
Privacy Policy for TripFast

Last updated: July 29, 2024

1. Introduction

Welcome to TripFast! This service is operated by SeroDesign, Serhat Cakmaktepe ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data according to the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

This privacy policy explains how we collect, use, store, and share your personal data when you use our website and the TripFast application (collectively, the "Service"), and informs you about your privacy rights.

2. Data Controller

The data controller responsible for processing your personal data is:

SeroDesign
Serhat Cakmaktepe
Meuschelstraße 60
90408 Nürnberg
Germany

Email: Serhatc580@gmail.com

If you have any questions about this privacy policy or our data protection practices, please contact us using the email address above. As a small business, we are generally not required to appoint a formal Data Protection Officer (DPO) under Art. 37 GDPR / § 38 BDSG. Your primary contact for data protection matters is Serhat Cakmaktepe.

3. The Data We Collect

We collect and process the following categories of personal data:

  • Identity Data: Includes first name, last name, username or similar identifier provided during account creation or profile setup (e.g., via Supabase Auth).
  • Contact Data: Includes email address. If you contact support, we may also process data related to that communication.
  • Technical Data: Includes internet protocol (IP) address, browser type and version, time zone setting, approximate location derived from IP, browser plug-in types and versions, operating system and platform, device identifiers, performance metrics (e.g., Core Web Vitals), and other technology on the devices you use to access our Service. Collected automatically via our servers, hosting provider (e.g., Vercel), backend provider (e.g., Supabase), map provider (e.g., Mapbox), analytics/performance tools, and rate limiting service (e.g., Upstash).
  • Usage Data: Includes information about how you use our Service, such as pages visited, features used, time spent, interactions, clicks, error logs, and performance data (e.g., load times). Collected via our hosting provider's analytics and performance tools (e.g., Vercel Analytics, Vercel Speed Insights), product analytics tools (e.g., PostHog), and potentially other internal logging.
  • Travel Planning Data: Includes information you provide to generate itineraries, such as destinations, travel dates, interests, preferences, budget indications (if collected), specific locations or activities added, and the resulting itineraries. This data is processed by our AI service providers (e.g., Google AI, OpenAI) to generate plans. If you use collaborative features, this data may be shared with users you invite.
  • Payment Data: If you subscribe to paid features, we use a third-party payment processor (e.g., Stripe). We do not directly store your full credit card number. We may receive and store transaction identifiers, subscription status, payment method type, last four digits of card number, and expiry date from the processor to manage your subscription and handle billing inquiries.

We do not intentionally collect special categories of personal data (e.g., health, religion, ethnicity).

4. How We Collect Your Data

We use different methods to collect data from and about you including through:

  • Direct interactions: You provide data when you create an account, fill in forms (e.g., itinerary requests), subscribe to services, or contact us for support.
  • Automated technologies or interactions: As you interact with our Service, we automatically collect Technical and Usage Data (including performance metrics) via server logs, cookies (see our Cookie Policy), analytics and performance tools (e.g., Vercel Analytics, Vercel Speed Insights), and other technologies integrated into the Service (e.g., Mapbox API calls).
  • Third parties: We receive data from third parties such as:
    • Payment processors (e.g., Stripe) provide transaction details.
    • Analytics and performance providers (e.g., Vercel) provide aggregated usage statistics and performance insights.
    • Product analytics providers (e.g., PostHog) provide usage data and feature flag results.
    • Backend service providers (e.g., Supabase) manage authentication and database interactions.

