Privacy Policy

Effective date: 15 May 2026  ·  Last updated: 15 May 2026

1. Who we are and how to contact us

Data controller: Tripbuds Pty Ltd, 100 Harris Street, Pyrmont NSW 2009, Australia.

Privacy contact: [email protected]

2. Eligibility and children

The Service is intended for people aged 17 and over. You must be at least 17 years old to create an account or use Tripbuds.

We do not knowingly collect personal information from anyone under 17. If you believe a person under 17 has provided us with personal information, contact [email protected] and we will delete it.

3. Information we collect

3.1 Information you give us

• Account details: name, email address, mobile number (if you use SMS sign-in), profile photo, password (stored hashed — we never see it).
• Trip content: trip names, dates, destinations, itinerary items, places saved, notes, photos, packing lists, budgets, and any other content you add to a trip.
• Messages: chat messages, comments, and reactions you send to your crew within the Service.
• Crew connections: who you invite to a trip, who joins, and how you interact within the trip.
• Support enquiries: when you contact us, we keep a record of the conversation.

3.2 Information we collect automatically

• Device and usage data: device model, OS version, app version, language, timezone, crash logs, and performance metrics.
• Approximate location: derived from your IP address. We do not collect precise GPS location unless you grant the app permission and use a feature that needs it (e.g. "near me" search). You can revoke this in your device settings at any time.
• Identifiers: a Tripbuds account ID, and an anonymised device identifier for analytics. We do not use Apple's IDFA or Google's AAID for advertising.

3.3 Information from third parties

• Google Places: when you search for a place inside the app, we send the query to Google's Places API and store the result (place name, address, photo, rating) against your trip. Google's privacy policy applies to that request.
• Affiliate partners (e.g. Booking.com via CJ Affiliate): when you tap a booking link, you are taken to the partner's site. We receive an anonymised confirmation that a click occurred (and, if you book, a commission). We do not receive your card details, passport, or any other booking data unless you choose to share it with us.

4. How we use your information

5. AI and machine learning

Tripbuds offers AI-assisted features (for example, generating a draft itinerary from a brief you write). When you use these features:

• We send your brief, the trip dates, and the destination to our AI provider (currently Anthropic) to produce the draft.
• We do not train AI models on your messages, your trips, or your photos. Our AI provider is contractually prohibited from training on the data we send.
• We do not use your content to train Tripbuds' own AI features either.
• You can choose not to use AI features. The rest of the Service works without them.

6. Who we share your information with

We do not sell your personal information. We share it only as described below.

• Your crew: trip content is visible to people you invite to a trip. You control who joins.
• Service providers (processors):
  • Supabase Inc. (USA) — database, authentication, file storage, edge compute.
  • Anthropic PBC (USA) — AI drafting (only when you trigger it; not used for training).
  • Google LLC (USA) — Places search and photos; Firebase Cloud Messaging for push notifications.
  • Apple Inc. (USA) — Apple Push Notification service.
  • Mailchimp (USA) — transactional and marketing email (marketing only if you opt in).
  • Cloudflare Inc. (USA) — content delivery and security for tripbuds.com.
  • Expo (USA) — over-the-air app updates and crash reporting.
• Affiliate partners: when you tap a booking link, you go directly to the partner. We do not pass them your personal details.
• Legal and safety: if required by law, court order, or to protect rights, safety, or property.
• Business transfers: if Tripbuds is acquired or merges with another company, your information may transfer; we will notify you and this policy will continue to apply.

7. International transfers

Most of our processors are based in the United States. When we send your information overseas, we rely on Standard Contractual Clauses (for EU/UK transfers) and equivalent contractual protections. Australian users: by using the Service you consent to these overseas disclosures under APP 8.

8. How long we keep your information

• Account data: for as long as your account is active. If you delete your account, we erase or anonymise your personal data within 30 days, except where we are legally required to keep it (e.g. tax records, fraud investigations).
• Trip content: kept until you or your crew owner delete the trip, then erased within 30 days.
• Backups: may persist for up to 90 days after deletion before being overwritten.
• Crash logs and analytics: retained for up to 13 months in aggregated form.

9. Your rights

You have the following rights (subject to your jurisdiction):

• Access — request a copy of the information we hold about you.
• Correction — ask us to fix inaccurate or incomplete data.
• Erasure — ask us to delete your data. You can also delete your account from inside the app (Settings → Delete account).
• Portability — receive your data in a machine-readable format.
• Objection or restriction — ask us to stop or limit certain processing.
• Withdraw consent — for processing based on consent (e.g. marketing emails).
• CCPA (California residents): right to know, delete, correct, and not be discriminated against for exercising your rights. We do not sell or share personal information for cross-context behavioural advertising.

To exercise any right, email [email protected]. We respond within 30 days.

Australian users can also complain to the Office of the Australian Information Commissioner (oaic.gov.au). EU/UK users can complain to their local data protection authority.

10. How we protect your information

• All traffic to the Service uses HTTPS / TLS 1.2 or above.
• Database access is restricted by row-level security: you can only read or write your own data and data belonging to trips you are a member of.
• Passwords are hashed with bcrypt; we never see them in plain text.
• API keys and secrets are stored as encrypted environment variables.
• Access to production systems is limited to authorised personnel and logged.

No system is perfectly secure. If we ever experience a data breach that is likely to result in serious harm, we will notify you and the relevant authority as required by law (within 72 hours for GDPR, and per the Notifiable Data Breaches scheme in Australia).

11. Cookies and similar technologies

The Tripbuds mobile app does not use third-party advertising cookies or trackers. The tripbuds.com website uses only essential cookies (for session management) and privacy-friendly analytics (no cross-site tracking). We do not use Facebook Pixel, Google Ads pixels, or similar.

12. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you in the app and by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the current version.

13. Australian Privacy Principles statement

Tripbuds is bound by the Australian Privacy Principles. This policy describes our compliance with each principle. If you have an unresolved privacy complaint, you may contact the Office of the Australian Information Commissioner at oaic.gov.au or 1300 363 992.

Tripbuds Pty Ltd · ABN 88 635 938 537 · 100 Harris Street, Pyrmont NSW 2009, Australia.