1. Who we are
PlanTheMagic is a digital trip-planning service available through planthemagic.net, related web pages, dashboards, billing areas, progressive web app features, native mobile applications, and support features.
PlanTheMagic is operated by Island Ascent Limited, trading as PlanTheMagic.
For data protection purposes, the controller is:
Island Ascent Limited trading as PlanTheMagic
Company number: 17186774
Registered office and geographical address: Island Ascent Limited, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Data protection enquiries are handled at the email address below.
Email: privacy@planthemagic.net
This Privacy Policy explains how we collect, use, store, and share personal data when you use PlanTheMagic.
2. Scope of this policy
This policy applies to personal data we collect when you:
- visit our website or use the native Android mobile application;
- create or use a PlanTheMagic account;
- start a trial or subscribe;
- use trip planning, dining, AI, billing, referral, offline, feedback, diagnostic, and support features on the website or mobile application;
- contact us; or
- receive emails from us.
Our service is designed for consumers aged 18 or over. It is not intended for children.
3. The personal data we collect
3.1 Data you provide directly
We may collect:
- your name;
- your email address;
- your password in hashed form;
- your email verification status;
- your profile details;
- saved Disney membership flags;
- trip details and trip settings;
- planner items, meal plans, notes, confirmation numbers, links, optional trip photos, uploaded CSV files, restaurant activity, and other content you choose to store in the Service. New trip-photo uploads are decoded and re-encoded before storage, so their stored copies do not retain the original files' EXIF or GPS location metadata. Earlier stored photos are handled through a separate metadata-sanitisation process;
- feedback submissions, bug reports, feature requests, and support messages;
- your marketing preferences, optional referral code, and affirmative referral-disclosure choice; and
- account deletion requests or other privacy requests.
3.2 Billing and subscription data
When you start a trial or subscribe, we and the billing provider that processed the purchase may process billing-related data, including:
- Stripe customer ID for web billing;
- Stripe default payment method ID;
- card brand;
- last four digits of your card;
- expiry month and year;
- Stripe subscription ID;
- Stripe price ID or Google Play package, product, base-plan, offer, purchase-token, order, and subscription-state identifiers;
- subscription and trial status;
- renewal, trial, and billing-period dates;
- cancellation status and end dates;
- invoice history; and
- related metadata.
We do not store your full payment card number or card security code. Stripe and Google Play collect payment details under their own terms. PlanTheMagic stores Google Play purchase-token references in encrypted form and may retain token hashes and order references for verification, fraud prevention, billing administration, and account records.
3.3 Technical and usage data
When you use the Service, we may automatically collect:
- IP address;
- browser, device, operating system, app version, locale, and related technical identifiers;
- approximate location derived from IP address;
- timestamps;
- log data;
- authentication events;
- cookie and similar technology identifiers, including consented Google Analytics browser and session identifiers that may be associated with your numeric PlanTheMagic user ID after account creation;
- service usage data, such as pages viewed and features used, and a limited first-party summary of the campaign, referring site, referral code, landing page, or free tool through which you reached PlanTheMagic;
- error, diagnostic, and performance data; and
- local device storage data, such as local storage, IndexedDB, service worker cache, and mobile-app account, token, sync, and planner caches used for app functionality and limited offline access. Android cloud backup and device-to-device transfer of PlanTheMagic app data are disabled, but local app data may remain until you sign out, clear app storage, or uninstall the app.
3.4 Data from third parties
We may receive personal data from third parties, including:
- Stripe, for web payment, subscription, invoice, and billing-status information, and Google Play, for Android purchase, subscription, order, renewal, cancellation, and entitlement information;
- Amazon SES and Amazon WorkMail, in connection with email delivery and communications;
- Google Analytics, for website and service usage statistics;
- OpenAI, when you use certain AI-powered features; and
- Sentry, for error reports, diagnostics, performance information, and customer feedback, and GitHub, when configured, for system-detected Must Eats data issues.
