Privacy Policy
English 日本語 (courtesy translation)
1. Who This Privacy Policy Applies To
This Privacy Policy describes how Tabiflow LLC, a New Jersey limited liability company, handles information when you use Tabiflow (the “Service”). It applies to all users of Tabiflow.
2. Summary
In Tabiflow v1.0, the architecture is designed to handle as little personal information as possible:
- No accounts. You do not sign up. You do not create a profile.
- No server-side storage of your itineraries. Everything you build stays in your browser.
- No advertising trackers. No Facebook Pixel, no Google Analytics, no third-party ad networks.
- No selling of personal data. We do not sell or rent personal data to anyone, and we never will.
Some data necessarily passes through service providers when you use a web app — page requests, IP addresses for routing, geolocation if you grant browser permission. We describe each of these below.
3. Information We Handle
3.1 Itinerary content you create
This includes trip stops, place names, notes, tags, coordinates, route-link choices, and any export data you generate. In v1.0, this stays in your browser’s local storage. Tabiflow LLC does not store it on our servers. You can clear it at any time by clearing your browser data, opening Tabiflow in a private/incognito window, or using your browser’s site-data management tools.
3.2 Location data (geolocation)
We use your device location only when you tap “Use current location” and grant your browser’s geolocation permission. The location reading is used only for the immediate pin action and is not retained, transmitted, or stored on Tabiflow LLC servers. You can refuse the browser permission at any time without losing access to the Service.
3.3 Technical and operational data
When you load Tabiflow, your browser communicates with our hosting providers. This generates standard internet log data — including your IP address, request URL, request time, browser user agent, and similar — that is necessary to deliver the page to you. This data is processed by our subprocessors (see §6) and is not used to build a personal profile.
3.4 Support correspondence
If you email support@tabiflow.net or legal@tabiflow.net, we receive and retain your message, your email address, and any information you choose to include. We use this only to respond to you and to operate the Service.
4. How We Use Information
We use the information described in §3 to:
- Display your itinerary, save your work to your browser’s local storage, and render the Service
- Deliver web pages and assets through our hosting and CDN providers
- Protect the Service against bots, scraping, and abuse
- Respond to support requests
- Comply with legal obligations
We do not use information described in §3 to build advertising profiles, retarget you, or sell to third parties.
5. Legal Bases (for users with applicable rights)
Where applicable (e.g., GDPR, UK GDPR, Japan APPI), we process information on the following bases:
- Performance of the Service — to deliver the planner functions you have asked for
- Legitimate interests — operating the Service securely, preventing abuse, responding to support
- Your consent — for optional features such as browser geolocation
- Legal obligation — where we are required by law
6. Subprocessors
The following third parties process limited operational data on our behalf:
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. (and Cloudflare Pages) | Hosting, content delivery, bot protection (Turnstile) | Global (U.S. headquartered) |
| Stadia Maps, LLC | Map tiles, autocomplete, geocoding | U.S. / Global |
| Google LLC | Outbound navigation links (you choose when to open them; no embedded Maps in v1.0) | Global |
We will publish an updated subprocessor list at tabiflow.net/legal/subprocessors as it changes. If we add a new subprocessor, we will update that page.
7. International Data Transfers
Because our subprocessors operate globally, your requests may be routed through points of presence located outside your country, including the United States and the European Union. Where applicable law requires it, we rely on standard contractual clauses or equivalent transfer mechanisms with our subprocessors.
8. Retention
- Itinerary content: stays in your browser until you clear it. We do not have a copy.
- Operational logs (Cloudflare): retained per Cloudflare’s standard retention (generally short — typically days to weeks).
- Support correspondence: retained for up to three (3) years from last interaction, then deleted.
- Consent and Terms-acceptance records (when introduced): retained for the life of the account or for seven (7) years, whichever is longer, for legal-defense purposes.
