Privacy Policy

Effective 16 June 2026 · Applies globally with Thailand PDPA & EU GDPR specifics

TripTribe is a travel-intelligence platform used by travelers across Asia and Europe. We take privacy seriously because the data you share — tickets, locations, payments — is sensitive. This policy explains what we collect, what we redact, where it goes, and the rights you have under Thailand's Personal Data Protection Act (PDPA, B.E. 2562), the EU General Data Protection Regulation (GDPR), the UK GDPR, and other major Asian privacy laws.

1. Who we are

“TripTribe”, “we”, “us” or “our” refers to TripTribe, the operator of triptribe.io. We act as the data controller for personal data you submit through the Service, except where we act as a processor on behalf of an operator partner.

  • Operating entity: PassByte OÜ (registered in Estonia)
  • Registered address: Sakala tn 7-2, Kesklinna linnaosa, Tallinn, Harju maakond, 10141, Estonia
  • Privacy contact / DPO: passbyte@pm.me
  • EU establishment: As an Estonian company, PassByte OÜ is established in the EU; a separate GDPR Art. 27 representative is therefore not required.

2. The data we collect

2.1 You give us

  • Account data: email, display name, password hash (via our auth provider), optional profile photo.
  • Travel content: ticket images / PDFs, trip plans, journey legs, live reports, tips, ratings, photos.
  • Payment data: we never see your full card. Stripe processes payments and returns only a token, last 4 digits, and brand.
  • Support data: messages you send us.

2.2 Automatically

  • Device & usage: IP address, browser, OS, pages viewed, timestamps, crash logs.
  • Approximate location from IP; precise location only if you opt in to live tracking.
  • Cookies / local storage: see our Cookie Policy.

2.3 From third parties

  • Google OAuth (name, email, avatar) if you sign in with Google.
  • Operator partners (booking confirmations).

3. How we redact PII before sharing or AI processing

TripTribe runs an automatic PII-scrubbing pipeline on every uploaded ticket and on any user-supplied text before it is sent to an external AI provider, an operator, or aggregated into market-intelligence reports. Specifically, we remove or mask:

  • Passenger names, traveler names, “booked by” and similar identity lines.
  • Email addresses, phone numbers, IBANs, full credit-card numbers, passport numbers, and long alphanumeric booking references.

Stored ticket files are linked to your account only and are not shared with operators or external buyers.

Aggregated data we publish (e.g. average prices on a corridor, on-time scores per operator) is anonymized and contains no field that, alone or in combination, can re-identify an individual. If we cannot guarantee anonymity for a given aggregate (e.g. too few users on a corridor), we suppress it.

4. Why we process your data (lawful basis)

Under GDPR Art. 6 and Thailand PDPA Sec. 24, we rely on:

  • Contract — to provide the Service you signed up for (parsing tickets, showing routes, processing bookings).
  • Legitimate interests — to keep the Service secure, fight fraud, improve features, and build anonymized travel statistics.
  • Consent — for precise location, marketing email, non-essential cookies, and any sensitive data you choose to share. You may withdraw consent at any time.
  • Legal obligation — to comply with tax, anti-money-laundering, and law-enforcement requests.

5. Who we share data with

  • Sub-processors who power the Service: hosting (Cloudflare, Supabase / Lovable Cloud), email (Resend), payments (Stripe), AI parsing (with redacted input only), maps (Google Maps). Each is bound by a data-processing agreement with confidentiality, security, and sub-processor flow-down obligations.
  • Operators — only the data needed to fulfill a booking (passenger name, contact, travel date). Operators are independent controllers from that point.
  • Authorities — when legally compelled. We push back on overbroad requests and notify you where law allows.
  • In a corporate transaction — with successor entities, under the same protections.

We do not sell your personal data. Aggregated, anonymized market-intelligence reports we may sell to operators, tourism boards, or research partners contain no personal data.

6. International data transfers

TripTribe operates globally. Data may be stored or processed in the EU, the United Kingdom, Thailand, Singapore, and the United States. For cross-border transfers we rely on:

  • EU / UK Standard Contractual Clauses (SCCs) with all non-adequate-country sub-processors.
  • Thailand PDPA Sec. 28 safeguards — adequate destination, your explicit consent, or contractual safeguards approved by the PDPC.
  • Transfer Impact Assessments where required (Schrems II), and supplementary measures such as encryption in transit (TLS 1.2+) and at rest.

7. How long we keep it

  • Account data: while your account is active, plus 12 months.
  • Ticket files & parsed JSON: 24 months, or until you delete them.
  • Booking & payment records: 7 years (tax / accounting laws in Thailand & the EU).
  • Anonymized analytics & aggregate intelligence: indefinitely (no longer personal data).
  • Backups: rolling 30-day cycle, then permanent deletion.

8. Security

  • TLS 1.2+ in transit; AES-256 at rest where the underlying store supports it.
  • Row-Level Security on every user-data table — your data is isolated to your account.
  • Least-privilege admin access, audit logging, and least-privileged service keys.
  • Mandatory breach notification: we will notify the Thai PDPC and affected users within 72 hours of becoming aware of a notifiable breach (PDPA Sec. 37; GDPR Art. 33–34).

9. Your rights

Wherever you are, you have the right to:

  • Access a copy of your data.
  • Rectify inaccurate data.
  • Erase your account and associated personal data (subject to legal retention).
  • Restrict or object to processing based on legitimate interests.
  • Withdraw consent at any time, without affecting prior lawful processing.
  • Portability — export your trips, tickets, and tips in a machine-readable format.
  • Lodge a complaint with a supervisory authority — the Thai PDPC (pdpc.or.th) or your local EU DPA. UK residents may contact the ICO.

To exercise any right, email passbyte@pm.me. We respond within 30 days (extendable once under GDPR / PDPA).

10. Asia-Pacific specifics

  • Thailand (PDPA B.E. 2562): we identify ourselves, our lawful basis, retention period, and data-subject rights in this policy as required by Sec. 23. Sensitive data (Sec. 26) is only processed with explicit consent.
  • Singapore (PDPA 2012, as amended): we honor Do-Not-Call requests and provide a clear withdrawal mechanism.
  • Malaysia (PDPA 2010): processing is limited to the purposes disclosed at collection.
  • Indonesia (PDP Law 2022): we treat Indonesian residents' data per the PDP Law's controller obligations and respond to data-subject requests in Bahasa Indonesia on request.
  • Vietnam (PDPD 2023): we obtain consent before sensitive processing and provide a domestic point of contact on request.
  • Philippines (Data Privacy Act 2012): we have appointed a contactable Data Protection Officer.
  • Japan (APPI): we identify the purpose of use and obtain consent for cross-border transfer where required.
  • South Korea (PIPA): minors under 14 require legal-guardian consent.

11. Children

TripTribe is not directed at children under 16. We do not knowingly collect data from a child under 16 (EU/UK) or under 13 in jurisdictions with a lower threshold, without verifiable parental consent. If you believe a child has provided us data, contact us and we will delete it.

12. Marketing

We only send transactional emails by default. Marketing emails require your opt-in (PDPA & GDPR soft opt-in does not extend to non-customers in the EU). You can unsubscribe at any time via the link in every email or by emailing us.

13. Automated decisions & AI

Trip predictions, ETAs, and operator scores are produced by automated models. They are informational and do not produce legal effects on you. We do not perform Art. 22 GDPR “solely automated” decisions with legal effect.

14. Changes

We will email registered users at least 14 days before material changes take effect. Continued use after the effective date constitutes acceptance.

Questions? Email privacy@triptribe.io for privacy & data requests, or legal@triptribe.io for terms questions.