Privacy Policy

Effective Date: 5/28/2026

TripCatholic ("TripCatholic," "we," "our," or "us") respects your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what choices and rights you have. It applies to your use of the TripCatholic mobile application, our website at www.tripcatholic.com, and any related services (collectively, the "Services").

By using the Services you agree to this Privacy Policy. If you do not agree, please do not use the Services.

1. Who We Are and How to Contact Us

The Services are operated by TripCatholic.

Contact: team@tripcatholic.com

For purposes of the EU and UK General Data Protection Regulation ("GDPR"), TripCatholic is the controller of the personal data we collect through the Services.

If you live in the EU, UK, or another jurisdiction that requires us to do so, you can contact us at the email above to reach our privacy point of contact for any data-protection question, request, or complaint.

2. Information We Collect

We collect information in three ways: information you give us, information we collect automatically, and information we receive from third parties.

2.1 Information You Provide

Account information. When you create an account we collect your email address, password (if you choose email/password sign-in), and a display name. If you sign in with Apple, we receive your email address (which may be a private relay address you control) and, only on the very first sign-in, your first and last name. If you sign in with Google, we receive your email address and basic profile information from your Google account.

Profile information. You may optionally add your first name, last name, phone number, mailing address, and a profile photo. A mailing address is only requested if you sign up for a feature that requires shipment (for example, a postcard offer or gift promotion).

Onboarding answers. During onboarding you may answer questions about your religious tradition, devotions, pilgrimage interests, travel style, who you travel with, and which destinations interest you. These answers are stored on your profile and used to personalize the Services.

Your activity in the app. We store the sites you bookmark ("saved sites"), the sites you mark as visited (your "Pilgrim Passport"), the trips you create (including names, descriptions, dates, cities, cover photos, days, activities, notes, and budget figures you enter), and any people you invite to collaborate on a trip.

Community contributions. If you post a tip, comment, or reply on a site page, like another user's contribution, or report a post, we store that content and the fact that you created it. Community contributions are visible to other users of the Services.

Communications with us. If you email us, respond to a survey, or contact support, we keep the contents of those communications.

2.2 Information We Collect Automatically

Usage and product analytics. We use PostHog to understand how people use the Services. PostHog automatically records events such as taps, screen views, and navigation between screens, along with a session identifier, your account ID once you sign in, your device type, operating system version, app version, language, time zone, and approximate location derived from IP address. We use this information to improve the product, debug issues, and measure feature adoption. You can opt out of product analytics at any time in Settings → Privacy Settings, which stops further events from being sent and halts PostHog's automatic capture.

Device and log data. Our backend logs request data such as IP address, request paths, timestamps, error codes, and user-agent strings. We keep these logs to operate, secure, and troubleshoot the Services.

Push notification identifiers. If you allow push notifications, we (through OneSignal, our notifications provider) store a push token issued by Apple Push Notification service or Firebase Cloud Messaging so we can deliver notifications to your device.

Subscription state. When you subscribe to TripCatholic Plus, our subscription processor (RevenueCat) creates a customer record tied to your account and tracks your subscription tier, status, billing cycle dates, product identifier, and renewal/cancellation state. We do **not** receive or store your credit card number, debit card number, or other payment instrument details — those are handled by Apple or Google and processed under their own privacy policies.

Location data. If you grant the Services permission to use your device's location, we use your foreground (in-app) location only — we do not track your location in the background. Your live coordinates are used on your device to show your position on the map and to surface nearby sites. We do not transmit your live coordinates to our servers or store them in our database. You can turn location access off at any time in your device settings.

2.3 Information We Receive From Third Parties

Sign-in providers. When you use Sign in with Apple or Sign in with Google, the provider sends us a verified identity token that includes the information described in Section 2.1.

Subscription provider. RevenueCat shares your subscription status, product identifiers, billing-period dates, and entitlement information with us so we can unlock TripCatholic Plus features for you. Apple and Google share entitlement information with RevenueCat, which forwards it to us.

