Privacy
This page summarises the personal data this Trapla deployment processes. The full GDPR-shaped template, including lawful bases and your rights, lives in docs/PRIVACY.md on GitHub.
What we process
- Account: email, optional name + avatar, bcrypt password hash, optional 2FA secret + recovery code hashes, the per-user ingest token.
- Trip content: everything you enter — trips, destinations, transport segments, accommodations, journal entries, expenses, share links.
- Inbound email: the RFC 822 source of mails you forward to your private alias, plus the parsed structured payload.
- Audit log: authentication and administrative events with IP and user-agent, retained for security forensics.
What we don’t collect
No analytics, no advertising trackers, no third-party scripts. No marketing emails. No location data beyond what you enter into a trip. No data sold or shared.
Your rights
You have the GDPR rights of access, rectification, erasure, restriction, portability and objection. The in-app surfaces cover the common cases:
- Settings → Account → Export your data for an Article 15 / 20 data subject access request.
- Settings → Profile to rectify name or email.
- Settings → Account → Delete account for Article 17 erasure (30-day grace, then hard purge).
Cookies
We set exactly one cookie — the Auth.js session cookie — which is strictly necessary and does not require consent under the ePrivacy Directive. Full list at /cookies.
Contact
The deployment owner is the data controller. Reach them at the address listed in their full notice on GitHub.
Last updated when this deployment last shipped a privacy change. See Cookies · Terms.