications): performance of our contract with you.
• To review applications and run the invite-only cohort: steps taken at your request before entering a contract, and our legitimate interest in curating the community.
• To generate AI trip plans from the preferences and trip content you provide: performance of our contract with you.
• To process subscriptions and rewards: performance of our contract, and legal obligations around accounting records.
• To send service emails (application decisions, payment receipts and reminders, security notices): performance of our contract and our legitimate interest in keeping you informed.
• To secure and improve the service (logs, abuse prevention, aggregate usage measurement): our legitimate interests, balanced against your rights.

We do not sell your personal data, and we do not use it for third-party advertising.

We rely on a small set of service providers, each acting as a processor under a data processing agreement:

• Supabase: database, authentication, file storage, and realtime infrastructure. This is where your account, trip, message, and ledger data lives.
• Stripe: subscription payments. Stripe is an independent controller for the card and identity data it collects at checkout.
• Resend: transactional email delivery.
• Google: Gemini models generate trip plans and concierge replies; the Places API provides venue details and photos.
• Mapbox: location search when proposing destinations.
• SerpApi: flight price lookups for trip plans.
• Vercel: application hosting and privacy-respecting analytics.

We share with each provider only the data it needs for its function, and we will update this list if our providers change.

When you or a trip admin uses an AI feature, the relevant trip preferences and itinerary content (for example destination, dates, budget, vibes, notes, and shortlisted activities) are sent to Google Gemini to generate plans and concierge responses. We send what the feature needs, not your whole account.

We do not use your personal data to train AI models, and our agreement with Google for these API services does not permit your prompts to be used to train Google’s models. AI output is stored against your trip so your crew can see it.

Some of our providers process data outside the UK, mainly in the United States. Where that happens, transfers are protected by appropriate safeguards: the UK International Data Transfer Agreement or Addendum, EU Standard Contractual Clauses as incorporated for UK transfers, or an adequacy decision such as the UK extension to the EU-US Data Privacy Framework where the provider is certified.

• Account and trip data: kept while your account is active. When you delete your account we delete or anonymise your personal data within 30 days, except where we must keep it longer.
• Crew content in shared trips: messages and expenses you contributed to a shared trip may persist for the rest of the crew, with your identity removed, so shared records like the ledger stay coherent.
• Application data: kept for up to 12 months after a decision, then deleted.
• Billing records: kept for 6 years after the relevant tax year, as required by UK law.
• Backups: routine encrypted backups roll off on a fixed cycle, normally within 35 days.

Under UK GDPR you have the right to:

• access a copy of your personal data;
• have inaccurate data corrected;
• have your data erased;
• restrict how we process your data;
• receive your data in a portable format;
• object to processing based on legitimate interests, and to any direct marketing;
• not be subject to solely automated decisions with legal or similarly significant effects (we do not make any).

To exercise any of these, email hello@yenkoh.com. We respond within one month. You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk or on 0303 123 1113, though we would appreciate the chance to resolve any concern first.

We use a small number of essential cookies to keep you signed in. The full list, and how to control them, is in the Cookie Policy.

If we make material changes to this policy we will notify you by email or in the app before they take effect. The date at the top shows when it was last revised.

Nigel Atta-Mensah trading as Yenkoh, 100A George Street, Croydon CR0 1GP. Email: hello@yenkoh.com.