Privacy Policy

Last updated: May 4, 2026

This is a convenience translation. The German version (Datenschutzerklärung) is the legally binding version.

Thank you for your interest in our mobile application Trippin. The protection of your personal data is very important to us. Below we provide detailed information about how we process your data in accordance with Art. 13 of the General Data Protection Regulation (GDPR).

1. Controller (Art. 13(1)(a) GDPR)

Trippin Osterried GbR
Alt Schürkesfeld 29
40670 Meerbusch
Germany

Authorized representatives: Melanie Osterried, Marc Osterried
Email: trippintravel@outlook.com
Phone: +49 160 93078269

Trippin Osterried GbR is a small business exempt from VAT pursuant to § 19 UStG (German small business regulation).

We are not required to appoint a data protection officer. For all data protection inquiries, please contact us at the email address above.

2. Purposes and Legal Basis for Processing (Art. 13(1)(c) and (d) GDPR)

a) Account Creation and Authentication

We process your email address, name, and password (or your Apple ID or Google account) to create and manage your user account.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Processing is necessary to enable your use of the app.

b) Trip Planning and Collaboration

We process trip data (destinations, dates, budgets, itineraries, expenses, packing lists, availability, Vibe Check responses, votes, quest data, booking information, flight/accommodation details, and activity feed entries) to enable collaborative trip planning within your group.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract). This processing is the core of the contractual service.

c) In-App Purchases

For in-app purchases (Group Bundle, Per-Person purchase, Annual subscription, Monthly subscription), we process purchase receipts and entitlement data via RevenueCat and Apple/Google. Payment data itself is processed exclusively by Apple or Google.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

d) AI-Powered Suggestions

We use AI (Groq) to generate travel suggestions (destinations, daily itineraries, packing lists, quests, conflict detection, Vibe Check synthesis). Only trip-level context data (destination, dates, budget, group size, preferences) is sent to the AI provider — no personal data (name, email, account details).

Legal basis: Art. 6(1)(b) GDPR (performance of a contract), insofar as the suggestions are part of the contractual service; additionally Art. 6(1)(f) GDPR (legitimate interest in improving the user experience). You may object to processing based on legitimate interest pursuant to Art. 21 GDPR.

e) Push Notifications

We send you push notifications about trip updates if you have enabled them in the app. For this purpose, we process your push notification token.

Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time via your device settings or the app settings.

f) Usage Analytics

We log certain in-app events (e.g., trip creation, sign-in, paywall views, feature usage, onboarding completion) including your user ID, platform, app version, and optional context (e.g., trip ID). This data is stored in our database (Supabase, EU servers) and used exclusively to improve the app. It is not shared with third-party analytics services.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving and optimizing our app). You have the right to object to this processing pursuant to Art. 21 GDPR.

g) Error Reporting (Sentry)

To ensure app stability, we use Sentry for crash and error reporting. This may include device type, operating system version, and anonymous error data. No personal content is transmitted.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in bug fixing and app stability). You have the right to object to this processing pursuant to Art. 21 GDPR.

h) Waitlist

When you sign up for our waitlist, we process your email address to notify you about the app launch.

Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time by emailing trippintravel@outlook.com.

i) Smart Nudges

Trippin uses a Smart Nudge system to help your group make decisions and avoid planning stalls. For this purpose, we process:

Screen views: Which trip screens you have viewed (e.g., budget, availability, destinations) to detect when you have seen a decision but not yet participated
Activity patterns: Your preferred usage times to send notifications at the optimal moment
Participation data: Whether you have submitted votes, budgets, or availability selections to determine the relevance of a nudge

Nudges are limited to a maximum of 4 per day per user and can be managed via the notification settings in the app.

Legal basis: Art. 6(1)(a) GDPR (consent). Smart Nudges are opt-in and can be disabled at any time.

