Legal
Privacy Policy
Last updated: 21 May 2026
This Privacy Policy explains how PartiiTrip Ltd collects, uses, stores, and protects your personal data when you use the PartiiTrip app or website. We are committed to being transparent about our data practices and to handling your information responsibly and in compliance with applicable data protection law.
Please read this policy carefully. If you have any questions or concerns, contact us at contact@partiitrip.com. Our Terms & Conditions also apply to your use of the Service.
1. Who We Are
PartiiTrip Ltd is a private limited company incorporated in England and Wales. We operate the PartiiTrip group trip planning app and website, available at partiitrip.com and via the Apple App Store and Google Play Store.
For the purposes of UK data protection law, PartiiTrip Ltd is the data controller in respect of any personal data processed through the Service. This means we determine the purposes and means of processing your personal data.
If you have any questions about this Privacy Policy, about how we handle your personal data, or about your data subject rights, please contact us:
- Email: contact@partiitrip.com
- Website: partiitrip.com
2. What Data We Collect
We collect only the personal data that is necessary for the operation of the Service. The categories of personal data we collect are as follows:
- Email address: Collected when you create an Account. Used for OTP (one-time passcode) authentication, to keep you logged in securely, and to send you important Service communications. No passwords are collected or stored.
- Name and display name: Collected when you set up your profile. Used to identify you to other members of your Trip group within the Service.
- Trip data: Includes destination information, travel dates, itinerary entries, group member lists, polls, notes, challenges, and other content you create or contribute to within the context of a Trip. This data is shared with other members of the same Trip.
- Expense data: Includes expense amounts, descriptions, categories, payer and payee relationships, and settlement records that you or other Trip members log within the Service. This data is shared with all members of the same Trip.
- Bank account details (voluntary): If you choose to add your bank account details (sort code, account number, and account name) to your profile, this information is stored and displayed to other members of your Trip group solely to facilitate manual bank transfers when settling shared expenses. These details are entirely voluntary, are not used by PartiiTrip Ltd for any payment processing purpose, and are never shared with any third party for payment initiation. Bank details are encrypted at rest using AES-256 encryption via our database infrastructure provider, Supabase.
- Device information: Includes your operating system, app version, and device type. Collected automatically for the purposes of crash reporting and compatibility. Crash reports are processed in an anonymised form via Sentry and do not include personally identifiable information.
- Usage data: Includes information about which features of the Service you use, how frequently, and in what order - for example, which sections of a Trip you view or interact with. This data is used in aggregated and anonymised form to help us understand how the Service is used and to improve it. Usage data is not sold to any third party.
We do not collect special category personal data (such as health, political, religious, or biometric data) and we do not ask you to provide it. Please do not include such data in your Trip content or notes.
3. How We Use Your Data
We use the personal data we collect for the following purposes:
- To provide and operate the Service: To create and manage your Account, to activate and run Trips, to display Trip content and expense data to appropriate members, and to generally deliver the features of the Service.
- To authenticate you: To send OTP login codes to your email address when you sign in, and to maintain your authenticated session within the App or browser.
- To calculate and display expense splits: To process the expense data entered by you and other Trip members and generate suggested settlement calculations for display within the Service.
- To generate AI-powered recommendations: To provide activity suggestions, itinerary ideas, and other AI-powered features by submitting anonymised prompts to OpenAI's API. Personal identifiers (such as your name or email address) are not included in prompts sent to OpenAI.
- To detect and diagnose crashes and errors: To receive anonymised crash reports via Sentry, enabling us to identify and resolve technical issues that affect the reliability of the Service.
- To improve the product: To analyse aggregated and anonymised usage patterns to understand how the Service is being used, identify areas for improvement, and prioritise new features.
- To communicate important changes: To notify you of material changes to these Terms, this Privacy Policy, or the Service itself, where we are required or choose to do so by email.
We do not use your personal data for advertising, marketing to third parties, or any purpose not described above without your explicit consent.
4. Legal Basis for Processing
Under UK GDPR, we are required to have a lawful basis for each type of personal data processing we carry out. Our lawful bases are as follows:
- Contract performance (Article 6(1)(b) UK GDPR): Processing that is necessary to perform the contract between you and PartiiTrip Ltd - i.e., to provide you with the Service you have requested. This covers Account creation and authentication, Trip creation and management, expense tracking, and all core Service features.
- Legitimate interests (Article 6(1)(f) UK GDPR): Processing that is necessary for our legitimate interests in operating and improving the Service securely and reliably, and where those interests are not overridden by your rights and interests. This covers crash reporting and error diagnosis (via Sentry), product improvement via anonymised usage analytics, fraud detection, and security monitoring.
