← Back to TripKit

Privacy Policy

Last updated: March 28, 2026

This Privacy Policy explains how TripKit ("we", "us", "our") collects, uses, stores, and shares your personal data when you use the TripKit web application (tripkit.app). Please read it carefully.

1. Who We Are (Data Controller)

TripKit is operated as a personal / small-team project. For any privacy questions or to exercise your rights, contact us at: nikhil.ha@gmail.com

2. Personal Data We Collect

We collect the following categories of personal data:

Account & Profile Data

• Email address — collected on sign-up via email/password or Google OAuth. Stored in Supabase Auth and your profile.
• Display name — optional; visible to your co-trip-members.
• Phone number — optional; visible to your co-trip-members.
• Avatar emoji and profile photo — optional; your profile photo is stored in a publicly accessible storage bucket (anyone with the URL can view it).
• Preferred currency — used to display trip expenses.

Trip & Travel Data

• Itinerary items — destinations, dates, times, costs you enter for trip planning.
• Expenses and splits — amounts, currencies, payers, and participants.
• Checklists and notes — items and their completion status.
• Trip documents — files you upload voluntarily, which may include passports, flight tickets, hotel bookings, or other sensitive travel documents. You are solely responsible for deciding whether to upload sensitive identity documents. These files are stored in Supabase Storage and are accessible only to authenticated members of your trip group.
• Trip photos — photos you upload are stored in a publicly accessible storage bucket.
• Chat messages — messages in the group trip chat are visible to all members and viewers of that trip.

Location Data

• Real-time GPS coordinates — if you enable live location sharing in a trip, your precise latitude/longitude is transmitted in real-time to other trip members via Supabase Realtime. This is always opt-in and can be stopped at any time by leaving the location sharing session.

Behaviour & Engagement Data

• Login streak and last-seen timestamp — used for in-app gamification (streaks, badges). Not shared with third parties.
• Achievement badges — milestones based on your in-app actions.

Technical Data

• Session tokens (cookies) — authentication session cookies set by Supabase (see Section 6).
• Push notification subscription tokens — cryptographic tokens used to deliver push notifications to your browser. Stored in our database and used only to send you notifications you have enabled.

3. How We Use Your Data

Purpose	Legal Basis (GDPR)
Creating and managing your account	Performance of contract (Art. 6(1)(b))
Trip planning features (itinerary, expenses, checklists, chat)	Performance of contract (Art. 6(1)(b))
Live location sharing	Explicit consent (Art. 6(1)(a)) — you initiate it each session
Sending push notifications	Consent (Art. 6(1)(a)) — you opt in via browser permission prompt
Streak, badges, and gamification	Legitimate interest (Art. 6(1)(f)) — improves engagement and user experience
AI-generated features (see Section 5)	Performance of contract / legitimate interest (Art. 6(1)(b)/(f))

4. Data Sharing — Third-Party Services

We use the following third-party services that process your data:

Supabase (EU / US)

Our database, authentication, file storage, and real-time messaging are provided by Supabase, Inc.. All your account, trip, chat, and file data is stored with Supabase. They act as a data processor under a Data Processing Agreement.

Google (Google OAuth)

If you choose "Continue with Google", your Google account identity and email address are shared with Google and passed to Supabase Auth to create your account. Google's privacy policy applies to the OAuth flow.

Groq Cloud (AI — United States)

When you use AI-powered features — including AI itinerary generation, AI checklist suggestions, daily story cards, and when you mention @tripkit in the group chat — your trip data (destination, itinerary summary, member names) and your chat message are sent to Groq Cloud, Inc. in the United States for processing. Groq does not use this data to train its models. The data is transferred under Groq's standard contractual commitments.

Google Gemini (AI fallback — United States)

If Groq is unavailable, the same trip and chat data may be sent to Google Gemini (Google LLC, US) as a fallback AI service for the same features described above.

AeroDataBox / RapidAPI (Flight Data)

When viewing flight status, your flight number and date are sent to AeroDataBox via RapidAPI to retrieve real-time flight information.

OpenStreetMap, Open-Meteo, and Overpass API

Map tiles are served by OpenStreetMap (your IP address is exposed). Place-name geocoding uses Open-Meteo's free API. Nearby venue searches use the Overpass API. These services receive minimal data (place names or coordinates) and are subject to their own open-data terms.

Cloudflare CDN and jsDelivr CDN

Icon assets are loaded from Cloudflare CDN and jsDelivr CDN. Your IP address and browser information are exposed to these CDNs when loading these assets.

