Privacy Policy

Last updated: March 29, 2026

This Privacy Policy explains how TripKit ("we", "us", "our") collects, uses, stores, and shares your personal data when you use the TripKit web application (tripkit.app). Please read it carefully.

1. Who We Are (Data Controller)

TripKit is operated as a personal / small-team project. For any privacy questions or to exercise your rights, contact us at: nikhil.ha@gmail.com

2. Personal Data We Collect

We collect the following categories of personal data:

Account & Profile Data

  • Email address — collected on sign-up via email/password or Google OAuth. Stored in Supabase Auth and your profile.
  • Display name — optional; visible to your co-trip-members.
  • Phone number — optional; visible to your co-trip-members.
  • Avatar emoji and profile photo — optional; your profile photo is stored in a publicly accessible storage bucket (anyone with the URL can view it).
  • Preferred currency — used to display trip expenses.

Trip & Travel Data

  • Itinerary items — destinations, dates, times, costs you enter for trip planning.
  • Expenses and splits — amounts, currencies, payers, and participants.
  • Checklists and notes — items and their completion status.
  • Trip documents — files you upload voluntarily, which may include passports, flight tickets, hotel bookings, or other sensitive travel documents. You are solely responsible for deciding whether to upload sensitive identity documents. These files are stored in Supabase Storage and are accessible only to authenticated members of your trip group.
  • Trip photos — photos you upload are stored in a publicly accessible storage bucket.
  • Chat messages — on E2EE-enabled trips, messages are encrypted on your device before transmission using AES-256-GCM. Only the encrypted ciphertext is stored on our servers; we are technically unable to read the content. On non-E2EE trips, messages are stored in plaintext and are visible to all members and viewers of that trip.

Location Data

  • Real-time GPS coordinates — if you enable live location sharing in a trip, your precise latitude/longitude is transmitted in real-time to other trip members via Supabase Realtime. This is always opt-in and can be stopped at any time by leaving the location sharing session. On E2EE-enabled trips, your coordinates are encrypted on your device before transmission; the server stores only ciphertext and cannot determine your location.

Behaviour & Engagement Data

  • Login streak and last-seen timestamp — used for in-app gamification (streaks, badges). Not shared with third parties.
  • Achievement badges — milestones based on your in-app actions.

Technical Data

  • Session tokens (cookies) — authentication session cookies set by Supabase (see Section 6).
  • Push notification subscription tokens — cryptographic tokens used to deliver push notifications to your browser. Stored in our database and used only to send you notifications you have enabled.
  • IP-derived location (country & city) — on first login and refreshed once per week, your IP address is resolved to a country and city via the ip-api.com API (see Section 4). We store country name, ISO country code, and city name on your profile. We do not store your IP address itself. This data is used solely for admin analytics (user country distribution) and is not shown to other users.
  • AI request metadata — when you use AI-powered features, we log the endpoint called, AI model used, token counts, request latency, and success/failure. No message content is logged — only metadata. This is used for abuse monitoring and capacity planning.
  • End-to-end encryption keys — to enable E2EE, your device generates a cryptographic keypair (ECDH P-256). Your public key is stored on our servers so other trip members can securely share trip keys with you. Your private key is encrypted locally on your device using a PBKDF2-derived key from your vault password (600 000 iterations) before being stored; we receive and store only the encrypted form and can never access the plaintext private key. Per-trip symmetric keys are wrapped with your public key and stored as ciphertext.

3. How We Use Your Data

Purpose | Legal Basis (GDPR)
Creating and managing your account | Performance of contract (Art. 6(1)(b))
Trip planning features (itinerary, expenses, checklists, chat) | Performance of contract (Art. 6(1)(b))
Live location sharing | Explicit consent (Art. 6(1)(a)) — you initiate it each session
Sending push notifications | Consent (Art. 6(1)(a)) — you opt in via browser permission prompt
Streak, badges, and gamification | Legitimate interest (Art. 6(1)(f)) — improves engagement and user experience
AI-generated features (see Section 5) | Performance of contract / legitimate interest (Art. 6(1)(b)/(f))
IP-derived country/city lookup | Legitimate interest (Art. 6(1)(f)) — aggregate analytics, no precise location
End-to-end encryption (generating and storing keypairs, distributing trip keys) | Performance of contract (Art. 6(1)(b)) — necessary to provide the E2EE feature you have opted into

