1. Who we are
Tripdox (“Tripdox”, “we”, “us”) is a travel-planning service operated under the domain tripdox.com and distributed as a mobile application (“Tripdox”) on Android. This Privacy Policy applies to both the web app and the mobile app.
2. Information we collect
We collect information in three ways:
2.1 Information you give us directly
- Account details — email address and display name when you sign up.
- Trip data — cities, dates, travelers, preferences, and itinerary edits.
- Uploaded documents — PDF/image files of flight, train, or hotel bookings you choose to upload so we can auto-populate your trip.
- Home location — the city or address you optionally enter as your trip origin.
- Support messages — content of any message you send through in-app Help & Support.
2.2 Information we collect automatically
- Device & app info — device model, OS version, app version, crash logs.
- Usage data — pages/screens visited, features used, time spent (for product analytics).
- Authentication tokens — session tokens issued by our authentication provider, stored securely on your device.
2.3 Information from third parties
- If you sign in with Google, your Google account email and profile name (no password is ever shared with us).
3. How we use your information
- To create and manage your account.
- To generate AI-powered trip plans, itineraries, and suggestions.
- To search for flights, trains, hotels, and directions, and return results to you.
- To extract booking details from PDFs you upload, and match them to the correct leg of your trip.
- To sync your trips across devices.
- To respond to your support requests.
- To detect abuse, debug crashes, and improve the product.
We do not sell your personal information. We do not use your data for third-party advertising.
4. Third parties we share data with
To deliver the service, we share the minimum necessary data with trusted processors:
- Supabase — authentication, database, and file storage. Stores your account, trips, and uploaded files.
- OpenAI / Anthropic — large-language-model providers that generate itineraries and parse the contents of booking PDFs. We send the prompt, trip context, or PDF text to these providers for processing. We do not use your data to train their models (LLM calls use zero-retention or short-retention API modes where available).
- Google Places / Google Maps Platform — city autocomplete, place photos, driving directions, and distance calculations.
- Flight, train, and hotel search providers — we query public search providers with your origin, destination, and dates to surface availability and prices.
- Analytics — Google Analytics for aggregate product usage metrics. IP addresses are anonymised where supported.
- Crash reporting — crash stack traces may be transmitted to error-reporting services to help us fix bugs.
We may also disclose information if required by law (subpoena, court order) or to protect the safety, rights, or property of our users or others.
5. Data retention
- Account & trips — kept for as long as your account is active.
- Deleted trips — soft-deleted and purged after 30 days.
- Uploaded documents — kept while the trip exists; deleted when you delete the trip or your account.
- Support messages — kept for up to 24 months for quality and dispute handling.
- Server logs — generally retained for up to 90 days for security and debugging.
6. Your rights
Depending on where you live, you may have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and all associated personal data.
- Export your trip data.
- Object to or restrict certain types of processing.
- Withdraw consent where processing is based on consent.
Account deletion is self-service — open the mobile app, go to Settings → Delete account. The web app offers the same option under Settings. Your account and associated trips, files, and support messages are deleted. For any other right, contact us through in-app Help & Support.
7. Security
All data is transmitted over TLS (HTTPS). Passwords are hashed by our authentication provider. Uploaded files and database rows are protected by row-level security so that only you can access your own trips. No system is perfectly secure — if you believe your account has been compromised, contact us immediately via Help & Support.
8. International data transfers
Our providers (Supabase, OpenAI, Anthropic, Google) operate globally. Your data may be stored or processed in regions outside your home country, including the United States and the European Union. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.
9. Children
Tripdox is intended for users aged 18 and over. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA/UK). If you believe a child has provided us with personal data, contact us and we will delete it.
10. Cookies and local storage
The web app uses essential cookies and browser local storage to keep you signed in, remember your preferences (currency, language), and run analytics. The mobile app uses AsyncStorage / SecureStore for the equivalent purposes. You can clear these at any time from your browser or device settings, but doing so will sign you out.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced in-app or by email. The “Last updated” date at the top always reflects the current version.
12. Contact us
Questions, concerns, or data-rights requests? The fastest way to reach us is through the in-app Help & Support screen. You can also write to us at support@tripdox.com.