Effective date: January 1, 2026 · Last updated: March 28, 2026
Summary: We collect only what we need to run the service. We don't sell your data. You can request deletion at any time. Payments are handled by PCI-DSS compliant processors; we never store raw card numbers.
1. Who We Are
TripCartIt, Inc. ("TripCartIt", "we", "us", or "our") operates the travel planning and booking platform at tripcartit.com. We are the data controller for personal information collected through our platform.
Contact: [email protected]
2. Information We Collect
2.1 Information you provide directly
- Profile data: Name, email address, home city, travel style preferences, and group size when you create a profile
- Booking data: Passenger names, dates of birth, passport information, and contact details when you complete a booking
- Payment data: Credit/debit card details when you make a purchase, processed by PCI-DSS compliant third-party processors; we do not store raw card numbers
- Communications: Messages you send to our support team
2.2 Information collected automatically
- Trip data: Destinations searched, itineraries built, and cart items saved (stored locally in your browser via localStorage)
- Usage data: Pages visited, features used, click patterns, collected anonymously to improve the platform
- Device data: Browser type, operating system, screen resolution, and IP address for security and compatibility
- Cookies: Session cookies to maintain your logged-in state and preference cookies to remember your settings
2.3 Information from third parties
- Flight booking data from Duffel (IATA-certified flight distributor)
- Hotel reservation data from Expedia Rapid API
- Activity booking data from GetYourGuide
- Weather data from OpenWeatherMap
- Location/POI data from Geoapify
3. How We Use Your Information
- To provide, operate, and improve the TripCartIt platform
- To process flight, hotel, and activity bookings you initiate
- To personalize AI trip recommendations via Trippy (powered by Anthropic Claude)
- To send booking confirmations, itinerary updates, and price alerts you opt into
- To prevent fraud, abuse, and unauthorized access
- To comply with legal obligations including IATA regulations and financial reporting
- To improve our AI models using anonymized, aggregated usage patterns, never individual identifiable data
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
- Contract performance: Processing necessary to complete bookings you initiate (Art. 6(1)(b) GDPR)
- Legitimate interests: Platform security, fraud prevention, and service improvement (Art. 6(1)(f) GDPR)
- Legal obligation: Compliance with financial regulations and IATA requirements (Art. 6(1)(c) GDPR)
- Consent: Marketing communications and optional analytics (Art. 6(1)(a) GDPR); you may withdraw consent at any time
5. Information Sharing
We share your personal data only in the following circumstances:
- Travel suppliers: Airlines, hotels, and activity operators receive your passenger/guest details solely to fulfill bookings you initiate
- Payment processors: PCI-DSS Level 1 certified processors receive card data to complete transactions
- AI providers: Trip descriptions are processed by Anthropic (Claude API) to generate itineraries; data is not used to train Anthropic's models per our API agreement
- Infrastructure providers: Cloudflare (hosting and CDN), Supabase (optional account storage)
- Legal requirements: We may disclose data when required by law, court order, or to protect our legal rights
We do not sell, rent, or share your personal data with third parties for marketing purposes.
6. Cookies & Tracking
We use the following types of cookies:
- Essential cookies: Required for the platform to function (session management, security). Cannot be disabled.
- Preference cookies: Remember your settings such as dark mode and home city.
- Analytics cookies: Anonymized usage data to improve features. You may opt out.
We do not use cross-site advertising trackers or sell cookie data to ad networks. You can manage cookies in your browser settings.
7. Data Retention
- Trip data: Stored in your browser's localStorage, controlled entirely by you. Clearing browser data removes it.
- Account data: Retained while your account is active, then deleted within 90 days of account closure upon request
- Booking records: Retained for 7 years to comply with financial and tax regulations
- Support communications: Retained for 2 years then deleted
8. Data Security
- All data in transit is encrypted using TLS 1.3
- Payment card data is processed by PCI-DSS Level 1 certified processors, never stored on our servers
- Passenger data (names, DOBs) is encrypted at rest
- Access to production systems is restricted to authorized personnel with MFA
- We conduct regular security reviews and promptly address vulnerabilities
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data ("right to be forgotten"), subject to legal retention requirements
- Portability: Receive your data in a machine-readable format
- Objection: Object to processing based on legitimate interests
- Restriction: Request we limit how we process your data
- Withdraw consent: Withdraw consent for optional processing at any time
To exercise any right, email [email protected]. We respond within 30 days. EEA residents may also lodge a complaint with their national data protection authority.
10. International Transfers
TripCartIt is based in the United States. If you access our platform from the EEA, UK, or other regions with data protection laws, your information may be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for such transfers.
11. Children's Privacy
TripCartIt is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us at [email protected] and we will delete it promptly.
12. California Privacy Rights (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete it, and the right to opt out of sale. We do not sell personal information. To make a CCPA request, email [email protected].
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or prominent in-app notice at least 14 days before the change takes effect. Continued use of the platform constitutes acceptance of the updated policy.
14. Contact
For privacy-related questions or requests: