Privacy Policy

1. Introduction

TripVitae ("we", "our", "us") is a travel planning application operated by SevenKoncepts Ltd. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service").

By using TripVitae, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you register, we collect your name, email address, and password (stored as a salted hash). If you sign in with Apple or Google, we receive your name and email from the identity provider.

2.2 Trip Data

Information you enter about your trips: itinerary days, transport details, lodging, reservations, budget expenses, packing lists, shopping lists, photo spots, and traveler profiles. This data is stored in our database and associated with your account.

2.3 Gmail Data (Optional)

If you choose to connect your Gmail account, we request read-only access to your email messages using the Gmail API restricted scope (gmail.readonly). We use this access exclusively to:

• Search for travel booking confirmation emails (flights, hotels, trains, car rentals, restaurants, activities)
• Extract structured booking data (dates, confirmation numbers, costs, locations) from those emails
• Create corresponding records in your trip

What we DO NOT do with your Gmail data:

• We do not store the full content of any email
• We do not read emails unrelated to travel bookings
• We do not share, sell, or transfer your email data to any third party
• We do not use your email data for advertising or profiling
• We do not retain email content after extraction — only the structured booking details are saved

Email content is processed in real-time by our AI extraction service and immediately discarded. Only the extracted booking metadata (e.g., "BA 269, LAX→LHR, Jun 23, $800") is stored.

You can disconnect Gmail at any time from within the app. Disconnecting revokes our access to your Gmail account. Previously imported booking records remain in your trip unless you delete them manually.

TripVitae's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2.4 Email Forwarding

As an alternative to Gmail sync, you can forward booking confirmation emails to a unique trip-specific email address. Forwarded emails are processed identically to Gmail sync: the content is parsed for booking data and then discarded. No email content is stored.

2.5 Location Data

If you enable photo spot proximity alerts, we access your device location in the foreground to calculate distance to saved photo spots. Location data is processed on-device and is not transmitted to our servers.

2.6 Device Information

We collect Firebase Cloud Messaging tokens to send push notifications about imported bookings. We do not collect device IDs, advertising identifiers, or analytics data.

3. How We Use Your Information

• To provide and maintain the Service
• To create and manage your account
• To import and organize your travel bookings
• To generate AI-powered packing suggestions and trip summaries
• To send push notifications about imported bookings
• To respond to your support requests

4. Data Sharing

We do not sell, rent, or trade your personal information. We share data only with:

• OpenAI: Email content is sent to OpenAI's API for booking data extraction. OpenAI processes this data per their data usage policy and does not use API inputs for training.
• Google: Gmail API for reading booking emails (with your explicit consent)
• Firebase: For push notifications and authentication
• Mailgun: For receiving forwarded booking emails

We do not share your data with advertisers, data brokers, or any other third parties.

5. Data Security

We implement industry-standard security measures including: encrypted data transmission (TLS), encrypted storage of sensitive fields (booking references, PIN codes) using AES-256-GCM, hashed passwords (bcrypt with 12 rounds), and JWT-based authentication with rotating refresh tokens.

6. Data Retention

Your trip data is retained as long as your account is active. Email forwarding addresses expire 30 days after a trip's end date. You can delete individual trips or your entire account at any time, which permanently removes all associated data from our servers.

7. Your Rights

You have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your account and all associated data
• Disconnect Gmail access at any time
• Export your trip data (PDF export available in-app)
• Withdraw consent for data processing

8. Children's Privacy

TripVitae is not directed at children under 13. We do not knowingly collect personal information from children under 13. Traveler profiles for children within a family trip are created and managed by the parent/guardian account holder.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

10. Contact Us

If you have questions about this Privacy Policy, contact us at: