TripBudget – Privacy Policy

Last Updated: February 16, 2026

This Privacy Policy describes the manner in which TripBudget (“TripBudget”, “we”, “our”, “us”) processes personal data relating to users of the TripBudget mobile application and associated web-based services (collectively, the “Service”). It explains the categories of personal data we collect or receive, the purposes for which such data are processed, the legal bases that justify the processing, the rights granted to data subjects under applicable data protection laws—including Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”)—and the measures we implement to protect personal data.

TripBudget is designed with a privacy-first approach. We apply data minimization and purpose limitation principles and process only what is necessary to provide the Service.

By installing, accessing, or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, you must not use the Service.

1. Identity of the Data Controller

TripBudget is operated by:

Louis Breyne, operating under the trade name “Breyne Engineering”
Independent entrepreneur registered in Belgium
VAT number: BE1008.222.750

Email: support@tripbudget.app
Website: https://tripbudget.app

For the purposes of applicable data protection law, Breyne Engineering acts as the data controller with respect to personal data processed in connection with the Service.

2. Scope of the Policy

This Privacy Policy applies to all personal data processed in connection with the Service.

It does not apply to third-party services that are not under our control, including external websites accessed via links, or services and infrastructure operated independently by third parties (including authentication and hosting providers), except to the extent that such third parties act as our processors in providing the Service.

3. Definitions

For purposes of this Policy:

“Personal data” refers to any information relating to an identified or identifiable natural person, as defined under the GDPR.

“Processing” refers to any operation performed on personal data, including collection, storage, transmission, alteration, and deletion.

“Controller” refers to the entity that determines the purposes and means of processing personal data, which is Breyne Engineering for personal data processed by the Service.

4. Principles of Data Processing

We adhere to the following core principles:

– Data minimization and purpose limitation;
– Storage limitation;
– Integrity and confidentiality;
– Transparency and accountability.

In particular:

– We do not sell personal data.
– We do not engage in behavioral profiling for advertising purposes.
– We do not perform cross-app tracking.
– We do not use third-party advertising SDKs.

5. Categories of Personal Data Processed

TripBudget processes personal data primarily in the context of providing trip budgeting and collaboration features, including synchronization across devices and shared access to trips.

5.1. Account and Authentication Data

When you create or use an account, we process authentication-related data, which may include:

– your email address;
– your display name (where applicable);
– a Firebase User ID and authentication tokens;
– security-related metadata necessary to authenticate and protect access.

We do not have access to your password. Password management is handled exclusively by Firebase Authentication using industry-standard hashing and security practices.

Provision of account-related personal data is required only for users who elect to use authenticated or synchronized features. The core functionality of the Service may otherwise be used without creating an account.

5.2. Trip, Participant, Expense, and Contribution Data

In order to provide the Service, we process trip data that you create or submit, which may include:

– trip information (titles, dates, base currency, budgets, stages and stage configurations);
– participant names and optional participant email addresses entered by users;
– expenses and contributions, including amounts, currencies, payment dates, application dates, categories, notes, and textual location fields (city and country);
– derived and technical data necessary for calculations and synchronization integrity, including normalized values, exchange-rate metadata, internal identifiers, timestamps, and synchronization state indicators.

5.3. Technical and Security Logs

To maintain system stability, prevent abuse, and ensure the integrity and security of the Service, we (and our infrastructure providers acting as processors) may process technical security logs and related operational data. Such logs are not used for advertising.

5.4. Location Data (Optional Feature)

Where the Service provides the ability to tag expenses with geographic information, location data may be processed solely for the purpose of enabling users to associate an expense with a city or country.

If device-level location permission is granted, such access is used exclusively at the time the user chooses to attach location information to an expense. The Service does not perform continuous location tracking, background geolocation, behavioral profiling, or location-based advertising.

Location data is not shared for marketing purposes and is processed solely in connection with user-requested functionality.

6. Purposes of Processing

Personal data are processed only to the extent necessary for the operation, maintenance, and improvement of the Service, including:

– to provide Service functionality, including calculation features and collaboration;
– to create and manage user accounts and authenticate access;
– to enable synchronization across devices;
– to allow collaborative access to shared trips;
– to ensure system integrity, prevent abuse, and maintain stability;
– to handle support requests and GDPR rights requests;
– to comply with legal obligations.

We do not process personal data for advertising, profiling, or resale purposes.

7. Legal Bases for Processing

We rely upon one or more of the following legal bases for the processing of personal data under Article 6 GDPR:

Performance of a contract (Art. 6(1)(b))
Processing necessary to provide the Service requested by the user, including account creation, synchronization, and collaborative functionality.

