Privacy Policy

Last updated: May 26, 2026

In Short

The team here regularly use TripWaffle for our own travels and we value the sanctity of your data as much as our own. We take this responsibility seriously and are generally far more conscientious and ethical than your average Acme MegaTravelCorp™.

Information We Collect

Account Information

You can create an account with Sign in with Google or Sign in with Apple. Depending on the provider you choose, we receive and store:

  • Your name and email address
  • Your Google profile picture (Google sign-in only)
  • A unique identifier from the sign-in provider

If you choose Apple's "Hide My Email" option, we receive a private relay address instead of your real email. Apple forwards messages we send to that address on to your real inbox. We never see your real email in that case.

Trip and Event Data

To provide our service, we collect and store information about your trips and travel events, including:

  • Trip names and dates
  • Flight details (airlines, flight numbers, airports, times)
  • Accommodation information (hotel names, addresses, dates)
  • Transportation bookings
  • Other events and activities you add
  • Booking confirmation codes (also known as PNRs or record locators)
  • Notes, costs, and additional details you provide
  • Files you attach to events

Email Forwarding

When you forward booking confirmation emails to TripWaffle, we process the message content using AI to extract travel information and create events in your itinerary.

The original message is retained briefly so we can create your itinerary and debug parsing issues, then automatically deleted within 30 days. The exception to this is that any ticket-related PDFs are attached to your travel events, for convenience.

Any travel data extracted from the message remains on your itinerary until you delete it. Once deleted, that information is gone forever (subject to rolling backups expiring).

Activity and Usage Data

We log information needed to operate and debug the Service, including:

  • Page views, button clicks, and feature usage within the app
  • Performance and error data (slow queries, failed requests)
  • Referral source and landing page when you first visit

Technical Information

We automatically collect:

  • IP address and approximate location
  • Browser type and device information
  • Session data for authentication
  • Push notification tokens (if you enable notifications)

How We Use Your Information

We use your information to:

  • Provide and maintain the TripWaffle service
  • Create and organize your travel itineraries
  • Send real-time flight status updates and notifications
  • Parse forwarded booking emails to create events automatically
  • Generate AI-powered trip insights, packing suggestions, and travel tips
  • Display weather, currency, visa, and destination information for your trips
  • Send optional emails (pre-trip checklists, check-in reminders, re-engagement) that you can unsubscribe from at any time
  • Improve the service and fix issues
  • Communicate with you about service updates

Sharing and Public Links

TripWaffle includes several user-initiated features for sharing trip data. Each is opt-in and you control the audience:

  • Direct sharing with named users you invite by email. Each invitee receives a read-only or read/write role you choose, and you can revoke access at any time.
  • Public trip links that anyone with the URL can view. These pages hide booking confirmation codes, costs, notes, and attachments. You can revoke or rotate the link at any time.
  • Public stats links that anyone with the URL can view. These pages are intentionally indexable by search engines so you can share them publicly. You can revoke them at any time.
  • Calendar feeds at tokenized URLs you can subscribe to in Google Calendar, Apple Calendar, or similar apps. Anyone with the feed URL can read the trip data, so treat the URL as a secret.

We do not share your trip data with anyone else without your consent.

Third-Party Service Providers

To deliver the Service, we rely on a small number of vendors. We share only the minimum data each vendor needs to do its job:

  • Authentication providers for sign-in (Google OAuth and Sign in with Apple).
  • Inbound email processor that receives the messages you forward to your TripWaffle alias.
  • Flight, airport, and aircraft data providers for live flight status, schedules, and tracking.
  • Mapping and place-information provider for location lookups, addresses, and photos.
  • Weather data provider for destination forecasts.
  • Push notification provider that delivers app notifications to iOS and Android devices.
  • Outbound email service that sends transactional and notification emails.

Each provider has its own privacy policy. We do not sell your data to any of them.

Data Storage and Security

We take the security of your data seriously:

  • All data is transmitted over HTTPS (encrypted connections)
  • Session cookies are sent only over encrypted connections and cannot be read by JavaScript in your browser, which protects them from common cross-site scripting attacks
  • We use Google and Apple sign-in instead of storing passwords
  • State-changing requests are protected with CSRF tokens, and write endpoints enforce per-user rate limits
  • The server runs a network firewall, automated brute-force detection that bans abusive IPs, and a web application firewall that filters common attack patterns
  • Sensitive files and configuration are blocked from direct web access, and operating-system and dependency updates are applied regularly
  • Backups are kept on access-restricted infrastructure, with regular off-site copies sent over an encrypted channel
  • Access to user data is restricted to essential operations

Data Retention

We retain your account, trip, and event data for as long as your account is active. You can delete individual trips, events, and attachments at any time. Forwarded-email logs and the data extracted from them are kept for debugging and quality improvement. Activity and analytics logs are kept for up to 180 days. If you wish to delete your entire account and all associated data, please contact us via our support page.

Your Rights

You have the right to:

  • Access and view your personal data within the app
  • Edit or delete your trips, events, and attachments
  • Request a copy of your data
  • Request deletion of your account
  • Opt out of email categories from your subscription settings, or via the unsubscribe link in any email
  • Opt out of push notifications in your device or browser settings

Children's Privacy

TripWaffle is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

What We Don't Do

  • We do not sell your personal data
  • We do not use your data for targeted advertising
  • We do not share your trip details with anyone outside the service providers listed above without your consent
  • We do not access your Google account beyond the basic profile information you grant at sign-in

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

Contact Us

If you have questions about this Privacy Policy or your personal data, please get in touch via our support page.