Privacy Policy

Last updated: April 2026 · Version 1.2

1. Overview

TripVault ("we", "our", "us") is committed to protecting your privacy. This Policy explains what data we collect, how we use it, and your rights regarding that data.

2. Data We Collect

Account Data

When you sign in with Apple or Google, we receive your name and email address. We store this to identify you within the app and to trip members you share a vault with.

Photos and Media

Photos you upload are stored securely in our cloud storage (Supabase / AWS S3). Access within the app is strictly enforced: photos are only visible to members of the same trip vault, and photos marked private are only visible to you.

As the infrastructure operator, TripVault has technical access to stored data through our backend systems. We do not browse, view, or use your photo content for any purpose other than operating the service. The only circumstances in which a TripVault team member would access your content are: (a) at your explicit request for support, or (b) when required to do so by law.

Device and Usage Data

We collect anonymised usage analytics (via PostHog) and crash reports (via Sentry) to improve the app. This data does not identify you personally and is never sold to third parties.

Push Notification Tokens

If you enable notifications, we store your device push token to send you trip-related notifications (e.g. new photo uploads, trip-end reminders). You can disable these at any time in your device settings.

3. How We Use Your Data

4. Data Sharing

We do not sell your personal data. We share data only with:

5. Data Retention

Your data is retained as long as your account is active. When you delete your account, all your photos, profile data, and associated records are permanently deleted from our servers within 30 days.

6. Your Privacy Rights

Under GDPR and applicable privacy law, you have the following rights over your personal data. To exercise any of them, email privacy@tripvault.ai and we will respond within 72 hours.

Right to Access

You can request a copy of all personal data we hold about you at any time. Email privacy@tripvault.ai and we will provide it within 30 days.

Right to Deletion

You can permanently delete your account and all associated data directly from the app: Settings → Delete Account. Your profile, photos, and trip data are deleted immediately. Encrypted backups are purged within 30 days. Analytics data (PostHog, Sentry) is anonymised and cannot be linked back to you after deletion.

Right to Portability

You have the right to receive a copy of your data in a machine-readable format (GDPR Article 20). Email privacy@tripvault.ai to request an export of your profile, trips, and uploaded photos. We will fulfil requests within 30 days.

Right to Correction

If any personal data we hold about you is inaccurate, you can update your display name directly in the app, or email privacy@tripvault.ai to request a correction.

Right to Withdraw Consent

Where processing is based on consent (e.g. analytics cookies), you can withdraw consent at any time using the cookie banner on this website or by emailing us.

7. Children's Privacy

TripVault is not directed at children under 13. We do not knowingly collect personal data from children under 13.

8. Security

We use industry-standard security measures including encryption in transit (TLS) and at rest, row-level security on all data, and signed URLs for photo access that expire after one hour.

Access to production infrastructure and backend credentials is restricted to authorised TripVault personnel only. We do not grant third parties access to your stored photos or personal data beyond the sub-processors listed in Section 4.

9. Changes to This Policy

We may update this Policy from time to time. We will notify you of material changes within the App. Your continued use after notice constitutes acceptance.

10. Contact

For privacy-related questions or to exercise your rights, email privacy@tripvault.ai. For general support, email support@tripvault.ai.