PRIVACY POLICY OF THE TRIPERINO SERVICE
Effective Date: April 15, 2026
§ 1. GENERAL PROVISIONS
This Privacy Policy (hereinafter "Policy") defines the rules for collecting, processing, and protecting personal data of users of the Triperino service available at triperino.com (hereinafter "Service").
The Data Controller is:
Data Controller / Data Protection Officer
Maksymilian Blok
Maksymilian Blok Codemaxi
ul. Akacjowa 21, Grabowo Kościerskie, 83-403 Grabowo Kościerskie, Poland
NIP: 5911713026
E-mail: support@triperino.com
The Data Controller simultaneously acts as the Data Protection Officer (DPO). All inquiries, requests, and complaints regarding the processing of personal data should be directed to: support@triperino.com.
This Policy has been prepared in compliance with: Regulation (EU) 2016/679 (GDPR), the Polish Personal Data Protection Act of May 10, 2018, the Act on Providing Electronic Services of July 18, 2002, the Telecommunications Law Act of July 16, 2004 (regarding cookies and tracking), and with consideration of: the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Brazilian General Data Protection Law (LGPD), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the South African Protection of Personal Information Act (POPIA).
The Service is addressed to users who are at least 16 years of age. We do not knowingly collect data from persons under 16 years of age.
§ 2. CATEGORIES OF PERSONAL DATA PROCESSED
In the course of the Service's operation, we collect and process the following categories of personal data:
A. Registration and Account Data
- Username (login)
- E-mail address
- Password (stored exclusively in hashed form using the bcrypt algorithm)
- First name and surname (optional, provided by the user)
- Date of account registration
- Account type and permissions
B. Profile Data and Preferences
- Travel preferences (preferred currency, vehicle settings, fuel type and consumption)
- Allergy information (for safety alerts during travel)
- Preferred place types (e.g., museums, restaurants, parks)
- Preferred event categories and event entities (e.g., sports teams, artists)
- Visited, ignored, and rated places
C. Trip Planning Data
- Trip details: title, description, dates, visibility (public/private)
- Itinerary: places, events, custom points, transportation, accommodation
- Financial data: expenses, money splits, payer information (manual entry – no payment processing)
- Collaborative data: comments, votes, proposals, activity logs
- Uploaded files: photos, documents (booking confirmations, visa copies, insurance, tickets)
- Trip members: usernames, e-mails, assigned roles (owner/editor/viewer), virtual members
D. User-Generated Content
- Place reviews and ratings (content, rate, date)
- Comments on places and events
- Photos uploaded to trips
- Places submitted via the form (name, address, description, coordinates, photos)
E. Location Data
- Geographic coordinates (latitude, longitude) – provided with user consent via the browser's Geolocation API
- Addresses entered manually or selected via geocoding search (Mapbox, Photon)
- Approximate location based on IP address (via ipapi.co, ip-api.com, get.geojs.io) – used as a fallback
F. Technical and Analytical Data
- IP address
- Browser type and version, operating system
- Cookie data and session identifiers
- Data collected by Google Analytics 4 (page views, session duration, traffic source, device type)
- Data from Google reCAPTCHA v3 (behavioral analysis for bot detection)
§ 3. PURPOSES AND LEGAL BASIS FOR PROCESSING
We process personal data for the following purposes, based on the corresponding legal grounds:
A. Performance of a Contract / Provision of the Service
Legal basis: Art. 6(1)(b) GDPR – performance of a contract
- Creating and managing user accounts, authentication and authorization
- Enabling use of Service features: trip planning, place/event search, country guides
- Personalization of content and recommendations based on user preferences
- Collaborative trip planning features (invitations, members, shared content)
- Manual expense tracking and money-splitting within trips
- Handling contact form inquiries and providing user support
B. Legitimate Interest of the Controller
Legal basis: Art. 6(1)(f) GDPR – legitimate interest
- Statistical analysis of traffic and user behavior (via Google Analytics 4)
- Ensuring Service security and protection against abuse (reCAPTCHA)
- Development and improvement of Service functionality
- Moderation of user-generated content (reviews, comments, photos)
- Service uptime monitoring and error diagnostics
C. User Consent
Legal basis: Art. 6(1)(a) GDPR – consent
- Processing of precise location data (Geolocation API)
- Setting of analytical and optional cookies
- Advanced profiling and personalization of recommendations
D. Legal Obligation
Legal basis: Art. 6(1)(c) GDPR – legal obligation
- Fulfilling obligations under applicable law, including tax and accounting regulations
- Responding to requests from authorized public authorities
§ 4. DATA RETENTION PERIODS
We retain personal data only for as long as necessary to achieve the purpose for which it was collected:
| Data Category | Retention Period |
|---|---|
| Account data (username, e-mail, password) | Until the user deletes their account |
| Profile preferences | Until the user changes/deletes them or deletes their account |
| Trip data (itineraries, expenses, photos, documents) | Until the user deletes the trip or account; public trips may be retained for up to 30 days after account deletion |
| User-generated content (reviews, comments) | May be retained in anonymized form after account deletion for Service quality purposes |
| Analytical and technical data (Google Analytics) | Maximum 14 months (GA4 default retention) |
| Session cookies | Until the end of the browser session or max. 24 hours |
| reCAPTCHA data | Processed in real-time; not stored by the Service |
| Account activation and password reset tokens | 1 hour from generation; marked as used after use |
| Server logs | Maximum 90 days |
After the retention period expires, data is irreversibly deleted or anonymized. In the event of account deletion, we delete data within 30 days, except for data that we are required by law to retain.