2.4 What We Do Not Collect

We do not currently collect your IDFA (Apple Identifier for Advertisers), Android Advertising ID, contacts, calendar entries, microphone audio, health data, financial account numbers, or government-issued identifiers. We do not knowingly collect any "special category" personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health, sex life, or sexual orientation) except to the extent your voluntary onboarding answers (such as your religious tradition or devotions) reveal information about your religious beliefs. By providing those answers you explicitly consent to our processing of them for the purpose of personalizing the Services to you under Article 9(2)(a) of the GDPR. You can edit or clear these answers at any time in Settings.

3. How We Use Your Information

We use the information we collect to:

- create and maintain your account, authenticate you, and keep you signed in;
- provide the core features of the Services, including saving sites, tracking visits, planning trips, generating shareable trip links, and showing you community contributions;
- personalize the content we surface to you based on your stated preferences and your activity;
- process subscriptions, restore purchases, and enforce paywall entitlements;
- send you transactional and account-related communications (such as password resets, subscription receipts, trip collaboration invitations, and replies to your community posts);
- send you optional product, content, and marketing communications you have opted into, and let you opt out at any time;
- moderate community content, investigate reports, and enforce our Terms of Service;
- secure the Services, prevent fraud, debug errors, and improve performance;
- comply with our legal obligations, respond to lawful requests from public authorities, and defend our legal rights.

4. Legal Bases for Processing (EU/UK Users)

If you are in the EU, EEA, UK, or Switzerland, we rely on the following legal bases under the GDPR:

Performance of a contract — to create your account, deliver Services you have asked for, process your subscription, and provide customer support.

Legitimate interests — to operate, improve, secure, and promote the Services; to perform product analytics; to prevent fraud and abuse; and to enforce our terms. We balance these interests against your rights and freedoms and you can object at any time (see Section 9).

Consent — to use your foreground location, send you push notifications and marketing emails, process voluntary onboarding answers that may reveal religious beliefs, and place any cookies or similar technologies on our website beyond those that are strictly necessary. You can withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.

Legal obligation — to comply with applicable law, court orders, tax and accounting rules, and lawful government requests.

5. How We Share Your Information

We do not sell your personal information. We share information only as described below.

5.1 Service Providers

We share information with vendors who process data on our behalf, under written agreements that restrict them to that purpose:

| Provider | Purpose | Data shared |

| Supabase (Supabase, Inc.) | Authentication, database, file storage | Account credentials, profile, content, activity, uploaded photos |

| RevenueCat (RevenueCat, Inc.) | Subscription management | Account ID, email, subscription state |

| OneSignal (OneSignal, Inc.) | Push notifications and transactional email | Account ID, email, push tokens, notification preferences |

| PostHog (PostHog, Inc.) | Product analytics | Account ID once signed in, event data, device and session metadata, approximate location from IP |

| Mapbox (Mapbox, Inc.) | Maps and geocoding | Search queries you type, approximate location, session tokens; not linked to your account by us |

| Google (Google LLC) | Sign-in, Google Maps tiles, Street View imagery | Sign-in identity tokens; map-tile requests from your device |

| Apple (Apple Inc.) | Sign in with Apple, in-app purchases | Apple identity tokens; subscription transactions |

| Unsplash (Unsplash Inc.) | Trip cover photo library | Photo selection requests |

5.2 Other Users

Information you choose to make public — community posts and replies, your display name and avatar where shown alongside contributions, trips you mark public or share via link — is visible to other users of the Services and may be visible to anyone with a trip share link. Do not include information in public contributions that you do not want others to see.

5.3 Trip Collaborators

When you invite someone to a trip as an editor or viewer, or generate a share link, the people who use that invitation can see the trip's contents (including its name, description, days, activities, notes, and any locations you added) and the display name and avatar of the trip's members.

