Legal

Privacy policy

Last updated: April 18, 2026

This policy explains what information TripRelay collects, how we use it, and the choices you have. It’s written in plain English. If anything here is unclear, email us at privacy@triprelay.app.

Who we are

TripRelay is a collaborative group trip planning app operated at triprelay.app. When this policy says “we” or “us,” we mean TripRelay.

What we collect

Account and trip data you give us

When you use TripRelay, we collect:

  • Account information — email address and, optionally, display name, username, and profile photo. Created when you sign up via email/password or Google OAuth, or generated automatically for anonymous sessions.
  • Trip content — rooms, destinations, dates, candidate places, votes, generated itineraries, and shared teasers. Created as you use the product.
  • Bookings you log — if you use the booking tracker, the hotels, tours, reservations, and notes you enter.
  • Reviews you submit — ratings and any optional quotes plus a display name if you choose to opt into public display. Reviews are private by default.

Information we collect automatically

  • Usage analytics (via PostHog) — pageviews, clicks, feature events (like swipe votes and itinerary generation), web performance metrics, browser/device type, approximate location derived from IP address, and a persistent analytics identifier. PostHog is a product analytics service; see the PostHog privacy policy.
  • Authentication data (via Firebase) — session tokens, sign-in timestamps, and authentication provider. See the Firebase privacy documentation.
  • Server logs — request metadata (timestamp, endpoint, status code, user-agent) retained for a short period for debugging and abuse prevention.

Cookies and local storage

We use a small number of first-party cookies and browser local storage entries to keep you signed in, remember your preferences, store the analytics identifier, and remember when you’ve dismissed in-app prompts (like the rating prompt). We do not use third-party advertising cookies.

How we use the information

  • To run the product — create rooms, process votes, generate itineraries, render shared teasers.
  • To improve the product — analyze which flows work, where users get stuck, and which features get used. This is what PostHog events power.
  • To communicate — only transactional emails tied to your account (password reset, important service updates). We don’t run a marketing email program today.
  • To comply with the law — respond to legal process, enforce our Terms, and protect TripRelay and our users from abuse.

Sharing and third parties

We don’t sell your data. We share limited information only with service providers that help us run the product:

  • Google Firebase — authentication, Firestore database, hosting of structured data.
  • PostHog — product analytics, routed through our own domain so ad blockers don’t drop events.
  • Vercel — application hosting and CDN.
  • OpenAI — the AI model used for itinerary generation. We send trip setup context, candidate places, and vote results to OpenAI to produce the day-by-day plan.
  • Google Places — used to populate the candidate-place catalog for new cities.
  • Viator (a Tripadvisor company) — when you click a recommended tour, you’re taken to Viator’s site. We include an affiliate identifier in the URL; if you book, TripRelay may earn a commission at no additional cost to you.

Viator affiliate disclosure

Some of the tour links on TripRelay are affiliate links through the Viator partner program. If you click one and complete a booking, TripRelay may receive a small commission. This never changes the price you pay and never influences which tours we recommend; the tour list is generated from Viator’s catalog based on your destination.

Your choices

  • Access and deletion — email privacy@triprelay.app to request a copy of your data or to delete your account. We’ll respond within 30 days.
  • Opting out of analytics — most browsers support “Do Not Track.” We honor DNT by not persisting analytics sessions when that signal is on. You can also block the triprelay.app/ph/* path at the browser level.
  • Sign out — from your profile page or the nav bar.
  • Revoke room access — room owners can rotate the invite link from the room detail page.

Data retention

Trip rooms, itineraries, and shared teasers are retained while your account is active. If you delete your account, we delete or anonymize your personal data within 30 days except where retention is required for legal, accounting, or abuse-prevention reasons. Server logs are retained for up to 90 days.

Children

TripRelay is not directed at children under 13. If you believe a child has provided us with personal information, email privacy@triprelay.app and we’ll delete it.

International users

TripRelay is operated from the United States. If you’re using the product from another country, you acknowledge that your data is processed in the US and other countries where our service providers operate. We use the standard infrastructure protections provided by Firebase, Vercel, and PostHog for data-in-transit and data-at-rest.

Changes to this policy

We’ll update the “Last updated” date at the top of this page when we make meaningful changes. If the change is material, we’ll surface a notice in-app or by email the next time you sign in.

Contact

Privacy questions, data requests, or concerns: privacy@triprelay.app.