Privacy Policy
Last Updated: April 2026
This Privacy Policy explains how TripWave ("we", "us") collects, uses, and protects your personal data when you use tripswaves.com. It is written to comply with the EU and UK General Data Protection Regulations ("GDPR" / "UK GDPR"), the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and other applicable privacy laws.
1. Who is the controller
TripWave is the "controller" of your personal data under GDPR Article 4(7). Until we appoint a formal Data Protection Officer, all privacy enquiries should go to [email protected].
EU residents may lodge a complaint with their national supervisory authority (list at edpb.europa.eu/about-edpb/board/members). UK residents may complain to the Information Commissioner's Office at ico.org.uk.
2. What we collect and why
We deliberately keep collection minimal. The categories below are exhaustive — we do not buy data from brokers, we do not maintain advertising profiles, and we do not sell personal data.
| Category | Examples | Why | Lawful basis (GDPR Art 6) | Retention |
|---|---|---|---|---|
| Account data | Email, hashed password | Create and authenticate your account | Contract — Art 6(1)(b) | While the account is active + 30 days after deletion (recovery window) |
| Profile preferences | Saved trips, wishlist, theme, language | Personalise the service | Contract — Art 6(1)(b) | While the account is active |
| Search queries | Destination, dates, filters | Return relevant results, improve search quality | Legitimate interest — Art 6(1)(f) | 14 days raw, then aggregated/anonymised |
| Server logs | IP, user agent, referrer, timestamp, response code | Security, abuse prevention, debugging | Legitimate interest — Art 6(1)(f) | 14 days, then deleted |
| Analytics events | Page views, click events (anonymised, no IP at rest) | Understand product usage | Consent — Art 6(1)(a) (cookie banner opt-in) | 13 months, then aggregated |
| Affiliate referral | Partner network, click ID (only on affiliate-link click) | Earn commission so the service stays free | Consent — Art 6(1)(a) (cookie banner opt-in to Marketing) | Stored by the partner network, not by us |
| Email correspondence | Whatever you send to privacy@ / support@ | Reply to your message | Legitimate interest — Art 6(1)(f) | 3 years from last contact |
| Transactional email | Email address used for welcome / password-reset emails | Operate the account | Contract — Art 6(1)(b) | Same lifetime as account |
3. Cookies and similar technologies
Detailed in our Cookie Policy. Strictly-necessary cookies are always on (login, language, security); functional, analytics, and marketing cookies fire only with your prior consent given via the cookie banner. Withdraw consent at any time via the Cookie Preferences link in the footer.
4. Third-party processors and recipients
- Cloudflare, Inc. (US, with EU edge) — TLS termination, bot management, content delivery. IP + request metadata in transit only.
- DigitalOcean, LLC (US, EU-hosted region) — application hosting and database. Holds account data + server logs.
- Resend, Inc. (US) — transactional email. Receives your email address and the body of emails we send to you.
- Google Workspace (US/EU) — when you contact us by email, your message lands in our Workspace inbox.
Where data is transferred outside the EEA / UK we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) plus technical safeguards (encryption in transit and at rest), aligned with Schrems II.
Affiliate networks
When you click an affiliate link, you leave TripWave and enter the partner's own site, with its own privacy policy. We do not transfer personal data to affiliate networks; the partner records the referral via cookies/click IDs only after you opt in to Marketing cookies. See Affiliate Disclosure.
5. Your rights
Email [email protected] from your registered address. We respond within 30 days at the latest (often within 72 hours), free of charge unless requests are manifestly unfounded or excessive.
- Access — copy of your personal data (Art 15 GDPR / CCPA §1798.100, 110)
- Rectification — correct inaccurate or incomplete data (Art 16 GDPR / CCPA §1798.106)
- Erasure / Deletion — "right to be forgotten" (Art 17 GDPR / CCPA §1798.105)
- Restriction of processing in specific cases (Art 18 GDPR)
- Portability — receive your data in a structured, machine-readable format (Art 20 GDPR / CCPA §1798.130)
- Objection to processing based on legitimate interests (Art 21 GDPR)
- Withdraw consent at any time, without affecting prior lawful processing (Art 7(3) GDPR)
- No automated decisions with significant effects (Art 22 GDPR — we don't make any)
California-specific rights (CCPA / CPRA)
- Right to know what personal information we collect, use, and disclose
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing — we do not sell or "share" (in the CPRA cross-context-advertising sense) personal data. We honour the Global Privacy Control (GPC) signal as a valid opt-out request.
- Right to limit use of sensitive personal information — we do not collect categories defined as sensitive under the CPRA.
- Right to non-discrimination for exercising any of the above.
6. Children
Not directed to children under 16; we do not knowingly collect data from them. If you believe we hold a child's data, email [email protected] and we will delete it.
7. Security
Measures appropriate to risk: TLS in transit, encryption at rest for backups, bcrypt password hashing, HttpOnly + Secure + SameSite=Lax authentication cookies, network-level DB access control, daily encrypted backups with 14-day retention, rate limiting on auth endpoints, fail2ban, automated security updates.
If a breach affects your data and creates a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours of becoming aware (GDPR Art 33–34).
8. International transfers
Where processors are based outside the EEA/UK (see §4), we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and supplementary technical safeguards. Copies of the SCCs in place can be requested at [email protected].
9. Retention summary
Detailed per category in §2. Short version: account data while active; server logs 14 days; analytics events 13 months; backups 14 days; correspondence 3 years.
10. Automated decision-making and profiling
We do not perform automated decision-making (including profiling) that produces legal or similarly significant effects on you.
11. Changes to this policy
Material changes are published here and we re-prompt you for cookie consent if categories or processors change in a way that affects you. Minor edits are reflected by the "Last Updated" date.
12. Contact
Privacy and data-protection requests: [email protected]
General support: [email protected]