Effective May 27, 2026
Privacy Policy
This policy explains what TeamTrips (“we”, “us”) collects when you use the Service, how we store and protect it, who else can see it, and how to delete your account. It applies to the Service governed by our Terms.
1. What we collect
Information you provide directly:
- Account: email address, optional display name, optional phone number, optional profile photo, theme and notification preferences.
- Team & roster: team names, team membership, roles, family/parent contact info you enter, and information about minors that coaches or parents add to a roster (children's names, jersey numbers, positions, optional birth dates).
- Trips & logistics: trip titles, locations, dates, lodging details, game times, packing checklists, and equipment assignments.
- Carpools: pickup locations, departure times, seat assignments, and rider names.
- Communications: announcements, direct messages, comments, mentions, and any attachments you upload.
- Payments: when you initiate or receive a payment we record the amount, currency, status, and the Stripe identifiers needed to reconcile the transaction. We do not store full card numbers, CVVs, or bank account numbers — those go directly to Stripe.
Information collected automatically:
- Authentication: session cookies issued by Supabase Auth; the IP address that generated each request (used for rate limiting and abuse prevention).
- Activity: records of significant actions you take in the Service (e.g. creating a team, posting an announcement, submitting a payment) so the activity feed and audit logs work.
- Server logs: standard request logs, including paths, status codes, user agents, and error stack traces, retained for security and debugging.
We do not currently use third-party advertising cookies or web-tracking pixels.
2. Where it's stored
All application data is stored in a hosted Postgres database and object storage bucket provided by Supabase, in the United States region. The application itself runs on Vercel (also United States). Backups, encryption-at-rest, and TLS-in-transit are inherited from those providers.
3. Who can see what — Row-Level Security
TeamTrips uses Postgres row-level security (RLS) so the database itself enforces visibility rules. As a rule of thumb:
- Personal account data (your settings, profile, notification preferences) is visible only to you.
- Team-scoped data (trips, carpools, expenses, announcements, comments, activity feed entries, family/roster info) is visible only to members of that team. Different roles (owner, admin, member, viewer) get different write permissions.
- Direct messages are visible only to the participants of that thread.
- Pending invitations show the invited email, the team they were invited to, and who invited them.
- Payment records are visible to the payer, the payee, and team admins for the relevant team.
Operationally, a small number of TeamTrips engineers may access production data when investigating bugs or abuse reports. Such access is limited to what is necessary, logged, and not used for any other purpose.
4. How we use it
- To operate the features you signed up for.
- To send transactional emails (sign-in links, invitations, payment receipts, mention and announcement notifications).
- To rate-limit abuse, detect fraud, and protect the Service's availability and security.
- To debug issues you report and fix bugs that affect reliability.
- To comply with legal obligations (tax, accounting, law-enforcement requests under valid process).
We do not sell your personal information, and we do not share it with advertisers.
5. Third-party processors
We rely on a short list of vendors to actually run the Service. Each receives only the data needed to do its job:
- Supabase — hosts the database, object storage (profile photos), and authentication. Sees all data you enter into the Service. Supabase Privacy.
- Vercel — runs the Next.js application and serves traffic. Sees request metadata (IP, headers, paths) and may briefly hold request bodies in memory. Vercel Privacy.
- Stripe, Inc. — processes payments. Receives cardholder name, card / bank credentials, billing information, and the amount you charge. We receive back only Stripe IDs and status metadata. Stripe Privacy.
- Resend — sends transactional emails on our behalf. Receives recipient email addresses and the rendered email body. Resend Privacy.
- Upstash — provides the Redis store used for rate limiting. Receives short-lived rate-limit keys derived from your user ID or IP; no message contents. Upstash Privacy.
- Google — handles “Sign in with Google” OAuth if you choose to use it. Receives the authentication request; we receive your Google email and profile name. Google Privacy.
6. Children
The Service is not directed to children under 13, and we do not knowingly allow children to create their own accounts. Coaches and parents may, however, enter a minor's name, jersey number, position, and similar roster information into a team — that information is treated as the entering adult's submission, is visible only to that team, and should be removed by the entering adult (or via our deletion process below) when no longer needed.
7. Retention
We keep your account data for as long as your account is active. When you delete your account we remove your profile, direct messages, and personal settings; team-scoped content you created (announcements, comments, messages, payments) may remain visible to the team minus your identifying information, so the rest of the team's history is not destroyed. Database backups are retained for up to 30 days before being overwritten.
Payment, invoice, and tax records are retained for as long as applicable law requires (typically 7 years).
8. Your choices
- Access / correction: most personal info is editable directly from your Profile and Settings pages.
- Notification preferences: manage email and in-app notifications under Settings → Account.
- Theme: light/dark preference is stored in a cookie on your device and can be cleared anytime.
- Account deletion: email support@teamtrips.app from the email address on your account and we will delete or anonymize your data within 30 days, except where retention is legally required.
Depending on where you live (e.g. California, the EU/UK), you may have additional rights — to access a copy of your data, port it to another service, restrict processing, or lodge a complaint with a regulator. Email us using the address above and we'll work with you to honor those rights.
9. Security
We rely on industry-standard practices: TLS in transit, encryption at rest at our hosting providers, row-level security in the database, rate limiting and CSRF protections at the application layer, and limited access controls for engineering staff. No system is perfectly secure. If you believe your account has been compromised, contact us immediately.
10. Changes
We may update this policy as the Service evolves. Material changes will be announced via email or an in-app banner; the “Effective” date at the top of this page will always reflect the current version.
11. Contact
Questions, deletion requests, or rights requests: support@teamtrips.app.