9. Your Rights
Depending on where you live, you may have some or all of the following rights:
- Right to access, correct, or delete personal information we hold about you
- Right to restrict or object to certain processing
- Right to data portability
- Right to withdraw consent
- Right not to be subject to certain automated decision-making
- Right to lodge a complaint with your supervisory authority
To exercise any right, email legal@tabiflow.net. We will respond within 30 days (or sooner if required by law).
Tabiflow v1.0 architecture means most data is in your own browser — for deletion, you can simply clear your browser’s site data for tabiflow.net. If you contact us, we will confirm what (if anything) we hold about you and assist you with deletion.
10. U.S. State Privacy Rights (California, Virginia, Colorado, Connecticut, Texas, and others)
If you are a resident of a U.S. state with a comprehensive privacy law, you have the rights listed in §9 to the extent provided by your state’s law. We do not sell personal information as that term is defined in the California Consumer Privacy Act (CCPA). We do not engage in “sharing” for cross-context behavioral advertising. We do not engage in profiling or automated decision-making that produces legal or similarly significant effects.
To exercise a state-law right, email legal@tabiflow.net and identify the state whose right you are exercising. We do not require you to create an account to exercise a right.
11. Japan (APPI)
Tabiflow LLC is a foreign business operator located in the United States. Although Tabiflow is offered to non-residents of Japan, we acknowledge that foreign travelers using the Service while physically located in Japan are data subjects under the Japan Act on the Protection of Personal Information (APPI).
For users physically in Japan:
- Operator: Tabiflow LLC, registered in New Jersey, U.S.A. Contact: legal@tabiflow.net.
- Personal data we handle: In v1.0, none on our servers. Your itinerary content stays in your browser. Cloudflare and Stadia Maps may receive standard internet log data necessary to deliver the Service.
- Purpose: Operate the planner, deliver map tiles, and protect against bots.
- Cross-border transfer: Your requests are served by Cloudflare’s global network and may be routed through points of presence outside Japan, including the United States and the European Union. Map tiles and geocoding requests are served by Stadia Maps. By using Tabiflow you consent to this cross-border handling. You may withdraw this consent at any time by ceasing to use the Service.
- Your rights: You may request access, correction, suspension of use, or deletion of any personal information we hold about you by emailing legal@tabiflow.net. We will respond within 30 days.
Tabiflow LLC does not currently target or market the Service to residents of Japan. If we open the Service to Japan residents in a future release, we will commission a Japanese-language version of these documents reviewed by Japan counsel and update this section accordingly.
12. Europe and the United Kingdom (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland and the GDPR or UK GDPR applies to our processing, you have the rights listed in §9. The controller is Tabiflow LLC. Contact legal@tabiflow.net. You may lodge a complaint with your national data protection authority.
13. Children
Tabiflow is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected personal information from a child under 13, contact legal@tabiflow.net and we will take appropriate steps to delete it.
14. Security
We use reasonable technical and organizational measures to protect the limited information we handle, including HTTPS encryption in transit, Cloudflare’s security stack, and access controls on operational accounts. No system is perfectly secure, and we cannot guarantee absolute security.
In v1.0, the strongest single security control is architectural: most of your data never leaves your device.
15. Data Breach Notification
If we become aware of a breach affecting personal information we handle, we will notify affected users without undue delay, and in any event within the time frames required by applicable law (including, where applicable, the 72-hour window under GDPR Article 33), and will notify relevant supervisory authorities as required.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top and post the updated version at tabiflow.net/privacy. If the change is material, we will display an in-app notice.
17. Language
This Privacy Policy is written in English. We provide a Japanese-language version (プライバシーポリシー) as a courtesy translation at tabiflow.net/privacy/ja. In case of any conflict or difference in meaning between the English and Japanese versions, the English version controls.
18. Contact
legal@tabiflow.net — privacy questions, data rights requests, complaints
support@tabiflow.net — general support
— End of Privacy Policy.