Privacy Policy — Triphaus
Effective: 22 May 2026
1. Controller
The controller responsible for the processing of your personal data within the meaning of the General Data Protection Regulation (GDPR) is:
[Founder full name] [Street, House number] [Postcode, City] Germany
Email: support@triphaus.app
(Exact contact details are maintained in the founder’s legal record. See /impressum for the current address.)
2. Data Protection Officer
Triphaus is operated as a sole proprietorship (Einzelunternehmer). German law does not require a Data Protection Officer for businesses of this size. No DPO has been appointed.
3. What data we collect and why
The following categories of personal data are processed when you use the Triphaus app. This list mirrors the Apple Privacy Nutrition Label for Triphaus (declared in PrivacyInfo.xcprivacy).
3.1 Account data (linked to your identity)
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Account creation via Sign in with Apple; sending service-related messages | Performance of contract, Art. 6(1)(b) GDPR |
| Name (display name from Apple) | Personalising the in-app experience | Performance of contract, Art. 6(1)(b) GDPR |
| User ID (opaque Apple-issued identifier) | Identifying your account across devices; securing API calls | Performance of contract, Art. 6(1)(b) GDPR |
Sign in with Apple is the only sign-in method. Triphaus never receives your Apple ID password.
3.2 Subscription and purchase data (linked to your identity)
| Data | Purpose | Legal basis |
|---|---|---|
| Purchase history (App Store subscription status) | Enforcing the free/paid quota; restoring your subscription | Performance of contract, Art. 6(1)(b) GDPR; Legal obligation (VAT records), Art. 6(1)(c) GDPR |
3.3 Content you provide (linked to your identity)
| Data | Purpose | Legal basis |
|---|---|---|
| Travel documents, booking confirmations, photos you share with the AI feature | Extracting structured itinerary data via the AI model | Performance of contract, Art. 6(1)(b) GDPR |
| Itineraries and trip data you create | Storing and syncing your trips | Performance of contract, Art. 6(1)(b) GDPR |
3.4 App interaction data (linked to your identity)
| Data | Purpose | Legal basis |
|---|---|---|
| Feature usage (which features you use, AI quota consumed) | Enforcing usage quota; improving the service | Legitimate interests, Art. 6(1)(f) GDPR — interest: sustainable quota management |
3.5 Location data (not linked to your identity)
| Data | Purpose | Legal basis |
|---|---|---|
| Precise location (optional, requested in-app) | Suggesting nearby airports or places when you add a trip step | Consent, Art. 6(1)(a) GDPR — you can deny or revoke in iOS Settings |
Location data is used only on-device for suggestions. It is not transmitted to our servers or to any third party.
3.6 Photos and videos (not linked to your identity)
| Data | Purpose | Legal basis |
|---|---|---|
| Photos or screenshots you select for AI extraction | Sending to the AI model to extract booking information | Performance of contract, Art. 6(1)(b) GDPR |
Photos are transmitted to OpenAI solely for processing your request and are not retained by OpenAI beyond the API call (see Section 4).
4. Recipients and third-party services
OpenAI (AI feature)
When you use the AI import feature, Triphaus sends the content you submit (booking confirmation text or image) to OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA, via OpenAI’s API. OpenAI processes this data to extract structured travel information and returns the result to the app. OpenAI does not use API request data to train its models (OpenAI API data usage policy, effective as of this policy date).
International transfer: OpenAI is based in the United States. The transfer is governed by the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, supplemented by OpenAI’s Data Processing Addendum. Additionally, OpenAI participates in the EU–US Data Privacy Framework (DPF).
Apple Inc. (Sign in with Apple, App Store)
Apple processes the authentication and payment flow under its own privacy policy. Triphaus receives only the opaque user identifier and, on first sign-in, an email address and optional name that you choose to share.
No analytics or advertising SDKs
Triphaus does not integrate any advertising network, social-media tracking pixel, or behavioural analytics SDK. NSPrivacyTracking is declared false in the Apple Privacy Manifest.
5. Cookies and tracking technologies
The Triphaus marketing website (triphaus.app) uses only technically necessary first-party storage. No tracking cookies, advertising pixels, or third-party analytics scripts are deployed. A full Cookie Notice is published separately at [/cookie-notice] (forthcoming in a future release).
The iOS app does not use browser cookies. On-device storage uses Apple’s UserDefaults (for preferences, declared under reason CA92.1) and the Keychain (for authentication tokens).
6. Retention periods
| Data category | Retention |
|---|---|
| Account and itinerary data | Until you delete your account. You can request deletion at any time (Section 8). |
| AI input data (booking documents sent to OpenAI) | Not retained by Triphaus after the API response. OpenAI’s retention is governed by OpenAI’s data processing agreement (zero-day retention for API data). |
| Purchase history | As required by German commercial and tax law — typically 10 years (§ 147 AO). |
| Server logs | 30 days, then automatically deleted. |
7. Your rights under GDPR
As a data subject in the European Union (or the European Economic Area), you have the following rights:
- Right of access (Art. 15 GDPR): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): You may correct inaccurate data.
- Right to erasure (Art. 17 GDPR): You may request deletion of your data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR): You may ask us to restrict processing in certain circumstances.
- Right to data portability (Art. 20 GDPR): You may receive your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests (Art. 6(1)(f)).
- Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent (e.g. location), you may withdraw at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at support@triphaus.app. We will respond within 30 days.
8. Account and data deletion
To delete your account and all associated data, go to Settings → Delete Account inside the Triphaus app, or send a written request to support@triphaus.app. Deletion is processed within 30 days.
9. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. The supervisory authority competent for Triphaus is:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), Husarenstr. 30, 53117 Bonn, Germany, https://www.bfdi.bund.de
You may also contact the supervisory authority in your country of residence.
10. Automated decision-making and profiling
Triphaus does not use automated decision-making or profiling that produces legal or similarly significant effects (Art. 22 GDPR). The AI feature extracts travel data from documents you provide; the result is always reviewed by you before any booking or itinerary is saved.
11. Children
Triphaus is not directed at children under 16 years of age, consistent with the age threshold for consent under Art. 8 GDPR in Germany. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us at support@triphaus.app and we will delete it promptly.
12. Changes to this policy
We may update this policy to reflect changes in our data practices or applicable law. The effective date at the top of this page indicates when the current version was adopted. Material changes will be communicated in-app.
13. Contact
For privacy-related questions, write to: support@triphaus.app
[FOUNDER NOTE: This draft requires your legal review before publication. See the Open Question in spec 2026-05-22-1430_web-legal-pages.md. Do not publish without sign-off.]