4. How we use your personal data
We use personal data to:
- create and manage your account;
- verify your email address and authenticate your access;
- provide the website and mobile planner, dining, photo, CSV import/export, offline, syncing, dashboard, billing, and profile features;
- process and verify trials, subscriptions, renewals, invoices, Google Play purchases, entitlements, and cancellations;
- send essential service emails, such as verification emails, password resets, billing notices, account alerts, planning reminders, and service updates;
- provide optional marketing emails where you have opted in;
- operate and improve AI-powered features such as “Must Eats”;
- provide customer support and investigate issues;
- monitor, secure, maintain, and improve the Service;
- detect, prevent, and investigate fraud, misuse, scraping, account sharing, excessive use, and other breaches of our Terms;
- maintain audit logs and internal records;
- handle feedback, monitor errors and diagnostics, operate referral attribution, qualification, reward, and creator-commission records, and investigate system-detected Must Eats catalog data issues;
- comply with legal and regulatory obligations; and
- establish, exercise, or defend legal claims.
5. Our lawful bases
Depending on the context, we rely on one or more of the following lawful bases under UK data protection law:
5.1 Contract
We process personal data where necessary to provide the Service you requested, including:
- account creation and login;
- trip planning and planner storage;
- billing and subscription administration;
- password resets and account communications;
- CSV import/export and related features; and
- optional features you choose to use, including AI recommendations.
5.2 Legitimate interests
We process personal data where necessary for our legitimate interests, provided those interests are not overridden by your rights. These interests include:
- keeping the Service secure;
- preventing misuse, fraud, scraping, and abusive behaviour;
- troubleshooting and support;
- improving the performance, design, and reliability of the Service;
- understanding how the Service is used at an aggregate level;
- handling feedback and product development;
- maintaining audit records;
- enforcing our Terms; and
- protecting our legal position.
5.3 Legal obligation
We process personal data where necessary to comply with legal obligations, including tax, accounting, fraud-prevention, law-enforcement, and regulatory requirements.
5.4 Consent
We rely on consent where appropriate, including for:
- marketing emails and similar promotional communications, and the referral disclosure you affirm when you choose to register with a referral code; and
- any processing where the law specifically requires consent.
Where we rely on consent, you can withdraw it at any time. Withdrawal will not affect processing already carried out before you withdrew consent.
6. AI features
PlanTheMagic may offer AI-powered features, including “Must Eats”.
For this feature, we send restaurant-focused data only, such as:
- restaurant name;
- meal service;
- area and area type;
- cuisines;
- service flags;
- an official menu URL where available; and
- technical request settings.
We do not send your account information, trip name, or free-form trip notes in that request.
We use AI outputs to provide recommendations inside the Service. AI outputs may be inaccurate, incomplete, or out of date and should be treated as informational only.
OpenAI is not permitted by us to use this data to train its models for this feature.
7. Cookies, local storage, analytics, and similar technologies
We use cookies and similar website technologies, including local storage, IndexedDB, and service worker cache. The native mobile application also uses local app storage and caches for the following purposes:
7.1 Essential technologies
Some technologies are necessary for core functionality, such as:
- keeping you signed in;
- maintaining session security;
- remembering basic app state;
- supporting the progressive web app and native mobile application, including limited offline access;
- storing offline assets or fallback content; and
- protecting the Service from abuse.
7.2 Acquisition and first-touch records
We record a limited first-party summary of how a visitor reached PlanTheMagic and which page or free tool they first used. This may include campaign tags, the referring website, a creator or member referral, and the landing page, but not raw advertising click identifiers or unrelated query details. Before signup, this summary stays in the current browser session and is saved to the resulting account if one is created. When you allow analytics, an encrypted first-touch cookie can also carry the earliest summary across visits for up to 90 days; without analytics, it is not retained between browser sessions before signup.
