Privacy Policy — Alight (Draft)

1. About this Policy

Accipiter Industries, Inc. ("Alight," "we," "our," "us") provides Alight, a travel-management product currently consisting of (a) the marketing website at alighttravel.app (the "Site"), (b) a phone-number waitlist for our forthcoming iOS app, and (c) once released, the Alight iOS application (the "App"). The Site, the waitlist, and the App are together the "Service."

This Privacy Policy describes what personal information we collect, how we use it, who we share it with, and the rights you have over it. By using the Service you agree to the practices described here.

2. The short version

A summary, not a substitute for the rest of this Policy:

We do not sell or rent your personal information.
We do not show ads in the Service and we do not use third-party advertising networks.
We collect the minimum information needed to operate the Service.
We use first-party analytics only (PostHog, reverse-proxied through our own domain on the Site, and embedded inside the App). Configured to minimize personal data — no session recording, no cross-site tracking, anonymous visitors.
If you join our SMS waitlist, we will send you one or more text messages about Alight's launch. You can reply STOP at any time.
We use third-party processors (listed in Section 6) to run the Service. They process your data only to provide services to us.
You can request access to or deletion of your information at any time by emailing hello@alighttravel.app.

3. Information we collect

3.1 When you visit the Site

We use PostHog for first-party page analytics on the Site. PostHog requests are routed through our own domain (alighttravel.app/ingest/*), and we have configured PostHog with the most privacy-respecting options available: no session recording, no surveys, anonymous person profiles only (we do not identify website visitors), and respect for your browser's Do Not Track signal.

PostHog collects information such as page URLs, referrer, browser type, anonymized IP, anonymized country, screen size, and aggregated interaction events (clicks, form interactions). We use this information to understand which parts of the Site are useful and which are not, and to detect bugs.

PostHog uses a small amount of localStorage on the Site to store an anonymous distinct ID and to debounce duplicate events. This identifier is not linked to your name, email, or phone number unless you separately submit them through the waitlist form (see Section 3.2).

Cloudflare may set strictly necessary cookies for security (for example, to deliver Cloudflare Turnstile, our anti-bot challenge).

3.2 When you join the SMS waitlist

When you submit the waitlist form on the Site, we collect:

Phone number (required, normalized to E.164 international format)
Email address (optional)
Name (optional)
The text of the consent disclosure displayed at the time of submission, and the timestamp of submission
Your IP address and browser user-agent, used to detect abuse and rate-limit submissions
A Cloudflare Turnstile token to verify you are not a bot

This data is stored in Cloudflare KV (key-value storage) keyed by phone number.

3.3 When you create an Alight account in the App (post-launch)

When you sign up for and use the App, we collect:

Authentication identifiers — email address and/or phone number used to sign in (one-time-password / "magic link" authentication)
Profile information — display name and optional avatar image you choose to provide
Trip data — itineraries, bookings, confirmation numbers, dates, locations, notes, and other content you add to your trips
Forwarded emails — when you forward a booking confirmation email to our designated address, we receive and parse the contents of that email to construct trip items on your behalf
Device and usage information — device type, operating system version, App version, crash reports, and product analytics events (see Section 4.4)
Friend connections — links between your account and accounts you have explicitly connected with for shared-trip features

3.4 Information we do not collect

We do not access your phone's contacts, calendar, photos, or location unless you explicitly grant permission for a specific feature within the App, and only for the purpose of that feature.
We do not collect biometric information.
We do not collect financial account details. Booking-related identifiers (confirmation codes, frequent-traveler numbers) included in trips you save are user-supplied content, not collected from financial institutions.

4. How we use your information

4.1 To provide the Service

We use your information to operate the Service: store your trips, sign you in, parse forwarded emails into structured trip items, share trips with friends you have explicitly connected with, and provide the features you have signed up for.

4.2 To send the SMS waitlist message(s)

If you joined our waitlist, we will send you one or more SMS messages about the App's launch and early-access opportunities. By submitting the waitlist form, you have agreed to receive these messages at the number you provided. Message frequency varies. You can opt out at any time by replying STOP. Reply HELP for help. Message and data rates may apply.

We do not use waitlist phone numbers for any other purpose, and we do not share waitlist phone numbers with third parties for their own marketing.

4.3 To communicate with you

We use your contact information to send transactional and service communications (for example, sign-in codes, security notices, important changes to the Service or to this Policy). These communications are not marketing and you cannot opt out of them while using the Service.

4.4 To improve the Service

We use PostHog product analytics inside the App to understand how features are used in aggregate (for example: which screens are visited, which actions are taken, when crashes occur). This data is associated with a per-installation identifier and your account ID, but is not sold or shared for advertising purposes. We use it to prioritize improvements and detect bugs.

