Privacy Policy
Effective date: 26 April 2026 Last updated: 26 April 2026
TripDeets is operated by Apex Aspire Limited, a company registered in England and Wales ("we", "us", "our"). This policy explains what personal data we collect, why we collect it, where it is stored, and your rights under UK GDPR and the UK Data Protection Act 2018.
1. Who is the data controller?
Apex Aspire Limited Governing law: England & Wales
Contact for data matters: privacy@tripdeets.app
2. Data we collect
2.1 Account data
- Email address — used to identify your account and send transactional messages (booking confirmations, password resets, invitation emails).
- Password — stored as a salted hash; we never store or transmit your plain-text password.
- Display name — optional, used within your household.
2.2 Household and trip data
TripDeets uses a household model: two or more people can share a single pool of trips.
- Household membership — which users belong to which household, their role (owner or member), and the date they accepted an invitation.
- Trip metadata — trip names, destinations, travel dates, and any free-text notes you add.
- Travel segments — flight details (airline, flight number, departure and arrival airports, scheduled times), accommodation bookings (property name, address, check-in/check-out), parking reservations, events, and entry documents.
- Expenses — amount, currency, category, notes, and an optional receipt image.
- Uploaded documents — PDFs (e.g. boarding passes, hotel confirmations, visa letters) attached to trips or forwarded by email to your personal TripDeets inbound address.
2.3 Location data (leave-by reminders)
If you enable leave-by reminders, we request your device's current location at the time the reminder is calculated to determine your drive time to the airport. This location is used in a single Google Maps API call and is not stored persistently on our servers or in our database.
2.4 Push notification tokens
If you grant push-notification permission on iOS or Android, we store a Firebase Cloud Messaging (FCM) registration token for your device. This token is associated with your user account and is used solely to send you flight-status alerts and leave-by reminders you have opted in to. Tokens are deleted when you sign out.
2.5 Usage and technical data
- IP addresses — processed transiently by our hosting provider (Vercel) for request routing; not stored by us.
- Authentication session cookies — httpOnly cookies managed by Supabase Auth; necessary for your session to remain valid across browser restarts.
2.6 Inbound email forwarding
You may forward booking-confirmation emails to a personalised address ({token}@in.tripdeets.app). When you do, we receive the sender address, subject line, and email body. The body is parsed to extract booking data and any attached PDFs; raw email content is not stored after parsing is complete.
3. Lawful bases for processing
| Purpose | Lawful basis |
|---|---|
| Creating and maintaining your account | Contract (Art. 6(1)(b) UK GDPR) |
| Storing and displaying your trip data | Contract |
| Sending transactional email (password resets, invitations) | Contract |
| Leave-by reminders using location | Consent (you enable the feature explicitly) |
| Push notifications | Consent (you grant OS permission and opt in per category) |
| Flight-status polling via AeroDataBox | Legitimate interest (core feature) |
| Keeping the service running (server logs, health checks) | Legitimate interest |
4. Where your data is stored
All personal data is stored within the European Economic Area (EEA) or equivalent regions:
| Data type | Processor | Region |
|---|---|---|
| Accounts, trips, household data | Supabase (Postgres) | EU West (London, eu-west-2) |
| Uploaded documents and receipt images | Cloudflare R2 | EU jurisdiction (tripdeets-documents bucket) |
| Transactional emails | Resend | EU region (eu-west-1) |
Documents are stored in Cloudflare R2 under a path scoped to your household (households/{household_id}/...). Access requires a server-minted, short-lived signed URL; documents are not publicly accessible.
5. Third-party processors
We share data with the following sub-processors. All are used only to operate the service.
| Processor | Purpose | Data shared | Privacy reference |
|---|---|---|---|
| Supabase | Database, authentication, real-time sync | Accounts, trips, household data | supabase.com/privacy |
| Cloudflare | Document storage (R2), inbound email routing | Uploaded PDFs, receipt images, inbound email bodies | cloudflare.com/privacypolicy |
| Vercel | Application hosting | IP addresses (transient) | vercel.com/legal/privacy-policy |
| Resend | Transactional email delivery | Your email address | resend.com/privacy |
| Google (Firebase / FCM) | Push notification delivery | FCM device tokens | policies.google.com/privacy |
| Google Maps | Drive-time calculation for leave-by reminders | Your device location (at reminder-calculation time only) | policies.google.com/privacy |
| AeroDataBox (via RapidAPI) | Live flight-status data | Flight numbers you have entered | aerodatabox.com/privacy |
| Apple (APNs) | Push notification delivery on iOS | FCM token (proxied through Firebase) | apple.com/legal/privacy |
We do not sell your data to any third party. We do not use your data for advertising.
6. Data retention
| Data | Retention period |
|---|---|
| Account and trip data | Until you delete your account |
| Uploaded documents | Until you delete the document or your account |
| Push notification tokens | Until you sign out or uninstall the app |
| Inbound email bodies | Deleted immediately after parsing |
| Transactional emails | Governed by Resend's retention policy |
When you delete your account, we delete all associated data from Supabase. Documents in Cloudflare R2 are deleted as part of the same account-deletion process. Backups are purged within 30 days.
7. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data ("right to be forgotten").
- Restriction — ask us to pause processing your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing carried out on the basis of legitimate interests.
- Withdraw consent — for consent-based processing (location, push notifications), you can withdraw at any time via the app's Settings screen.
To exercise any of these rights, email privacy@tripdeets.app. We will respond within 30 days.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.
8. Children
TripDeets is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us data, please contact privacy@tripdeets.app and we will delete it promptly.
9. Changes to this policy
We may update this policy when we change the service in ways that affect how we process personal data. We will post the updated policy at tripdeets.app/privacy and update the "Last updated" date above. For material changes, we will notify you by email or in-app message.
10. Contact
Apex Aspire Limited Email: privacy@tripdeets.app