§ 5. SHARING OF PERSONAL DATA
We may share personal data with the following categories of recipients to the extent necessary for the provision of the Service:
| Recipient | Purpose | Data Location |
|---|---|---|
| Hosting provider (EU) | Server hosting, data storage, application availability | European Union |
| Google LLC (Google Analytics 4) | Statistical analysis of traffic and user behavior | USA – EU-US Data Privacy Framework |
| Google LLC (reCAPTCHA v3) | Spam and bot protection during registration | USA – EU-US Data Privacy Framework |
| Google LLC (Google Fonts) | Font rendering in the application and e-mail templates | USA – EU-US Data Privacy Framework |
| Mapbox Inc. | Address geocoding (conversion of addresses to coordinates) | USA – Standard Contractual Clauses (SCC) |
| Komoot (Photon) | Free geocoding and reverse geocoding | Germany (EU) |
| SMTP e-mail provider (PrivateEmail) | Sending transactional e-mails (activation, password reset) | European Union |
| IP geolocation providers (ipapi.co, ip-api.com, get.geojs.io) | Approximate location determination as a fallback | Various – data limited to IP address |
| OpenStreetMap Foundation | Map tile rendering | European Union / United Kingdom |
| Public authorities | Based on applicable legal provisions | Poland / EU |
We do not sell personal data to third parties. We do not share personal data for marketing purposes of third parties without the user's explicit consent.
Trip data shared within collaborative trips is visible to other trip members to the extent defined by the trip owner.
§ 6. INTERNATIONAL DATA TRANSFERS
Our primary servers are located within the European Union. However, some of our sub-processors (Google, Mapbox) process data in the United States.
Transfers of personal data to the USA are carried out based on: the EU-US Data Privacy Framework (for Google LLC), Standard Contractual Clauses (SCC) adopted by the European Commission (for other processors), or the user's explicit consent.
We ensure that all international transfers of personal data comply with the requirements of Chapter V of the GDPR and provide an adequate level of protection.
§ 7. COOKIES AND TRACKING TECHNOLOGIES
The Service uses cookies and similar tracking technologies. Below is a detailed list:
| Cookie / Technology | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie (connect.sid) | Essential | Maintaining server-side session | 24 hours |
| authToken (localStorage) | Essential | Storing JWT token for user authentication | Until logout or token expiry |
| Language preference | Functional | Remembering user interface language (PL/EN) | 1 year |
| Recent searches (localStorage) | Functional | Storing recent search queries for places and events | Until manually cleared |
| Local trip data (localStorage) | Functional | Storing unauthenticated users' trip data locally | Until manually cleared |
| Google Analytics (_ga, _ga_*) | Analytical | Statistical analysis, user behavior tracking, generating anonymous traffic reports | _ga: 2 years, _ga_*: 2 years |
| Google reCAPTCHA | Security | User behavior analysis for bot detection during registration | Session / up to 6 months |
You can manage cookies through your browser settings. Most browsers allow you to: block all cookies, accept only first-party cookies, or delete cookies upon closing the browser.
Disabling essential cookies may prevent proper Service operation (e.g., inability to log in). Disabling analytical cookies will not affect functionality but will prevent us from improving the Service based on usage data. You can also opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on available at: https://tools.google.com/dlpage/gaoptout.
§ 8. USER RIGHTS (GDPR)
Under GDPR, every user whose personal data we process has the following rights:
- Right of access – You can request a copy of all personal data we hold about you (Art. 15 GDPR).
