Back

Privacy Policy

Privacy Policy

Last updated: May 5, 2026

This Privacy Policy explains what data On Island collects, why we collect it, how we use it, and the choices you have. We try to keep this short and direct.

1. What we collect

If you browse anonymously: standard server logs (IP address, browser, page accessed, timestamp). Used for security, abuse detection, and aggregate traffic analysis. Not associated with you personally.

If you create an account: email address, password (stored as a salted hash by our auth provider — we never see the plaintext), display name, optional phone number, your selected user type (visitor / local / villa owner / snowbird), and timestamps for sign-up and last sign-in.

If you save listings or write reviews: the listings you saved, the reviews you wrote (visible publicly with your display name), and engagement events (which businesses you viewed or called).

If you list a business: your owner name, business name, contact phone + email, business address, GPS pin or service-area radius, photo, optional menu file, USVI license number (if provided), social media URLs, hours, description, and the subscription plan and payment status.

If you submit a beach report (locals only): the beach, conditions you reported, and the timestamp.

Cookies and similar: a session cookie when signed in, plus a Sentry trace cookie for error monitoring. We do not use advertising or cross-site tracking cookies.

2. Why we collect it

  • Run the directory: display listings, route phone calls, sort search results, render the daily Brief
  • Account features: save / review / report functions only work with a logged-in user
  • Payments: business subscriptions and premium-slot bookings need billing data
  • Moderation: prevent abuse, fraud, fake businesses, and review spam
  • Communication: send transactional email (signup confirmation, password reset, business approval / decline, renewal reminders, suspend notices)
  • Analytics: business owners see aggregated views/calls/saves on their own listings

3. Who we share it with

On Island does not sell, rent, or trade your personal data. We share data only with:

  • Hosting and infrastructure — Supabase (database, auth, storage), Vercel (hosting), Sentry (error monitoring)
  • Payments — Stripe (subscriptions, premium-slot purchases). Stripe holds full payment-method data; we only receive a customer ID and last-4 of the card.
  • Email — Resend (transactional email delivery)
  • Maps — Mapbox (renders pins; we send no personal data, only the page request)
  • Aggregated public data sources — NOAA, USGS, Open-Meteo, NDBC, AeroDataBox, CruiseMapper. These are read-only data feeds; we send no personal data to them.
  • Legal compliance — if required by law, court order, or to protect On Island, our users, or the public

We do not run third-party advertising networks. There is no tracking pixel from Google, Facebook, or anyone else.

4. Where data is stored

Data is hosted on Supabase (US-East-1 region) and Vercel (global edge). Backups are encrypted at rest. We retain data while your account is active and for a reasonable period after deletion to satisfy legal, tax, and audit requirements (typically 7 years for transactional records, immediately for browsing data).

5. Your rights

You can:

  • Access the data we have about you — email support@onisland.app
  • Correct inaccurate data via your account or business dashboard
  • Delete your account by signing out and emailing us; we will purge personal data within 30 days subject to legal retention requirements above
  • Export your data as JSON on request
  • Opt out of non-essential email by replying "unsubscribe" or contacting support

6. Children

On Island is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has signed up, contact us and we will delete the account.

7. Security

We use industry-standard practices: encrypted connections (HTTPS), password hashing, row-level database security, signed-JWT email actions, rate limiting, and an audit log of admin actions. No system is perfectly secure; if we detect a breach affecting your data we will notify you within 72 hours where required by law.

8. Changes to this policy

We will update this page and bump the "Last updated" date when we make material changes. For significant changes that affect how we use your data, we will email account holders before the change takes effect.

9. Contact

Privacy questions, data requests, or complaints: support@onisland.app

Mailing address: On Island, U.S. Virgin Islands.