Last updated: May 21, 2026Effective: May 21, 2026Version 2.0
Plain-language summary: Kulas collects only what's needed to run the app. We do not sell your data. You can delete your account and all associated data at any time from within the app. This policy applies to users worldwide, including those in the European Union (GDPR) and California (CCPA).
01
Who We Are
Kulas is a mobile application for group travel, developed and operated by Amit Meshulam ("we", "our", or "us"). The app is available on the Apple App Store under the bundle ID com.amit.kulas.
For the purposes of the General Data Protection Regulation (GDPR), we are the Data Controller of your personal information.
Account information — your name, username, and email address when you sign up
Profile information — your profile photo and country of residence, if you choose to provide them
Trip content — photos, expense records, activity plans, and comments you add to shared trips
Authentication data — credentials via Apple Sign In or Google Sign In (we never see your Apple or Google password)
Information collected automatically
Crash and error reports — via Sentry, if the app crashes we collect device type, OS version, and the error stack trace. No personal content is included.
Purchase records — via RevenueCat, a record of in-app purchases (trip creation). We never see or store your payment card details — these are handled entirely by Apple.
Currency conversion data — when you use multi-currency expense tracking, the exchange rate is fetched from Frankfurter (a public API). No personal data is sent.
Information we do NOT collect
Precise or background location data
Contacts or address book
Device identifiers for advertising (IDFA)
Browsing history or cross-app tracking data
Payment card or banking information
03
How We Use Your Information
To provide the service — creating and managing your account, enabling trip collaboration, storing and serving your uploaded photos
To process purchases — verifying in-app purchases through Apple and RevenueCat to unlock trip creation
To provide customer support — responding to your enquiries sent to support@kulas.app
To maintain stability — using crash reports to identify and fix bugs
To comply with legal obligations — retaining certain records as required by applicable law
We do not use your data for advertising, profiling, or selling to third parties.
04
Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases as defined by GDPR Article 6:
Contract (Art. 6(1)(b)) — processing necessary to provide the service you signed up for, including account management, photo storage, and trip collaboration
Legitimate interests (Art. 6(1)(f)) — crash reporting and error monitoring to maintain app stability. Our interest in a functioning app does not override your rights.
Legal obligation (Art. 6(1)(c)) — retaining transaction records as required by applicable tax and commercial law
Consent (Art. 6(1)(a)) — where we explicitly ask for your consent, such as optional profile information
05
Data Sharing & Third-Party Providers
We do not sell, rent, or trade your personal information. We share data only with the following service providers, solely to operate Kulas:
SupabaseDatabase, authentication, and file storage (EU West region)Privacy ↗
AppleSign In with Apple, App Store, in-app purchase processingPrivacy ↗
RevenueCatIn-app purchase management and entitlement trackingPrivacy ↗
SentryCrash reporting and error monitoringPrivacy ↗
FrankfurterCurrency exchange rate lookup (no personal data sent)Site ↗
Each provider is bound by their own privacy policy and, where applicable, by Data Processing Agreements that comply with GDPR requirements.
Disclosure required by law
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such action is necessary to comply with a legal obligation or protect the rights and safety of Kulas users.
06
Data Retention
Active account data — retained for as long as your account exists
Trip content (photos, expenses, activities) — retained until you or a trip owner deletes them, or until your account is deleted
Purchase records — retained for 7 years to comply with tax and accounting obligations
Crash reports — retained by Sentry for 90 days
Deleted account data — permanently and irreversibly deleted within 30 days of account deletion, except where retention is required by law
When you delete your account via Profile → Settings → Delete Account, all your personal data, photos, and trip content are permanently deleted from our systems.
07
Your Rights
Depending on your location, you have the following rights regarding your personal data:
Right of Access
Request a copy of all personal data we hold about you.
Right to Rectification
Correct inaccurate or incomplete personal data directly in the app or by contacting us.
Right to Erasure
Delete your account and all associated data via Profile → Settings → Delete Account.
Right to Portability
Request your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests at any time.
Right to Restriction
Request that we restrict processing of your data in certain circumstances.
Withdraw Consent
Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your EU member state's DPA).
To exercise any of these rights, contact us at support@kulas.app. We will respond within 30 days.
08
California Privacy Rights (CCPA / CPRA)
California Residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
Right to Know — request disclosure of what personal information we collect, use, disclose, and sell
Right to Delete — request deletion of your personal information
Right to Opt-Out of Sale — we do not sell personal information. No opt-out is needed.
Right to Non-Discrimination — we will not discriminate against you for exercising any CCPA rights
Right to Correct — request correction of inaccurate personal information
Right to Limit Use of Sensitive Personal Information — we do not process sensitive personal information beyond what is necessary to provide the service
To submit a CCPA request, email us at support@kulas.app with the subject line "CCPA Request". We will verify and respond within 45 days.
Do Not Sell or Share My Personal Information: Kulas does not sell, share, or disclose personal information to third parties for cross-context behavioral advertising. No opt-out action is required.
09
Children's Privacy
Kulas is not directed at children. The minimum age to use Kulas is:
13 years old — in the United States (COPPA)
16 years old — in the European Economic Area and United Kingdom (GDPR Art. 8)
The applicable local minimum age — in all other jurisdictions
We do not knowingly collect personal information from children below these ages. If you believe a child has provided us with personal information, please contact us immediately at support@kulas.app and we will delete it promptly.
10
Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
All data encrypted in transit using TLS
All data encrypted at rest in Supabase infrastructure
Row-Level Security (RLS) policies so users can only access their own data and trips they are members of
Trip photos accessible only to confirmed trip members — not publicly accessible
No storage of payment card information — all payments processed by Apple
No method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at support@kulas.app.
11
International Data Transfers
Kulas is operated from Israel. Your data is stored on Supabase infrastructure located in the EU West (Ireland) region. Some of our third-party providers (such as RevenueCat and Sentry) may process data in the United States.
Israel has been granted an adequacy decision by the European Commission, meaning transfers to Israel are treated equivalently to transfers within the EEA. For transfers to other third countries (including the US), our providers use Standard Contractual Clauses (SCCs) or other approved mechanisms under GDPR Chapter V to ensure adequate protection of your data.
12
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the app, our practices, or applicable law. When we make material changes, we will:
Update the "Last updated" date at the top of this page
Notify you via an in-app notification for significant changes
Your continued use of Kulas after changes are posted constitutes your acceptance of the revised policy. We encourage you to review this page periodically.
13
Contact Us
For any questions, requests, or complaints about this Privacy Policy or your personal data, please contact us:
We aim to respond to all privacy requests within 30 days.
If you are in the EEA and are unsatisfied with our response, you have the right to lodge a complaint with your national data protection authority. A list of EU data protection authorities is available at edpb.europa.eu.