# Privacy Policy — TripBuddies
**Effective date**: 2026-05-09
**Last updated**: 2026-05-09
TripBuddies is a privacy-first travel expense tracker. The app is designed so that **your travel data never leaves your devices in unencrypted form**. This document describes what data the app handles and how it handles it.
---
## 1. Data we do NOT collect
We do **not** collect, store, or have access to:
- Your name, email address, phone number, or any account credentials (TripBuddies has no login/registration).
- Your trip names, expenses, members, photos, notes, or any travel records.
- Your location.
- Any analytics, usage statistics, or behavioural tracking.
There is no account system. There is no central database holding your data.
---
## 2. Data stored on your device
All travel data is stored locally on your device using:
- **op-sqlite** — local SQLite database for trip metadata, expenses, members.
- **Yjs CRDT documents** — append-only encrypted change logs per trip.
- **expo-secure-store** — device keychain (iOS Keychain / Android Keystore) for shared encryption keys.
- **Photo files** — receipt and cover photos stored in app sandbox; never uploaded to any external server.
You can delete all data at any time from the app's Settings page or by uninstalling the app.
---
## 3. Peer-to-peer sync (optional)
When you invite another device to a trip, TripBuddies establishes a peer-to-peer connection through a public **relay server** (deployed on Cloudflare Workers).
The relay server only sees:
- An opaque "room ID" (a SHA-256 hash of the trip ID and shared key — not reversible).
- Encrypted payload bytes (AES-secretbox via TweetNaCl).
The relay server **cannot read** any of your trip content. The encryption key is never transmitted; it is shared between devices only via QR code or invite link, scanned in person.
If you do not invite another device, no data leaves your device at all.
---
## 4. Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| **open.er-api.com** | Daily exchange rates | None — only fetches public rates; sends no user data. |
| **Cloudflare Workers (relay)** | P2P signaling | Encrypted blobs + opaque room ID only. |
| **Google AdMob** *(if enabled)* | Free-tier banner ads | Device advertising ID (IDFA on iOS / GAID on Android). On iOS 14.5+, you'll see an App Tracking Transparency prompt; you may decline and ads will be contextual only. |
| **Apple StoreKit / Google Play Billing** | In-app purchases | Apple/Google handle all payment data; we never see card details. |
---
## 5. In-app purchases
TripBuddies offers an optional one-time purchase ("TripBuddies Pro", HK$38) to unlock additional features. Transactions are processed entirely by Apple StoreKit or Google Play Billing. We do not receive your payment information.
Purchase verification happens locally on your device using Apple/Google's APIs. There is no server-side receipt validation.
---
## 6. Children's privacy
TripBuddies is not directed at children under 13. We do not knowingly collect data from children.
---
## 7. Your rights
Because we hold no data about you on our servers, you do not need to make a deletion or access request. You have full control:
- **Delete a trip** — Trip detail → … → Delete
- **Delete all data** — Uninstall the app, or use Settings → reset (where available)
- **Stop syncing** — Settings → Relay server → leave blank
---
## 8. Changes to this policy
We may update this policy. Material changes will be reflected in the **Last updated** date above and announced in the app's Settings on next launch.
---
## 9. Contact
Questions or concerns about privacy: info@jwc-global.com.