Privacy Policy

Last updated: May 20, 2026

Brezza Labs LLC ("Travelle," "we," "us," or "our") is the data controller for the Travelle mobile application for iOS and Android. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our app. Please read this policy carefully. If you do not agree, please do not use the app.

1. Information We Collect

A. Information You Provide Directly

  • Account information: Name, email address, username, and password when you create an account. If you sign in with Apple or Google, we receive your name and email from those services.
  • Profile information: Profile photo, display name, and travel preferences (interests, budget, pace, dining preferences, accommodation preferences, transportation preferences, and accessibility needs).
  • Trip data: Trip names, dates, destinations, daily itineraries, activities (including notes, reservation times, flight numbers, and hotel details), locations, and cover photos.
  • Expense data: Expense descriptions, amounts, currencies, categories, dates, notes, and how expenses are split among trip members.
  • Search queries: Location and destination searches you perform within the app.
  • AI chat messages: Messages you send in conversations with Travelle AI, including questions about your trips, expenses, and travel plans. Conversation history is stored to maintain context across messages.
  • Communications: Feedback or support requests you send to us.

B. Information Collected Automatically

  • Device information: Device model, operating system, device name, and a device identifier generated on first app install for push notification delivery.
  • Usage data: Screens viewed, features used, and interactions within the app (collected via PostHog analytics).
  • App version and platform: The version of Travelle and operating system you are using.
  • IP address: Collected by our analytics and backend services for security and approximate location purposes.

C. Information from Third-Party Services

  • Authentication providers: When you sign in with Apple or Google, we receive an authentication token, your name, and email address. Apple allows you to hide your email using their private relay service.
  • Subscription data: Purchase history and subscription status from the Apple App Store or Google Play Store, processed through RevenueCat.

D. Location Data

Travelle uses geocoding (converting place names to coordinates) to display trip destinations on maps within the app. This is processed locally on your device. We do not continuously track your real-time GPS location, and we do not transmit your device's precise location to our servers.

E. Information We Do Not Collect

  • We do not use advertising identifiers (IDFA/GAID).
  • We do not track you across other apps or websites.
  • We do not sell your personal information.

2. How We Use Your Information

  • Provide, maintain, and improve the Travelle app
  • Create and manage your account
  • Generate AI-powered trip itineraries using your travel preferences (with your consent)
  • Provide AI chat assistance, including answering questions about your trips, expenses, balances, and travel history when you ask
  • Enable trip collaboration with other members you invite
  • Process subscriptions and manage your plan
  • Send push notifications about trip updates, invitations, and account activity (with your permission)
  • Analyze app usage to improve features and fix issues
  • Prevent fraud and enforce our terms
  • Comply with legal obligations

3. Legal Basis for Processing (EEA Users)

Under the GDPR, we process your data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Account creation, trip storage, subscription fulfillment, expense tracking, and trip collaboration.
  • Consent (Art. 6(1)(a)): Push notifications, AI trip generation and AI chat (your trip preferences and messages are sent to Google Gemini when you use AI features), and optional travel preferences.
  • Legitimate interests (Art. 6(1)(f)): Product analytics (via PostHog) to improve the app, fraud prevention, and security. You may object to processing based on legitimate interests by contacting us.
  • Legal obligation (Art. 6(1)(c)): Tax and accounting records for purchases, and responding to lawful requests from authorities.

4. AI Features

When you use our AI trip generation feature, your trip preferences (destination, dates, number of travelers, interests, budget, pace, dining preferences, accommodation types, transportation preferences, accessibility needs, and any additional notes you provide) are sent to Google's Gemini AI service to generate itinerary suggestions.

  • Your trip data is sent to Google Gemini only when you explicitly initiate trip generation by swiping to generate. No data is sent passively.
  • We use Google Gemini's paid API tier. Under the paid API terms, Google does not use your prompts or responses to train its AI models.
  • AI-generated itineraries are suggestions produced by an automated system, not a human travel agent. They may contain inaccuracies. You should independently verify all travel information.
  • The AI does not make decisions that produce legal or similarly significant effects on you. All AI output can be freely modified or discarded.
  • Once delivered, AI-generated itineraries become part of your trip data that you may freely use, modify, and share.

When you use the AI Chat feature, your messages are sent to Google's Gemini AI service to generate responses. When you ask about your expenses, balances, trip members, or travel history, the AI retrieves this data from our services to answer your question. This data retrieval happens only when you ask a question that requires it and is never performed passively or in the background.

Chat conversation history is stored on our servers to maintain context across messages. You may delete individual conversations at any time. The same data protection standards apply as with trip generation — under Google's paid API tier, your messages and responses are not used to train Google's AI models.

When you use AI to modify an existing trip, the AI accesses your current trip data to understand and apply your requested changes. Modifications are only applied when you explicitly approve them.

