Privacy Policy
Effective date: June 28, 2026
TripBoard ("the app") is developed by Nils Fragel. This policy explains how the app handles your data.
Data Storage and Sync
All data you create in TripBoard (trips, activities, expenses, and receipts) is stored on your device and synced to your personal iCloud account using Apple's CloudKit. This sync is handled entirely by Apple's infrastructure. We do not operate servers that store this data, apart from the optional mail-forwarding service described below.
Collaboration
When you share a trip with others, data is shared through iCloud using Apple's CloudKit sharing. Participant names and identifiers are managed by Apple. We do not collect or store this information separately.
Location
The app may request access to your location to help you find nearby places when adding activities or expenses. Your location is used on-device only and is not transmitted to any server. You can deny or revoke location access at any time in Settings.
No Tracking
TripBoard does not:
- Track you across apps or websites
- Use advertising identifiers
- Include any analytics or advertising SDKs
- Sell or share your data with third parties
App Store Analytics
TripBoard contains no analytics SDK of its own. However, Apple provides us with standard App Analytics through App Store Connect — aggregated, anonymised statistics such as downloads, app sessions, active devices, and crash reports. This data is collected and aggregated by Apple, cannot be used to identify you individually, and is only shared with us for users who have agreed to share analytics with app developers. You control this in Settings → Privacy & Security → Analytics & Improvements on your device, and it is governed by Apple's Privacy Policy.
Data on Your Device
The app stores your preferences (such as preferred currency and appearance mode) locally using UserDefaults. Receipt images are stored in the app's sandboxed file storage on your device and synced via iCloud.
Mail Forwarding Service
TripBoard offers an optional feature that lets you forward confirmation emails (for example flight or hotel bookings) into a trip. You enable it by registering and confirming your email address in the app. Registering is entirely voluntary; if you never enable it, none of the processing below takes place.
What we process
- Your email address — to recognise messages you forward and to send you a one-time confirmation link.
- The emails you forward and their attachments — the raw message is parked briefly so the TripBoard app on your device can fetch it. The app does the parsing and stores the result in your private iCloud account; our servers never see your trips and never write to iCloud.
- Routing metadata — sender, subject, date, size and the message identifier, used to deliver the message to the right account and to remove duplicates.
Processor and where data is stored
The forwarding service runs on Cloudflare, which acts as our processor (Auftragsverarbeiter) under a data-processing agreement. The service is configured for data residency in the European Union.
How long we keep it
- A forwarded message is stored for at most 3 days, or until your app retrieves it — whichever comes first. On successful retrieval it is deleted immediately.
- If you do not forward any email for one year, we email you a notice and delete your registration 30 days later unless you keep it active using the link in that notice.
- You can delete your registration — your email address, access token and any queued messages — at any time from Settings → Mail forwarding → Delete from our servers.
Legal basis
We process this data on the basis of your consent (Art. 6(1)(a) GDPR), which you give by registering your email address. You can withdraw it at any time by deleting your registration, with effect for the future.
Contact Form
Our website offers a contact form. If you use it, the name you optionally provide, your email address and your message are transmitted to us by email and used solely to handle your enquiry. We do not store these submissions in a database; the message lives in our mailbox like any other email, and your email address is set as the reply address so we can respond.
Spam protection (Cloudflare Turnstile)
To protect the form against automated abuse, it uses Cloudflare Turnstile. When you submit the form, Turnstile runs a verification challenge in your browser and may process technical information — including your IP address, browser characteristics and interaction signals — to distinguish humans from bots. Turnstile is designed to be privacy-friendly and, according to Cloudflare, is not used for cross-site advertising or tracking. This processing is carried out by Cloudflare as our processor; see Cloudflare's Privacy Policy. The legal basis is our legitimate interest in preventing spam and abuse (Art. 6(1)(f) GDPR).
To limit how many submissions come from a single source per day, we keep a short-lived counter keyed by a one-way hash of your IP address (not the IP itself). These counters are automatically deleted within a few days.
Where data is processed
The contact form and Turnstile verification run on Cloudflare's infrastructure. Cloudflare may process data outside the EU; appropriate safeguards (such as the EU Standard Contractual Clauses) apply.
Children's Privacy
The app does not knowingly collect personal information from children under 13.
Changes to This Policy
If this policy changes, the updated version will be posted at this URL with a new effective date.
Contact
If you have questions about this policy, contact privacy@tripboard.cloud.