Privacy Policy

Last updated: April 2026

TripSquad ("we", "us") is a product of Afia Labs. This policy explains what we collect, why, and your rights.

What we collect

• Account data: email, display name, emoji, optional @tag handle, profile photo URL.
• Trip data: trip names, destinations, dates, budgets, preferences, votes, chat messages, itineraries you create or participate in.
• Device data: push notification tokens (only if you grant permission), platform, app version.
• Diagnostics: minimal crash and performance data to keep the app working.

We do not collect your location unless you explicitly share it in a trip. We do not sell your data.

How we use it

• To provide the service · sync your trips, deliver realtime updates to your squad, generate AI trip options.
• To send you notifications about trip activity you're part of.
• To improve Scout (our AI) using aggregate, de-identified prompts. We do not train models on the content of your private squad chats or DMs.

Third-party data processors

TripSquad relies on a small set of trusted infrastructure and identity providers to make the app work. We share the minimum data needed for each provider's specific function. None of them receive your data for advertising.

• Supabase · authentication, database, file storage, and realtime sync. Stores your account, profile, trips, squad members, chat messages, and uploaded photos. Hosted in the United States (us-east-2 / Ohio).
• Apple · Sign in with Apple (account creation and authentication). Apple may receive your name and email if you choose to share them at sign-up.
• Google · Google Sign-In (OAuth) for account creation and authentication. Google receives your name and email when you sign in via Google.
• Anthropic · powers Scout, our AI travel companion, and AI-assisted trip generation. Messages you send to Scout, plus the squad's preferences and dates, are sent to Anthropic's Claude API to produce a response. Anthropic does not retain or train on your prompts per its enterprise terms.
• Firebase Cloud Messaging and Apple Push Notification Service (APNs) · delivery of push notifications. Receives a device token and the notification payload only.
• Cloudflare · hosts gettripsquad.com and the in-browser squad-invite flow. Receives standard web-server request data (IP, user agent) for security and abuse prevention.

We also share trip-specific data (your preferences, votes, chat messages, photos) with the squad members you invite to a trip. That's the product working as intended.

We do not share your data with advertisers, data brokers, or analytics networks.

Affiliate links and outbound clicks

TripSquad participates in affiliate programs with travel partners (Booking.com, Marriott, Hotellook / Travelpayouts, Aviasales) and Amazon Associates. When you tap a hotel, flight, or product link in TripSquad and complete a qualifying booking on the partner's site, we may earn a commission at no extra cost to you. The price you pay never changes because of our affiliate relationship.

To support attribution and protect the platform from fraud, we record outbound clicks: which kind of recommendation you tapped (hotel / flight / restaurant), the trip context, a hashed IP fragment for fraud signals (never the raw IP), and a click ID we pass to the partner. We do not sell or share clickthrough data with anyone outside the partner the link points to.

You can identify affiliate links by their destination URL · they go to `booking.com`, `amzn.to`, `aviasales.com`, `hotellook.com`, etc. Affiliate revenue helps fund development; our recommendations are based on what we think will serve the squad, not on which partner pays the highest commission.

Your rights

• Access / export: email us and we'll send you a copy of your data.
• Delete: delete your account in the app (Profile → settings) or email us. Deletion removes your profile, trips you host, and your chat messages within 30 days.
• Correct: update your profile fields any time in the app.
• Opt out of notifications: system settings or in-app toggle.

Children

TripSquad is not intended for users under 13. We do not knowingly collect data from children under 13.

Security

Data is transmitted over HTTPS. Supabase Row Level Security restricts access to your trips to you and your squad. Passwords are hashed. Push tokens are stored per-user and revoked on sign out.

International users

We process data in the United States. If you're in the EU/UK, we rely on standard contractual clauses.

Contact

Questions? Email [email protected].