PlanTheMagic
Menu
Start free trial

Legal

Privacy policy

Version 2026-04-29T17:06:35Z

Cookie settings

Review or update

1. Who we are

PlanTheMagic is a digital trip-planning service available at planthemagic.net and related web pages, dashboards, billing areas, progressive web app features, and support features.

PlanTheMagic is operated by Island Ascent Limited, trading as PlanTheMagic.

For data protection purposes, the controller is:

Island Ascent Limited trading as PlanTheMagic

Company number: 17186774

Registered office and geographical address: Island Ascent Limited,  71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

ICO registration number: [Pending with ICO - please contact us]

Email: privacy@planthemagic.net

This Privacy Policy explains how we collect, use, store, and share personal data when you use PlanTheMagic.

2. Scope of this policy

This policy applies to personal data we collect when you:

  • visit our website;
  • create or use a PlanTheMagic account;
  • start a trial or subscribe;
  • use trip planning, dining, AI, billing, feedback, and support features;
  • contact us; or
  • receive emails from us.

Our service is designed for consumers aged 18 or over. It is not intended for children.

3. The personal data we collect

3.1 Data you provide directly

We may collect:

  • your name;
  • your email address;
  • your password in hashed form;
  • your email verification status;
  • your profile details;
  • saved Disney membership flags;
  • trip details and trip settings;
  • planner items, meal plans, notes, confirmation numbers, links, and other content you choose to store in the Service;
  • feedback submissions, bug reports, feature requests, and support messages;
  • your marketing preferences; and
  • account deletion requests or other privacy requests.

3.2 Billing and subscription data

When you start a trial or subscribe, we and our payment provider may process billing-related data, including:

  • Stripe customer ID;
  • Stripe default payment method ID;
  • card brand;
  • last four digits of your card;
  • expiry month and year;
  • Stripe subscription ID;
  • Stripe price ID;
  • subscription and trial status;
  • renewal, trial, and billing-period dates;
  • cancellation status and end dates;
  • invoice history; and
  • related metadata.

We do not store your full payment card number or card security code.

3.3 Technical and usage data

When you use the Service, we may automatically collect:

  • IP address;
  • browser, device, and operating system information;
  • approximate location derived from IP address;
  • timestamps;
  • log data;
  • authentication events;
  • cookie and similar technology identifiers;
  • service usage data, such as pages viewed and features used;
  • error, diagnostic, and performance data; and
  • local device storage data, such as local storage, IndexedDB, service worker cache, and similar technologies used for app functionality.

3.4 Data from third parties

We may receive personal data from third parties, including:

  • Stripe, for payment, subscription, invoice, and billing-status information;
  • Amazon SES and Amazon WorkMail, in connection with email delivery and communications;
  • Google Analytics, for website and service usage statistics;
  • OpenAI, when you use certain AI-powered features; and
  • GitHub, where feedback workflows or issue-sync functions are used.

4. How we use your personal data

We use personal data to:

  • create and manage your account;
  • verify your email address and authenticate your access;
  • provide the planner, dining, export/import, dashboard, billing, and profile features;
  • process trials, subscriptions, renewals, invoices, and cancellations;
  • send essential service emails, such as verification emails, password resets, billing notices, account alerts, planning reminders, and service updates;
  • provide optional marketing emails where you have opted in;
  • operate and improve AI-powered features such as “Must Eats”;
  • provide customer support and investigate issues;
  • monitor, secure, maintain, and improve the Service;
  • detect, prevent, and investigate fraud, misuse, scraping, account sharing, excessive use, and other breaches of our Terms;
  • maintain audit logs and internal records;
  • handle feedback and sync certain feedback items into GitHub workflows;
  • comply with legal and regulatory obligations; and
  • establish, exercise, or defend legal claims.

5. Our lawful bases

Depending on the context, we rely on one or more of the following lawful bases under UK data protection law:

5.1 Contract

We process personal data where necessary to provide the Service you requested, including:

  • account creation and login;
  • trip planning and planner storage;
  • billing and subscription administration;
  • password resets and account communications;
  • CSV import/export and related features; and
  • optional features you choose to use, including AI recommendations.