5. How and Why We Use Your Data (Purposes and Legal Basis)

We only use your personal data when the law allows us to. The table below describes the ways we use your personal data and the legal bases we rely on (primarily from Art. 6 GDPR):

  • Purpose / Activity: To register you as a new user and manage your account
    Type of Data: Identity, Contact, Technical
    Legal Basis for Processing: Performance of a contract with you (Art. 6(1)(b))

  • Purpose / Activity: To provide the core TripFast service (generate itineraries, display maps, enable collaboration)
    Type of Data: Identity, Contact, Technical, Travel Planning, Usage, Location (IP-based)
    Legal Basis for Processing: Performance of a contract with you (Art. 6(1)(b))

  • Purpose / Activity: To process payments and manage your subscription
    Type of Data: Identity, Contact, Payment, Technical
    Legal Basis for Processing: Performance of a contract with you (Art. 6(1)(b)); necessary for compliance with a legal obligation (e.g., tax law) (Art. 6(1)(c))

  • Purpose / Activity: To manage our relationship with you (e.g., notifications about service changes, responding to support requests)
    Type of Data: Identity, Contact, Usage, Travel Planning (contextual)
    Legal Basis for Processing: Performance of a contract with you (Art. 6(1)(b)); necessary for our legitimate interests (to keep records updated and provide support) (Art. 6(1)(f))

  • Purpose / Activity: To administer and protect our business and this Service (troubleshooting, data analysis, testing, system maintenance, security, preventing abuse/fraud, rate limiting)
    Type of Data: Identity, Contact, Technical, Usage
    Legal Basis for Processing: Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, fraud prevention) (Art. 6(1)(f)); necessary for compliance with a legal obligation (Art. 6(1)(c))

  • Purpose / Activity: To use data analytics and performance monitoring to improve our Service, user experience, and marketing (understanding feature usage, identifying trends, monitoring site speed)
    Type of Data: Technical, Usage (often aggregated or pseudonymized)
    Legal Basis for Processing: Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Service updated, relevant, and performant, to develop our business) (Art. 6(1)(f)). Where cookies or similar technologies requiring consent are used for analytics or performance insights (e.g., Vercel Analytics, Speed Insights, PostHog), the basis is Consent (Art. 6(1)(a)) - see Cookie Policy.

We will generally only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

6. Disclosure of Your Personal Data

We may have to share your personal data with the categories of parties set out below for the purposes listed in the table in section 5. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We conclude data processing agreements (DPAs) where required.

  • Service Providers (Processors): Companies that provide services on our behalf, acting on our instructions:
    • Hosting & Infrastructure Providers (e.g., Vercel for hosting the application).
    • Backend Service Providers (e.g., Supabase for database and authentication, using the EU region where available).
    • AI Service Providers (e.g., Google AI, OpenAI for itinerary generation).
    • Map Service Providers (e.g., Mapbox for displaying interactive maps).
    • Payment Processing Providers (e.g., Stripe for handling payments).
    • Analytics Providers (e.g., Vercel Analytics for usage statistics).
    • Product Analytics Providers (e.g., PostHog for detailed usage insights).
    • Rate Limiting / Caching Providers (e.g., Upstash for performance and security, using the EU region where available).
    • Communication / Support Tools (e.g., email providers for support communication).
  • Professional Advisers: Lawyers, bankers, auditors, and insurers based in Germany or the EEA who provide consultancy, banking, legal, insurance, and accounting services, where necessary.
  • Legal Authorities: Regulators and other authorities based in Germany or the EEA who require reporting of processing activities in certain circumstances or disclosure of data based on legal requests.
  • Business Transfers: Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions and legal agreements (DPAs).

7. International Transfers

Some of the external third parties we work with are based outside the European Economic Area (EEA) or process data outside the EEA, so their processing of your personal data will involve a transfer of data outside the EEA. This primarily includes providers based in the United States (USA) such as:

  • Hosting & Analytics Provider (e.g., Vercel)
  • AI Service Providers (e.g., Google AI, OpenAI)
  • Map Service Provider (e.g., Mapbox)
  • Payment Processor (e.g., Stripe)
  • Product Analytics Provider (e.g., PostHog)

Whenever we transfer your personal data out of the EEA to such countries, we ensure a similar degree of protection is afforded to it by implementing appropriate safeguards. For the USA, the European Commission's adequacy decision of July 2023 covers only organizations certified under the EU-U.S. Data Privacy Framework (DPF); there is no general adequacy finding for the country. We therefore rely on the provider's DPF certification where the transfer falls within its scope, or otherwise on specific contracts approved by the European Commission known as Standard Contractual Clauses (SCCs), or on other valid transfer mechanisms under Chapter V of the GDPR.

