Last updated: April 20, 2026
TripTrack is an iOS application for recording personal car trips. This Privacy Policy explains what information we collect, how we use it, and the choices you have. It applies to the TripTrack mobile app and any server infrastructure we operate ("Service").
The developer of TripTrack ("we", "us") acts as the data controller for personal data processed through the Service. Contact: privacy@trip-track.app.
TripTrack works in two distinct modes. The data we process depends on which mode you use.
If you do not sign in, TripTrack stores all your data — trips, GPS tracks, photos, vehicle profiles, preferences — exclusively on your device using Apple's CoreData framework. No data leaves the device. In this mode we do not process any personal data on our servers.
If you sign in with Apple, your data can be synchronized with our server so it is available on your other devices. Cloud sync is opt-in and can be disabled at any time in the app (Profile → Cloud Sync).
For users in the European Economic Area, the United Kingdom, and jurisdictions with similar rules, we process each data category on the following lawful bases (GDPR Art. 6):
| Data | Purpose | Legal basis |
|---|---|---|
| Apple user ID, account UUID, device UUID | Create and authenticate your account | Contract — Art. 6(1)(b) |
| Email, display name | Account identification, social features, account recovery | Contract — Art. 6(1)(b) |
| GPS trips (uploaded on opt-in) | Deliver the sync service you enabled | Contract — Art. 6(1)(b) |
| Photos (EXIF stripped) | Deliver the sync service | Contract — Art. 6(1)(b) |
| Public profile, follows, reactions, trip shares | Deliver social features you enabled | Contract — Art. 6(1)(b) |
| Server access logs, IP addresses, abuse-report records | Security, abuse prevention, accountability | Legitimate interests — Art. 6(1)(f), Recital 49 |
| Account-deletion audit record (timestamp + opaque hash only) | Demonstrate compliance with Art. 17 requests | Legal obligation + legitimate interests — Art. 6(1)(c)+(f) |
We do not rely on consent as a legal basis for the core service. Using a feature (tapping Record, enabling cloud sync, making your profile public) is your affirmative action to use that feature under Art. 6(1)(b). This is intentional — it means there is no ambiguous "consent withdrawal" question for core features; you simply disable the feature and processing stops.
Precise location and special category data. GPS coordinates are not special-category data under GDPR Art. 9 per se. We do not derive, infer, or cluster users by visited-place type (e.g., health, religion, sexuality). We do not run machine-learning inference on trip coordinates. If our practice changes, this policy will be updated in advance.
When you use cloud sync, the following parties process data on our behalf or alongside us:
We do not sell or share your personal information. We do not use analytics SDKs, advertising networks, cross-app/site tracking, or any third-party trackers. We do not share data with advertisers. We do not use your content to train machine-learning models.
Our primary hosting is in the European Economic Area. Photo storage on Cloudflare R2 uses an EU-jurisdiction bucket; however, as a US-headquartered company, Cloudflare is subject to US law. We rely on Cloudflare's EU-US Data Privacy Framework certification and Standard Contractual Clauses as transfer mechanisms. Sign in with Apple authentication routes through Apple Inc. (United States) under the EU-US DPF. If you are in a jurisdiction with stricter cross-border rules, using cloud sync constitutes your informed consent to this transfer.
Depending on your jurisdiction, you have the following rights:
We respond to verified requests within 30 days.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately.
TripTrack is directed to adults and is not intended for children. The minimum age to use the App is 16 (matching the strictest GDPR Art. 8 threshold across EU member states). We do not knowingly collect personal data from children under 13 in the United States (COPPA), and will delete any account we learn belongs to a user under 13. If you believe a child has provided us with personal data, please contact us for prompt removal.
California (CCPA/CPRA). We do not sell or share your personal information as defined by California law. We do not use personal information for cross-context behavioral advertising. If you are a California resident, you may contact us to exercise rights to know, delete, correct, or access your data. We will verify your identity via the email on file.
Nevada (SB 220). Nevada residents may opt out of any future sale of their covered personal information by emailing privacy@trip-track.app. We currently do not sell personal information.
Washington (My Health My Data Act). Precise location data collected by the App may, in some cases, incidentally reveal visits to health-related facilities (e.g., a medical office, gym). To the extent any such data is classified as "consumer health data" under Washington law: (a) we collect it only when you actively record a trip; (b) we do not sell it; (c) we do not share it with advertisers; (d) we do not geofence health-facility locations; (e) you can delete it at any time by deleting the relevant trip or your account. Before any material change to this practice, we will obtain your separate opt-in consent. To exercise rights under RCW 19.373, email privacy@trip-track.app.
Other US states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, etc.). Residents of states with comprehensive privacy laws have rights similar to California's under their respective statutes. To exercise any such right, email privacy@trip-track.app.
We may update this Privacy Policy from time to time. Material changes will be announced in the app or by email. The "Last updated" date at the top always reflects the current version.
Questions, complaints, or data subject requests: