TripSync Privacy Policy
Effective date: 8 April 2026
Last updated: 8 April 2026
This Privacy Policy explains how TripSync (“TripSync”, “we”, “us”, or “our”) collects, uses, stores, shares, and protects information when you use the TripSync mobile application (the “App”) and related services (collectively, the “Service”).
By using TripSync you agree to the practices described in this Policy. If you do not agree, please do not use the Service.
1. Who we are
TripSync is operated by Vartaal (“we”). TripSync is a school field trip coordination app that helps trip organizers, chaperones, and parents communicate and share updates during a school field trip.
For privacy questions, contact us at neelagiri@outlook.com.
2. The information we collect
We collect only the information needed to run the App. We do not sell personal data, we do not use it for advertising, and we do not collect information from your device beyond what’s listed below.
2.1 Information you provide directly
| Data | When we collect it | Why |
|---|---|---|
| Email address | When you create an account | Account identifier; used to send sign-in codes (one-time passwords) |
| Display name | During account setup or in your Profile | Shown to other trip participants so they can recognize you |
| Password (optional) | When you choose to set a password | Lets you sign in without an email code |
| Avatar / profile photo (optional) | When you upload one in your Profile | Shown to other participants |
| Phone number (optional) | If you choose to add it | Lets organizers contact you in an emergency |
2.2 Information generated while you use the App
| Data | Source | Why |
|---|---|---|
| Trip posts and photos | Created by you (organizers and chaperones) | Shared with other participants of the trip |
| Direct messages | Sent by you to other participants | Private communication between parents and chaperones, or among staff |
| Check-ins | Created by chaperones at pre-defined trip stops | Lets parents and organizers know where a group is. Check-ins are not GPS coordinates — they are the name of a stop (e.g. “Visitor Center”) chosen from a list created by the organizer |
| Headcount | Entered by chaperones | Group-level attendance, not per-student |
2.3 Information about students (children)
When an organizer or chaperone sets up a trip, they enter a student roster. For each student, the App stores:
- The student’s name (typically a first name and last initial)
- Optional health notes (e.g. allergies, medications) entered by the organizer or chaperone
- The student’s group assignment
- The student’s parent/guardian email address (so the parent can be invited to the trip in the App)
Students do not have accounts and cannot sign in. Their information is visible only to:
- The organizer of the trip
- The chaperone assigned to the student’s group
- The parents/guardians linked to that student via a household record
The school or organizer that creates the trip is responsible for obtaining the necessary consent from parents and guardians before entering a child’s information into TripSync. Parents who use TripSync consent to their child’s information being shared with the organizer and chaperone of the specific trip they participate in.
We treat all student information as personal and sensitive data and apply the same protections to it as to adult user data, plus the additional protections in Section 8 (Children’s data) below.
2.4 Technical information
| Data | Source | Why |
|---|---|---|
| Push notification token | Provided by your device’s operating system when you grant notification permission | Lets us deliver notifications about new posts and messages. We use the Expo Push service to send notifications |
| Authentication tokens / session cookies | Generated when you sign in | Keeps you signed in between app launches |
| App and database logs | Generated by our backend (Supabase) | Used for debugging, security, and abuse prevention. Logs may include your user ID, IP address, and the actions you took, retained for up to 90 days |
2.5 What we do NOT collect
To be explicit, TripSync does not collect:
- GPS coordinates or precise location
- Your contacts list
- Calendar entries
- Browsing history
- SMS or call logs
- Microphone audio
- Camera feed (we only access the camera when you tap the photo button to attach a photo to a post — and only for the duration of that action)
- Advertising identifiers or ad-tracking data
- Financial information (TripSync does not currently process payments)
- Biometric data
- Health data, except for the student health notes voluntarily entered by an organizer or chaperone (see Section 2.3)
We do not embed third-party advertising SDKs or analytics SDKs.
3. How we use your information
We use your information only to provide the Service. Specifically, we use it to:
- Authenticate you and keep you signed in
- Display your posts, photos, and messages to the people you intended to share them with (your trip’s participants)
- Notify you about activity that is relevant to you (new posts, new messages, check-ins)
- Connect parents with the chaperone of their child’s group
- Operate, maintain, secure, and improve the Service
- Investigate and prevent abuse, fraud, and security incidents
- Comply with legal obligations
We do not use your data for advertising, profiling, or training machine learning models.
4. Who we share your information with
4.1 Other users of TripSync
The whole point of the App is to share information with other people on your trip. Specifically:
- Trip organizers can see all participants, posts, messages they send or receive, and student information for the trips they create.
- Chaperones can see participants of their trip, group rosters, student information for students in their group, posts in the trip feed, and messages they send or receive.
- Parents can see posts in the feed of trips their child is on, the My Group view (their child’s chaperone and groupmates), and messages they exchange with their child’s chaperone.
