Privacy Policy

Last updated: April 7, 2026

TripPortier ("we", "us", or "our") is committed to protecting your privacy. This policy explains how we collect, use, store, and safeguard your personal information when you use our website at tripportier.com, our iOS app, and related services (collectively, the "Service").

Data Controller: TripPortier, Switzerland. Contact: info@tripportier.com

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, and authentication credentials when you register via email/password, Google, or Apple Sign In.
  • Profile Data: Display name, avatar, passport nationality (optional, stored locally on device).
  • Transaction Data: Email address for eSIM delivery, purchase history, subscription status. We do not collect or store payment card details.
  • Trip Data: Destinations, dates, flights, bookings, packing lists you create within the Service.
  • Communications: Messages you send to our support team via WhatsApp or email.

1.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, interactions with the Service (only when analytics consent is given).
  • Device Information: Browser type, operating system, device type, screen resolution (only when analytics consent is given).
  • IP Address: Anonymized via Google Analytics (last octet removed). Used for approximate country-level location only.

1.3 Information We Do Not Collect

  • Payment card numbers, CVV codes, or banking details (handled entirely by Stripe)
  • Precise geolocation without explicit consent
  • Biometric data
  • Data from children under 16 (see Section 12)

2. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

  • Contract Performance: Processing necessary to provide the Service, deliver eSIMs, process bookings, and manage your account (Art. 6(1)(b) GDPR).
  • Consent: Analytics cookies, marketing communications, and Trustpilot widget (Art. 6(1)(a) GDPR). You can withdraw consent at any time.
  • Legitimate Interest: Security monitoring, fraud prevention, and service improvement (Art. 6(1)(f) GDPR).
  • Legal Obligation: Retaining transaction records as required by Swiss and EU tax law (Art. 6(1)(c) GDPR).

3. How We Use Your Information

  • Provide, operate, and maintain the Service
  • Process transactions and deliver purchased eSIMs via email
  • Send transactional notifications (order confirmations, eSIM delivery)
  • Generate AI trip suggestions and packing recommendations
  • Track flights and provide real-time updates
  • Improve and develop features based on aggregated, anonymized usage data
  • Communicate updates and offers (only with explicit consent)
  • Prevent fraud and ensure security of the Service
  • Comply with legal obligations

4. Data Storage and Security

Your data is stored on Supabase servers in the EU (AWS eu-west-1, Ireland). We implement the following security measures:

  • Encryption in transit using TLS 1.2+ for all connections
  • Encryption at rest for database storage (AES-256)
  • Row-level security (RLS) policies in Supabase ensuring users can only access their own data
  • Secure session handling via HTTP-only cookies
  • No sensitive data stored in URLs, logs, or client-side storage beyond authentication tokens
  • All payment processing handled by PCI DSS Level 1 compliant providers (Stripe)
  • Access restricted to authorized personnel on a need-to-know basis
  • Regular security reviews and dependency updates

5. Third-Party Data Processors

We share data with the following third-party service providers, each acting as a data processor under written agreements:

Provider | Purpose | Data Region
Supabase | Authentication, database, edge functions | EU (Ireland)
Stripe | Payment processing (PCI DSS Level 1) | US/EU
Google Analytics | Website analytics (consent-gated) | US (SCCs)
Airalo | eSIM provisioning and delivery | Global
Google Gemini AI | AI trip planning and suggestions | US (SCCs)
FlightAware | Flight tracking data | US (SCCs)
Firebase (Google) | Push notifications | US (SCCs)
Trustpilot | Review widget (consent-gated) | EU
Railway | Website hosting | US

We do not sell, rent, or trade your personal information to any third party. We do not share data with data brokers or advertising networks.

