Privacy Policy

1. Introduction

TripGenie (“we”, “us”, “our”) operates the website at tripgenie.ai and the TripGenie mobile application (iOS and Android, bundle identifier: ai.tripgenie.app), collectively referred to as the “Service.”

This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have regarding your data. By using the Service, you agree to the collection and use of information as described in this policy. This policy is incorporated into and subject to our Terms of Service.

2. Information We Collect

2.1 Information You Provide

• Account information — name and email address provided through OAuth providers (Apple Sign-In, Google Sign-In) or direct email registration.
• Travel preferences — selected travel vibes, traveler type, budget preferences, and other planning inputs.
• Trip data — destinations, dates, itineraries, notes, and other trip-related content you create or save.
• Communications — messages you send to our support team.

2.2 Information Collected Automatically

• Usage data — pages visited, features used, buttons clicked, search queries, and interactions within the Service.
• Device information — operating system, browser type and version, device type, screen resolution, and unique device identifiers.
• Log data — IP address, access times, referring URLs, and error logs.
• Location data — approximate location derived from your IP address. Precise location data (GPS) is collected only with your explicit permission on mobile devices and used solely for nearby recommendations.
• Push notification tokens — device tokens for delivering push notifications, collected only if you opt in to notifications on the mobile app.

2.3 Affiliate & Booking Interaction Data

When you interact with affiliate links or booking options within the Service, we collect:

• Click data — which affiliate links you click, the time and context of the click (e.g., which itinerary and activity it relates to).
• Conversion data — whether a click resulted in a completed booking on the third-party provider's site. We receive limited conversion information from our affiliate partners (typically a confirmation that a booking occurred and the commission amount, but not the full details of your booking such as payment information).
• Referral identifiers — unique tracking IDs appended to affiliate URLs to attribute referrals. These identifiers do not contain your personal information.

3. Cookies & Tracking Technologies

We use cookies and similar technologies on our website to provide, protect, and improve the Service:

• Essential cookies — required for the Service to function (e.g., session management, authentication state). These cannot be disabled.
• Analytics cookies — help us understand how visitors use the Service (e.g., page views, navigation patterns). We use privacy-focused analytics.
• Affiliate tracking cookies — placed by our affiliate partners (Booking.com, Viator) when you click an affiliate link. These cookies allow the partner to attribute your booking to TripGenie. These cookies are governed by the respective partner's cookie policy.

You can manage cookie preferences through your browser settings. Blocking essential cookies may affect the functionality of the Service.

4. How We Use Your Information

We use the information we collect for the following purposes:

• Service delivery — create and manage your account, generate AI-powered itineraries, and sync trips across devices.
• Personalization — tailor recommendations based on your travel preferences and past activity.
• Affiliate services — facilitate referrals to third-party booking providers and track affiliate commissions owed to us.
• Communications — send trip reminders, push notifications (if opted in), and respond to support requests.
• Improvement — analyze usage patterns and feedback to improve the Service, AI models, and user experience.
• Safety & security — detect, prevent, and respond to fraud, abuse, and security incidents.
• Legal compliance — comply with applicable laws, regulations, and legal processes.

5. How We Share Your Information

We do not sell your personal data. We share information only in the following circumstances:

5.1 Third-Party Service Providers

We share data with service providers who help us operate the Service:

• Supabase — authentication, database, and data storage.
• Google Places API — destination search and autocomplete. Your search queries are sent to Google.
• Apple Sign-In — authentication for iOS users.
• Google Sign-In — authentication for Google users.

5.2 Affiliate Partners

When you click an affiliate link, you are directed to a third-party provider's website. At that point, the provider may collect your information under their own privacy policy. Our affiliate partners include:

• Booking.com — hotel and accommodation bookings. When you click a Booking.com link, a referral identifier is included in the URL. Booking.com may set cookies on your device.
• Viator — tours, activities, and experience bookings. When you click a Viator link, a referral identifier is included in the URL. Viator may set cookies on your device.

We do not share your name, email, or account information with affiliate partners. The only data transmitted is the referral identifier embedded in the link URL.

5.3 AI Service Providers

To generate itineraries, your travel preferences (destination, dates, travel vibes, traveler type) are sent to our AI processing provider. This data does not include your name, email, or account information. We contractually require our AI providers to not use your data to train their models.

5.4 Legal & Safety

We may disclose your information if required to do so by law, or if we believe in good faith that disclosure is necessary to:

• Comply with legal obligations, subpoenas, or court orders.
• Protect and defend the rights, property, or safety of TripGenie, our users, or the public.
• Detect, prevent, or address fraud, security issues, or technical problems.

5.5 Business Transfers

If TripGenie is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.

6. Data Storage & Security

Your data is stored in the cloud via Supabase with encryption in transit (TLS 1.2+) and at rest (AES-256). On mobile devices, sensitive tokens (authentication tokens, session data) are stored using Expo SecureStore, which utilizes the platform's secure enclave (iOS Keychain / Android Keystore).

We implement industry-standard security measures including access controls, regular security audits, and monitoring for unauthorized access. However, no method of electronic transmission or storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.

7. International Data Transfers

TripGenie is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from your jurisdiction.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission, or other legally recognized transfer mechanisms, to ensure adequate protection of your personal data.

8. Data Retention

• Account data is retained for as long as your account remains active.
• Trip data is retained until you choose to delete it.
• Affiliate click and conversion data is retained for up to 24 months for commission reconciliation and reporting purposes, then anonymized or deleted.
• Analytics data is retained in anonymized/aggregated form and does not contain personal identifiers.
• Log data (IP addresses, error logs) is retained for up to 90 days for security and debugging purposes.

You can delete your account at any time through the app or website settings, or by contacting us at support@tripgenie.ai. Upon account deletion, your personal data will be removed from our active systems within 30 days. Some data may persist in encrypted backups for up to 90 days before being permanently deleted.

9. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights:

• Access — request a copy of the personal data we hold about you.
• Correction — request correction of inaccurate or incomplete data.
• Deletion — request deletion of your personal data.
• Data portability — request an export of your data in a structured, machine-readable format.
• Opt-out of analytics — disable analytics tracking in your account settings.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time.
• Restrict processing — request that we limit how we use your data.
• Object to processing — object to processing based on legitimate interests.

To exercise any of these rights, contact us at privacy@tripgenie.ai. We will respond within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.

10. California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

Categories of Personal Information Collected

• Identifiers — name, email address, IP address, device identifiers.
• Internet activity — browsing history within the Service, search history, interaction data.
• Geolocation data — approximate location from IP; precise location only with consent.
• Inferences — travel preferences and interests derived from your usage.

Your California Rights

• Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete — request deletion of your personal information.
• Right to Correct — request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing — we do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights.

To submit a request, email privacy@tripgenie.ai with the subject line “CCPA Request.” We will verify your identity and respond within 45 days.

11. EU/EEA Residents (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and applicable local laws provide you with additional protections.

Legal Basis for Processing

We process your personal data under the following legal bases:

• Contract performance — processing necessary to provide the Service you requested (e.g., generating itineraries, managing your account).
• Legitimate interests — processing necessary for our legitimate business interests (e.g., improving the Service, fraud prevention, analytics), balanced against your rights.
• Consent — processing based on your explicit consent (e.g., location data access, push notifications, optional marketing communications).
• Legal obligation — processing necessary to comply with applicable laws.

Your GDPR Rights

In addition to the rights listed in Section 9, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your data protection rights.

Automated Decision-Making

Our Service uses AI to generate travel itineraries based on your inputs (destination, dates, preferences). This processing is automated but does not produce legal effects or similarly significant effects on you. The AI generates travel suggestions only — you are free to use, modify, or disregard them. No automated decisions are made regarding your access to the Service, pricing, or eligibility.

12. Do Not Track

Some browsers transmit a “Do Not Track” (DNT) signal. There is currently no industry-standard way to respond to DNT signals. We do not currently respond to DNT signals, but we do not engage in cross-site tracking of our users.

13. Children's Privacy

The Service is not directed at children under 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under this age. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@tripgenie.ai and we will promptly delete that information.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via the app, email, or a prominent notice on the website at least 30 days before they take effect. The “Last updated” date at the top of this page will be revised. Your continued use of the Service after the updated policy takes effect constitutes your acceptance. If you do not agree to the updated policy, you should stop using the Service and delete your account.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us:

• Privacy inquiries: privacy@tripgenie.ai
• General support: support@tripgenie.ai
• Visit our Support page