5.4 Legal and Safety

We may disclose information when we have a good-faith belief that doing so is necessary to comply with applicable law, a lawful request from a public authority, or legal process; to enforce our Terms of Service; to protect the security, rights, property, or safety of TripCatholic, our users, or the public; or to investigate or prevent fraud or abuse.

5.5 Business Transfers

If TripCatholic is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its assets, your information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have.

5.6 With Your Direction

We share information with third parties when you direct us to do so — for example, by tapping a link that opens an external map application for directions.

6. International Data Transfers

We are based in the United States and our service providers may be located in the United States and other countries. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States and other jurisdictions whose data-protection laws may differ from the laws of your country.

When we transfer personal data of EU, EEA, UK, or Swiss residents outside of those regions, we rely on lawful transfer mechanisms, including the European Commission's Standard Contractual Clauses and, where applicable, the UK Addendum to those clauses. You can contact us at team@tripcatholic.com to request more information about these safeguards.

7. Data Retention

We keep your information for as long as your account is active and for as long as we need it to provide the Services and for the other purposes described in this Privacy Policy.

- Account and profile data is retained while your account exists.
- Trips, saved sites, visited sites, and community contributions are retained while your account exists, except that community contributions you delete are removed from public view promptly and from backups within a reasonable period.
- Analytics events in PostHog are retained for up to twenty-four (24) months.
- Backend logs are retained for up to ninety (90) days, except where a longer period is needed for security, fraud-prevention, or legal purposes.
- Subscription records are retained for as long as required by tax, accounting, and audit obligations, which is typically at least seven (7) years after the transaction.
- Communications with our support team are retained for up to three (3) years after the last interaction.

Deleting your account. You can permanently delete your account and its associated data at any time:

In the app: open TripCatholic → Profile → Settings → Edit Profile, scroll to the bottom, tap Delete Account, and confirm. Deletion is immediate and cannot be undone.

By email: if you cannot access the app, write to team@tripcatholic.com and we will delete your account after verifying your identity.

What is deleted. Deleting your account permanently removes your login credentials and authentication identity; your profile (name, phone number, mailing address, and any profile photos you uploaded); your onboarding answers; your saved sites, visited sites (Pilgrim Passport), and saved cities, collections, and itineraries; the trips you own and all of their days, activities, and notes; your membership in other users' trips; and your community posts, replies, likes, reports, and site suggestions. We complete this deletion or de-identification, including from backups, within thirty (30) days.

What we may retain, and why. After deletion we keep, only as long as needed: transaction and billing records held by our payment processors (Apple, Google, and RevenueCat) and by us for tax, accounting, and audit obligations (typically up to seven years); short-lived backend security logs (up to ninety days); de-identified or aggregated analytics that can no longer be associated with you; and any information we are required to keep to comply with law or to establish, exercise, or defend legal claims. Retained data is limited to these purposes and is not used to re-identify you.

8. Security

We use administrative, technical, and physical safeguards designed to protect the information we collect, including transport-layer encryption (HTTPS) for data in transit, encryption at rest for stored data where supported by our infrastructure providers, hashed-and-salted password storage, role-based access controls, and database row-level security policies. No system is perfectly secure. You are responsible for keeping your account credentials confidential and for notifying us promptly if you believe your account has been compromised.

9. Your Rights and Choices

Depending on where you live, you may have some or all of the following rights with respect to the personal data we hold about you:

Access — receive confirmation of whether we are processing your personal data and a copy of it.

Rectification — correct inaccurate or incomplete personal data. You can edit most of your profile fields directly in the Settings screen.

Erasure ("right to be forgotten") — ask us to delete your personal data when one of the legal grounds applies.

Restriction — ask us to limit our processing of your personal data in certain circumstances.

Portability — receive your personal data in a structured, commonly used, machine-readable format and ask us to transmit it to another controller where technically feasible.

Objection — object to our processing that is based on legitimate interests, including profiling, on grounds relating to your particular situation.