5.2 Legitimate interests

We process personal data where necessary for our legitimate interests, provided those interests are not overridden by your rights. These interests include:

  • keeping the Service secure;
  • preventing misuse, fraud, scraping, and abusive behaviour;
  • troubleshooting and support;
  • improving the performance, design, and reliability of the Service;
  • understanding how the Service is used at an aggregate level;
  • handling feedback and product development;
  • maintaining audit records;
  • enforcing our Terms; and
  • protecting our legal position.

5.3 Legal obligation

We process personal data where necessary to comply with legal obligations, including tax, accounting, fraud-prevention, law-enforcement, and regulatory requirements.

5.4 Consent

We rely on consent where appropriate, including for:

  • marketing emails and similar promotional communications; and
  • any processing where the law specifically requires consent.

Where we rely on consent, you can withdraw it at any time. Withdrawal will not affect processing already carried out before you withdrew consent.

6. AI features

PlanTheMagic may offer AI-powered features, including “Must Eats”.

For this feature, we send restaurant-focused data only, such as:

  • restaurant name;
  • meal service;
  • area and area type;
  • cuisines;
  • service flags;
  • an official menu URL where available; and
  • technical request settings.

We do not send your account information, trip name, or free-form trip notes in that request.

We use AI outputs to provide recommendations inside the Service. AI outputs may be inaccurate, incomplete, or out of date and should be treated as informational only.

OpenAI is not permitted by us to use this data to train its models for this feature.

7. Cookies, local storage, analytics, and similar technologies

We use cookies and similar technologies, including local storage, IndexedDB, and service worker cache, for the following purposes:

7.1 Essential technologies

Some technologies are necessary for core functionality, such as:

  • keeping you signed in;
  • maintaining session security;
  • remembering basic app state;
  • supporting the progressive web app;
  • storing offline assets or fallback content; and
  • protecting the Service from abuse.

7.2 Analytics technologies

We use Google Analytics to understand how visitors and users interact with the website and Service, and to improve performance, layout, navigation, and product decisions.

This may involve the collection of information such as:

  • number of users and sessions;
  • approximate geolocation;
  • browser and device information;
  • page usage and navigation patterns; and
  • similar aggregate or statistical usage information.

7.3 Your choices

You can control some storage and access technologies through your browser or device settings.

You can also object to our use of Google Analytics for service-improvement statistics by using: [insert your on-site analytics opt-out control, privacy settings route, or equivalent mechanism].

If we use any non-essential storage or access technologies for purposes beyond the scope described above, we will update this policy and, where required, provide an appropriate consent or choice mechanism.

8. Account access, support access, and audit logging

We restrict internal access to personal data to those who need it for legitimate business purposes.

PlanTheMagic staff may access or impersonate a user account only where reasonably necessary to:

  • provide support;
  • investigate suspected breaches of the Terms of Service;
  • maintain security;
  • prevent fraud or misuse; or
  • respond to a lawful request from an appropriate authority.

Such actions are logged. Audit logs may record the support agent involved, the action taken, and the date and time.

9. Feedback and GitHub issue sync

If you submit feedback through the Service, we may review, categorise, and use it to improve PlanTheMagic.

Where our workflow includes GitHub issue syncing:

  • we do not intentionally send your personal data to GitHub unless you include it yourself in the free-text field; and
  • otherwise, the sync may include a user ID and internal metadata that can only be correlated with your identity by PlanTheMagic staff.

Please do not include sensitive or unnecessary personal data in feedback submissions.

10. Who we share personal data with

We may share personal data with:

  • Stripe, for payment processing, billing, and invoicing;
  • Amazon Web Services (AWS), for hosting and infrastructure;
  • Amazon SES and Amazon WorkMail, for sending and managing communications;
  • OpenAI, for limited AI feature processing;
  • Google Analytics, for usage analytics;
  • GitHub, for issue-management workflows connected to feedback;
  • professional advisers, such as lawyers, accountants, insurers, or auditors;
  • regulators, courts, law-enforcement bodies, or other authorities where required or appropriate; and
  • a purchaser, successor, or reorganisation party if we sell, transfer, or restructure all or part of the business.

We require service providers to handle personal data only as needed for the relevant service, subject to appropriate contractual and security measures.

11. International transfers

We primarily operate our infrastructure from the United Kingdom and Ireland.

