Smart Trips AI — home Home

Legal

Privacy Policy

Last updated: June 14, 2026

This Privacy Policy explains how Smart Trips AI ("we", "us", or "the Service") collects, uses, stores, and protects information about you when you use smarttrips.cloud and related applications. We comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA) where applicable.

1. Who we are

The data controller is QBITZ AI (sole proprietor), based in Germany. You can reach us at qbitz.ai@gmail.com. We are a small business and have not appointed a Data Protection Officer as we do not process personal data on a large scale or special categories of data within the meaning of GDPR Article 37.

Early-stage notice: Smart Trips AI is in an early, maturing stage and is developed by a solo operator. Features may contain bugs. Please report issues to qbitz.ai@gmail.com. To the maximum extent permitted by law, the operator accepts no liability for any loss arising from the use of the Service.

2. What we collect

  • Account data — your email address and (if you sign in with Google) your display name and profile picture. Provided by you or your identity provider when you create an account.
  • Trip and preference data — origins, destinations, dates, travel modes, manual stops, deal watches, price alerts, and the signals used to compute your Travel DNA profile.
  • Billing data — if you subscribe, Stripe processes your payment details directly. We receive a customer ID, subscription status, and billing country, but we never see your full card number.
  • Technical data — IP address, browser type, and timestamps in our server logs, retained for up to 30 days for security and debugging.
  • Location data — only when you explicitly use the "Ask AI Now" feature, your browser shares your current coordinates with us for that request. Coordinates are not stored after the request completes.

3. How we use your data

  • To provide the trip planning, deal scouting, and price watching features you request (legal basis: contract, GDPR Art. 6(1)(b)).
  • To personalise itineraries and recommendations through your Travel DNA profile (legal basis: contract).
  • To send transactional emails such as account confirmations and price alerts (legal basis: contract).
  • To bill subscriptions and detect fraud (legal basis: contract and legitimate interest, Art. 6(1)(f)).
  • To comply with legal obligations such as tax record-keeping (legal basis: legal obligation, Art. 6(1)(c)).

4. Cookies and tracking

We use only strictly necessary cookies and local storage entries to keep you signed in and remember your interface preferences. These are exempt from the consent requirement under the ePrivacy Directive because they are essential for a service you explicitly requested. We do not use Google Analytics, Meta Pixel, advertising cookies, or third-party trackers. If this changes, we will add a consent banner that blocks non-essential cookies until you opt in.

5. Who we share data with

We share the minimum data needed with the following processors, each bound by a Data Processing Agreement:

  • Supabase (database and authentication, EU region where available).
  • Cloudflare (hosting, CDN, edge compute).
  • Stripe (payment processing).
  • Google Maps Platform (place data when you use planning features).
  • Mapbox (map rendering).
  • AI model providers reached through the Lovable AI Gateway to generate itineraries and recommendations.
  • Resend or our email provider for transactional emails.

We never sell your personal data. We do not share data with advertisers.

6. International transfers

Some processors above are based outside the European Economic Area. Transfers are protected by Standard Contractual Clauses, adequacy decisions, or equivalent safeguards under GDPR Chapter V.

7. How long we keep data

  • Account and trip data: until you delete your account, plus 30 days in backups.
  • Billing records: 10 years where required by tax law.
  • Server logs: up to 30 days.

8. Your rights

Under GDPR you have the right to:

  • access the personal data we hold about you,
  • correct inaccurate data,
  • delete your account and associated data ("right to be forgotten"),
  • export your data in a portable format,
  • object to or restrict certain processing,
  • withdraw consent at any time where processing is based on consent,
  • lodge a complaint with your local data protection authority.

To exercise any of these rights, sign in and use the Settings page, or email us at qbitz.ai@gmail.com. We respond within 30 days.

9. Security

All traffic is encrypted in transit (TLS 1.2+). Passwords are hashed by our authentication provider. Database access is restricted by Row Level Security so users can only read and write their own records.

10. Changes to this policy

We will post any material changes on this page and update the "Last updated" date. Significant changes affecting your rights will be announced by email.