Policies and disclosures

Product terms, privacy details, and operational disclosures that match how Tripanomics works today.

Privacy Policy

Last updatedMay 22, 2026

Review cadenceat least every 6 months and before launching a new processor, analytics event family, or data-rights workflow.

1. Who we are

Tripanomics is operated by Shard Software LLC, doing business as Tripanomics.

Website: https://tripanomics.com
Support and privacy contact: support@tripanomics.com
Mailing address: 4030 Wake Forest Road Ste 349, Raleigh, NC 27609, United States

2. What this policy covers

This policy explains how Tripanomics collects, uses, shares, and retains information when you browse the site, create an account, generate or share itineraries, buy a plan, or contact support.

3. Information we collect

Category	Examples	Why we collect it
Account and profile data	Email address, authentication identifiers, display name, profile metadata	Create your account, sign you in, and personalize your dashboard
Trip inputs and itinerary content	Destination, dates, travelers, budget, preferences, accessibility needs, generated itinerary content, saved share state	Generate, save, and let you manage itineraries
Generation and enrichment request context	Trip inputs, preference context, selected constraints, destination queries, and limited prompt context needed to generate or enrich an itinerary	Produce itinerary output, retrieve travel data, troubleshoot quality issues, and prevent abuse
Billing and subscription data	Stripe customer and subscription references, current plan, billing status, cancellation state	Sell paid plans, manage renewals, and support billing questions
Product analytics	Consent state, PostHog anonymous or user identifiers, page paths, event names, and product-usage metadata	Measure product usage only after you allow analytics
Support and email activity	Transactional email events, support messages, resend attempts, delivery metadata	Send account and billing emails and respond to requests
Security and operational data	Rate-limit and IP metadata, error logs, and admin audit entries for privileged actions	Protect the service, detect abuse, and investigate incidents

4. How we collect information

We collect information:

directly from you when you create an account, edit your profile, generate an itinerary, contact support, manage billing, or change settings;
automatically through required authentication, security, consent, and product-operation events;
from third-party sign-in, billing, mapping, analytics, and enrichment providers when you use features that depend on them; and
from public or partner-provided travel data sources when we enrich itinerary output.

5. How we use information

We use the information above to:

operate accounts, authentication, and saved itineraries;
generate travel plans and related map, recommendation, and sharing features;
process payments and manage subscriptions;
send transactional emails such as verification, password reset, receipts, and service notices;
send optional marketing or product-update communications if you opt in or where otherwise permitted by law;
measure product usage after analytics consent;
if you leave recommendation learning enabled, log which itinerary venues and booking surfaces you click, share, or export so the product can learn which recommendations are actually useful; and
protect the service against abuse, fraud, and reliability issues.

6. Itinerary generation and recommendation data

When you ask Tripanomics to generate or refine an itinerary, we may send the minimum practical trip context to our configured AI provider and enrichment providers. That context can include destination, dates, trip length, budget, traveler count, stated preferences, accessibility needs you choose to provide, generated itinerary content, and retrieval results from travel-data providers.

Itinerary generation is not used to make legal, employment, credit, housing, insurance, or similarly significant decisions about you. It is used to create travel-planning output and related recommendations.

We do not sell trip content or itinerary history. We may use aggregated, de-identified, or product-usage signals to understand which recommendations are useful, improve ranking and retrieval quality, debug failures, and prevent abuse.

7. Legal bases for processing

If you are in the EEA, UK, or another jurisdiction that requires a legal basis for processing, we generally rely on:

performance of a contract when we provide the service you asked for, such as account access, itinerary generation, billing, or support;
consent where required, such as optional analytics;
legitimate interests in operating, securing, improving, and supporting the service; and
legal obligations where we must keep records, respond to lawful requests, or prevent fraud and abuse.

8. When we share information

We share information only with service providers that help us run the product, including:

Supabase for authentication and database hosting;
Stripe for checkout, subscriptions, billing portal, and payment records;
Resend for transactional email delivery;
PostHog for product analytics after consent;
Sentry for error monitoring;
Upstash Redis for rate limiting and operational counters;
Vercel or another selected deployment host for website hosting, server runtime, logs, and content delivery;
Anthropic or OpenAI for itinerary generation when an itinerary request is processed;
Google OAuth and Google Places for sign-in or destination and place lookups;
Mapbox for map tiles and map interactions;
Cloudflare Turnstile for bot protection; and
travel-data and enrichment providers such as Foursquare, Ticketmaster, Unsplash, Pexels, Viator, and Open-Meteo when a trip request needs those lookups.

AI providers and travel-data providers receive only the context needed for the requested generation, lookup, or enrichment task. They may process that information under their own security, retention, and subprocessor terms when acting as our service providers or integrated providers.

We do not sell personal information or run advertising-targeting cookies.

See the separate Subprocessors page for the current launch-baseline vendor list.

9. Cookies and browser storage

We use a mix of required and optional browser storage:

Required storage keeps you signed in, protects admin sessions, and remembers your analytics choice.
Optional analytics storage is used only after you allow analytics.
On a fresh visit, Tripanomics does not initialize PostHog or send analytics ingest traffic until your consent state allows it.

See the separate Cookies & Device Storage page for the current storage inventory.

10. Retention

Current launch-baseline retention rules are:

account profile data and saved itineraries: until you delete the account or remove the content;
analytics data: up to 12 months;
error and security logs: up to 30 days unless a live incident requires longer retention;
email delivery logs: up to 30 days;
billing and accounting references: up to 7 years where required for accounting, fraud prevention, or tax compliance; and
deleted-account residual records: limited to records we must keep for fraud prevention, accounting, legal compliance, or dispute handling.

11. Your choices and rights

You can currently:

delete your account from Settings > Account;
export your data from Settings > Preferences;
change analytics consent from the banner or Settings > Preferences; and
request corrections or a manual access review by emailing support@tripanomics.com.

If you make an itinerary public, the share page becomes accessible to anyone with the link until you turn sharing off.

Unless you enable sharing, saved itinerary content is intended to remain private to your account and operational service providers.

If you are in the EEA or UK, you may also have rights to access, correct, delete, restrict, object to certain processing, or request portability of your personal information, subject to applicable law.

If you are a California resident, you may request information about the categories of personal information we collect, use, disclose, and retain, and you may request deletion or correction where applicable. We do not sell personal information or share it for cross-context behavioral advertising as those terms are used in California privacy law. Because we do not sell or share personal information for cross-context behavioral advertising, Global Privacy Control signals do not currently change our processing; you can still contact us directly with privacy requests.

12. International transfers

Some of our vendors may process data outside your country. We rely on the safeguards offered by those vendors and limit the data shared to what each feature needs.

13. Security

We use reasonable technical and organizational safeguards designed to protect personal information, including authentication controls, encryption in transit, payment processing through Stripe, access controls, and operational logging for security and abuse prevention. Payment card details are handled by Stripe and are not stored on our systems. We investigate suspected security incidents and provide notices where legally required. No internet-based service can guarantee absolute security.

See the separate Security Practices page for the current public security summary.

14. Children's privacy

Tripanomics is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn that a child under 13 provided personal information, we will delete it where required by law.

15. Changes to this policy

We may update this policy when the product, vendors, analytics behavior, or legal requirements change. When we do, we will update the "Last updated" date at the top of this page.

16. Contact

For privacy, export, correction, or deletion questions, email support@tripanomics.com.