Privacy Policy
Last updated: 2026-05-07
1. Who We Are
YourTurn.group is operated by Caellwyn AI LLC. This policy describes how we collect, use, and protect your personal information when you use our group event coordination service.
2. Information We Collect
Information you provide directly
- Account information: Email address, name, and password (stored as a secure hash, never in plain text)
- Profile information: Phone number (used only for SMS notifications if you opt in via your member profile), business/company name, website, bio, and profile photo (all optional)
- Group information: Group name, event schedule, timezone, theme preference, group logo, and group meeting location (city name and coordinates)
- Member emails: Email addresses of people you invite to your group
- Ratings and comments: Event ratings and optional comments you submit
Information collected automatically
- Session data: We use a signed session cookie to keep you logged in. This cookie is HTTP-only, secure (in production), and expires after 30 days of inactivity
- Email engagement: Our email provider (Postmark) tracks delivery status, bounces, and basic engagement metrics (opens, clicks) to ensure reliable delivery
- Browser geolocation: If you grant permission, we may use your browser's location to set your group's meeting area or to show nearby venue search results. This data is used only for venue search and is never shared with third parties beyond the search request to Google Places. You can deny the browser prompt with no loss of functionality — you'll just enter your city manually instead
Information we do NOT collect
- We do not use third-party analytics or tracking cookies
- We do not track your browsing activity across other websites
- We do not sell, rent, or share your personal information with advertisers
3. How We Use Your Information
- Operating the Service: Managing groups, scheduling events, sending notifications, and processing host rotations
- Transactional emails: Event announcements, hosting reminders, invitation links, and rating requests sent on behalf of your group
- SMS notifications (if opted in): Event announcements, RSVP requests, host reminders, and cancellation notices sent via Twilio. SMS is strictly opt-in via your member profile after a verification code is confirmed. See our SMS Terms & Opt-in Policy
- Billing: Processing subscription payments through Stripe
- Security: Protecting accounts via password hashing, CSRF protection, and bot detection
4. Third-Party Services
We use the following third-party services to operate YourTurn.group:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email address, subscription tier |
| Postmark | Transactional email delivery | Recipient email, name, email content |
| Twilio | SMS delivery (members who opt in only) | Phone number (E.164), message content, delivery status callbacks |
| Cloudflare R2 | Image storage (profile photos, logos) | Uploaded image files only |
| Google Places | Venue search and details | Search queries and group location coordinates (city-level, not personal addresses) |
| Google reCAPTCHA v3 | Bot detection on signup | IP address, browser signals (per Google's terms) |
| Railway | Application hosting | All application data (hosted on their infrastructure) |
Each service has its own privacy policy. We encourage you to review them.
5. Profile Visibility
Your name is visible to other members of your group. All other profile information (phone, email, website, bio) is private by default. You can choose to make your profile public to other group members via the "Make profile public" toggle in your profile settings.
6. Data Security
We protect your data through:
- Passwords stored using industry-standard secure hashing (never in plain text)
- HTTPS encryption for all data in transit
- HTTP-only, secure session cookies with SameSite protections
- CSRF protection on all forms
- Content Security Policy headers to prevent cross-site scripting
7. Data Retention
- Active accounts: Data is retained as long as your account or group is active
- Deleted accounts: Upon request, we will delete your personal data within 30 days. Some data may be retained in backups for up to 90 days
- Email logs: Delivery records are retained for operational purposes and automatically aged out
- SMS consent logs: Records of opt-in / opt-out events (timestamp, IP address, user-agent, exact disclosure text shown at the moment of consent) are retained indefinitely as required by US/Canadian carrier audit policy. These records exist solely for compliance proof and are never used for marketing
8. Your Rights
You have the right to:
- Access: View all personal information we hold about you (available in your profile)
- Correct: Update your personal information at any time via your profile settings
- Delete: Request deletion of your account and personal data
- Export: Request a copy of your data in a portable format
- Withdraw consent: Leave a group to stop receiving its communications
To exercise these rights, contact us at admin@yourturn.group.
9. Children's Privacy
YourTurn.group is not intended for children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email to group secretaries. The "Last updated" date at the top reflects the most recent revision.
11. Contact
Questions or concerns about your privacy? Contact us at admin@yourturn.group.