Our AWS environment is in London, United Kingdom.

Our database is in Dublin, Ireland.

Certain personal data connected with AI features may be processed in the United States by OpenAI.

Certain payment-related data may be stored or processed by Stripe in the United States and other countries where Stripe or its service providers operate.

Analytics and other support providers may also process data outside the UK from time to time.

Where we transfer personal data outside the UK, we take steps intended to ensure it remains appropriately protected. Depending on the circumstances, this may include relying on adequacy regulations, contractual safeguards, transfer addenda, or other lawful transfer mechanisms.

You can contact us if you would like more information about the safeguards we rely on for relevant transfers.

12. Data retention

We keep personal data only for as long as reasonably necessary for the purposes described in this policy.

In general:

  • we keep account, profile, and trip data while your account remains active;
  • if you sign up but do not convert to a paid service and the account remains dormant, we may delete it after 6 months;
  • if you delete your account, we will remove your active account and trip data from our live systems promptly, subject to limited retention described below;
  • billing, payment, invoice, compliance, fraud-prevention, tax, accounting, audit, and similar records may be kept for 5 years or more after the end of the business relationship or the date of the last transaction, and longer where reasonably necessary or legally required;
  • support records, feedback records, and audit logs may be kept for as long as reasonably necessary to deal with support, security, misuse, compliance, disputes, and product history; and
  • backup copies may remain for a limited rolling period until they are overwritten in the ordinary course.

If we do not apply a fixed retention period, we decide how long to keep the data based on the nature of the data, the purpose for which it was collected, the sensitivity of the data, legal requirements, operational need, and the risk of harm from unauthorised use or disclosure.

13. Sensitive data

PlanTheMagic is not designed for storing special category personal data or other highly sensitive information.

Please do not submit sensitive personal data through planner notes, feedback forms, or other free-text fields unless it is strictly necessary. This includes information about:

  • health or medical conditions;
  • allergies;
  • accessibility needs;
  • religion or beliefs; or
  • other similarly sensitive matters.

If you submit sensitive data anyway, we may delete it, redact it, or handle it only as needed to operate the Service, respond to your request, protect legal claims, or comply with law.

14. Children

PlanTheMagic is intended only for adults aged 18 or over.

We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it.

15. Your rights

Depending on your location and the circumstances, you may have the right to:

  • access the personal data we hold about you;
  • ask us to correct inaccurate or incomplete personal data;
  • ask us to delete your personal data;
  • ask us to restrict how we use your personal data;
  • object to processing based on legitimate interests;
  • receive a copy of certain personal data in a portable format;
  • withdraw consent where we rely on consent; and
  • complain to the Information Commissioner’s Office (ICO) or, where applicable, another supervisory authority.

To exercise your rights, contact us at contact@planthemagic.net.

We may ask for reasonable proof of identity before actioning certain requests.

16. Marketing communications

We may send you marketing emails such as newsletters, product updates, feature launches, offers, or reminders if you have opted in, or where otherwise permitted by law.

You can unsubscribe from marketing emails at any time using the unsubscribe link in the email or by contacting us.

We will still send essential service-related communications, such as billing notices, account alerts, password resets, and important updates about the Service.

17. Security

We use technical and organisational measures designed to protect personal data, including measures such as:

  • encryption in transit;
  • access controls;
  • least-privilege access practices;
  • audit logging; and
  • security monitoring and review.

No method of transmission or storage is completely secure. We therefore cannot guarantee absolute security.

18. Third-party websites and services

The Service may link to third-party websites and services, including Disney websites, reservation pages, menus, maps, Stripe-hosted billing pages, and other third-party resources.

We are not responsible for the privacy practices of those third parties. Their own privacy notices and terms will apply.

19. Automated decision-making

We do not use your personal data to make solely automated decisions that produce legal effects, or similarly significant effects, about you.

20. Changes to this policy

We may update this Privacy Policy from time to time.

When we do, we will post the updated version on the website and update the effective date above. If the changes are material, we may also notify you by email or in-app notice.

21. Contact us

Island Ascent Limited trading as PlanTheMagic

Company number: 17186774

Registered office and geographical address: Island Ascent Limited, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

ICO registration number: [Pending with ICO - please contact us]

Email: privacy@planthemagic.net