- Consent (Article 6(1)(a) UK GDPR): Where we seek and obtain your explicit consent to process your personal data for a specific purpose - for example, if we introduce optional marketing communications in the future, or where you voluntarily add bank account details to your profile. You have the right to withdraw consent at any time, and withdrawal will not affect the lawfulness of processing carried out before withdrawal.
5. Data Sharing
We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes. We share personal data only in the following circumstances:
With service providers acting as data processors: We share personal data with the following third-party service providers under data processing agreements, as required by UK GDPR. These providers are authorised to process your personal data only on our instructions and for the purposes described:
- Supabase: Database infrastructure provider. Stores all core Service data including Account information, Trip data, and expense records. Data is hosted in the EU (Ireland).
- OpenAI: AI features provider. Receives anonymised prompts to generate trip suggestions and recommendations. No personal identifiers (name, email, or bank details) are included in prompts sent to OpenAI.
- Sentry: Crash and error reporting provider. Receives anonymised crash data and stack traces to help us diagnose technical issues. Data sent to Sentry is anonymised.
- Resend: Email delivery provider. Processes your email address to deliver OTP login codes and service notification emails.
- Cloudflare: Hosting, content delivery network, and security proxy provider. All network traffic to the Service passes through Cloudflare's infrastructure.
With independent controllers for payment processing: Where you make in-app purchases, your payment data is handled directly by Apple (App Store), Google (Play Store), or Stripe (web purchases). These companies act as independent data controllers for payment data under their own privacy policies. PartiiTrip Ltd does not receive or store your payment card details.
With other Trip members: Certain personal data you provide - such as your display name, profile information, expense contributions, and (if provided) bank account details - is shared with other members of the same Trip as part of the core functionality of the Service. Please be mindful of the information you choose to share within a Trip group.
Where required by law: We may disclose personal data where required to do so by applicable law, court order, or the request of a competent regulatory or law enforcement authority.
6. Bank Account Details
If you choose to add your bank account details (sort code, account number, and account name) to your PartiiTrip profile, the following applies:
- These details are stored solely so that other members of your Trip group can see where to send payment when settling shared expenses. They are displayed within the Trip interface to other Trip members.
- PartiiTrip Ltd does not use your bank account details to initiate, process, authorise, or facilitate any bank transaction. We are not a payment service provider and we have no access to your bank account.
- Bank account details are stored encrypted at rest using AES-256 encryption via Supabase, our database infrastructure provider.
- You can view, edit, or permanently delete your bank account details at any time from your profile settings within the App. Deletion is immediate.
- Adding bank account details is entirely optional. The Service can be used fully without providing this information.
We strongly recommend that you only share bank account details within Trip groups where you know and trust all members.
7. Data Retention
We retain your personal data for as long as your Account remains active and for a reasonable period thereafter to allow for account recovery requests. The specific retention practices are as follows:
- Account data: Retained for the duration of your Account's active period. Following account deletion, personal data associated with your Account is removed within 30 days of the deletion request being actioned, subject to the exceptions below.
- Trip and expense data: Retained for the duration of the relevant Trip and your Account's active period. Where your contributions to a Trip (such as expense records or notes) are associated with other active Members' trips, this data may be retained for the duration of those Members' active Trips, as deleting it could disrupt other Members' records.
- Legal retention obligations: Certain records may be required to be retained for longer periods in order to comply with legal obligations (for example, financial records for tax purposes). Where such obligations apply, we will retain only the minimum necessary information for the required period and will delete it once the retention period expires.
- Anonymised and aggregated data: Data that has been fully anonymised or aggregated such that it can no longer identify you (even indirectly) may be retained indefinitely for product analytics and improvement purposes.
Where you request deletion of your Account, we will confirm by email once the deletion has been completed. If you have any questions about how long we retain specific types of data, contact us at contact@partiitrip.com.
8. Your Rights (UK GDPR)
As a data subject under UK GDPR, you have the following rights in respect of your personal data. These rights apply subject to certain legal exceptions and conditions:
- Right of access: You have the right to request a copy of the personal data we hold about you and information about how we process it. This is known as a Subject Access Request (SAR).
- Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to erasure ("right to be forgotten"): You have the right to request that we delete your personal data where there is no compelling reason for its continued processing - for example, where the data is no longer necessary for the purpose for which it was collected. This right is subject to legal retention obligations.
- Right to restriction of processing: You have the right to request that we restrict the processing of your personal data in certain circumstances - for example, while the accuracy of data you have contested is verified.
- Right to data portability: Where processing is based on your consent or the performance of a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller where technically feasible.
- Right to object: Where processing is based on our legitimate interests, you have the right to object to that processing. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.
- Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, please contact us at contact@partiitrip.com. We will respond within 30 days of receiving a valid request. We may ask you to verify your identity before processing a request. Requests are free of charge unless they are manifestly unfounded or excessive.