6. AI and Data Processing

Google Gemini AI powers trip planning features. When you use AI features:

  • Trip details (destinations, dates, preferences) are sent to Google's API for processing
  • Google does not use this data for model training under our API agreement
  • AI-generated content is clearly marked as suggestions and not guaranteed for accuracy
  • No automated decision-making with legal or significant effects is performed

7. Cookies and Tracking Technologies

7.1 Essential Cookies (No Consent Required)

  • Supabase Auth Cookies (sb-*-auth-token): Session management. Expires when session ends or after 7 days. HTTP-only, secure, same-site.
  • Cookie Consent Preference (cookie_consent): Stores your consent choice in localStorage. Persists until cleared.

7.2 Analytics Cookies (Consent Required)

  • Google Analytics (_ga, _ga_*): Anonymous usage analytics with IP anonymization enabled. Expires after 13 months. Only loaded after explicit opt-in consent.

7.3 Third-Party Widgets (Consent Required)

  • Trustpilot Widget: Only loaded when analytics consent is given. May set its own cookies per Trustpilot's privacy policy.

We respect the Do Not Track (DNT) browser signal. When DNT is enabled, no analytics cookies are set and no consent banner is shown.

You can manage your cookie preferences at any time by clicking "Cookie Settings" in the website footer, or by clearing your browser's localStorage.

8. Your Rights Under GDPR

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:

  1. Right of Access (Art. 15): Request a copy of all personal data we hold about you.
  2. Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data.
  3. Right to Erasure (Art. 17): Request deletion of your personal data. You can delete your account via Settings > Delete Account, or by emailing us.
  4. Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON). Request via email.
  5. Right to Restrict Processing (Art. 18): Request that we limit how we use your data.
  6. Right to Object (Art. 21): Object to processing based on legitimate interests.
  7. Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time for analytics, marketing, or other consent-based processing. Use the cookie settings or email us.

To exercise any of these rights, contact: info@tripportier.com

We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority (e.g., FDPIC in Switzerland, CNIL in France, ICO in the UK).

9. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights:

  • Right to Know: You can request details about the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources, purposes, and categories of third parties with whom we shared it.
  • Right to Delete: You can request deletion of your personal information. Use Settings > Delete Account or email info@tripportier.com.
  • Right to Correct: You can request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary, but we state this explicitly for transparency.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.

Categories of personal information collected: Identifiers (name, email), commercial information (purchase history), internet activity (analytics with consent), geolocation (country-level, anonymized).

Categories of personal information sold: None. We do not sell personal information.

To make a request, email info@tripportier.com with subject line "CCPA Request". We will verify your identity before processing.

10. US State Privacy Rights (Other States)

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other US states with consumer privacy laws have similar rights to access, delete, correct, and opt out. We honor these rights regardless of your state of residence. Contact info@tripportier.com to exercise any data rights.

11. Data Retention

  • Active Accounts: Data is retained for as long as your account is active.
  • Account Deletion: Personal data removed from production systems within 30 days. Backups purged within 90 days.
  • Transaction Records: Retained for 10 years as required by Swiss commercial law (OR Art. 958f).
  • Analytics Data: Anonymized analytics retained for up to 14 months (Google Analytics default with IP anonymization).
  • Support Communications: Retained for 2 years after last contact, then deleted.
  • Consent Records: Retained for 3 years after consent is given or withdrawn, as proof of compliance.

12. Children's Privacy

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact info@tripportier.com.

13. International Data Transfers

Your data is primarily processed in the EU (Ireland via Supabase). Where data is transferred outside the EEA (e.g., to US-based processors), we rely on:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission
  • The EU-US Data Privacy Framework where applicable
  • Adequacy decisions by the European Commission (for Switzerland)

14. Do Not Track

We honor the Do Not Track (DNT) browser signal. When your browser sends a DNT signal:

  • No analytics cookies are set
  • No third-party tracking scripts are loaded
  • No cookie consent banner is displayed

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Display a notice on the website for existing users
  • Re-prompt for cookie consent if cookie practices change

Continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact

For any privacy-related questions, data requests, or complaints:

Email: info@tripportier.com
General: info@tripportier.com
Location: TripPortier, Switzerland

We aim to respond to all data protection requests within 30 days.