Privacy Policy

Trippo is an AI travel companion being built by Yaroslav Kovalskyi, an individual founder based in Wroclaw, Poland. This page explains what personal data we collect on heytrippo.com today and what we will collect when the iOS app launches in summer 2026. We try to keep the surface small, explain our service providers and partners clearly, and make every right under GDPR easy to use.

Who we are
Data we collect right now
Data the iOS app will collect
Why we use your data
Legal bases (GDPR)
Third-party service providers and partners
International transfers
Your rights
California residents (CCPA)
Data retention
Security
Children
Changes to this policy
Contact

1. Who we are

Trippo is currently operated by Yaroslav Kovalskyi, an individual founder based in Wroclaw, Poland, while Trippo is pre-incorporation. Yaroslav is the data controller for personal data processed through heytrippo.com and, once launched, the Trippo iOS app.

If Trippo later operates through an incorporated entity, we will update this policy to identify the new data controller where required.

Contact for privacy questions and rights requests: yaro@heytrippo.com.

2. Data we collect right now

Today, heytrippo.com is a pre-launch marketing site with a waitlist form. The data we collect is intentionally minimal.

Email address - only when you voluntarily join the waitlist.
IP address - collected in Vercel hosting logs for security, anti-abuse, and basic operational visibility.
Device, browser, OS, country, and referrer - collected at the aggregate level by Vercel Analytics. No cross-site tracking, no advertising identifiers.
No advertising cookies on the marketing site today. The marketing site is statically rendered and does not use advertising or cross-site tracking cookies. Where a session cookie is strictly needed, it is essential and not used for profiling.

3. Data the iOS app will collect

When the Trippo iOS app ships in summer 2026, additional data will be collected so the AI companion can help you plan and remember trips. We will update this section before launch with final specifics. The current intended scope is:

Authentication identifiers - email address and, if you use Sign in with Apple, the Apple ID token relayed by Apple. We do not see your Apple password.
Travel preferences - things you tell the companion: dietary preferences, accessibility considerations, travel style, budget bands. Some of this may be special category data under GDPR Article 9 (for example, health or dietary information that reveals a condition). We process it only with your explicit consent and only to provide the service to you.
Chat history with the AI companion - the conversation you have with Trippo, so the companion can remember context across trips.
Trip details - destinations, dates, saved moments, notes, and any photos you choose to attach.
In-app purchase records - Apple manages payment data; we receive transaction receipts and entitlements, not card details.
Usage analytics - feature-level event data to understand which parts of the app work and which do not. Wherever possible this will be aggregated and de-identified.

4. Why we use your data

To respond to your waitlist signup and confirm it.
To send launch announcements and major product updates by email. Every message contains an unsubscribe link.
To monitor for abuse, spam, and security threats.
Once the app is live: to deliver the AI travel companion service - generate itineraries, surface options from partners, remember your preferences across trips.
To improve the product by analysing aggregated usage patterns.
To attribute partner referrals and bookings when you choose to click affiliate or booking partner links.
To comply with legal obligations, including responding to lawful requests from authorities.

5. Legal bases (GDPR Article 6)

Consent - for marketing emails. Joining the waitlist is an opt-in; you can withdraw it at any time by unsubscribing.
Contract performance - for delivering the Trippo app once you sign up and use it.
Legitimate interest - for security monitoring, fraud prevention, and basic product analytics, balanced against your rights and reasonable expectations.
Legitimate interest - for affiliate attribution and measuring partner link performance, where this does not override your rights.
Explicit consent (Article 9) - for any special category data, such as dietary or accessibility information that reveals health context, that you voluntarily provide in the app.
Legal obligation - where required to keep records or respond to authorities.

6. Third-party service providers and partners

We rely on a small set of service providers and partners. Some act as processors on our behalf; others, such as affiliate networks and booking partners, may act as independent controllers under their own privacy policies. Each receives only the data needed for its role.

Vercel - hosting and analytics for heytrippo.com. May process IP address, device/browser information, referrer, and usage events.
Resend - transactional and waitlist emails. Processes your email address and email delivery metadata.
Supabase (planned, EU Frankfurt region) - primary application database for the Trippo iOS app.
OpenAI (planned) - large-language-model inference for the AI companion. Chat content may be sent to the API for processing. We will use API settings and contractual terms intended to prevent customer content from being used to train OpenAI models, where available.
Apple - Sign in with Apple, App Store delivery, and in-app purchase processing.
Affiliate networks and travel booking partners (such as flight, hotel, activity, and ground-transport providers and the networks that connect us to them). When you click a partner link, the partner or network may receive referral identifiers and technical information needed to attribute bookings. A current list of partners is available on request at yaro@heytrippo.com. Their own privacy policies apply after you leave Trippo or interact with their services.
Google Cloud / Google Maps Platform (planned, post-launch) - Places API and related travel data services.

7. International transfers

Some service providers and partners are based in the United States or operate infrastructure outside the European Economic Area. Where that is the case, transfers are protected by Standard Contractual Clauses and any supplementary measures appropriate to the destination country. We prefer EU regions where a processor offers them.

8. Your rights

If you are in the EU, EEA, or UK, you have the right to:

access the personal data we hold about you;
request correction of inaccurate data;
request erasure of your data;
restrict or object to processing;
data portability in a structured, common format;
withdraw consent at any time, without affecting prior lawful processing;
lodge a complaint with your supervisory authority. For users in Poland, that is the Urząd Ochrony Danych Osobowych (UODO).

To exercise any of these rights, email yaro@heytrippo.com. We respond within 30 days, and usually much sooner.

9. California residents (CCPA)

If you are a California resident, you may have the right to know what personal information we collect about you, request deletion or correction of that information, opt out of certain sharing, and not be discriminated against for exercising your privacy rights.

We do not sell personal information for money. Some affiliate links or partner tracking technologies may involve sharing limited referral or device information with partners so bookings can be attributed. Where required, we will provide opt-out controls.

To make a request, email yaro@heytrippo.com.

10. Data retention

Waitlist email - kept until you unsubscribe, request deletion, or for 24 months after the Trippo iOS app launches, whichever comes first.
App account data (after launch) - kept until you delete your account, after which we erase identifiable data within 30 days. Backups may take slightly longer to age out.
Aggregated, de-identified analytics - may be retained indefinitely, because they cannot be linked back to you.
Security and operational logs - kept for a short window (typically up to 90 days) for incident response.

11. Security

We use TLS for all data in transit. App data will be encrypted at rest using the native protections of our database provider (Supabase). Production credentials are stored in a password manager (Bitwarden) and rotated when access needs change. We do not claim any specific certification at this pre-launch stage; we will update this section as the security posture matures.

12. Children

Trippo is not directed at children under 16. We do not knowingly collect personal data from anyone under that age. If you believe a child has provided us with personal data, contact yaro@heytrippo.com and we will delete it.

13. Changes to this policy

We will update this policy as Trippo evolves - particularly when the iOS app launches. Material changes will be notified to waitlist subscribers by email, and the effective date at the top of this page will always reflect the latest revision.

14. Contact

Questions, requests, or concerns: yaro@heytrippo.com.