What stays on this phone, and what doesn't.
Effective May 23, 2026 · Version 1.1
The short version
Your photos stay on your phone. OTrip reads only their dates and locations to suggest trips, and only after you grant Photos access in iOS. Approved trips, goals, and stamps sync to your account so they survive a new phone. Nothing trains a model. We share only with the named service providers below, and only as needed to run the app.
If anything in this policy is unclear, write to privacy@otrip.app and a human will reply.
Who we are
OTrip ("OTrip", "we", "our") is a personal travel journal for iPhone. For the purposes of the EU and UK General Data Protection Regulation, the OTrip team is the data controller of the personal data processed through the app and this website (together, the "Service"). Contact details are at the bottom of this page.
What OTrip accesses on your device
OTrip works inside the iOS sandbox, which means we can only see what you explicitly grant through system permissions or what you type into the app. Specifically:
- Photos (optional). When you grant Photos access through iOS, OTrip uses Apple's PhotoKit framework to read the capture date, capture location (latitude/longitude, when present in the photo's metadata), and the local identifier of each photo. The photo files themselves are never copied off your device. The metadata index is held in OTrip's on-device database and is used solely to suggest possible trips. You can revoke this access at any time in iOS Settings → Privacy & Security → Photos → OTrip.
- Location History (optional, one-time imports). If you choose to import your iOS or Google location history, the app reads the file you provide and indexes it locally on the device. OTrip does not use Core Location, does not request background location, and does not record any new location data on its own. Nothing about where you are right now is ever observed.
- Sign-in providers. When you choose to create an account, OTrip uses Sign in with Apple, Sign in with Google, or an email address you provide. The chosen provider returns an authentication token that we exchange for a Firebase user identity. We do not see your provider password.
- Push notifications (optional). If you opt in, we use Apple Push Notification service to deliver reminders and milestone alerts you've enabled. Notification payloads are not used for advertising.
Information we collect
Account information
- Your email address (from your sign-in provider or as you enter it for email sign-in).
- The name of the sign-in provider you used (Apple, Google, or email) and the user identifier returned by that provider.
- An optional display name, country code, language preference, and home base if you add them.
Travel content you create
- The trips, visits, goals, stamps, notes, and tags you save in OTrip — including destination labels, dates, optional photos you attach to a trip, transport modes, and free-text notes.
- Any artifacts you generate inside the app such as trip postcards or year-in-review videos. These are composed on your device. They are only uploaded if you choose to share them through a system Share Sheet that requires server-side processing.
Device and usage information
- Basic technical information such as iPhone model class, iOS version, app version, time zone, locale, and a Firebase-issued install identifier. This is used to render the right UI and to debug crashes.
- Coarse, IP-derived country for the request, used for routing and abuse prevention. We do not store your IP address with your travel content.
Diagnostics
- Crash reports and non-fatal error events via Firebase Crashlytics. Each report includes stack traces, the screen you were on, and anonymised device characteristics — no trip content, no notes, no photo metadata.
- Performance traces via Firebase Performance Monitoring (request latency, startup time). Aggregated, not tied to individual users.
- Server-side request logs in our Cloud Functions backend (timestamp, function name, status, latency, derived country). Retained for up to 30 days for debugging and abuse prevention.
How we use information
We use the information described above to:
- Provide the core features of the app — creating an account, saving trips, syncing your record, restoring it on a new device.
- Suggest possible trips when you ask OTrip to scan your photo library or run the AI trip-detection flow.
- Compose share artifacts (postcards, videos) on your device when you ask for one.
- Keep the Service reliable and secure — diagnosing crashes, monitoring performance, detecting abuse.
- Respond to your account or support requests.
- Comply with applicable law and respond to lawful requests.
Under the GDPR, the legal bases we rely on are contract (to provide the Service you asked for), consent (for optional features such as Photos access or Location History import — withdrawable at any time), legitimate interest (to keep the Service stable, secure, and abuse-free, balanced against your interests), and legal obligation where the law requires us to process certain data.
AI features and what we send to OpenAI
OTrip uses AI to help draft trips from your photos, run the assistant, and compose year-in-review summaries. These features call OpenAI through a backend we host on Firebase Cloud Functions.
What is sent to OpenAI: a structured summary of only the metadata you have approved — IATA airport codes, ISO country codes, dates, destination labels, and short text fields you have written into a trip note. What is not sent: your photo files, GPS traces, sign-in credentials, push tokens, or anything from photos you have not approved.
We use OpenAI's API with the default setting that prompts and outputs are not used to train OpenAI's models. OpenAI may retain inputs and outputs for up to 30 days for abuse and safety monitoring, after which they are deleted, in line with their API data-handling commitments.
AI suggestions are probabilistic. They can be incomplete or wrong. You decide what is saved to your travel record. You can avoid AI features entirely by using the manual entry flow (Type it in) instead of the photo-flow or assistant.
