PlanMyTrip24PlanMyTrip24Deutsch

Privacy Policy

Version 2026-07-03 · Effective July 3, 2026

This Privacy Policy explains how personal data is processed when you use the PlanMyTrip24 mobile app and the website planmytrip24.com (together, the “Service”). It is written to meet the EU/UK General Data Protection Regulation (GDPR), the Swiss FADP, the California Consumer Privacy Act (CCPA/CPRA), Japan’s APPI, South Korea’s PIPA, and Mexico’s data-protection law, and it also serves as our Mexican Aviso de Privacidad.

1. Controller (Responsable)

[FULL LEGAL NAME], an individual (persona física) residing in Mexico
[POSTAL ADDRESS]
Email: support@planmytrip24.com

We have not appointed a Data Protection Officer (not required at our current scale). Privacy inquiries: the email above.

2. What Data We Process, Why & on What Legal Basis

CategoryDataPurposeLegal basis (GDPR)
AccountEmail, username, first/last name, date of birth, gender (optional), home country/city, password (stored only as a salted hash), avatar photo, preferred language/currency/unitsCreate and operate your account; verify you are 18+; personalize contentArt. 6(1)(b) contract; age check: Art. 6(1)(c) legal obligation
Trips & planningDestinations, dates, itineraries, notes, reservations, tracked flights, preferences (e.g. interests, dietary), trip membersProvide the planning features you useArt. 6(1)(b) contract
Files & receiptsFiles you upload (tickets, confirmations, receipts, photos)Store and display them in your trips; malware scanningArt. 6(1)(b); scanning: Art. 6(1)(f) legitimate interest (security)
Secure vaultEnd-to-end encrypted files and metadataEncrypted storage. Zero-knowledge: we store only ciphertext and cannot read itArt. 6(1)(b)
ExpensesExpense amounts, splits, group members, receipt imagesExpense-splitting featuresArt. 6(1)(b)
AI featuresYour chat messages to the travel assistant, trip parameters, and content needed to generate itineraries/tips/translationsGenerate AI content you request (processed by the AI providers in Section 4)Art. 6(1)(b)
Device locationApproximate location (only if you grant the OS permission)Suggest your departure city. Not stored on our serversArt. 6(1)(a) consent (revocable in OS settings)
Security & audit logsIP address, device/user-agent, timestamps for logins, security-relevant changes (email/username changes), terms acceptancesSecurity, abuse and fraud prevention, rate limiting, legal evidence of consentArt. 6(1)(f) legitimate interest; Art. 6(1)(c)
Subscription statusApp-store transaction identifiers and entitlement status (no card data — payments are handled by Apple/Google)Activate and verify PremiumArt. 6(1)(b)
NotificationsPush token (if you enable push), notification preferencesSend the notifications you opted into (e.g. flight alerts)Art. 6(1)(a)/(b)
EmailsEmail address, delivery events for transactional mail (verification codes, password reset, account activity); marketing only per your opt-in settingsOperate the account; optional product newsArt. 6(1)(b); marketing: Art. 6(1)(a) consent
Support & feedbackMessages you send us, feedback textRespond to you; improve the ServiceArt. 6(1)(b)/(f)
Website waitlistEmail address submitted on planmytrip24.comNotify you at launchArt. 6(1)(a) consent

We do not use your data for automated decision-making with legal or similarly significant effects, and we do not process special categories of data on purpose (do not upload health or similar sensitive data outside the encrypted vault).

3. What We Deliberately Do Not Do

  • We do not sell or share personal data for cross-context behavioral advertising (CCPA: no “sale”/“sharing”).
  • We do not run third-party advertising or tracking SDKs inside the mobile app.
  • We do not store your GPS coordinates on our servers.
  • We do not read your encrypted vault — technically impossible without your passphrase.

4. Processors & Recipients

We use the following service providers (processors, or in some cases independent controllers) to run the Service:

ProviderPurposeData involvedLocation
Google Cloud (Google Ireland/LLC)Hosting: servers, database, file storage, task queues (region europe-west1, Belgium)All server-side dataEU (hosting); Google LLC US support
Google (Gemini / Vertex AI)AI content generation (itineraries, chat, tips, translations, deals)Chat messages, trip parameters, content to translateEU/US
xAI, OpenAI, GroqBackup/auxiliary AI providers for specific generation tasksSame categories as above (no account identifiers sent)US
Langfuse (Langfuse GmbH)Technical logging of AI requests (quality & cost monitoring); prompts/responses are recordedAI inputs/outputs, pseudonymous identifiersEU
Google Places / Distance MatrixPlace search, details, photos, travel timesSearch terms, place queriesUS/global
MapboxMaps and routingMap tiles requests, route coordinatesUS
Open-MeteoWeather forecastsDestination coordinates (no personal identifiers)EU
AeroDataBox (via MagicAPI)Flight status for flights you trackFlight numbers, datesUS/EU
MailerSendTransactional and (opt-in) product emailsEmail address, name, delivery eventsEU/US
Firebase Cloud Messaging (Google)Push notifications (if enabled)Push token, notification payloadsUS/global
Apple / Google PlayApp distribution, subscription billingPurchase/transaction data (they are independent controllers)US/global
CloudflareContent delivery (images)IP address, requested URLsGlobal
VirusTotal (Google) / self-hosted ClamAVMalware scanning of uploadsFile hashes / file content of uploads (not vault files)US / EU
exchangerate-api.comCurrency ratesNone (generic rate queries)US
submit-form.com (Formspark)Website waitlist form processingEmail addressUS/EU