4.5 For safety, security, and abuse prevention

We use IP address, user-agent, Turnstile token, and other technical signals to prevent fraud, spam, and abuse — for example, rate-limiting the waitlist endpoint and detecting attempts to forge sign-ins.

4.6 To comply with the law

We may use, retain, or disclose information as required by law, regulation, legal process, or governmental request, or to enforce our Terms of Use.

5. Legal bases for processing (EEA / UK users)

If you are in the European Economic Area or United Kingdom, our legal bases for processing your personal information are:

Contract — to provide the Service you have signed up for
Consent — to send SMS messages to your waitlist phone number, and for any other processing where we have asked for and you have given consent
Legitimate interests — to operate, secure, and improve the Service in ways you would reasonably expect, where those interests are not overridden by your rights
Legal obligation — when processing is required by law

6. Service providers and subprocessors

We use the following processors to operate the Service. They process personal information solely on our instructions and are bound by appropriate data-protection agreements.

Processor	Purpose	Region
Cloudflare, Inc.	Site hosting, CDN, KV waitlist storage, Web Analytics, Turnstile anti-bot	United States
Supabase, Inc.	Database, authentication, file storage for the App	United States
Mailgun (Sinch)	Sending one-time-password emails; receiving forwarded booking emails	United States
Duffel Travel Limited	Flight search and booking integration in the App	United Kingdom
Anthropic, PBC and/or Google LLC	LLM-based parsing of forwarded booking emails	United States
PostHog Inc.	First-party page analytics on the Site (reverse-proxied) and product analytics inside the App	United States
Apple, Inc.	App distribution via the App Store, Push Notifications	United States

7. How we share information

We do not sell or rent your personal information. We share information in the following limited circumstances:

Subprocessors as listed in Section 6, only as needed to operate the Service
Friends you connect with in the App — content you share with another Alight user (such as a trip you have shared) becomes visible to that user
Legal compliance — to respond to lawful requests from public authorities, including to meet national-security or law-enforcement requirements
Corporate transactions — if Alight is involved in a merger, acquisition, financing, or sale of all or part of its business, your information may be transferred as part of that transaction. We will notify you of any change in ownership or control of your personal information.
With your consent — for any other purpose disclosed at the time of collection

8. How long we keep information

Site analytics are aggregated and retained per Cloudflare's defaults; they do not identify you individually.
Waitlist records are kept until either (a) you ask us to delete them, (b) you reply STOP and we suppress your number, or (c) the App has been generally available for [12 / 24] months and the waitlist is retired.
Account information and trip data are kept while your account is active. If you delete your account, we delete or anonymize your data within [30 / 60 / 90] days, except where we are required by law to retain certain records.
Logs and security data are typically retained for [30 / 90] days.

9. Your rights and choices

9.1 SMS opt-out

Reply STOP to any SMS message from Alight to immediately stop receiving SMS messages from us. Reply HELP for help. You can also email hello@alighttravel.app to be removed.

9.2 Access, correction, deletion

You can request:

A copy of the personal information we hold about you
Correction of inaccurate information
Deletion of your personal information (subject to limited legal exceptions)
Restriction of certain processing
Objection to certain processing based on legitimate interests
Portability of information you provided to us

To exercise any of these rights, email hello@alighttravel.app. We will respond within the time required by applicable law (typically 30–45 days).

9.3 California residents

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you specific rights, including the right to know, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information, and the right to limit the use of sensitive personal information. We do not sell or share your personal information for cross-context behavioral advertising. To exercise your rights, email hello@alighttravel.app.

9.4 EEA / UK / other regions

If you are in a region with data-protection rights (for example the EEA, UK, Brazil, or other jurisdictions), you have rights similar to those described above. You also have the right to lodge a complaint with your local data-protection authority.

10. Children's privacy

The Service is not directed to children under 13 (or under 16 in the EEA / UK). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact hello@alighttravel.app and we will delete it.

11. International data transfers

Our infrastructure is primarily located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. We rely on appropriate safeguards — including Standard Contractual Clauses where required — for cross-border transfers of personal information.

12. Security

We use industry-standard administrative, technical, and physical safeguards to protect your information, including encryption in transit (HTTPS) and at rest, access controls, and security monitoring. No system is perfectly secure; we cannot guarantee that unauthorized access, hardware or software failure, or other factors will never compromise the security of your information.

If we become aware of a security incident affecting your personal information, we will notify you and applicable regulators as required by law.

13. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you by email, by SMS to your verified phone number (where appropriate), or through the Service before the changes take effect. The "Last Updated" date at the top reflects the date of the most recent revision.

14. Contact us

For privacy questions or to exercise any of your rights:

Email: hello@alighttravel.app
Mail: Accipiter Industries, Inc., [STREET ADDRESS], [CITY, STATE ZIP], United States