9. Cookies and Local Storage
PartiiTrip uses minimal local storage in your browser or device to enable the Service to function. We do not use advertising cookies, third-party tracking cookies, fingerprinting technologies, or any other tracking mechanism that would require a cookie consent banner under UK PECR (Privacy and Electronic Communications Regulations).
The local storage items we use are strictly necessary for the operation of the Service:
- Authentication session token: Stored in your browser's localStorage to keep you logged in to your Account between visits, without requiring you to enter a new OTP each time. This token expires after a defined period of inactivity.
- Preference flags: Basic functional flags stored locally to remember your preferences within the App, such as whether you have completed the onboarding walkthrough. These contain no personally identifiable information.
Because we use only strictly necessary local storage (with no third-party tracking or advertising elements), we are not required to display a cookie consent banner. If you clear your browser's localStorage, you will be logged out and any local preference flags will be reset.
10. Security
We take the security of your personal data seriously and implement technical and organisational measures designed to protect it against unauthorised access, disclosure, alteration, or destruction. Our key security measures include:
- Encryption in transit: All data transmitted between your browser or device and the Service is encrypted using TLS (Transport Layer Security).
- Encryption at rest: Data stored in our database (including bank account details and personal information) is encrypted at rest using AES-256 encryption, implemented via Supabase.
- Passwordless authentication: We use one-time passcodes (OTP) delivered by email rather than passwords. This eliminates the risk of password reuse, credential stuffing, and password theft.
- Security proxy: All database and API calls are routed through a Cloudflare security proxy layer, which provides additional protection against DDoS attacks, malicious traffic, and other common threats.
- Ongoing security review: We conduct regular reviews of our security posture and practices, and we respond promptly to any identified vulnerabilities.
While we take all reasonable steps to protect your personal data, no transmission over the internet and no method of storage can be guaranteed to be 100% secure. If you discover or suspect a security vulnerability in the Service, please report it responsibly to contact@partiitrip.com.
11. International Data Transfers
Where personal data is transferred outside the United Kingdom or the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with UK GDPR. The international transfers involved in operating the Service are as follows:
- Supabase: Data is hosted in the EU (Ireland, which remains an adequate jurisdiction for UK data transfers under current UK adequacy regulations). No transfer outside the EU/EEA occurs for primary data storage.
- OpenAI: OpenAI is headquartered in the United States. Anonymised prompts may be processed on OpenAI's US infrastructure. We rely on Standard Contractual Clauses (SCCs) as the transfer mechanism for any personal data transferred to OpenAI in the US, to the extent such data is deemed personal data under applicable law.
- Sentry: Crash data is processed in the EU where possible. Anonymised data means that in many cases no personal data is transferred.
- Cloudflare: Cloudflare operates a global network. Cloudflare's data transfer practices are governed by its Privacy Shield successor arrangements and standard contractual clauses, as set out in Cloudflare's own privacy documentation.
If you have questions about the safeguards we have in place for international data transfers, contact us at contact@partiitrip.com.
12. Children
The Service is not directed at, and is not intended for use by, individuals under the age of 18. We do not knowingly collect personal data from children under 18.
If you are a parent or guardian and you believe that your child has provided personal data to PartiiTrip without your consent, please contact us immediately at contact@partiitrip.com. We will take prompt steps to identify and delete any personal data belonging to a child that has been collected without appropriate consent.
Where a user is between 16 and 18 years of age and wishes to use the Service, verifiable parental or guardian consent must be obtained in accordance with our Terms & Conditions.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, changes to the Service, or updates to applicable data protection law. The effective date of the current version is shown at the top of this page.
When we make material changes - meaning changes that significantly affect how we collect, use, or share your personal data, or that affect your rights - we will notify you:
- By email to the address associated with your Account (where held), at least 14 days before the change takes effect; and/or
- By a prominent notice within the App or on the website, displayed before or at the time you next use the Service after the change has been made.
For minor or non-material changes (such as clarifications, corrections, or updates that do not alter the substance of the policy), we may update this page without prior notice. We recommend reviewing this page periodically.
Your continued use of the Service after the effective date of any revised Privacy Policy constitutes your acceptance of the changes. The current version of this policy is always available at partiitrip.com/privacy.html.
14. Contact and Complaints
For all data protection queries, subject access requests, or requests to exercise your UK GDPR rights, please contact us at:
Email: contact@partiitrip.com
Website: partiitrip.com
We will acknowledge your request promptly and respond fully within 30 days.
If you are not satisfied with our response to your data protection concern, or if you believe that we are processing your personal data in a manner that is not compliant with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent supervisory authority for data protection:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the opportunity to address your concern directly before you contact the ICO, and encourage you to contact us in the first instance.