Second Star

Privacy Policy

Last updated: 26 May 2026

Working draft

This policy is pending legal review by a qualified solicitor. The operator details, jurisdiction, contact address, and minimum-age posture reflect the current operating model, but the text has not yet been formally validated. Treat as advisory until a reviewed version replaces it.

This policy explains what personal data Second Star collects, how we use it, with whom we share it, and the choices you have.

Second Star is an independent trip-planning tool for theme-park visits. It is not affiliated with, endorsed by, or sponsored by The Walt Disney Company or any of its subsidiaries. All Disney park names, ride names, and trademarks belong to their respective owners.

Who we are

Second Star is a service operated by Scot n Nerdy Ltd, a company registered in Scotland, trading as Second Star. References in this policy to “Second Star,” “we,” “us,” or “our” mean Scot n Nerdy Ltd. If you have any questions about this policy or about your data, please contact us at privacy@secondstar.app.

Information we collect

Account information

When you create an account, we collect your email address and a display name. Authentication is handled by Supabase, our identity provider, which sets a session cookie in your browser so that you remain signed in across visits.

Trip and itinerary data

When you plan a trip we store the destination, parks, dates, and arrival times you select, the number of adults and children in your group, the ages of any children in the group (used solely to filter rides by height requirement), the rides you mark as “must do,” “would like,” or “skip,” any fixed plans you add (such as dining reservations and breaks), and the itineraries we generate for you.

Billing information

If you subscribe to a paid plan, our payment processor Stripe handles your card details directly. We do not see or store full payment information. We retain a Stripe customer identifier, your active plan, and your subscription status so that we can give you access to paid features.

Automatically collected information

When you use Second Star we automatically collect product analytics about which pages you visit and which actions you take (via PostHog), performance telemetry such as page-load time (via Vercel Speed Insights), and error reports when something goes wrong (via Sentry, configured to strip authentication headers, request bodies, and IP addresses before transmission). We also retain standard server logs, including IP address, browser type, and request paths, for a short period for security and abuse prevention.

We do not collect uploads, photos, or audio.

How we use your information

We use the data above to:

  • Provide the planning service — generate itineraries, save trips, and surface live ride information
  • Authenticate you and keep your account secure
  • Process payments and manage subscriptions
  • Improve the product and diagnose problems
  • Prevent abuse, including by rate-limiting requests

We do not sell your personal information.

Sub-processors

We share data only with the third-party services we need to operate Second Star. We do not share your data with advertisers.

  • Supabase — authentication, account data, trip and itinerary storage (United States).
  • Anthropic — AI itinerary generation. See “AI processing” below for the full list of fields we send (United States).
  • Stripe — subscription billing (United States, with EU sub-processors).
  • Queue-Times — live ride wait-time data. We send only park identifiers; no user data.
  • Upstash Redis — rate-limiting and per-trip generation counters.
  • PostHog — product analytics.
  • Sentry — error monitoring (United States).
  • Vercel — hosting and performance telemetry (United States).
  • Mapbox — map tiles (United States).

If we add or change a sub-processor, we will update this list and revise the “Last updated” date at the top of this page.

AI processing

We use Anthropic’s Claude model to generate itineraries. The prompt we send includes the park you selected and its land layout, your ride preferences and the corresponding live wait-time context, the composition of your group (the number of adults, the number of children, and the ages of any children) so that the model can respect ride height limits, and any times or reservations you have anchored to the day.

We do not send your name, email address, account identifier, or trip name to Anthropic. We do not use your data to train Anthropic models, and Anthropic does not use API inputs to train its models by default.

Public share links

When you create a share link for a day, the recipient can view the itinerary at a public URL. The shared view shows the day’s items and their times, the park names, and, for multi-park hopper days, the transport mode between parks.

The shared view does not show your name, email address, or any account identifier. Anyone with the share link can view the itinerary until the share is revoked. To revoke a share, open the share dialog within the app and use the Revoke control, or contact us at privacy@secondstar.app if you cannot reach that control.

Cookies and similar technologies

Second Star uses:

  • A session cookie from Supabase to keep you signed in.
  • A combination of localStorage and a first-party cookie for PostHog analytics.
  • No third-party advertising cookies.

You can clear these at any time through your browser. Clearing the Supabase session cookie will sign you out.

Data retention and deletion

We retain account and trip data for as long as your account is active. To request deletion of your account or a copy of your data, please contact us at privacy@secondstar.app and we will fulfil the request manually. We are working to add automated deletion and export endpoints; this section will be updated when those are available.

Children

Second Star is intended for adults planning trips. Adult account holders may enter the ages of children in their group so we can filter rides by height requirement. We do not create accounts for children, do not collect any other information about them, and do not direct the service at them.

Second Star requires account holders to be at least 18 years old. If you believe a child has provided personal information to us directly, please contact us at the address above and we will remove the data.

International transfers

Second Star is operated from the United Kingdom (Scotland). Several of our sub-processors store and process data in the United States and the European Union. When data is transferred outside the United Kingdom, we rely on appropriate safeguards — the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision where available — to ensure equivalent protection.

For users in the European Economic Area, transfers outside the EEA are covered by the EU Standard Contractual Clauses with each sub-processor that requires them.

Your rights

Subject to applicable law, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion of your data
  • Request a portable copy of your data
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent

Contact us at privacy@secondstar.app to exercise any of these rights. We will respond within the period required by your local law (and within 30 days where no specific period applies).

If you are in the United Kingdom and believe we have not addressed your concern, you may lodge a complaint with the Information Commissioner’s Office (ICO). If you are in the European Economic Area, you may lodge a complaint with your local data-protection authority.

Changes to this policy

If we make material changes to this policy we will update the “Last updated” date and, where required, notify you via email or an in-product notice. Continued use of Second Star after the effective date of an updated policy constitutes acceptance of the new terms.

Governing law

This policy and any disputes arising from it are governed by the laws of Scotland.

Contact

Questions about this policy or about your data: privacy@secondstar.app.