4. Data Sharing — Third-Party Services

We use the following third-party services that process your data:

Supabase (EU / US)

Our database, authentication, file storage, and real-time messaging are provided by Supabase, Inc. All your account, trip, chat, and file data is stored with Supabase. They act as a data processor under a Data Processing Agreement. For E2EE-enabled trips, Supabase only receives and stores encrypted ciphertext for messages and GPS coordinates — the plaintext is never transmitted to or accessible by Supabase.

Google (Google OAuth)

If you choose "Continue with Google", your Google account identity and email address are shared with Google and passed to Supabase Auth to create your account. Google's privacy policy applies to the OAuth flow.

Groq Cloud (AI — United States)

When you use AI-powered features — including AI itinerary generation, AI checklist suggestions, daily story cards, and when you mention @tripkit in the group chat — your trip data (destination, itinerary summary, member names) and your chat message are sent to Groq Cloud, Inc. in the United States for processing. Groq does not use this data to train its models. The data is transferred under Groq's standard contractual commitments. AI features are automatically disabled for E2EE-enabled trips; no trip content from those trips is sent to Groq.

Google Gemini (AI fallback — United States)

If Groq is unavailable, the same trip and chat data may be sent to Google Gemini (Google LLC, US) as a fallback AI service for the same features described above. This fallback is also disabled for E2EE-enabled trips.

AeroDataBox / RapidAPI (Flight Data)

When viewing flight status, your flight number and date are sent to AeroDataBox via RapidAPI to retrieve real-time flight information.

OpenStreetMap, Open-Meteo, and Overpass API

Map tiles are served by OpenStreetMap (your IP address is exposed). Place-name geocoding uses Open-Meteo's free API. Nearby venue searches use the Overpass API. These services receive minimal data (place names or coordinates) and are subject to their own open-data terms.

ip-api.com (IP Geolocation)

On first login and once per week thereafter, your IP address is sent server-side to ip-api.com to determine your approximate country and city. This is processed entirely server-side; your browser does not contact ip-api.com directly. ip-api.com's free tier is used and no API key is shared. The result (country name, ISO code, city) is stored on your profile; your raw IP address is never stored by TripKit.

Cloudflare CDN and jsDelivr CDN

Icon assets are loaded from Cloudflare CDN and jsDelivr CDN. Your IP address and browser information are exposed to these CDNs when loading these assets.

Web Push (VAPID)

If you enable push notifications, your browser's push subscription endpoint (provided by your browser vendor — e.g. Google FCM for Chrome) is used to deliver notifications. The notification payload is sent from our server to your browser via the W3C Web Push protocol.

5. AI Processing Disclosure

Several features in TripKit use AI language models (Groq / Google Gemini):

  • Generating itinerary items from your trip destination and notes
  • Suggesting checklist items
  • Generating daily story cards and fun facts
  • @tripkit chat bot: when you type @tripkit in the group chat, your message and trip context are sent to an AI service. Other trip members can see the AI's replies.

What data is sent to AI services: trip title, destination, itinerary summary, member display names, and the triggering chat message. We do not send passport documents, photos, exact GPS coordinates, expense details, or passwords to AI services. AI features are entirely disabled for E2EE-enabled trips — no content from those trips is sent to any AI service. The @tripkit bot will not respond in an E2EE trip chat.

AI responses may occasionally be inaccurate. Do not rely solely on AI for critical travel decisions.

6. Cookies and Local Storage

Cookies (HTTP)

We use strictly necessary authentication cookies set by Supabase (sb-* cookies). These are required for you to log in and stay logged in. Because they are strictly necessary for the service to function, they do not require your consent under the GDPR ePrivacy Directive.

We do not set any tracking, advertising, or analytics cookies.

Local Storage

We store small preference values in your browser's local storage (no expiry, device-local): dark mode preference, display currency, PWA install prompt dismissal, chat read timestamps, and AI hint dismissal. These are not transmitted to our servers and are used solely to remember your in-app preferences.