7.3 Analytics technologies
We use Google Analytics 4 to understand how visitors use the site, improve important journeys, and measure which parts of the planner are working well. In regions where consent is required, analytics stays in a limited cookieless mode until you allow it. In other regions, analytics may be enabled by default and you can still change that later from this Privacy page. When analytics is allowed and you create an account, we may associate the consented Analytics browser and session identifiers with your numeric PlanTheMagic user ID so we can understand the journey through signup and membership. If you later turn analytics off, we remove the locally stored Google identifiers for that browser and stop future identified collection; information already received by Google remains subject to Google Analytics retention and deletion controls.
This may involve the collection of information such as:
- number of users and sessions;
- approximate geolocation;
- browser and device information;
- page usage and navigation patterns; and
- similar aggregate or statistical usage information.
7.4 Your choices
You can control some storage and access technologies through your browser or device settings.
You can also review or change whether PlanTheMagic may use Google Analytics cookies on this browser by using the Cookie settings control on this Privacy page.
If we use any non-essential storage or access technologies for purposes beyond the scope described above, we will update this policy and, where required, provide an appropriate consent or choice mechanism.
8. Account access, support access, and audit logging
We restrict internal access to personal data to those who need it for legitimate business purposes.
PlanTheMagic staff may access or impersonate a user account only where reasonably necessary to:
- provide support;
- investigate suspected breaches of the Terms of Service;
- maintain security;
- prevent fraud or misuse; or
- respond to a lawful request from an appropriate authority.
Such actions are logged. Audit logs may record the support agent involved, the action taken, and the date and time.
9. Feedback, error reporting, diagnostics, and catalog issue management
If you submit feedback through the Service, we may review, categorise, and use it to improve PlanTheMagic.
When error reporting or customer feedback is sent to Sentry:
- reports may include your PlanTheMagic user ID, name, email address, device and app details, diagnostic logs, and information about the error or feedback; and
- we configure automated reports to limit unnecessary personal data and do not intentionally include trip plans, free-form planner notes, confirmation numbers, photos, or uploaded files in automated error reports. When GitHub issue syncing is configured, PlanTheMagic also sends system-detected Must Eats data issues to GitHub for investigation. After this privacy update, new automated GitHub issues include restaurant, dining-catalog, service-availability, issue timing, and technical issue details, but do not include customer, trip, or plan-item identifiers. Automated issues created earlier may contain pseudonymous numeric customer, trip, and plan-item identifiers; PlanTheMagic is reviewing and removing those identifiers as part of this privacy rollout.
Please do not include sensitive or unnecessary personal data in feedback submissions.
10. Who we share personal data with
We may share personal data with:
- Stripe, for web payment processing, billing, and invoicing, and Google Play, for Android subscription purchases, verification, billing management, and related store services;
- Amazon Web Services (AWS), for hosting and infrastructure;
- Amazon SES and Amazon WorkMail, for sending and managing communications;
- OpenAI, for limited AI feature processing;
- Google Analytics, for usage analytics;
- Sentry, for error monitoring, diagnostics, performance information, and customer feedback, and GitHub, when configured, for system-detected Must Eats data issues;
- a member or creator whose referral code you choose to use, limited to the fact and timing of an attributed registration and its paid or qualifying status, without your name or email address; professional advisers, such as lawyers, accountants, insurers, or auditors;
- regulators, courts, law-enforcement bodies, or other authorities where required or appropriate; and
- a purchaser, successor, or reorganisation party if we sell, transfer, or restructure all or part of the business.
We require service providers to handle personal data only as needed for the relevant service, subject to appropriate contractual and security measures.
11. International transfers
We primarily operate our infrastructure from the United Kingdom and Ireland.
Our AWS environment is in London, United Kingdom.
Our database is in Dublin, Ireland.
Certain personal data connected with AI features may be processed in the United States by OpenAI.
Certain payment-related data may be stored or processed by Stripe, Google Play, or their service providers in countries outside the UK.
Analytics, app-store, error-monitoring, issue-management, and other support providers, including Google, Sentry, and GitHub, may also process data outside the UK from time to time.
