Privacy Policy
Last Updated: February 21, 2026 | Effective Date: February 21, 2026
1. Introduction
Trippix ("we," "us," or "our") values your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) (EU 2016/679) and the Dutch Implementation Act (Uitvoeringswet AVG / UAVG).
Data Controller:
Trippix, registered in the Netherlands
KVK: [Insert KVK Number]
Email: jeffrey@trippix.travel
2. Data We Collect
2.1 Data You Provide Directly
- Account Information: Name and email address (obtained via Google Sign-In or direct registration).
- Travel Preferences: Destination interests, travel dates, budget, dietary restrictions, and other inputs you provide to our AI.
- Communications: Messages you send to our support team.
2.2 Data Collected Automatically
- Technical Data: IP address, browser type, device type, operating system, and session data.
- Usage Data: Pages visited, features used, clicks, scrolls, and interaction patterns — collected via Google Analytics 4 (GA4) and Microsoft Clarity.
- Session Recordings & Heatmaps: Microsoft Clarity collects mouse movements, clicks, and session replays to help us understand usability. This data is pseudonymized.
- Cookies and Tracking Technologies: See our Cookie Policy for full details.
2.3 Data from Third-Party Sign-In
If you register using Google Sign-In, we receive your name, email address, and Google profile picture from Google LLC. We do not receive your Google password.
3. Legal Bases for Processing (GDPR Art. 6)
- Performance of Contract (Art. 6(1)(b)): Processing necessary to provide you with the Service — generating itineraries, managing your account.
- Legitimate Interest (Art. 6(1)(f)): Analyzing usage to improve our platform, detecting fraud, ensuring security, and understanding how users interact with our Service (GA4, Microsoft Clarity). Our legitimate interest is balanced against your rights.
- Consent (Art. 6(1)(a)): Marketing communications, non-essential cookies (e.g., tracking/marketing cookies). You may withdraw consent at any time.
- Legal Obligation (Art. 6(1)(c)): Compliance with Dutch legal requirements (tax records, court orders).
4. How We Use Your Data
- To provide personalized AI-generated travel itineraries via Google Gemini LLM.
- To manage your account and authenticate your identity via Google Sign-In (Firebase Authentication).
- To store your preferences, saved itineraries, and session data in our database (Firebase Firestore / Cloud Storage on Google Cloud).
- To analyze user behavior and improve the Service (Google Analytics 4, Microsoft Clarity).
- To send you transactional emails and, if you have consented, marketing communications.
- To detect abuse, fraud, and security threats.
- To comply with legal obligations.
5. Third-Party Data Processors & Recipients
We do not sell your personal data. We share data only with trusted service providers acting as data processors under GDPR Art. 28, each bound by a Data Processing Agreement (DPA). Below is the complete list of third parties with whom we share data:
5.1 Infrastructure & Database
- Google Cloud Platform (Google LLC, USA): Our primary cloud infrastructure hosting provider. All application data — including your account and itinerary data — is stored on Google Cloud servers. Google acts as a data processor. DPA: Google Cloud Data Processing Addendum. Safeguard: EU Standard Contractual Clauses (SCCs).
- Firebase (Google LLC, USA): We use Firebase Authentication for user login and Firebase Firestore/Cloud Storage for our database. Firebase is a Google Cloud product and is covered by the same Google DPA and SCCs.
5.2 Authentication
- Google Sign-In / Google Identity Services (Google LLC, USA): Used to allow you to log in with your Google account. When you use Google Sign-In, Google processes authentication data in accordance with Google's own Privacy Policy (https://policies.google.com/privacy). Google acts as an independent data controller for this authentication flow.
5.3 AI Processing
- Google Gemini (Google LLC, USA): We use Google's Gemini LLM API to process your travel preferences and generate itinerary suggestions. Your travel input data (prompts) is sent to Google for processing. We have a DPA with Google for this service. We do not send directly identifiable information (name, email) in prompts — only your travel preferences. Google's API Data Usage Policy applies. Safeguard: SCCs.
5.4 Analytics
- Google Analytics 4 / GA4 (Google LLC, USA): We use GA4 to collect anonymous and pseudonymous website usage statistics (page views, session duration, user journeys). IP addresses are anonymized. You can opt out via our Cookie Banner or by installing the GA Opt-out Browser Add-on. Safeguard: SCCs. Google acts as a data processor under our configuration.
- Microsoft Clarity (Microsoft Corporation, USA): We use Microsoft Clarity to record session replays, heatmaps, and user interaction data to analyze usability. Data is pseudonymized. Microsoft acts as a data processor. DPA: Microsoft Data Processing Agreement. Safeguard: SCCs.
5.5 Legal Authorities
- Competent Authorities: We may disclose your data to Dutch legal authorities, courts, or government bodies if required by applicable law or a valid legal order.
6. International Data Transfers
Several of our service providers (Google, Microsoft) process data in the United States. We ensure appropriate safeguards are in place for all transfers outside the European Economic Area (EEA), specifically:
- EU Standard Contractual Clauses (SCCs) under Commission Decision 2021/914, as applicable.
- Where applicable, supplementary technical measures (encryption in transit and at rest).
You may request a copy of the applicable SCCs by contacting us at the address in Section 1.
7. Data Retention
- Account Data: Retained for as long as your account is active, plus 12 months after deletion to comply with legal obligations.
- Usage & Analytics Data: Retained for up to 26 months (GA4 default maximum), then automatically deleted.
- Session Recordings (Microsoft Clarity): Retained for up to 30 days.
- Legal/Financial Records: Retained for 7 years in accordance with Dutch tax law (Belastingdienst requirements).
8. AI and Automated Decision-Making
We use the Gemini LLM to generate personalized travel suggestions based on your inputs. This processing:
- Does not produce legal effects or similarly significantly affect you (unlike automated credit scoring or profiling for employment).
- Is therefore not subject to the opt-out provisions of GDPR Art. 22, though you may always request human review of any output.
We minimize data sent to Gemini. We do not send your name or email as part of AI prompts — only travel preference data you explicitly provide.
9. Your Rights Under GDPR
As a data subject, you have the following rights under GDPR Articles 15–22:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- Right to Restriction (Art. 18): Request that we limit the processing of your data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling.
- Right to Withdraw Consent: Withdraw consent at any time (e.g., for marketing or non-essential cookies) without affecting prior processing.
To exercise any of these rights, please email us at jeffrey@trippix.travel. We will respond within 4 weeks (GDPR maximum: 1 month, extendable to 3 months for complex requests).
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl.
10. Security
We implement appropriate technical and organizational measures (TOMs) to protect your personal data, including:
- Encryption in transit (HTTPS/TLS) and at rest (Google Cloud encryption).
- Access controls and role-based permissions within Firebase.
- Regular security reviews and vulnerability assessments.
- Data minimization — we collect only what is necessary for the Service.
11. Children's Privacy
Our Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with their data, please contact us immediately and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or a prominent notice on the Service. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
13. Contact
Email: jeffrey@trippix.travel
KVK: [Insert KVK Number]
For data protection inquiries, please mark your email with the subject line: "Privacy Request — Trippix".