Privacy Policy

Tripkit is built and operated by Omkar Kardile as a personal project, not a company. There's one person behind it. You can reach me at omkarkardile95@gmail.com.

We only collect information that's needed for the app to work or that you choose to enter.

From your Google account (when you sign in)

When you sign in with Google, we receive from Google:

• Your email address
• Your name (whatever your Google account shows)
• Your profile picture URL (the small avatar Google associates with your account)

That's it. We don't get access to your Gmail inbox, contacts, calendar, drive, photos, or any other Google service. We only use Google to verify "yes, this person is who they say they are."

From your use of the app

When you create or join a trip, we store:

• Trips you create or are a member of, including name, destination, dates, and the invite-link token.
• Tasks you create or are assigned to, including title, category, assignee, status, progress, due date, dependencies, and expense amount.
• Comments and replies you post on tasks.
• Chat messages you send in trip-level chat.
• Files you upload as itineraries or attachments (up to 3 files per trip, 5 MB each).
• Your push-notification subscription if you turn notifications on — a device-specific token from your browser that lets us send pings.

From your device / browser

• A session cookie so you stay signed in across visits. It contains a token; no personal data.
• Small preferences kept in your browser's localStorage: which trips sort order you picked, whether you dismissed the notifications prompt this session, and similar UI choices. These never leave your device.
• A service worker is registered in your browser if you enable notifications, so push messages can be delivered even when the tab is closed.

Anonymous usage analytics

If your browser doesn't block it, Vercel Web Analytics records anonymous page views, country (approximate), browser, and device type. It does not use cookies and does not associate visits with your identity. It just helps me find bugs and figure out what's used.

We use the data above only to:

1. Run the app. Show you your trips, show your tasks to friends in the trip, deliver chat messages and notifications.
2. Keep you signed in across visits and devices.
3. Send notifications about events you opted into (comments on your tasks, chat messages, etc.) — only if you turn them on.
4. Improve the app. Aggregate, anonymous usage stats help me find bugs and figure out what's used.

We don't sell your data, share it with advertisers, or use it for marketing. There are no ads in Tripkit.

Inside your trips

Anyone you invite to a trip can see everything inside that trip: members, tasks, assignments, comments, chat, attachments, expenses. That's the point of a shared planning tool. You decide who's in your trips by sharing invite links with them. People not in a trip cannot see any of it.

Trip leads and members

The "group lead" (whoever created the trip) can edit trip details and remove members. Anyone can leave a trip; doing so removes you from that trip's member list. If the trip lead leaves and is the only member, the trip is deleted.

Third-party services we use

Tripkit is built on top of a few well-known services. Each one sees a specific slice of your data so the app can work:

We don't share data with any service beyond what's listed above.

Data location

All Tripkit application data lives in a Supabase Postgres database in the United States (Supabase's default region). Files you attach are stored in Supabase Storage, also in the US. If you're in another country, your data crosses borders to be served. If that's not okay for you, please don't use Tripkit.

You'll only get push notifications if you explicitly turn them on via the bell icon in the topbar (or the popup that appears in a trip). When you turn them on, your browser generates a push subscription identifier that we store. We use it to send notifications when:

• Someone comments on a task assigned to you
• Someone replies to a comment you posted
• A new task is assigned to you
• A new chat message appears in a trip you're a member of

You can turn notifications off any time — either from the bell icon in Tripkit, or in your browser/OS notification settings. Once turned off, we delete your subscription on your next visit.

We do not send marketing or promotional notifications. Ever.

You can, at any time:

• See your data — it's already visible to you in the app.
• Export your data — email omkarkardile95@gmail.com and I'll send you a JSON dump of every row associated with your account, usually within a week.
• Delete your account and all your data — email me and I'll wipe everything tied to your account, usually within 30 days. (You'll need to email because there isn't a one-click delete button yet.)
• Leave a trip — use the "leave" link on your member row. You're removed instantly; comments and messages you posted remain visible to that trip's other members.
• Turn off notifications — bell icon in the topbar.
• Clear preferences and dismissals — clear your browser's site data for Tripkit.
• Block analytics — most ad blockers already do this; Tripkit works fine without analytics.

If you're a resident of a region with stronger rights (EU, UK, California, etc.), you have additional rights to access, correct, restrict, or object to processing. Email me and I'll handle each request individually.

• While your account exists: we keep your data because the app needs it.
• When you delete your account: we delete everything from the active database within a few days.
• Backups: Supabase keeps automated daily backups for 7 days on the free plan. Once backups roll off, deleted data is gone for good.

We don't keep "shadow" copies for analytics or anything else.

Tripkit uses a small number of essential storage mechanisms in your browser:

• Session cookie — keeps you signed in.
• localStorage — remembers UI choices like your trips sort order and whether you dismissed the notifications prompt.
• sessionStorage — remembers whether you dismissed the notifications prompt during this browser tab session.
• Service worker — registered if you enable notifications, so pushes work when the tab is closed.

We don't use third-party tracking cookies. The Vercel Analytics service we use is cookie-free by design.

• All traffic is over HTTPS.
• Database access is gated by Row Level Security at the Postgres level — even if app code had a bug, the database wouldn't return your data to someone who shouldn't see it.
• The service-role key used for sending push notifications is server-only and never reaches your browser.
• File attachments are served via time-limited signed URLs (1 hour) rather than public links.

No system is 100% secure. If you spot a vulnerability or a data leak, email me and I'll fix it as a priority.

Tripkit is not intended for users under 13. If you're a parent or guardian and believe a child under 13 has signed up, email me and I'll remove their account and data.

If we materially change how we handle your data, we'll update the "Last updated" date at the top, and reasonable efforts will be made to notify active members via in-app message or the email tied to your Google account. Minor wording fixes won't be flagged.

Questions, requests, or concerns: Omkar Kardile — omkarkardile95@gmail.com.