Privacy Policy
Last updated: 2026-05-02 · Effective at first public release · DRAFT pending legal review
1. Who we are
OneTrip is operated by Securight Pty Ltd (ABN to be inserted), a company registered in Australia. Contact: privacy@onetrip.com.au.
For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR and the UK Data Protection Act 2018, Securight is the data controller of personal data processed through the OneTrip iOS app.
2. What we collect
2.1 Account data (provided by you, via Apple Sign In or Google Sign In)
- Email address — for account identity and security alerts. If you use Apple's "Hide My Email" relay, we receive only the relay address.
- Display name — first name only is required; last name optional. Stored on your profile so trip companions can see who you are.
- Apple / Google user identifier — opaque, stable across sign-ins; we never receive your Apple ID password or Google account password.
2.2 Trip content (provided by you and your trip members)
- Trip titles, dates, destinations, cover photos.
- Ideas, places, comments, and votes that you or your trip members add.
- Expenses, splits, and settle-up records.
- Pasted source URLs (e.g. TikTok, Google Maps, blog links) which our AI agents process to extract place data.
2.3 Telemetry and product analytics (collected automatically)
- App version, OS version, device model — to debug crashes and route compatibility fixes.
- Pseudonymous product-interaction events (e.g. "trip created", "idea added", "expense split") — to measure whether features are usable. These are linked to your user ID inside our systems for support and abuse-detection purposes, but are not used for advertising or cross-app tracking.
- Crash reports — stack traces, device state, and app logs at the moment of crash. PII is redacted before the report is transmitted.
Telemetry is processed by Securight Observe, our own first-party telemetry platform. We do not use Firebase Analytics, Mixpanel, Amplitude, Segment, or any cross-app advertising SDK.
2.4 What we do NOT collect
- We do not access your Camera, Photo Library, Location, or Contacts in this release.
- We do not track you across other apps or websites. Apple's App Tracking Transparency dialog is therefore not required and is not shown.
- We do not sell personal data. Ever.
3. How we use your data
- To provide the service — show your trips, sync between your devices and your trip members, generate AI suggestions, split expenses.
- To improve the service — fix crashes, debug issues you report, evaluate AI accuracy on a sampled, redacted subset of suggestions.
- To keep you safe — detect abuse (e.g. one user firing thousands of agent calls per hour), enforce per-user rate limits, comply with platform terms.
- To comply with the law — respond to lawful requests, retain records where required by Australian tax / corporate law.
4. Who we share with (sub-processors)
We share data with the third parties below, and only as required to deliver the service. We do not share your data with advertisers, data brokers, or marketing platforms.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Postgres database, Auth, Edge Functions, Realtime, Storage | AWS Sydney (ap-southeast-2) |
| Apple Inc. | Sign In with Apple, App Store distribution | USA / EU |
| Google LLC — Sign In | Google Sign In identity | USA |
| Google LLC — Gemini API | AI agent inference (Scout, Local, future agents). PII redacted before each call. | USA / EU (Google Cloud) |
| Google LLC — Places API | Verifying that AI-suggested places exist, are operating, and have current opening hours | USA |
| Cloudflare Inc. | CDN, image hosting (R2), DDoS protection | Global edge, primary AU |
| Securight Observe | Our own first-party telemetry, crash reporting, and analytics | AWS Sydney (ap-southeast-2) |
Each sub-processor is bound by a Data Processing Agreement that limits use of the data to the purpose listed above. We review this list annually and publish material changes here.
5. Data retention
- Active trips and account data — kept while your account is active.
- Deleted trips — soft-deleted for 30 days (so a member can restore), then hard-deleted from the primary database. Backup snapshots persist for up to 30 further days.
- AI agent audit log — every AI call is logged for trust and abuse detection; the log is kept for 13 months then permanently deleted.
- Crash and telemetry — 90 days, then aggregated and the raw events are deleted.
- Account deletion — on your request, we delete your account, profile, AI audit rows, and de-identify any orphaned trip content within 30 days. See §6 (Erasure).
6. Your rights (GDPR Articles 15–22, AU Privacy Act APP 6 / 12 / 13)
- Access (Art. 15 / APP 12) — request a copy of the personal data we hold about you.
- Rectification (Art. 16 / APP 13) — correct any inaccurate data. You can edit your profile in-app; for everything else, email us.
- Erasure / "right to be forgotten" (Art. 17) — delete your account and associated data. In-app: Settings → Account → Delete account. Or email us.
- Restriction (Art. 18) — pause processing while we resolve a complaint.
- Data portability (Art. 20) — export your trips, ideas, and expenses as JSON. In-app or by email request.
- Object (Art. 21) — object to processing on legitimate-interest grounds.
- Lodge a complaint — with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or your national EU Data Protection Authority.
To exercise any of these rights, email privacy@onetrip.com.au. We will respond within 30 days.
7. Children
OneTrip is not directed at children under 13. Apple's App Store age rating for OneTrip is 4+ on the basis that the in-app content is private, group-scoped, and free of mature themes; however, an account requires Sign In with Apple or Google, which both providers gate separately. We do not knowingly collect personal data from children under 13. If you believe a child has signed up, email us and we will delete the account.
8. Security
- All data in transit is encrypted with TLS 1.3.
- All data at rest in Supabase is encrypted with AES-256.
- Auth tokens are stored in the iOS Keychain. They are never written to UserDefaults.
- Every database table has Row-Level Security enforced; trip content is only readable by trip members.
- We run automated dependency scanning, secrets scanning, and code reviews on every release.
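As an added illustration of the Row-Level Security rule above (this is not OneTrip's schema; the table names, columns, and the trip_members membership table are assumptions), the following Supabase Postgres policies make trip content readable and writable only by trip members. auth.uid() is Supabase's helper that returns the caller's JWT "sub" claim as a uuid.

```sql
-- Added illustration, not OneTrip's schema: table names, columns and the
-- trip_members table are assumptions. auth.uid() is Supabase's helper that
-- returns the caller's JWT "sub" claim as a uuid.

create table if not exists trip_members (
  trip_id uuid not null,
  user_id uuid not null,
  primary key (trip_id, user_id)
);

create table if not exists ideas (
  id        uuid primary key default gen_random_uuid(),
  trip_id   uuid not null,
  author_id uuid not null default auth.uid(),
  body      text not null
);

-- Membership check as a SECURITY DEFINER function. A policy on trip_members
-- that selected from trip_members would re-enter its own policy and fail with
-- "infinite recursion detected"; the definer function reads the table directly.
create or replace function is_trip_member(p_trip_id uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1 from trip_members
    where trip_id = p_trip_id and user_id = auth.uid()
  );
$$;
revoke all on function is_trip_member(uuid) from public;
grant execute on function is_trip_member(uuid) to authenticated;

-- Enable RLS and FORCE it so the table owner is not exempt.
-- With RLS enabled and no policy, a table returns no rows (deny by default).
alter table trip_members enable row level security;
alter table trip_members force row level security;
alter table ideas enable row level security;
alter table ideas force row level security;

-- Members may see who else is on their trips. No insert policy exists, so
-- users cannot add themselves; membership changes go through trusted
-- server-side code instead.
create policy trip_members_select on trip_members
  for select to authenticated
  using (is_trip_member(trip_id));

-- Trip content: readable only by members.
create policy ideas_select on ideas
  for select to authenticated
  using (is_trip_member(trip_id));

-- Writes: only members, and the new row must be attributed to the caller.
create policy ideas_insert on ideas
  for insert to authenticated
  with check (author_id = auth.uid() and is_trip_member(trip_id));

-- Edits and deletes: only the row's author.
create policy ideas_update on ideas
  for update to authenticated
  using (author_id = auth.uid())
  with check (author_id = auth.uid() and is_trip_member(trip_id));

create policy ideas_delete on ideas
  for delete to authenticated
  using (author_id = auth.uid());

-- Check from psql: impersonate an app user the way PostgREST does and confirm
-- that a non-member sees nothing. The uuid below is a made-up test subject.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
  select count(*) from ideas;   -- 0 unless that uuid is in trip_members
rollback;
```

Two caveats a reviewer would check: the Supabase service-role key bypasses RLS entirely, so it must only ever be used server-side (Edge Functions), never embedded in the iOS app; and "enabled" is not the same as "tested", so the impersonation check at the end belongs in the release pipeline next to the dependency and secrets scans.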
9. AI transparency (EU AI Act Article 50)
OneTrip uses generative AI to extract places from URLs you paste, verify their freshness, and (in future releases) suggest day plans and respond to your questions. Per the EU AI Act Article 50, effective 2 August 2026:
- Every AI-generated card in OneTrip carries a visible label identifying the producing agent (e.g. "Authored by Scout"), a confidence pill, a citation to the source URL, and an expandable "Why this?" reasoning panel.
- Machine-readable provenance — JSON served to the client carries generative_ai: true, agent_id, model_version, and a UTC timestamp.
- User input is never inserted into the system prompt. User-provided strings are passed to the model as data, not as instructions.
- PII redaction before every model call.
- We adopt the European Commission's draft Code of Practice for Transparency in Generative AI (March 2026) as a floor.
The OneTrip agent audit log can produce, on request, a record showing: which agent generated which suggestion, on what input, with which model version, and what the redacted trace looked like.
10. International transfers
Your data is stored primarily in Sydney, Australia. Some sub-processors operate from the United States (Apple, Google Gemini, Google Places). Where personal data of EU/UK residents is transferred outside the EU/UK, to Australia or the US, we rely on the EU–US Data Privacy Framework (Apple, Google) or Standard Contractual Clauses (Cloudflare, and Securight Observe in Australia).
11. Changes to this policy
If we change how we handle your data, we will update this page, bump the "Last updated" date at the top, and (for material changes) send an in-app notice and email at least 30 days before the change takes effect.
12. Contact
For privacy questions or to exercise any right above, email privacy@onetrip.com.au. For general support, see /support.
This page is a draft. Final wording subject to legal review before App Store submission.