Session Storage (E2EE Vault)

When you unlock your encryption vault, the decrypted private key is re-encrypted with a randomly generated session key and stored in your browser's sessionStorage under the keys tripkit_e2ee_skey and tripkit_e2ee_priv. This allows you to navigate between pages in the same browser tab without re-entering your vault password. This data is automatically cleared when you close the tab or sign out. It is never transmitted to our servers.

7. Data Retention

  • Session cookies expire according to Supabase defaults (access token ~1 hour, refresh token ~1 week).
  • Your profile, trip data, and uploaded files are retained until you delete your account or the trip owner deletes the trip.
  • Uploaded trip documents (including passport scans) are stored until the document is deleted by a trip member or the parent trip is deleted.
  • Trip photos are stored until deleted by the uploader, the trip owner, or the trip is deleted.
  • AI request log entries (ai_request_log) are retained for up to 90 days for abuse monitoring and capacity planning, then deleted.
  • IP-derived geo data (last_seen_country/city) is updated weekly and retained for as long as your account exists; it is deleted when you delete your account.
  • Push notification subscriptions are removed when you disable notifications or delete your account.

8. Your Rights

Depending on your location, you have the following rights:

GDPR Rights (EU/EEA/UK users)

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data (directly in Settings/Profile)
  • Erasure ("Right to be Forgotten") — delete your account via Profile → Delete Account; this permanently deletes your profile, auth record, and all directly-linked data
  • Restriction — request we limit processing of your data
  • Portability — request your data in a portable format
  • Objection — object to processing based on legitimate interest (e.g. streak/gamification data)
  • Withdraw consent — at any time for GPS location sharing (stop sharing) or push notifications (disable in Profile → Notifications)
  • Lodge a complaint — with your national data protection authority (e.g. Datatilsynet in Norway, ICO in the UK, CNIL in France)

CCPA Rights (California, USA residents)

  • Right to know what personal information we collect and how it is used
  • Right to delete your personal information — use Profile → Delete Account
  • Right to non-discrimination for exercising your privacy rights
  • We do not sell or share your personal information with third parties for advertising purposes

PIPEDA (Canadian users)

Canadian users have rights to access and correct their personal information. Contact us at nikhil.ha@gmail.com to exercise these rights.

9. Data Security

We use industry-standard measures to protect your data: HTTPS encryption in transit, Supabase Row Level Security (RLS) policies to restrict data access by user and trip membership, and VAPID-secured Web Push. However, no system is 100% secure. Do not upload highly sensitive identity documents unless you understand and accept the associated risks.

End-to-end encryption (E2EE) — for E2EE-enabled trips, messages and GPS coordinates are encrypted using AES-256-GCM on your device before transmission. Keys are derived using ECDH P-256 and PBKDF2-SHA-256 (600 000 iterations). Your unencrypted private key and plaintext message content are never transmitted to or stored on our servers. Even in the event of a server breach, encrypted content cannot be decrypted without your vault password and private key, which remain on your device.

Profile photos and trip photos are stored in publicly accessible storage buckets. The URLs contain random identifiers, but anyone who obtains a URL can access the file without authentication. Consider this before uploading identifiable photos.

10. Children's Privacy

TripKit is not directed at children under 13 years of age (or under 16 in the EU/EEA per GDPR Art. 8). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us to have it removed.

11. International Data Transfers

TripKit uses services based in the United States (Supabase, Groq, Google Gemini). Data transfers from the EU/EEA to the US are made under Supabase's DPA, Groq's standard contractual commitments, and Google's EU-US Data Privacy Framework participation.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. Continued use of TripKit after changes constitutes acceptance of the updated policy.

13. Grievance Officer (India)

In accordance with the Information Technology Act 2000 and the Digital Personal Data Protection Act 2023, the name and contact details of the Grievance Officer are:

Name: Nikhil
Email: nikhil.ha@gmail.com
Address: India
Response time: Grievances will be acknowledged within 48 hours and resolved within 30 days of receipt.

14. Contact Us

For any privacy-related questions, data access requests, or to exercise your rights: nikhil.ha@gmail.com