5. How We Share Your Information

We do not sell or share your personal information for advertising or cross-context behavioral profiling. We share your data only with the following service providers to operate the app:

ServiceRolePurposeData Shared
SupabaseData ProcessorAuthentication, database, file storageAccount data, trip data, profile photos, email
Google Gemini AIData ProcessorAI trip generation, AI chat conversations, and trip modificationsTrip preferences, destinations, dates, traveler count, chat messages, trip data
PostHogData ProcessorProduct analyticsUsage events, device identifiers, IP address
RevenueCatData ProcessorSubscription managementPurchase history, app user ID, subscription status
UnsplashIndependent ControllerCover photo suggestionsSearch queries (no personal data)
Google PlacesData ProcessorActivity location photosLocation names and addresses
ExpoData ProcessorPush notification deliveryDevice push tokens, notification content (transient)
WhereeData ProcessorLocation search suggestionsSearch queries (no personal data)
Apple / GoogleIndependent ControllersAuthentication, payment processingAuth tokens, purchase receipts

We may also share information when required by law, to protect our rights, or in connection with a merger or acquisition.

6. Data Shared Between Users

When you collaborate on a trip, other trip members can see:

  • Your name, username, and profile photo
  • Trip details, itineraries, activities, and locations for shared trips
  • Expense amounts, descriptions, and split details for shared trips

Your email address may be visible to other members of trips you collaborate on. Other users can find you by searching your username.

7. Data Retention

  • Account and trip data: Retained while your account is active. You can delete your account at any time from inside the app (Settings → Account → Delete Account); your data is removed immediately. If you cannot access the app, email support@travelle.app and we will process the request within 30 days.
  • Shared trips on account deletion: When you delete your account, shared trips that you own are automatically transferred to a co-member so the trip remains usable for the rest of the group. Trips you are a member of (but do not own) continue to exist for the other members; you are simply removed from the trip.
  • Push notification tokens: Removed from our servers when you sign out. Stale tokens are automatically cleaned up after 90 days of inactivity.
  • Trip invitations: Expired invitations are deleted automatically. Accepted or declined invitations are deleted after 30 days.
  • AI generation job data: Deleted after 30 days.
  • AI chat conversations: Retained while your account is active. Older messages may be summarized to manage conversation context. Deleted when you delete a conversation or your account.
  • Analytics data: Retained by PostHog per their data retention policies.
  • Subscription records: Retained as required by tax and accounting law.

8. On-Device Storage

Travelle stores data locally on your device to provide offline access and improve performance:

  • Secure storage: Authentication tokens are stored in your device's secure keychain (iOS Keychain / Android Keystore).
  • App preferences: Theme preference, notification settings, and trip display preferences.
  • Offline cache: Trip data, expense data, and images are cached locally so you can access them without an internet connection.

No browser cookies are used. Local data is cleared when you sign out or delete the app.

9. Data Security

We implement appropriate technical and organizational measures to protect your information:

  • Encryption in transit via HTTPS/TLS for all data transmission
  • Secure token storage using platform-native secure storage (iOS Keychain / Android Keystore)
  • Application-level authorization ensuring users can only access their own data and trips they are members of
  • Authentication tokens that automatically expire and refresh

No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

10. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users within 30 days of discovery and notify the relevant supervisory authorities within 72 hours as required by applicable law.

11. Your Rights

All Users

  • Access, update, or delete your profile information within the app
  • Delete your account and all associated data directly from inside the app at Settings → Account → Delete Account, or by emailing support@travelle.app if you cannot access the app
  • Manage push notification preferences within the app
  • Contact us at support@travelle.app for data requests

European Economic Area (EEA) Residents

Under the GDPR, you have the right to:

  • Access a copy of your personal data
  • Correct inaccurate personal data
  • Request erasure of your personal data ("right to be forgotten")
  • Restrict or object to processing
  • Data portability (receive your data in a structured, machine-readable format)
  • Withdraw consent at any time (without affecting the lawfulness of prior processing)
  • Object to automated decision-making (AI trip generation is an assistive tool only; it does not make binding decisions)
  • Lodge a complaint with your local data protection authority

We will respond to GDPR requests within 30 days.

California Residents

Under the CCPA/CPRA, you have the right to:

  • Know what personal information we collect and how it is used
  • Delete your personal information
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information (we do not sell or share your data for advertising)
  • Non-discrimination for exercising your rights

We will respond to CCPA requests within 45 days.

12. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States. Our service providers may process data in the United States or other jurisdictions. For transfers from the EEA, we rely on Standard Contractual Clauses and the EU-US Data Privacy Framework.

13. EU Representative

As a small company that does not engage in large-scale processing of personal data or special categories of data, we are not required to appoint a Data Protection Officer or EU representative under GDPR Articles 27 and 37. For all privacy inquiries from EEA residents, please contact us at support@travelle.app.

14. Children's Privacy

Travelle is not directed to children under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a person under 18, we will promptly delete that information and terminate the associated account. If you believe a child has provided us with personal data, please contact us at support@travelle.app.

15. Push Notifications

We send push notifications for trip updates, collaboration invitations, expense activity, and trip generation status. Notifications require your explicit opt-in consent through your device's operating system permission prompt. You can disable notifications at any time through the app settings or your device settings. When you sign out, your push notification token is removed from our servers. Tokens from uninstalled apps are automatically cleaned up within 90 days.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy in the app and updating the "Last updated" date. Your continued use of Travelle after changes constitutes your acceptance of the updated policy.

17. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Brezza Labs LLC
119 Eastwick Court
Hillsborough, New Jersey 08844
support@travelle.app