Privacy policy

Last updated: 11 April 2026

SynqForge Ltd (trading as TripTiles), a company registered in England and Wales (company number 16808271). Registered office: 3rd Floor, 86-90 Paul Street, London, EC2A 4NE, United Kingdom. Contact: hello@triptiles.app. Privacy enquiries: privacy@triptiles.app.

1. Who we are

SynqForge Ltd (trading as TripTiles) is the data controller for personal data processed through the TripTiles service. We are responsible for deciding how and why your data is processed, and for keeping it safe.

Contact for privacy matters: privacy@triptiles.app
General enquiries: hello@triptiles.app
Website: www.triptiles.app

2. What data we collect

Account data: email address, password hash (held by Supabase Auth), subscription tier, optional display name.
Trip data: destinations, dates, calendar assignments, preferences, notes, and public sharing settings where you choose to publish.
Usage data: AI generation prompts and outputs (stored to provide the service), timestamps, and technical metadata for AI processing (such as request identifiers).
Payment data: Stripe customer and subscription identifiers, invoice references, and product/price identifiers. We do not receive or store your full card details — Stripe processes card data.
Technical data: IP address, user agent, essential session cookies (httpOnly), and basic analytics from our hosting provider (privacy-friendly, no advertising cookies).
Communications: transactional and scheduled emails (e.g. confirmations, trip reminders, collaborator invites) sent via Resend.

3. Legal basis (Article 6 UK GDPR)

Contract: processing necessary to run TripTiles for you.
Legitimate interests: securing the service, fraud prevention, product improvement, and aggregate analytics where proportionate.
Consent: where we rely on consent (e.g. optional marketing — we do not send marketing without opt-in).
Legal obligation: retaining certain financial records for UK tax law (typically up to six years for relevant transactions).

4. How we use your data

Providing the planner, AI features, PDF export, and sharing.
Processing subscriptions and billing via Stripe.
Sending service emails (account, security, trip lifecycle, invites).
Improving reliability and security; aggregate analytics only.
Fraud prevention and abuse detection.

5. Who we share data with (processors)

We do not sell your personal data. We use processors who handle data only to provide their services to us:

Supabase — database and authentication.
Vercel — hosting and web analytics (privacy-oriented).
Anthropic — AI processing when you use Smart Plan.
Resend — email delivery.
Stripe — subscription billing and card payments.
Booking.com — if you click our affiliate hotel links, their policy applies on their site.
GetYourGuide — if you click our affiliate experience links.

6. International transfers

Some processors may process data outside the UK/EEA. Where required, we rely on appropriate safeguards such as the UK International Data Transfer Agreement / Addendum and Standard Contractual Clauses. Data is encrypted in transit (TLS) and protected at rest by our processors.

7. How long we keep data

Active accounts: whilst your account exists and as needed to provide the service.
Deleted accounts: personal data removed within 30 days of deletion, subject to backups rotating out.
Financial records: up to six years where UK law requires retention (metadata only where applicable).
Backups: may persist for up to 30 days in routine backup cycles.
Aggregated analytics without personal identifiers may be kept indefinitely.

8. Your rights under UK GDPR

You may have the right to:

Access the personal data we hold about you.
Rectify inaccurate data.
Erase your data (see account deletion in Settings).
Restrict processing in certain circumstances.
Data portability for data you provided (e.g. export).
Object to processing based on legitimate interests.
Withdraw consent where processing is consent-based.

To exercise a right, email privacy@triptiles.app. We will respond within 30 days. You may also complain to the ICO: ico.org.uk.

9. Cookies

We use essential cookies only (session and authentication). We do not use non-essential tracking or marketing cookies on TripTiles itself. Vercel Analytics does not use cookies in the usual tracking sense. See our Cookie policy for details.

10. Children

TripTiles is not directed at children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has signed up, contact privacy@triptiles.app.

11. Security

We use HTTPS, industry-standard password hashing via Supabase, and database Row Level Security. We review access and rotate secrets periodically.

12. Changes to this policy

We may update this policy. Material changes will be highlighted on this page and, where appropriate, notified by email. The effective date is shown at the top.

13. Contact

privacy@triptiles.app