Privacy Policy
Version: 1.0
Last updated: April 6, 2026
Tripppler ("we", "our", "us") operates the website tripppler.app and the web application at web.tripppler.app (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service.
Tripppler is an EU-based service. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and all applicable EU and member state data protection laws.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
Table of Contents
- Data Controller
- Data We Collect
- How We Use Your Data
- Legal Basis for Processing (GDPR)
- AI-Generated Content & Data Processing
- Data Sharing & Third Parties
- International Data Transfers
- Data Storage & Security
- Data Retention
- Your Rights (GDPR)
- Cookies & Tracking
- Children's Privacy
- Changes to This Policy
- Contact Us & Complaints
1. Data Controller
The data controller responsible for your personal data is Tripppler, operated from the European Union.
For any privacy-related inquiries, data subject requests, or complaints, please contact us at:
- Email: contact@tripppler.app
- Website: tripppler.app
2. Data We Collect
2.1. Account Data
When you create an account, we collect:
- Email address
- Display name (if provided)
- Profile avatar (if uploaded)
- Authentication credentials (managed securely by our authentication provider, Supabase)
2.2. Onboarding & Preference Data
When you set up your profile or create trips, we collect:
- Trip preferences (interests, group type, travel dates)
- Onboarding quiz responses
- Default travel preferences
2.3. Usage Data
When you use the Service, we collect:
- Cities and points of interest you browse, save, or mark as visited
- Trips you create, modify, clone, or share
- Favorite places you mark
- Search queries within the Service
2.4. Location Data
With your explicit consent (via browser permission prompt), we may access your approximate geographic location to show nearby destinations. This data is used in real time for the "Nearby" feature and is not stored on our servers. You can revoke location permission at any time through your browser settings.
2.5. Payment Data
If you purchase a subscription, payment processing is handled entirely by Stripe. We do not store your full credit card number, CVV, or other sensitive payment details. We receive only:
- A transaction identifier
- Subscription status (active, cancelled, expired)
- Billing email address
- Last four digits of your payment card (for display purposes)
2.6. Technical Data
We automatically collect:
- IP address
- Browser type and version
- Operating system and device type
- Pages visited, timestamps, and referral source
- Error logs and performance metrics
3. How We Use Your Data
We use your personal data to:
- Provide the Service — create and manage your account, generate personalized trip itineraries, display relevant points of interest, enable trip sharing
- Personalize your experience — tailor recommendations based on your interests, preferences, and location
- Process payments — manage subscriptions and billing through Stripe
- Improve the Service — analyze usage patterns to fix bugs, enhance features, and optimize performance
- Ensure security — detect and prevent fraud, abuse, and unauthorized access
- Communicate with you — send essential service notifications (account security, billing, significant service changes)
- Comply with legal obligations — respond to lawful requests from authorities
We do not use your data for advertising purposes. We do not sell your data. We do not build advertising profiles.
4. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Contract performance (Art. 6(1)(b) GDPR) — to provide the Service you signed up for, process your subscriptions, and fulfill our contractual obligations
- Legitimate interest (Art. 6(1)(f) GDPR) — to improve the Service, ensure security, prevent fraud, and analyze aggregated usage data. We balance our interests against your rights and freedoms
- Consent (Art. 6(1)(a) GDPR) — for optional features such as location access. You may withdraw consent at any time without affecting the lawfulness of prior processing
- Legal obligation (Art. 6(1)(c) GDPR) — to comply with applicable laws, such as tax and accounting requirements for subscription payments
5. AI-Generated Content & Data Processing
Tripppler uses artificial intelligence (via third-party AI providers including Anthropic, OpenAI, and Google) to generate trip itineraries and enrich point-of-interest descriptions.
When generating a trip, we send to AI providers:
- Your selected destination city
- Your travel preferences (interests, group type)
- Travel dates
- Anchor POI (if generating from a specific place)
We do not send your email address, name, IP address, or any other personally identifiable information to AI providers. AI providers process this data under their respective privacy policies and data processing agreements.
AI-generated content may be cached to improve performance but is not used to train AI models on your behalf.
6. Data Sharing & Third Parties
We do not sell your personal data. We share data only with the following service providers, each bound by data processing agreements compliant with GDPR:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication & database | Account data, usage data |
| Stripe | Payment processing | Billing email, payment details |
| Anthropic / OpenAI / Google | AI trip generation | Anonymized preferences only |
| Mapbox | Maps & geocoding | Map tile requests (IP address) |
We may also share data if required by law, to respond to lawful requests from public authorities, or to protect our rights and safety.
7. International Data Transfers
Your primary data is stored within the European Union (Supabase EU region). However, some third-party providers (AI providers, Stripe) may process data outside the EU/EEA. When this occurs, we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Data processing agreements with appropriate security measures
8. Data Storage & Security
Your data is stored on servers located within the European Union. We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Access controls and the principle of least privilege
- Secure authentication via Supabase (with JWT tokens)
- Payment data handled entirely by Stripe, which is PCI DSS compliant
- Regular security reviews and dependency updates
While we take reasonable precautions, no system is completely secure. We cannot guarantee the absolute security of your data.
9. Data Retention
We retain your personal data for as long as your account is active and as necessary to provide the Service. Specifically:
- Account data — retained until you delete your account
- Trip data — retained until you delete your account or individual trips
- Payment records — retained for up to 7 years as required by tax and accounting laws
- Technical logs — retained for up to 90 days, then automatically deleted
If you delete your account, we will erase your personal data within 30 days, except where retention is required by law.
10. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15) — request a copy of your personal data
- Right to rectification (Art. 16) — correct inaccurate or incomplete data
- Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten")
- Right to restriction (Art. 18) — limit how we process your data
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of prior processing
- Right to lodge a complaint — with a supervisory authority in your EU member state
To exercise any of these rights, contact us at contact@tripppler.app. We will respond within 30 days. We may ask you to verify your identity before processing your request. If your request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act.
11. Cookies & Tracking
We use only essential cookies required for the Service to function:
- Authentication cookie — maintains your logged-in session (Supabase)
- Preference cookie — stores your UI preferences (e.g., sidebar state)
We do not use:
- Third-party tracking cookies
- Advertising cookies
- Analytics cookies that track individual users
- Social media tracking pixels
Because we only use strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive. You can manage cookies through your browser settings, but disabling essential cookies may prevent the Service from functioning.
12. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at contact@tripppler.app and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page
- Updating the "Last updated" date and version number
- Sending an email notification for significant changes
Continued use of the Service after changes constitutes your acknowledgment of the updated policy. We encourage you to review this page periodically.
14. Contact Us & Complaints
If you have questions about this Privacy Policy, wish to exercise your data rights, or want to file a complaint:
- Email: contact@tripppler.app
- General support: contact@tripppler.app
- Website: tripppler.app
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.