Web Push (VAPID)

If you enable push notifications, your browser's push subscription endpoint (provided by your browser vendor — e.g. Google FCM for Chrome) is used to deliver notifications. The notification payload is sent from our server to your browser via the W3C Web Push protocol.

5. AI Processing Disclosure

Several features in TripKit use AI language models (Groq / Google Gemini):

• Generating itinerary items from your trip destination and notes
• Suggesting checklist items
• Generating daily story cards and fun facts
• @tripkit chat bot: when you type @tripkit in the group chat, your message and trip context are sent to an AI service. Other trip members can see the AI's replies.

What data is sent to AI services: trip title, destination, itinerary summary, member display names, and the triggering chat message. We do not send passport documents, photos, exact GPS coordinates, expense details, or passwords to AI services.

AI responses may occasionally be inaccurate. Do not rely solely on AI for critical travel decisions.

6. Cookies and Local Storage

Cookies (HTTP)

We use strictly necessary authentication cookies set by Supabase (sb-* cookies). These are required for you to log in and stay logged in. Because they are strictly necessary for the service to function, they do not require your consent under the GDPR ePrivacy Directive.

We do not set any tracking, advertising, or analytics cookies.

Local Storage

We store small preference values in your browser's local storage (no expiry, device-local): dark mode preference, display currency, PWA install prompt dismissal, chat read timestamps, and AI hint dismissal. These are not transmitted to our servers and are used solely to remember your in-app preferences.

7. Data Retention

• Session cookies expire according to Supabase defaults (access token ~1 hour, refresh token ~1 week).
• Your profile, trip data, and uploaded files are retained until you delete your account or the trip owner deletes the trip.
• Uploaded trip documents (including passport scans) are stored until the document is deleted by a trip member or the parent trip is deleted.
• Push notification subscriptions are removed when you disable notifications or delete your account.

8. Your Rights

Depending on your location, you have the following rights:

GDPR Rights (EU/EEA/UK users)

• Access — request a copy of your personal data
• Rectification — correct inaccurate data (directly in Settings/Profile)
• Erasure ("Right to be Forgotten") — delete your account via Profile → Delete Account; this permanently deletes your profile, auth record, and all directly-linked data
• Restriction — request we limit processing of your data
• Portability — request your data in a portable format
• Objection — object to processing based on legitimate interest (e.g. streak/gamification data)
• Withdraw consent — at any time for GPS location sharing (stop sharing) or push notifications (disable in Profile → Notifications)
• Lodge a complaint — with your national data protection authority (e.g. Datatilsynet in Norway, ICO in the UK, CNIL in France)

CCPA Rights (California, USA residents)

• Right to know what personal information we collect and how it is used
• Right to delete your personal information — use Profile → Delete Account
• Right to non-discrimination for exercising your privacy rights
• We do not sell or share your personal information with third parties for advertising purposes

PIPEDA (Canadian users)

Canadian users have rights to access and correct their personal information. Contact us at nikhil.ha@gmail.com to exercise these rights.

9. Data Security

We use industry-standard measures to protect your data: HTTPS encryption in transit, Supabase Row Level Security (RLS) policies to restrict data access by user and trip membership, and VAPID-secured Web Push. However, no system is 100% secure. Do not upload highly sensitive identity documents unless you understand and accept the associated risks.

Profile photos and trip photos are stored in publicly accessible storage buckets. The URLs contain random identifiers, but anyone who obtains a URL can access the file without authentication. Consider this before uploading identifiable photos.

10. Children's Privacy

TripKit is not directed at children under 13 years of age (or under 16 in the EU/EEA per GDPR Art. 8). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us to have it removed.

11. International Data Transfers

TripKit uses services based in the United States (Supabase, Groq, Google Gemini). Data transfers from the EU/EEA to the US are made under Supabase's DPA, Groq's standard contractual commitments, and Google's EU-US Data Privacy Framework participation.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. Continued use of TripKit after changes constitutes acceptance of the updated policy.

13. Grievance Officer (India)

In accordance with the Information Technology Act 2000 and the Digital Personal Data Protection Act 2023, the name and contact details of the Grievance Officer are:

Name: Nikhil
Email: nikhil.ha@gmail.com
Address: India
Response time: Grievances will be acknowledged within 48 hours and resolved within 30 days of receipt.

14. Contact Us

For any privacy-related questions, data access requests, or to exercise your rights: nikhil.ha@gmail.com