Where we transfer personal data outside the UK, we take steps intended to ensure it remains appropriately protected. Depending on the circumstances, this may include relying on adequacy regulations, contractual safeguards, transfer addenda, or other lawful transfer mechanisms.
You can contact us if you would like more information about the safeguards we rely on for relevant transfers.
12. Data retention
We keep personal data only for as long as reasonably necessary for the purposes described in this policy.
In general:
- we keep account, profile, and trip data while your account remains active;
- if you sign up but do not convert to a paid service and the account remains dormant, we may delete it after 6 months;
- if you delete your account, we will remove your active account and trip data from our live systems promptly, subject to limited retention described below;
- billing, payment, invoice, Google Play purchase-token and order references, referral, compliance, fraud-prevention, tax, accounting, audit, and similar records may be kept for up to six years from account closure, and longer where reasonably necessary or legally required;
- support records, feedback records, Sentry error and diagnostic records, historical GitHub Must Eats data issues pending identifier review, and audit logs may be kept for as long as reasonably necessary to deal with support, security, misuse, compliance, disputes, and product history, subject also to provider retention and deletion controls; and
- backup copies may remain for a limited rolling period until they are overwritten in the ordinary course.
If we do not apply a fixed retention period, we decide how long to keep the data based on the nature of the data, the purpose for which it was collected, the sensitivity of the data, legal requirements, operational need, and the risk of harm from unauthorised use or disclosure.
13. Sensitive data
PlanTheMagic is not designed for storing special category personal data or other highly sensitive information.
Please do not submit sensitive personal data through planner notes, feedback forms, or other free-text fields unless it is strictly necessary. This includes information about:
- health or medical conditions;
- allergies;
- accessibility needs;
- religion or beliefs; or
- other similarly sensitive matters.
If you submit sensitive data anyway, we may delete it, redact it, or handle it only as needed to operate the Service, respond to your request, protect legal claims, or comply with law.
14. Children
PlanTheMagic is intended only for adults aged 18 or over.
We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it.
15. Your rights
Depending on your location and the circumstances, you may have the right to:
- access the personal data we hold about you;
- ask us to correct inaccurate or incomplete personal data;
- ask us to delete your personal data;
- ask us to restrict how we use your personal data;
- object to processing based on legitimate interests;
- receive a copy of certain personal data in a portable format;
- withdraw consent where we rely on consent; and
- complain to the Information Commissioner’s Office (ICO) or, where applicable, another supervisory authority.
To exercise your rights, contact us at contact@planthemagic.net.
We may ask for reasonable proof of identity before actioning certain requests.
16. Marketing communications
We may send you marketing emails such as newsletters, product updates, feature launches, offers, or reminders if you have opted in, or where otherwise permitted by law.
You can unsubscribe from marketing emails at any time using the unsubscribe link in the email or by contacting us.
We will still send essential service-related communications, such as billing notices, account alerts, password resets, and important updates about the Service.
17. Security
We use technical and organisational measures designed to protect personal data, including measures such as:
- encryption in transit;
- access controls;
- least-privilege access practices;
- audit logging; and
- security monitoring and review.
No method of transmission or storage is completely secure. We therefore cannot guarantee absolute security.
18. Third-party websites and services
The Service may link to third-party websites and services, including Disney websites, reservation pages, menus, maps, Stripe-hosted billing pages, Google Play, and other third-party resources.
We are not responsible for the privacy practices of those third parties. Their own privacy notices and terms will apply.
19. Automated decision-making
We do not use your personal data to make solely automated decisions that produce legal effects, or similarly significant effects, about you.
20. Changes to this policy
We may update this Privacy Policy from time to time.
When we do, we will post the updated version on the website and update the effective date above. If the changes are material, we may also notify you by email or in-app notice.
21. Contact us
Island Ascent Limited trading as PlanTheMagic
Company number: 17186774
Registered office and geographical address: Island Ascent Limited, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Data protection enquiries are handled at the email address below.
Email: privacy@planthemagic.net