When you open a booking partner’s site or app through a link in the Service (e.g. Expedia, Trip.com, Check24, GetYourGuide, Viator, Klook, Tiqets, Civitatis), that partner processes your data as an independent controller under its own privacy policy. Outbound links may carry an affiliate identifier so the partner can attribute the referral; we do not receive your booking details from partners.

5. International Transfers

Our servers are in the EU (Belgium). Some providers above process data in the United States or globally. Where data leaves the EU/UK/Switzerland, we rely on European Commission adequacy decisions (including the EU–US Data Privacy Framework for certified providers) and/or Standard Contractual Clauses with supplementary measures. The Operator, based in Mexico, accesses the systems for administration; Mexico’s data-protection law (and our contractual safeguards) apply to that access.

6. Retention

  • Account data and content: kept while your account exists. When you delete your account in the app, your trips, files, expenses, push tokens, invite links, avatar, and vault are permanently deleted (owned shared trips are transferred or deleted as you choose during deletion).
  • What survives account deletion: (a) your stated deletion reason with your email, kept for product analytics; (b) security audit logs of identity changes (IP, user-agent) and (c) records of your terms/privacy acceptances — kept as legal evidence, then erased when no longer needed (at most the applicable limitation period); (d) short-lived encrypted backups (rotated automatically).
  • Deactivation (as opposed to deletion) keeps your data so you can return; you can request full deletion at any time.
  • Email delivery logs and server logs are retained for short technical periods.

7. Your Rights

EU/UK/Switzerland (GDPR/FADP): you have the right of access, rectification, erasure, restriction, data portability, and objection (including to legitimate-interest processing), and the right to withdraw consent at any time with future effect. You may lodge a complaint with your local supervisory authority.

California (CCPA/CPRA): you have the rights to know, delete, correct, and to non-discrimination. We do not sell or share personal information, so there is nothing to opt out of; we also do not use sensitive personal information beyond what is necessary to provide the Service.

Japan (APPI) / South Korea (PIPA) / Mexico (derechos ARCO): you have equivalent rights of access, correction, deletion, and objection/revocation under your local law. Mexican users may exercise ARCO rights via the email below; if unsatisfied, you may contact the competent Mexican data-protection authority.

How to exercise: most rights are self-service in the app (edit profile; Account → Delete Account). For anything else email support@planmytrip24.com; we will verify your identity and respond within the statutory deadline (one month under GDPR, extendable as permitted).

8. Security

Measures include: TLS for all transport (with certificate pinning in the app), bcrypt password hashing, encrypted storage, EU data residency, strict access controls, rate limiting and brute-force lockout, malware scanning of uploads via an isolated quarantine pipeline, append-only audit logs, and a zero-knowledge encrypted vault (AES-256-GCM, argon2id key derivation on your device). No internet service is 100% secure; keep your password unique and confidential.

9. Children

The Service is for adults (18+). We do not knowingly process children’s data; the signup flow rejects dates of birth under 18. If you believe a minor has an account, contact us and we will delete it.

10. Cookies & the Website

The mobile app does not use cookies or third-party advertising trackers.

The website planmytrip24.com uses only technically necessary processing plus: Google Fonts (loaded from Google servers — your IP is transmitted to Google), the waitlist form (submit-form.com), and a partner-verification script. We do not set advertising cookies. If that changes, we will add a consent banner first.

11. Aviso de Privacidad (Mexico)

Para usuarios en México: el responsable del tratamiento es [FULL LEGAL NAME], con domicilio en [POSTAL ADDRESS]. Los datos personales descritos en la Sección 2 se tratan para las finalidades primarias de crear y operar su cuenta y prestar las funciones de planificación de viajes, y — solo con su consentimiento — para comunicaciones promocionales. Las transferencias descritas en las Secciones 4 y 5 se realizan con proveedores de servicios (encargados) necesarios para operar el Servicio. Usted puede ejercer sus derechos ARCO (acceso, rectificación, cancelación y oposición), limitar el uso o divulgación de sus datos y revocar su consentimiento escribiendo a support@planmytrip24.com. Los cambios a este aviso se publicarán en esta página.

12. Changes to This Policy

We will update this policy as the Service evolves. The version and effective date appear at the top; material changes will be announced in the app. Records of the version you acknowledged are kept.

13. Contact

support@planmytrip24.com — [FULL LEGAL NAME], [POSTAL ADDRESS]

Home · Terms of Service · Privacy Policy · Deutsch

© 2026 PlanMyTrip24 · [FULL LEGAL NAME], [POSTAL ADDRESS] · support@planmytrip24.com