Service providers we share data with
We do not sell your personal information and we do not share it for cross-context behavioural advertising. We share data with the providers below ("subprocessors") only as needed to operate the Service. Each acts under a written agreement that restricts how they may use your data and requires them to apply appropriate security measures.
| Provider | What they do for OTrip | Processed in |
|---|---|---|
| Google LLC — Firebase Authentication | Account sign-in, identity tokens, session management. | US / EU regions |
| Google LLC — Cloud Firestore | Stores your approved trips, goals, stamps, profile, and settings. | US / EU regions |
| Google LLC — Cloud Storage for Firebase | Stores user-uploaded profile photo and trip cover images, if any. | US / EU regions |
| Google LLC — Cloud Functions for Firebase | Runs the OTrip backend, including the AI proxy that calls OpenAI. | US / EU regions |
| Google LLC — Firebase Crashlytics & Performance Monitoring | Crash reports, non-fatal errors, performance traces. | US |
| Google LLC — Firebase Hosting | Hosts this website (the marketing pages and these legal pages). | Global CDN |
| OpenAI, L.L.C. | Language model behind AI trip-detection, the assistant, and summaries. Receives only the structured metadata described in the AI section above. | US |
| Apple Inc. | App Store distribution, Sign in with Apple, Apple Push Notification service. Aggregated App Store analytics. | US |
| Google LLC — Sign in with Google | Optional sign-in method, if you choose it. | US / EU regions |
We may add or change subprocessors as the Service evolves. When we do, we'll update this list and, for material additions, surface a notice in the app or on this page before the change takes effect.
Beyond subprocessors, we may also disclose information when required by law, to enforce our Terms, to protect the rights, property, or safety of OTrip, our users, or others, or in connection with a merger, acquisition, or sale of assets (in which case we will use reasonable efforts to notify you in advance).
International data transfers
OTrip is built on cloud infrastructure that may store and process your data in countries other than your own, including the United States. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that is not the subject of an adequacy decision, we rely on the Standard Contractual Clauses approved by the European Commission and, where applicable, the UK International Data Transfer Addendum, together with supplementary measures (encryption in transit and at rest, scoped access controls, audit logging).
You can request a copy of the safeguards in place by writing to privacy@otrip.app.
Retention and deletion
We keep your information for as long as your account is active and only as long as we need it.
- Account and travel content. Kept until you delete the relevant item or your account. When you delete your account in Settings → Account → Delete account, your trips, goals, stamps, profile, and settings are removed from our active systems within 30 days. Encrypted backups may persist for up to a further 60 days before they are overwritten on rotation.
- On-device photo index. Lives on your iPhone only. Removed when you delete the app or revoke Photos access.
- Crashlytics & Performance traces. Retained by Firebase for up to 90 days, then aggregated or deleted.
- Cloud Functions request logs. Retained for up to 30 days for debugging and abuse prevention.
- AI request logs at OpenAI. Up to 30 days, then deleted in line with the OpenAI API agreement we operate under.
- Legal & tax records. Retained for the period required by applicable law (typically up to 7 years for invoicing and tax).
Security
We use technical and organisational measures designed to protect your data, including TLS encryption in transit, encryption at rest in Firebase's managed services, Firestore security rules that enforce per-user authorisation on every read and write, scoped service-account access, audit logging, and least-privilege principles for internal access. Authentication is handled by Firebase Authentication; we do not store passwords for email sign-in ourselves.
No system is perfectly secure. If we become aware of a security incident that affects your personal data, we will notify you and the appropriate regulators where required by law.
Your privacy rights
Subject to local law, you have the following rights in relation to your personal data, and many of them you can exercise directly in the app:
- Access. Ask for a copy of the personal data we hold about you. Most of it is visible in the app; for the rest, write to us.
- Rectification. Correct inaccurate data — for trip and profile data, you can do this directly in the app.
- Erasure. Delete trips and goals from inside the app at any time. Delete your account (which deletes everything associated with it) from Settings → Account → Delete account.
- Restriction. Ask us to limit how we use your data in certain circumstances.
- Portability. Export your trips and goals as a structured JSON file from Settings → Export trips.
- Objection. Object to processing we carry out on the basis of our legitimate interests.
- Withdraw consent. Revoke Photos access in iOS Settings, disable push notifications, or stop using AI features at any time.
- Lodge a complaint. If you are in the EEA, UK, or Switzerland, you may complain to your local data-protection authority — we would appreciate the chance to address your concerns first.
If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you the right to know what personal information we have collected, the right to delete it, the right to correct it, the right to opt out of the sale or sharing of personal information (we do neither), the right to limit use of sensitive personal information, and the right not to be discriminated against for exercising these rights. Residents of Colorado, Connecticut, Virginia, Utah, and other US states with comparable laws have similar rights and may exercise them through the same contact channel.
To exercise any of these rights, write to privacy@otrip.app. We may need to verify your identity before responding and will reply within the timeframe required by applicable law (one month under GDPR, extendable by two further months for complex requests).
Children
OTrip is not directed to children under 13, or the equivalent minimum digital-consent age in your jurisdiction (for example, 16 in parts of the EEA, 14 in some EU member states). We do not knowingly collect personal information from children below that age. If you believe a child has provided us with personal information without parental consent, please write to us and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to our practices, the Service, or applicable law. When we make material changes we will surface a notice inside the app and update the "Effective" date at the top of this page before the changes take effect. Continued use of the Service after that date means you accept the updated policy.
For privacy questions, subprocessor inquiries, or data-subject requests, write to privacy@otrip.app. For general questions, the in-app support channel is also fine.
If you are located in the EEA, the UK, or Switzerland, you have the right to lodge a complaint with your local supervisory authority.