You can request further information about the specific mechanism used when transferring your personal data out of the EEA by contacting us. Note that some providers (like Supabase and Upstash) offer infrastructure within the EEA (e.g., Frankfurt, Germany), and we strive to utilize these options where feasible to minimize data transfers.

8. Data Security

We have put in place appropriate technical and organizational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. Examples include using encryption (e.g., HTTPS), access controls, and secure infrastructure provided by our service providers.

We limit access to your personal data to employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and the relevant supervisory authority (see section 13) of a breach where we are legally required to do so, in accordance with GDPR requirements (Art. 33 and 34).

9. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it and whether we can achieve those purposes through other means, and the applicable legal requirements (e.g., German commercial and tax laws often require retention for 6 or 10 years).

Generally, account data is retained as long as your account is active and for a reasonable period afterward to allow for reactivation or to fulfill legal obligations. Usage data for analytics is often aggregated or anonymized sooner. You can request deletion of your account and associated personal data via the contact details in Section 2, subject to legal retention obligations.

10. Your Legal Rights

Under the GDPR and German data protection laws, you have the following rights regarding your personal data:

  • Right to access (Art. 15 GDPR): Request copies of your personal data.
  • Right to rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
  • Right to erasure ('right to be forgotten') (Art. 17 GDPR): Request deletion of your personal data, under certain conditions (e.g., data no longer necessary, consent withdrawn).
  • Right to restrict processing (Art. 18 GDPR): Request restriction of processing, under certain conditions (e.g., accuracy contested, processing unlawful).
  • Right to object to processing (Art. 21 GDPR): Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to data portability (Art. 20 GDPR): Request transfer of data you provided to us to another organization, or directly to you, in a structured, commonly used, machine-readable format, under certain conditions (processing based on consent or contract, and automated).
  • Right to withdraw consent (Art. 7(3) GDPR): Withdraw consent at any time where we rely on consent (e.g., for certain cookies or marketing). This does not affect the lawfulness of processing before withdrawal.
  • Right to lodge a complaint (Art. 77 GDPR): Complain to a supervisory authority (see section 13).

If you wish to exercise any of these rights, please contact us at: Serhatc580@gmail.com.

You generally do not have to pay a fee to exercise your rights. However, if your request is manifestly unfounded or excessive, in particular because of its repetitive character, we may charge a reasonable fee or refuse to act on the request (Art. 12(5) GDPR).

We may need to request specific information from you to help us confirm your identity and ensure your right to exercise these rights. This is a security measure.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer if your request is complex or you have made multiple requests. In this case, we will notify you.

11. Cookies and Similar Technologies

Our Service uses cookies and similar technologies (like local storage) to distinguish you from other users, provide functionality, and analyze usage.

For detailed information on the cookies we use, the purposes for which we use them, and how you can manage your consent, please see our Cookie Policy.

12. Changes to This Privacy Policy

We keep our privacy policy under regular review and may update it from time to time. We will notify you of any significant changes, for example by posting a notice on the Service or sending you an email. The "Last updated" date at the top indicates when it was last revised.

We encourage you to review this privacy policy periodically. Changes are effective when posted on this page.

13. Contact and Supervisory Authority

For questions about this policy or to exercise your rights, please contact us:

Email: Serhatc580@gmail.com
Address: SeroDesign, Serhat Cakmaktepe, Meuschelstraße 60, 90408 Nürnberg, Germany

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us in Bavaria, Germany is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
Phone: +49 (0) 981 180093-0
Email: poststelle@lda.bayern.de
Website: www.lda.bayern.de

We would, however, appreciate the chance to deal with your concerns before you approach the BayLDA, so please contact us in the first instance.