Consent (Art. 6(1)(a))
Where users voluntarily provide optional information or submit requests that require such consent. Where consent is relied upon, it may be withdrawn at any time with effect for the future.

Legitimate interests (Art. 6(1)(f))
Processing necessary for ensuring security, preventing abuse, maintaining system stability, and safeguarding the Service, provided such interests are not overridden by the rights and freedoms of data subjects.

Compliance with legal obligations (Art. 6(1)(c))
Where processing is required by applicable law.

8. Data Retention

We retain personal data for as long as necessary to provide the Service and for the purposes described in this Policy, unless a longer retention period is required or permitted by law.

8.1. Account and Service Data

Personal data associated with your account and synchronized Service data is retained for as long as you maintain an active account, or until you delete data or request deletion.

When you submit an account deletion request via the in-app deletion function:

– personal data directly associated with the user account is permanently deleted;
– shared trip data that cannot be removed without affecting other participants is irreversibly anonymized;
– confirmation of deletion is sent via email.

Deletion may take from a few minutes up to several days depending on data complexity.

8.2. Security and Authentication Logs; Backups

Authentication and security logs retained by Firebase or other infrastructure providers may be stored for limited periods (typically up to 90 days) for fraud prevention, security monitoring, and reliability purposes, in accordance with the providers’ internal retention policies.

Backups, where applicable, are retained only for operational continuity and are automatically overwritten within a limited period not exceeding 30 days.

9. Data Sharing, Processors, and International Transfers

TripBudget does not sell or rent personal data.

9.1. Processors Used for Service Provision

TripBudget relies on third-party infrastructure providers to deliver core Service functionality. These providers act as data processors and process personal data under contractual safeguards.

In particular:

– Google Firebase (Authentication and Firestore) is used to enable secure authentication and synchronization features.
– Google Cloud Platform provides infrastructure hosting related to synchronized data.

9.2. Collaborative Trip Sharing

When users collaborate on shared trips, trip data becomes accessible to authorized participants. Users are responsible for the personal data they choose to include in shared content.

9.3. International Transfers

Personal data processed through our infrastructure providers may be processed outside the European Economic Area, including in the United States.

Where such transfers occur, they are safeguarded through appropriate mechanisms such as Standard Contractual Clauses (SCCs) approved by the European Commission, as well as the providers’ binding corporate rules and technical safeguards.

10. Data Security Measures

TripBudget implements appropriate technical and organizational measures designed to protect personal data, including (where applicable):

– encryption of data in transit using TLS;
– encryption at rest for cloud-stored data (e.g., AES-256 within Firebase’s infrastructure);
– secure authentication mechanisms;
– strict access control rules and security rules limiting access to authorized users;
– monitoring and logging for security purposes.

While no digital system can guarantee absolute security, we take reasonable measures proportionate to the risks involved.

11. Data Subjects’ Rights

Under the GDPR, users have the right to:

– access their personal data;
– rectify inaccurate data;
– request erasure (“right to be forgotten”);
– restrict processing in certain circumstances;
– object to processing where permitted by law;
– receive data portability in a structured, commonly used format;
– lodge a complaint with a supervisory authority.

Users may exercise these rights by contacting support@tripbudget.app. We may request verification of identity where necessary to protect user data.

Data portability for trip content is facilitated through the built-in CSV export function.

TripBudget does not conduct automated decision-making producing legal or similarly significant effects.

12. Children’s Data

The Service is not directed toward individuals under sixteen (16) years of age.

We do not knowingly process personal data of minors. If such data is identified, we will take appropriate steps to delete it without undue delay.

13. External Links

The Service may contain links to external websites. TripBudget is not responsible for the privacy practices of third-party services, and users are encouraged to review the privacy policies of any external services they access.

14. Amendments to This Policy

We reserve the right to update or amend this Privacy Policy from time to time in response to changes in legal obligations, technological developments, or modifications to the Service.

Updated versions will be published at https://tripbudget.app/privacy-policy and the “Last Updated” date will be revised accordingly. Continued use of the Service following publication constitutes acknowledgment of the updated Policy.

15. Contact and Supervisory Authority

For questions, requests, or complaints regarding this Privacy Policy or our data processing practices, contact:

Email: support@tripbudget.app
Website: https://tripbudget.app

Users located in Belgium may contact the Belgian Data Protection Authority (Autorité de Protection des Données / Gegevensbeschermingsautoriteit) if they believe their data protection rights have been violated.