1. Data Controller
TripSet ("we", "us", "our") is operated by an individual entrepreneur and is the data controller for personal data collected through the platform at tripset.io. Payments are processed by Paddle.com Market Limited ("Paddle"), who acts as Merchant of Record for all subscription transactions. For privacy-related questions, contact us at legal@tripset.io.
2. Data We Collect
- Account data: name, email address, password (hashed), profile information.
- Itinerary data: trip details, destinations, places, transport, hotels, expenses, notes, and photos you create.
- Usage data: pages visited, features used, device type, browser, IP address.
- AI usage logs: parser type, token counts, and cost estimates (no raw document content is stored).
- Communications: emails you send us for support.
3. How We Use Your Data
- To provide, operate, and improve the TripSet platform.
- To authenticate your identity and secure your account.
- To send transactional emails (email verification, password reset).
- To generate anonymized analytics and improve AI parser accuracy.
- To enforce our Terms of Service and prevent abuse.
- We do not use your itinerary content, photos, or personal data to train AI or machine learning models — neither our own nor third-party models.
- When documents are sent to OpenAI or Anthropic for AI ticket parsing, they are processed in real time and not retained or used for model training by those providers, per their API terms.
4. Data Sharing
- We do not sell your personal data to third parties.
- We share data with infrastructure providers (Railway, Cloudflare, Vercel) solely for hosting purposes, under data processing agreements.
- Transactional emails (verification, password reset) are sent via Resend (resend.com). Your email address is transmitted to Resend solely for email delivery.
- Payments are processed by Paddle as Merchant of Record. Paddle collects billing information directly from you under their own privacy policy.
- AI parsing requests are processed via OpenAI and Anthropic APIs — document text is sent to these providers for parsing but is not used for training their models (per their API terms).
- We may disclose data if required by law or to protect our legal rights.
5. Cookies and Tracking
We use strictly necessary cookies for authentication (SSO token shared across app.tripset.io and tripset.io) and CSRF protection. We do not use third-party advertising or tracking cookies. See our Cookie Policy for details.
6. Data Retention
- Account data is retained for as long as your account is active.
- Refresh tokens expire after 7 days and are automatically deleted.
- AI usage logs are retained for up to 12 months for billing and abuse prevention.
- You may request deletion of your account and associated data at any time by contacting legal@tripset.io. Upon deletion, your personal data is removed from our active database within 30 days. Infrastructure backups (Railway, Cloudflare) may retain copies for up to 90 days before automatic expiry; these backups are encrypted and inaccessible in normal operations.
- Photos uploaded to TripSet are stored in Cloudflare R2 object storage. When you delete a photo or your account, the file is removed from our active storage within 30 days. Copies may persist in infrastructure backups for up to 90 days.
- Itinerary location data (coordinates of places, hotels, and transport stops) is treated as content data, not personal data, when the itinerary is published publicly. For private itineraries, location data is treated with the same protections as other personal data.
7. Your Rights (GDPR / CCPA)
- Right to access: request a copy of the personal data we hold about you.
- Right to rectification: correct inaccurate or incomplete data.
- Right to erasure: request deletion of your personal data.
- Right to portability: receive your data in a structured, machine-readable format.
- Right to object: opt out of certain processing activities.
- To exercise any of these rights, contact us at legal@tripset.io. We will respond within 30 days.
8. Security
We implement industry-standard security measures including HTTPS (TLS), bcrypt password hashing, SHA-256 hashed refresh tokens, rate limiting, and CSRF protection. No system is 100% secure; we encourage you to use a strong unique password.
9. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us immediately.
10. Changes to This Policy
We may update this Privacy Policy. We will notify registered users of material changes by email. The "Last updated" date at the top of this page reflects the most recent revision.