1. Data We Collect
We collect information you provide directly, data generated by your use of our service, and limited data from third-party integrations.
Information you provide
- Account information: email address, display name, and password (stored as a bcrypt hash — never in plain text).
- Trip data: destinations, travel dates, budget preferences, group size, and activity interests you enter when planning.
- Profile information: profile photo, travel style preferences, and notification settings.
- Communications: messages you send to our support team or via in-app feedback forms.
Information collected automatically
- Usage data: pages visited, features used, button clicks, and session duration.
- Device information: browser type and version, operating system, screen resolution, and language settings.
- Log data: IP address, timestamps, HTTP status codes, and referring URLs — retained for up to 90 days.
- Performance data: page load times and API response latency used to improve the service.
Information from third parties
- If you sign in via Google or another OAuth provider, we receive your email address and display name from that provider.
- If you connect a calendar application, we receive only the event data you explicitly choose to share.
2. How We Use Your Data
We use your data only for the purposes described below. We do not sell your personal information to third parties.
- Providing the service: generating personalised trip itineraries, saving your trips, and enabling collaboration with travel companions.
- AI trip planning: your destination, dates, budget, and preferences are passed to our on-premises AI model (Ollama) to produce itinerary recommendations. These inputs are not shared with external AI providers.
- Service improvement: analysing aggregated, anonymised usage patterns to improve features and performance.
- Communications: sending transactional emails (account verification, password resets, trip sharing notifications) and, with your explicit consent, product update newsletters.
- Security and fraud prevention: detecting and preventing abuse, unauthorised access, and violations of our Terms of Service.
- Legal compliance: retaining records required by applicable law or responding to valid legal requests.
3. Third-Party Services
TripAI integrates with the following third-party services. Each has its own privacy policy governing how it handles data.
| Service | Purpose | Data Shared |
|---|---|---|
| Flight & Hotel APIs | Real-time pricing and availability | Destination, dates, traveler count |
| Maps (MapLibre / OpenStreetMap) | Interactive route and location display | Destination coordinates only |
| OAuth Providers (Google) | Optional social sign-in | Email, display name (with your consent) |
| Email Delivery (Resend) | Transactional email delivery | Your email address and message content |
We require all third-party service providers to maintain appropriate security measures and prohibit them from using your personal data for any purpose other than fulfilling their contracted service.
4. Cookies & Tracking
TripAI uses a minimal set of cookies required for the service to function securely and efficiently.
Essential cookies
Required: Session authentication tokens (HttpOnly, Secure, SameSite=Lax). These are required to keep you logged in and cannot be disabled without breaking the service.
Preference cookies
Optional: Theme selection (light/dark mode) and UI preferences. These are stored in localStorage on your device.
Analytics
Optional: We use self-hosted, privacy-preserving analytics to understand aggregate usage patterns. No cross-site tracking or fingerprinting is performed.
We do not use third-party advertising cookies or share your browsing behaviour with advertising networks.
5. Your Rights (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and applicable local law.
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Ask us to correct inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
Right to Restriction
Ask us to limit how we process your data in certain circumstances.
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or direct marketing.
Withdraw Consent
Withdraw consent at any time for processing based solely on consent.
Lodge a Complaint
File a complaint with your local supervisory authority (e.g. ICO, CNIL).
To exercise any of these rights, email us at privacy@tripai.live. We will respond within 30 days. We may need to verify your identity before processing your request.
6. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the service. Specific retention periods:
- Account and trip data: retained while your account is active. Deleted within 30 days of a deletion request or account closure.
- Log and analytics data: automatically purged after 90 days.
- Backup snapshots: retained for up to 30 days before permanent deletion.
- Legal hold: data subject to a valid legal hold is retained until the hold is lifted.
7. Security
We implement industry-standard security measures to protect your data:
- All data is transmitted over TLS 1.2 or higher (HTTPS enforced everywhere).
- Passwords are hashed using bcrypt with a work factor of 12 — never stored in plain text.
- Authentication uses short-lived access tokens (15 minutes) and rotating refresh tokens (7 days).
- Database access is restricted to the application server via private networking.
- We perform regular security audits and dependency vulnerability scanning.
Despite these measures, no internet transmission is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@tripai.live.
8. Children's Privacy
TripAI is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us immediately and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email (if you have an account) and update the “Last updated” date at the top of this page. Your continued use of TripAI after such changes constitutes acceptance of the updated policy.
10. Contact Us
For privacy-related enquiries, data subject requests, or to report a concern, please contact our Privacy team:
Privacy Team
privacy@tripai.live
You also have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data lawfully. In the EU, a list of supervisory authorities is available at edpb.europa.eu.