tripowl

Legal

Privacy Policy

How we collect, use, and protect your data — clearly and honestly.

Last updated: March 2026

Contents

1. What Data We Collect2. Why We Collect It3. How We Process It4. Third-Party Services5. Data Retention6. Your Rights Under DPDPA 20237. Data Security8. Children's Data9. Grievance Officer10. Changes to This Policy

1. What Data We Collect

Account Data

  • Full name, email address, and profile photo — collected when you sign in via Google OAuth
  • Email address — collected when you sign in via Email OTP

Travel Preferences

  • Destinations, travel dates, budget level, number of travellers, travel companions, and trip style — collected when you use the itinerary planner

User-Generated Content

  • Travel stories (text, title, destination), photos you upload, tags you select, and likes you give to other stories

Device & Usage Data

  • Browser type, device type, pages visited, and approximate location (derived from IP address, used for relevant destination recommendations)

Cookies

We use authentication session cookies only — to keep you logged in securely. We do not use advertising cookies, tracking pixels, or any third-party analytics cookies that profile your behaviour across other websites.

2. Why We Collect It (Purpose of Processing)

  • Account data: To create and manage your TripOwl account, authenticate your identity, and communicate important account-related information.
  • Travel preferences: To generate personalised AI-powered itineraries tailored to your trip requirements.
  • User-generated content: To display your travel stories, photos, and engagement on the Travel Stories feed for other users to read and interact with.
  • Device & usage data: To improve app performance, fix bugs, ensure platform stability, and provide a better user experience.

We do not sell, rent, or trade your personal data to any third party. We do not use your data for targeted advertising.

3. How We Process It

AI Itinerary Generation

When you generate an itinerary, your destination, travel dates, budget, and trip style are sent to Google's Gemini AI API to create a personalised travel plan. This data is processed on Google's servers under their privacy terms. No personal identifiers (your name, email, or profile photo) are ever sent to the AI — only your travel preferences.

Story Images

Photos you upload with your travel stories are compressed client-side for optimal quality and then stored in our cloud storage infrastructure (Supabase Storage, hosted on AWS). These images are publicly visible on the Travel Stories feed as part of your published story.

Profile Data

Your account information is stored securely in our database with row-level security (RLS) policies, ensuring that each user can only access and modify their own data.

4. Third-Party Services

TripOwl relies on the following third-party services to operate. Each service has access only to the data necessary for its function:

  • Google (OAuth & Gemini AI): Handles user authentication via Google sign-in and processes travel preferences to generate AI itineraries. Google's Privacy Policy applies to data processed by their services.
  • Supabase: Provides our database (PostgreSQL) and file storage infrastructure, hosted on AWS. Stores all user data, stories, and uploaded images.
  • Vercel: Hosts the TripOwl web application. Processes HTTP requests and serves the platform to users.
  • Brevo (formerly Sendinblue): Sends transactional emails, specifically One-Time Passwords (OTPs) for email-based login. Receives only the email address required to deliver the OTP.

We encourage you to review the privacy policies of these services for full details on how they handle data.

5. Data Retention

  • Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion request.
  • Travel stories & images: Retained until you delete them individually or delete your account entirely.
  • Saved itineraries: Retained until you delete them or delete your account.
  • Usage analytics: Aggregated and anonymised data may be retained indefinitely for platform improvement. This data cannot be traced back to any individual user.

6. Your Rights Under the Digital Personal Data Protection Act, 2023

As a user in India, you have the following rights under the DPDPA 2023:

  • Right to Access: You may request a copy of all personal data we hold about you.
  • Right to Correction: You can update or correct inaccurate personal data at any time through your profile settings.
  • Right to Erasure: You may request deletion of your account and all associated personal data. We will process this within 30 days.
  • Right to Grievance Redressal: You have the right to raise a complaint with our Grievance Officer if you believe your data is being mishandled.
  • Right to Nominate: You may nominate another person to exercise your data rights in the event of your death or incapacity, as provided under the DPDPA 2023.

How to exercise these rights: Send an email to privacy@tripowl.in with the subject line "Data Rights Request". We will verify your identity and respond within 72 hours.

7. Data Security

  • All data is encrypted at rest and in transit using industry-standard encryption protocols (TLS 1.2+).
  • Row-level security (RLS) policies ensure that each user can only access, modify, and delete their own data.
  • Authentication is handled by industry-standard providers (Google OAuth, Supabase Auth) with secure token management.
  • Uploaded images are stored in access-controlled cloud storage buckets.
  • We regularly review our security practices and update them as needed.

While we take all reasonable measures to protect your data, no system is completely secure. If you suspect any unauthorised access to your account, please contact us immediately.

8. Children's Data

TripOwl is not intended for users under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a user under 18 has provided us with personal data, we will take steps to delete that data promptly.

If you are a parent or guardian and believe your child has provided personal data to TripOwl, please contact us at privacy@tripowl.in.

9. Grievance Officer

In accordance with the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the following person is designated as the Grievance Officer for TripOwl:

Name: Trishul

Email: grievance@tripowl.in

Response time: Acknowledgement within 24 hours of receipt. Resolution within 15 days.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make significant changes, we will notify you via email or through an in-app notification before the changes take effect.

We encourage you to review this page periodically. The "Last updated" date at the top of this page indicates when this policy was most recently revised.