Privacy Policy

Kinpool is operated by Legacy Sync LLC, a Tennessee limited liability company (“Kinpool,” “we,” or “us”). You can reach us at brent@kinpool.app for any privacy-related question or request.

This policy describes the personal information we collect when you use the Kinpool web app at kinpool.app and any related communication channels (transactional email, push notifications). It explains why we collect it, who we share it with, how long we keep it, and the choices you have.

Account information

• Your email address (required to sign in).
• Display name and avatar URL, if you sign in with Google (provided by Google’s OAuth identity claim).

Profile and household information you choose to enter

• Your phone number (optional).
• A home or pickup address (optional). We send this to our geocoding provider (see below) to convert it to map coordinates.
• Information about children in your household: name, age or grade (optional), notes you choose to share with your group.
• Information about your vehicles: make, model, color, license plate, seat count.

Group and activity information

• Group memberships and your role within each group.
• Consent records: which drivers you have authorized to transport which of your children, and when those records were created.
• Events, ride claims, ride requests, and the resulting schedule.
• Calendar feeds you import (Google Calendar, league iCal feeds, etc.).

Technical information

• A session cookie from our authentication provider (Supabase), marked httpOnly and secure.
• If you opt in to push notifications: your browser’s push subscription endpoint and the associated public key, so we can deliver notifications.
• Standard request metadata kept by our hosting and database providers (IP address, user agent, timestamps) for operational purposes such as security and abuse prevention.

• To operate the service and coordinate rides among your group.
• To enforce access control: row-level security depends on accurate group membership and consent records.
• To send transactional email and push notifications (ride confirmations, invite links, password-less sign-in links).
• To convert addresses you provide into approximate map coordinates, via OpenStreetMap’s Nominatim service.
• To investigate abuse, security incidents, or legal requests.

We do not sell your personal information, share it with advertisers, or use it to build profiles for marketing purposes.

We rely on a small set of sub-processors to run the service. Each is governed by its own privacy policy:

• Supabase Inc.— database, authentication, and storage. supabase.com/privacy
• Vercel Inc. — hosting and edge delivery. vercel.com/legal/privacy-policy
• Resend — transactional email delivery. resend.com/legal/privacy-policy
• OpenStreetMap Foundation (Nominatim)— geocoding addresses you enter. osmfoundation.org/policies/nominatim
• Google LLC— only if you choose to sign in with Google. policies.google.com/privacy

We may also disclose information when required by law (subpoena, court order, lawful regulatory request) or to investigate suspected fraud, abuse, or security incidents.

Children’s names and related details are entered by parents or guardians acting on their own children’s behalf. We do not knowingly collect personal information directly from a child under 13 years of age. Account holders must be at least 18 years old.

If you believe a child has provided us with personal information directly, please contact brent@kinpool.app and we will delete it.

• Active accounts: we retain your account and associated records for as long as your account is active.
• Deleted accounts: upon request to brent@kinpool.app, we will delete your account and personal data within 30 days. Consent records may be retained for audit purposes with identifying information redacted.
• Operational logs: retained by our sub-processors per their defaults (typically 30 days).

Depending on your jurisdiction (including California under the CCPA and the EU/UK under the GDPR), you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate information.
• Request deletion of your personal information.
• Receive a portable copy of your data.
• Object to or restrict certain processing, where the law provides that right.

Most profile information can be edited in-app. For everything else, email brent@kinpool.app and we will respond within 30 days. You may also have the right to lodge a complaint with your local data-protection authority.

We do not sell personal information, so the CCPA opt-out of sale does not apply.

All traffic between your browser and Kinpool is encrypted with TLS. Row-level security policies in our Postgres database scope reads and writes to your group(s). Authentication sessions live inhttpOnly cookies. We continue to harden the security surface; please report suspected vulnerabilities to brent@kinpool.app.

No security program is perfect. If we suffer a security incident that affects your personal information, we will notify you as required by applicable law.

Kinpool is operated from the United States. By using the service, you understand that your information will be processed in the United States by us and our sub-processors. Where required, we rely on Standard Contractual Clauses or equivalent legal mechanisms with our sub-processors for international transfers.

We may update this policy from time to time. We will update the effective date at the top of the page and, for material changes, notify you by email or through the app before the change takes effect.

Legacy Sync LLC · brent@kinpool.app