- Right to rectification – You can request correction of inaccurate or incomplete data (Art. 16 GDPR).
- Right to erasure – You can request deletion of your data ("right to be forgotten"), e.g., when data is no longer necessary for the purposes of processing (Art. 17 GDPR).
- Right to restriction of processing – You can request restriction of processing in certain circumstances, e.g., when you contest the accuracy of data (Art. 18 GDPR).
- Right to data portability – You can request to receive your data in a structured, commonly used, machine-readable format and transmit it to another controller (Art. 20 GDPR).
- Right to object – You can object to processing based on legitimate interest, including profiling (Art. 21 GDPR).
- Right to withdraw consent – Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7(3) GDPR).
- Right not to be subject to automated decision-making – You have the right not to be subject to a decision based solely on automated processing, including profiling (Art. 22 GDPR).
To exercise any of the above rights, please contact us at: support@triperino.com. In your request, please specify which right you wish to exercise and provide information enabling us to verify your identity.
We will respond to your request within 30 days from the date of its receipt. In complex or numerous cases, this period may be extended by an additional 60 days, of which we will inform you.
You also have the right to lodge a complaint with the supervisory authority – in Poland this is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, website: https://uodo.gov.pl.
§ 9. ADDITIONAL RIGHTS FOR NON-EU USERS
California, USA (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information held by us and by extension our service providers
- Right to opt-out of the sale of personal information – we do not sell your personal data
- Right to non-discrimination for exercising your CCPA/CPRA rights
- Right to correct inaccurate personal information
- Right to limit use and disclosure of sensitive personal information
Brazil (LGPD)
If you are a Brazilian resident, you are entitled to the following rights under the Lei Geral de Proteção de Dados:
- Confirmation of the existence of processing of your data
- Access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary or excessive data
- Data portability to another service or product provider
- Deletion of personal data processed with consent
- Information about public and private entities with which data has been shared
- Right to revoke consent
Canada (PIPEDA)
If you are a Canadian resident, you have the following rights under the Personal Information Protection and Electronic Documents Act:
- Right to access your personal information held by us
- Right to challenge the accuracy and completeness of data and have it amended
- Right to withdraw consent (subject to legal or contractual restrictions)
- Right to file a complaint with the Privacy Commissioner of Canada
South Africa (POPIA)
If you are a South African resident, you have the following rights under the Protection of Personal Information Act:
- Right to be notified about the collection of personal information
- Right to access your personal information
- Right to request correction or deletion of personal information
- Right to object to the processing of personal information
- Right to submit a complaint to the Information Regulator
- Right not to be subject to automated decision-making
§ 10. DATA SECURITY
We apply appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or disclosure. These measures include:
- Hashing of passwords using the bcrypt algorithm (one-way; plaintext passwords are never stored)
- SSL/TLS encryption for all data transmission (HTTPS)
- JWT-based authentication with secure token management
- Time-limited, single-use tokens for account activation and password reset (1-hour validity)
- CORS policy restricting access to the API to authorized domains only
- express-session with secure session management and cookie signing
- Google reCAPTCHA v3 to protect against automated attacks during registration
- Role-based access control (RBAC) with permissions system
- Regular security audits and software updates
Despite our best efforts, no method of transmission over the Internet or method of electronic storage is 100% secure. In the event of a data breach that poses a risk to users' rights and freedoms, we will notify the supervisory authority (UODO) within 72 hours and inform affected users without undue delay.
§ 11. CHILDREN'S PRIVACY
The Service is not intended for persons under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data as soon as possible.
If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at: support@triperino.com.
§ 12. DATA PROTECTION OFFICER / CONTACT
For all matters related to personal data protection, you can contact the Data Controller, who simultaneously acts as the Data Protection Officer:
Data Controller / Data Protection Officer
Maksymilian Blok
Maksymilian Blok Codemaxi
ul. Akacjowa 21, Grabowo Kościerskie, 83-403 Grabowo Kościerskie, Poland
NIP: 5911713026
E-mail: support@triperino.com
§ 13. FINAL PROVISIONS
This Privacy Policy may be updated. We will inform users of significant changes at least 14 days before their effective date by posting information in the Service and, where possible, by sending a notification to the e-mail address associated with the account.
Continued use of the Service after the effective date of the changes constitutes acceptance of the updated Policy. If you do not agree with the changes, you should stop using the Service and delete your account.
This Policy enters into force on April 15, 2026.