Privacy Policy

1. Introduction

Welcome to tripcode ("we", "us", or "our"). We operate the tripcode mobile application and website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

2. Information We Collect

Account Information

When you create an account, we collect your email address, name, profile photo, travel style preferences, interest tags, and biographical information you choose to provide.

During account setup we also collect your date of birth. We use your date of birth for the following purposes:

• Age verification. To confirm you meet the 18+ requirement set out in our Terms.
• Trip matching. When a trip host sets a participant age range on their trip, we may use your computed age (whole years) to determine whether and how prominently the trip is shown to you. We do not share your date of birth with the host.
• Optional profile display. Your age is hidden from other users by default. You may opt in from Settings to display your age (in whole years) on your public profile. Your full date of birth is never displayed to other users — only the computed age, and only with your explicit opt-in.

The legal bases for this processing are the performance of our contract with you (the Terms), our legitimate interest in matching travellers to suitable trips, and — for the optional profile display — your consent, which you can withdraw at any time by toggling the setting off.

Trip Information You Set as a Host

When you create a trip, you may set a preferred participant age range. This range is shown publicly on the trip page so prospective participants can self-select. The age range reflects your preference for the trip and is not derived from any individual user's date of birth.

For trips you have set to public, we display the trip's title, destination, dates, and your first-letter avatar on our public marketing pages (e.g. tripcode.io). This metadata contains no third-party personal data and is licensed to us under our Terms.

Your uploaded cover image is handled separately. We display it on our marketing pages only when you have explicitly opted in by enabling the "Feature my cover image on tripcode.io" toggle on the trip. The opt-in is off by default; when off, we may substitute a stock photograph (e.g. licensed via Unsplash) representative of the destination, so the trip can still appear on the marketing page without exposing any people identifiable in your upload. You can disable the cover-featuring opt-in at any time by editing the trip; your cover will be removed from the marketing page on the next deploy. When you opt in, you confirm that you have any necessary consents from anyone identifiable in your cover image. If anyone identifiable in your cover image objects to its display, they (or you) can request removal directly from each card or by emailing hello@tripcode.io; we action removal requests within a reasonable timeframe.

Waitlist Information

If you sign up for our waitlist via the landing page, we collect your email address and the source of your submission.

Trip & Travel Data

When you create or join trips, we collect trip destinations, dates, itineraries, trip status, participant lists, and related planning details.

Social Content

We collect content you post through the Service, including chat messages, trip reviews, ratings, and photos shared in trip albums.

Financial Data

If you use the expense tracking feature, we collect expense descriptions, amounts, and split details. Tripcode does not directly process payments between users.

Device & Usage Data

We collect push notification tokens, device type, operating system, app version, and general usage analytics to improve the Service.

Authentication Data

If you sign in using Sign in with Apple or Sign in with Google, we receive the email address (or relay address, in the case of Apple's private email relay) and the name and profile information you have authorised that provider to share. We do not receive your password.

Sensitive Data

Some of the information you share through tripcode warrants particular care. We treat the following as sensitive and apply heightened safeguards (Row-Level Security, narrow access, transport encryption):

• Location data — trip destinations, geographic coordinates of trips you create or join, and any place names you add to itineraries. tripcode does not collect background or live device location.
• Photos — images you upload to trip albums. Photos are visible only to participants of the trip in which they are posted.
• Chat messages — direct and group messages exchanged with other trip participants. Messages are stored on our infrastructure to enable delivery and history; they are not end-to-end encrypted.

3. How We Use Your Information

We use the information we collect to:

• Create and manage your account
• Provide, maintain, and improve the Service
• Facilitate trip discovery, creation, and collaborative planning
• Enable communication between trip participants via in-app chat
• Send push notifications about trip updates, applications, and messages
• Send waitlist and service-related email communications
• Track and display trip expenses among participants
• Display user profiles, reviews, and reputation within the community
• Monitor and analyse usage trends to improve the Service
• Detect, prevent, and address fraud or security issues

4. How We Share Your Information

With Other Users

Your profile information, trip activity, reviews, chat messages, and shared photos are visible to other trip participants and, where applicable, the broader tripcode community. Your profile name, photo, and travel style may be visible to other users browsing trips.

With Service Providers

We share information with third-party service providers that help us operate the Service, including:

• Supabase (USA / EU) — database hosting, authentication, and real-time infrastructure
• Expo (USA) — push notification delivery
• Resend (USA / EU) — transactional email delivery (waitlist welcome messages and feedback acknowledgements)
• Apple Inc. — Sign in with Apple authentication, when you choose to use it
• Google LLC — Sign in with Google authentication, when you choose to use it
• Google Fonts — typography rendering on the website

For Legal Compliance

We may disclose your information if required to do so by law, in response to a court order or subpoena, or to protect our rights, property, or safety, or that of our users or others.

We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5. Data Storage & Security

Your data is stored on secure cloud infrastructure provided by Supabase. We implement industry-standard security measures including:

• Row-Level Security (RLS) policies on all database tables, ensuring users can only access data they are authorised to see
• Encrypted authentication using JSON Web Tokens (JWT)
• Secure HTTPS connections for all data transmission
• Server-side JWT verification for all authenticated requests

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Breach Notification

If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay and, where feasible, no later than 72 hours after becoming aware of it. Where required, we will also notify the competent supervisory authority within the same timeframe (revFADP Art. 24, GDPR Art. 33–34).

Notifications will be sent to the email address associated with your account and, where appropriate, surfaced inside the app. They will include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address it.

7. Your Rights & Choices

Depending on your location, you may have the following rights under applicable data protection laws, including the Swiss Federal Act on Data Protection (revFADP, in force from 1 September 2023), the EU/EEA General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA):

• Access: You have the right to request a copy of the personal data we hold about you.
• Correction: You have the right to request correction of inaccurate or incomplete personal data.
• Deletion: You have the right to request deletion of your personal data. You can delete your account through the app settings, or contact us to request deletion.
• Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Restriction of Processing: You have the right to request that we restrict the processing of your personal data under certain circumstances.
• Objection: You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis.
• Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.
• Notifications: You can manage your push notification preferences in your device settings and within the app.
• Waitlist: You can unsubscribe from waitlist communications at any time by contacting us.

For California Residents (CCPA)

If you are a California resident, you have the right to: (1) know what personal information we collect, use, and disclose; (2) request deletion of your personal information; (3) opt out of the sale of your personal information — we do not sell your personal information; and (4) not be discriminated against for exercising your privacy rights.

To exercise any of these rights, you may contact us at hello@tripcode.io. We will respond to your request within the timeframe required by applicable law.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. If you delete your account, we will delete or anonymise your personal data within a reasonable timeframe, unless we are required to retain it for legal or legitimate business purposes.

Waitlist email addresses are retained until you unsubscribe or the Service launches and you are notified, whichever comes first.

9. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

10. International Data Transfers

Tripcode is operated from Zurich, Switzerland. Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that are different from the laws of your country. Where we transfer personal data outside of Switzerland or the European Economic Area, we ensure appropriate safeguards are in place in accordance with applicable data protection laws. By using the Service, you consent to the transfer of your information to such countries.

11. Beta Service & Data Handling

tripcode is currently distributed as an invitation-only beta via Apple TestFlight and Google Play internal testing. During this period, we may reset, migrate, or restructure data as the Service evolves. We will notify affected users by email and/or in-app message before any destructive operation that would result in the loss of user-generated content (trips, photos, chat history, reviews). Routine schema changes that do not affect user-visible content are made without prior notice.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective date" above. We encourage you to review this Privacy Policy periodically for any changes.

13. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

hello@tripcode.io