Withdraw consent — where we rely on your consent, withdraw it at any time without affecting the lawfulness of processing before withdrawal.

Lodge a complaint — file a complaint with your local data-protection authority. A list of EU authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may contact the Information Commissioner's Office at ico.org.uk.

To exercise any of these rights, email us at team@tripcatholic.com. We will respond within thirty (30) days, or sooner where required by law. We may need to verify your identity before acting on your request and may decline a request that is excessive, unfounded, or that we are not required by law to fulfill, in which case we will explain why.

In-app controls. You can also exercise certain rights directly inside the app:
- Edit your profile in Settings → Edit Profile.
- Reset your password in the sign-in screen or change it in Settings → Edit Profile → Change Password.
- Toggle push notifications, email notifications, and marketing communications in Settings → Notification Preferences.
- Turn location access on or off in your device's operating-system settings.
- Delete individual community posts you have created from the site detail screen.
- Turn product analytics on or off in Settings → Privacy Settings.

10. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA (collectively the "CCPA"), gives you the right to:

- know what personal information we have collected about you and how we use and share it;
- request a copy of that personal information;
- request that we delete personal information we collected from you;
- request that we correct inaccurate personal information;
- opt out of the "sale" or "sharing" of personal information; and
- not receive discriminatory treatment for exercising any CCPA right.

We do not sell your personal information and we do not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA. We do disclose personal information to service providers for the business purposes described in Section 5.

In the preceding twelve (12) months we have collected the categories of personal information listed in Section 2 of this policy for the business purposes listed in Section 3, and we have disclosed those categories to the categories of recipients listed in Section 5.

To exercise your CCPA rights, email us at **team@tripcatholic.com** with the subject line "CCPA Request." You may use an authorized agent; we will require written proof of the agent's authorization and may also need to verify your identity directly. We do not knowingly collect the personal information of California residents under the age of 16.

11. Children's Privacy

The Services are intended for users aged 16 and older. We do not knowingly collect personal information from anyone under 16. If you are under 16, please do not use the Services or send us any personal information. If we learn that we have collected personal information from a child under 16 without verified parental consent, we will delete that information promptly. If you believe we may have collected information from a child under 16, please contact us at team@tripcatholic.com.

For users in jurisdictions where the minimum age of digital consent is higher than 13 (such as the EU, where it ranges between 13 and 16 depending on the member state), the age in the preceding paragraph adjusts to match the local minimum.

12. Notifications

Push notifications and emails we send you fall into one of two categories:

Transactional — required to operate your account or deliver something you asked for (for example: password resets, subscription receipts, trip collaboration invitations, and replies to your community posts). You will receive these as long as you have an account, unless you turn off the corresponding channel.

Marketing and product — optional communications about new content, features, recommendations, and promotions. You can opt in or out at any time in Settings or by using the unsubscribe link in any marketing email.

You can disable push notifications entirely in your device's operating-system settings.

13. Cookies and Similar Technologies

The TripCatholic mobile app does not use browser cookies. Our third-party SDKs use standard mobile platform APIs and identifiers (such as installation IDs assigned by PostHog and OneSignal) to perform analytics and notification delivery as described in this policy.

Our website at www.tripcatholic.com may use a small number of cookies and similar technologies for basic site operation and, where you consent, for analytics. Where required by law (including the EU ePrivacy Directive), the website will request your consent before placing non-essential cookies.

14. Third-Party Links and Content

The Services may contain links to third-party websites, apps, or services (for example, when you tap "Get Directions" and we open your device's map application). We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy notices before providing them with information.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email, in the app, or by other reasonable means before the changes take effect. The "Effective Date" at the top of this policy indicates when it was last revised. Your continued use of the Services after the effective date of a revised Privacy Policy constitutes your acceptance of it.

16. Contact Us

If you have any questions, comments, or requests regarding this Privacy Policy or our handling of your personal data, please contact us:

Email: team@tripcatholic.com