3. Categories of Personal Data

We process the following categories of personal data:

Account data: Email address, name, password hash, Apple ID or Google account identifier
Trip data: Destinations, dates, budgets, daily itineraries, activities, booking information, flight/accommodation details, transport
Photos: Images captured or uploaded via the Sync Shot feature
Financial data: Expense entries, currency information, settlement data (no payment details such as credit card numbers — these are processed exclusively by Apple/Google)
Device data: Push notification token, device type, operating system version, app version
Behavioral data: In-app events, screen views, preferred usage times, participation data for votes and decisions
Content reports: Reports about flagged content, blocks of other users (content type, reason, optional description)

4. Recipients and Categories of Recipients (Art. 13(1)(e) GDPR)

Your personal data may be shared with the following recipients or categories of recipients:

Members of your trip group: Trip data is shared with members of your trip group whom you have invited or who have joined via your invite code
Supabase (database and authentication provider): Account data, trip data, photos — EU servers
RevenueCat (payment processing): Purchase receipts, entitlement data
Groq (AI provider): Only anonymous trip-level context data (no personal data)
Sentry (error reporting): Anonymous error and device data
Expo (push notifications): Push notification tokens
Apple / Google (authentication and payments): Authentication data, payment data
GetYourGuide, Trip.com, KiwiTaxi, GetTransfer (affiliate partners): When using affiliate links: destination, travel dates, number of travelers (no personal data such as name or email)
Frankfurter API: No personal data (currency queries only)

We do not sell your personal data to third parties.

5. Transfers to Third Countries (Art. 13(1)(f) GDPR)

Some of the service providers we use are based in the United States (third country). We ensure through appropriate safeguards that your data is adequately protected when transferred to third countries:

Service Provider	Location	Safeguard
Supabase	EU servers	No third-country transfer — data remains in the EU
Sentry	USA	EU-US Data Privacy Framework (adequacy decision by the European Commission pursuant to Art. 45 GDPR)
RevenueCat	USA	Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
GetYourGuide	Germany (EU)	No third-country transfer — data remains in the EU
Trip.com (Trip.com Group)	Singapore	Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
Google	USA	EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR)
Groq	USA	Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR
Expo	USA	Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR
Apple	USA	Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR

You may request further information about the applicable safeguards by contacting us at trippintravel@outlook.com.

6. Storage Duration (Art. 13(2)(a) GDPR)

We retain your personal data only for as long as necessary for the respective purpose:

Account data: Until you delete your account
Trip data: As long as the respective trip exists. If a trip you created has other members, ownership is transferred to the longest-standing remaining member rather than the trip being deleted — this avoids erasing data that belongs to other users (their photos, expenses, etc. remain). Solo trips you created are deleted in full when you delete your account.
Photos (Sync Shot): As long as the associated trip exists or until you manually delete the photos
Purchase records: 10 years in accordance with German commercial and tax law retention obligations (§§ 147 AO, 257 HGB)
Error reports (Sentry): 90 days
Push notification tokens: Until you withdraw consent or delete your account
Usage analytics data: 12 months, then anonymized or deleted
Smart Nudge logs: 90 days (for rate limiting and relevance optimization)
Waitlist emails: Until you withdraw consent or 24 months after sign-up, whichever comes first
Content reports and blocks: Until you delete your account. Upon account deletion, all associated reports and blocks are permanently deleted.

7. Your Rights as a Data Subject (Art. 13(2)(b)–(d) GDPR)

You have the following rights regarding your personal data:

Right of access (Art. 15 GDPR): You have the right to request information about the personal data we process about you.
Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data or the completion of incomplete personal data without undue delay.
Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data, provided there is no legitimate reason for continued storage. You can delete your account directly in the app via Profile → Delete Account.
Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data.
Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, or to request its transfer to another controller.
Right to object (Art. 21 GDPR): You have the right to object at any time to the processing of your personal data based on Art. 6(1)(f) GDPR (legitimate interest). This applies in particular to usage analytics, error reporting, and AI-powered suggestions (insofar as based on legitimate interest).
Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent (push notifications, waitlist, Smart Nudges), you may withdraw your consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

To exercise your rights, please contact us at trippintravel@outlook.com.

Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR. The competent supervisory authority for our company is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2–4
40213 Düsseldorf
Germany
Email: poststelle@ldi.nrw.de
Website: www.ldi.nrw.de

8. Automated Decision-Making and Profiling (Art. 13(2)(f) GDPR)

Trippin uses a limited form of automated processing within the Smart Nudge system:

Timing profiling: We determine your preferred usage times (aggregated peak activity hour) to deliver push notifications at the optimal time. This is based on analyzing your in-app activity patterns.
Relevance determination: The system automatically determines which nudges are relevant to you, based on which trip screens you have viewed and which decisions you have already participated in.

This automated processing has no legal effect and does not significantly affect you in a similar manner. It is solely used to optimize the timing and relevance of notifications. You can disable Smart Nudges at any time in the notification settings of the app.

Beyond this, no automated decision-making within the meaning of Art. 22 GDPR takes place.

9. Vibe Check

Trippin offers a Vibe Check feature that allows trip groups to collectively determine preferences on topics such as budget, activities, accommodation style, and more. Your Vibe Check responses (budget preferences, activity ratings, commitment levels, concerns) are displayed to your group anonymously — no member can see who submitted which response. However, responses are stored in our database linked to your user account to enable AI synthesis and prevent duplicate submissions. The AI synthesis produces exclusively aggregated group-level insights and never reveals individual responses.

10. Affiliate Disclosures

Trippin participates in affiliate programs with the following partners:

GetYourGuide: Activity and experience links in the Daily Planner may contain affiliate tracking. If you book through these links, Trippin may receive a commission at no additional cost to you.
Trip.com: Hotel and flight search links on the Accommodation and Flights screens may contain affiliate tracking. If you book through these links, Trippin may receive a commission at no additional cost to you.
KiwiTaxi (via TravelPayouts): Airport transfer links may contain affiliate tracking. If you book a transfer, Trippin may receive a commission at no additional cost to you.
GetTransfer (via TravelPayouts): Ground transportation links may contain affiliate tracking. If you book a transfer, Trippin may receive a commission at no additional cost to you.

When you click an affiliate link, the destination, travel dates, and number of travelers may be shared with the respective booking partner to pre-fill your search. No personal data (name, email, account data) is shared with partners through affiliate links.

11. Children and Minors

Trippin is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that we have collected data from a child under 16, please contact us immediately at trippintravel@outlook.com so that we can delete the data without delay.

12. Cookies and Tracking Technologies

Trippin is a native mobile app and does not use tracking cookies. Our website (landing page) also does not use tracking cookies or third-party analytics tools. Only technically necessary data is processed (e.g., waitlist sign-ups stored in our database).

13. Data Security

We implement industry-standard security measures to protect your data, including:

Encrypted connections (HTTPS/TLS) for all data transmissions
Row-level security policies at the database level (Supabase)
Secure authentication via Supabase Auth (including Sign in with Apple and Google)
Server-side processing of all AI and external API calls
Server-side rate limiting and abuse prevention

Your device never communicates directly with AI providers or external data providers.

14. Account Deletion

You can delete your account directly in the app via Profile → Delete Account. Upon account deletion:

Your profile and personal data are permanently deleted
For trips you created that have other members: ownership is transferred to the longest-standing remaining member, and you are removed as a member. The trip itself, and the data of the remaining members, is preserved — we do not delete other users' contributions (expenses, photos, etc.).
For solo trips you created (no other members): the trip and all data within it is permanently deleted.
Your own contributions to other people’s trips (your expenses, votes, photos, settlements) are removed.
Any active subscription is revoked via RevenueCat to prevent further charges.
This action is irreversible.

14a. Content Moderation & Takedown

Per Article 16 of the EU Digital Services Act, you can report any user-generated content (photos, quest completions, activities, profiles) directly inside the app via the “Report” option on the affected item.

Submitting a report automatically blocks the reported user’s content from appearing in your feed.
If a single piece of content is reported by two or more independent users, it is automatically hidden from everyone pending human review.
We aim to review reported content within 7 days. Confirmed violations result in permanent removal; legitimate content is restored.
For takedown requests outside the app (e.g. copyright, doxxing, child sexual abuse material, threats of violence), email trippintravel@outlook.com with the subject line “Abuse report”. Suspected CSAM is reported to the relevant authorities (BKA in Germany, NCMEC in the US) without prior notice to the uploader.

You may appeal a moderation decision by replying to the notification email; we will review within 14 days.

14b. Settlement Undo

If you accidentally record a settlement payment in a trip’s expense splitter, you can undo it by long-pressing the entry within 48 hours of recording. After 48 hours the entry is locked — this protects everyone’s books from being changed retroactively. Contact us at trippintravel@outlook.com if you need help with an older entry.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via the app or by email. Your continued use of Trippin after changes are published constitutes acceptance of the updated Privacy Policy.

16. Contact

If you have any questions about this Privacy Policy or about your personal data, please contact us:

Trippin Osterried GbR
Alt Schürkesfeld 29
40670 Meerbusch
Germany
Email: trippintravel@outlook.com
Phone: +49 160 93078269