Travl ("we", "our", or "us") operates the travel-planning service available at routebook.app(the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have under the General Data Protection Regulation (GDPR) and other applicable privacy laws.
By using the Service you acknowledge that you have read and understood this policy. If you do not agree, please stop using the Service and delete your account.
1. Data controller
The data controller responsible for your personal data is Travl, based in the Netherlands. For all privacy-related enquiries contact privacy@routebook.app.
2. Personal data we collect
2.1 Account data
- Email address — required to create and authenticate your account.
- Display name and avatar — optional, set by you in your profile.
2.2 Trip and content data
- Trip names, dates, descriptions, and cover images you create.
- Destinations, stops, places, lodging, and transit segments you add to trips.
- Comments, reactions, and mentions you post within the collaboration features.
- Invitations you send and pending-invite email addresses.
2.3 Usage and operational data
- Server access logs containing anonymised IP addresses, request paths, HTTP status codes, and timestamps, retained for 30 days.
- Aggregate, cookie-free analytics (page views, referrer, country) via Plausible Analytics. No personal identifier is stored.
2.4 Data you do not need to provide
We do not collect payment card numbers (processed directly by Stripe), government IDs, precise location (only place names you type), or any special-category data under GDPR Article 9.
3. Purposes and legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing, maintaining, and improving the Service | Art. 6(1)(b) — performance of contract |
| Authenticating your account and securing your session | Art. 6(1)(b) — performance of contract |
| Sending transactional emails (magic-link sign-in, trip invitations) | Art. 6(1)(b) — performance of contract |
| Sending optional digest or feature-announcement emails | Art. 6(1)(a) — consent (withdrawable at any time) |
| Detecting abuse, fraud, and security incidents | Art. 6(1)(f) — legitimate interest |
| Complying with legal obligations | Art. 6(1)(c) — legal obligation |
4. Subprocessors and data sharing
We share personal data only with the following vetted subprocessors. A Data Processing Agreement (DPA) is in place with each.
| Subprocessor | Role | Region |
|---|---|---|
| Supabase | PostgreSQL database and authentication | EU (Frankfurt) |
| Vercel | Application hosting and edge CDN | EU |
| Resend | Transactional email delivery | EU |
| Stripe | Payment processing (billing data only) | EU |
| Plausible Analytics | Cookie-free aggregate analytics | EU |
| OpenAI / Anthropic | AI-generated city-guide suggestions (place names only) | EU API endpoint |
We do not sell personal data. We do not share personal data with advertisers or data brokers.
5. International transfers
All primary processing occurs within the EU/EEA. Where a subprocessor transfers data outside the EEA, it does so under Standard Contractual Clauses (SCCs) adopted by the European Commission.
6. Data retention
- Active accounts: account and trip data are retained for the lifetime of your account.
- Deleted accounts: personal data is erased within 30 days of deletion, subject to the shared-trip freeze described below.
- Shared trips (owner-deleted account): trips enter a 7-day grace period during which any editor may claim ownership; if unclaimed, they are deleted along with your account data.
- Pending invites: invited email addresses are automatically purged 30 days after the invite was sent if not accepted.
- Server logs: anonymised access logs are deleted after 30 days.
- Billing records: retained for 7 years to satisfy Dutch and EU accounting obligations.
7. Cookies and tracking
The Service uses only strictly necessary cookies (authentication session cookies) and no third-party tracking cookies. Analytics are collected via Plausible Analytics, which does not set cookies or store any personal identifier. No consent banner is required.
8. Your rights under GDPR
As a data subject in the EU/EEA you have the following rights. To exercise them, visit your Account page or email privacy@routebook.app.
- Access (Art. 15) — obtain a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17)— request deletion of your personal data ("right to be forgotten").
- Portability (Art. 20) — receive your data in a machine-readable format (JSON export available in Account settings).
- Restriction (Art. 18) — ask us to restrict processing of your data while a complaint is pending.
- Objection (Art. 21) — object to processing based on legitimate interest.
- Withdraw consent — unsubscribe from optional emails at any time via the link in any email or in Account settings.
We will respond to verifiable requests within 30 days. If you are unsatisfied, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
9. Children's privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include encryption in transit (TLS 1.2+), encryption at rest, row-level security policies on the database, and access controls limited to authorised personnel.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to active users by email at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.
12. Contact
Privacy enquiries: privacy@routebook.app
Legal / DSA notices: legal@routebook.app