4.2 Service providers (data processors)
We use the following service providers to operate TripSync. Each is bound by contract to use your data only to provide services to us.
| Provider | What they process | Where |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage, server-side logic | United States and/or European Union, depending on the project region |
| Expo (Exponent, Inc.) | Push notification delivery (push token + notification body) | United States |
| Resend | Email delivery for sign-in codes and account notifications | United States |
| Apple Inc. / Google LLC | App distribution, device-level push notification routing | Per their respective privacy policies |
4.3 Legal disclosures
We may disclose your information if we are required to do so by law, court order, or other valid legal process, or if we believe in good faith that disclosure is necessary to protect the rights, safety, or property of TripSync, our users, or the public.
4.4 We do not sell your data
We do not sell, rent, or trade your personal information to third parties for their own marketing or commercial purposes.
5. How we secure your information
- Encryption in transit: all communication between the TripSync app and our backend uses HTTPS / TLS.
- Encryption at rest: user data is stored in Supabase’s managed Postgres database, which is encrypted at rest.
- Private storage: photos and other media are stored in a private storage bucket. They are accessible only via short-lived signed URLs generated for authenticated users who are entitled to view them.
- Access controls: our database uses row-level security policies so a user can only read or modify the records they are entitled to (their own profile, posts in trips they are members of, messages they sent or received, etc.).
- Authentication: we offer email one-time passwords and optional password authentication. Passwords are hashed (we never store plaintext passwords) and never transmitted to other users.
- Operational security: access to production systems is limited to authorized personnel.
No system is perfectly secure. If we become aware of a security incident that affects your personal data, we will notify you and the relevant authorities as required by applicable law.
6. Data retention
- Active accounts: we retain your account data and the content you’ve created for as long as your account is active.
- Trip data: trip records (posts, messages, check-ins, photos) are retained for the duration of the trip and afterward as part of the trip’s history, so participants can refer back to it.
- Server logs: retained for up to 90 days and then deleted.
- Deleted accounts: when you request account deletion (see Section 7), we will delete or anonymize your personal data within 30 days.
7. Your rights and choices
Depending on where you live, you have some or all of the following rights regarding your personal information:
- Access — request a copy of the personal information we hold about you
- Correction — ask us to correct inaccurate or incomplete data (you can also edit your name and other profile fields directly in the app)
- Deletion — ask us to delete your account and associated personal data
- Portability — request your data in a machine-readable format
- Restriction / objection — ask us to limit certain processing
- Withdraw consent — where we rely on consent to process data, you can withdraw it at any time
How to exercise your rights
To request account deletion, follow the instructions at our Account Deletion page (linked from our Google Play and App Store listings).
To exercise any other right, email neelagiri@outlook.com with a subject line that describes your request and the email address associated with your account. We respond within 30 days.
You may also contact your local data protection authority if you believe we have not handled your data lawfully.
Note about shared trip data
If you delete your account, your personal profile and the content you’ve authored (your posts, messages, photos) will be deleted. Trips you organized may be retained for the benefit of other participants (chaperones and parents who took part in the trip). Where this happens, your name is removed from the organizer field.
8. Children’s data
TripSync is not directed at children, and children cannot sign up for or use TripSync directly. The App is intended for adults — school staff, chaperones (typically volunteer parents), and parents/guardians of children participating in a field trip.
Information about children appears in the App because it is the nature of a school trip coordination tool. That information (name, group assignment, optional health notes, photos taken during the trip) is entered by adults — the organizer, chaperones, and the child’s own parents — and is shared only with the limited group of adults responsible for that specific trip.
We rely on the school or trip organizer to obtain the necessary parental or guardian consent before entering a child’s information into TripSync. TripSync provides organizers and chaperones with tools to add, edit, and delete this information at any time. Parents and guardians may also request deletion of information about their child by emailing neelagiri@outlook.com.
We do not:
- Allow children to create accounts in TripSync
- Collect any information from children’s devices
- Use information about children for advertising, profiling, or any purpose other than enabling trip coordination among the adults responsible for that trip
- Share information about children with any third party except the service providers listed in Section 4.2, all of which are bound to process data only on our instructions
If you believe a child’s information has been entered into TripSync without proper authorization, please contact us at neelagiri@outlook.com and we will investigate and remove the information promptly.
9. International data transfers
TripSync operates from California, USA. Our service providers (see Section 4.2) may store and process your information in the United States, the European Union, or other countries where they operate. Where personal data is transferred internationally, we rely on standard contractual clauses or equivalent safeguards.
10. App permissions we request
TripSync only asks for permissions it actually needs:
- Notifications — to deliver alerts about new posts and messages. You can decline this and the rest of the App still works.
- Photos / Camera — only when you tap the photo button to attach a photo to a post. We never access the camera or photo library without an explicit action by you.
- Internet — required for the App to communicate with our backend.
The App does not request location, contacts, microphone, calendar, SMS, call logs, or any background access.
11. Changes to this Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. Material changes will be communicated through the App or by email before they take effect. Your continued use of TripSync after a change means you accept the updated Policy.
12. Contact us
If you have any questions about this Privacy Policy or how TripSync handles your data, please email us at neelagiri@outlook.com. If you need our postal mailing address (for example, to exercise a legal right that requires written correspondence), email us and we will provide it.
If you are in the European Economic Area or the United Kingdom, you also have the right to lodge a complaint with your local data protection authority.