Trip Riff Privacy Policy

Last Updated: March 13, 2026

1.1 Scope

This Privacy Policy explains how Good Work Dojo LLC, doing business as Trip Riff and TripRiff ("Trip Riff," "we," "us," or "our"), collects, uses, discloses, and protects personal data when you use:

• https://tripriff.com and related pages, subdomains, and public profile URLs;
• Trip Riff public profile embeds, QR-based sharing flows, and social-sharing surfaces;
• Trip Riff transactional emails and invite features; and
• any related mobile applications, if and when made available.

1.2 Data Controller

For purposes of applicable privacy law, the data controller and operator of the Platform is:

Good Work Dojo LLC d/b/a Trip Riff Texas, United States Email: hello@tripriff.com

1.3 Important Note About Public Sharing

Trip Riff is designed to let users publish travel maps and connect with other travelers. If you enable a public profile or otherwise share your content, some of your information becomes visible to other users or the public as described in this Privacy Policy.

2.1 Account and Authentication Data

We collect account and login information, including:

• email address;
• password credentials submitted during sign-up or sign-in, which are processed through Supabase Auth rather than stored by us in plaintext;
• display name;
• authentication provider details, such as your name, email address, and profile image if you use Google OAuth, and if enabled on a supported client, Apple Sign In;
• account identifiers, profile identifiers, and session/authentication tokens;
• password reset and sign-in email workflow metadata.

2.2 Profile and Preference Data

We collect profile and settings information, including:

• avatar image and avatar URL;
• whether your avatar is custom;
• share slug or public profile URL;
• profile visibility status;
• map display mode;
• color scheme selections;
• auto-accept friend settings;
• public sharing preferences for trip details;
• notification settings, including group invite preferences.

2.3 Travel and Map Data

We collect the travel history and map data you choose to add, including:

• countries and U.S. states you mark as visited, lived in, or want to visit;
• trip type;
• trip start dates and end dates;
• trip ratings and written reviews;
• trip notes and journal-style text;
• activity tags attached to trips;
• visited-place counts, area coverage, population coverage, continent counts, streaks, and related travel statistics;
• achievements and badge history generated from your trip activity;
• recommendation inputs and outputs derived from your travel history and, where applicable, accepted-friend travel histories;
• photo map settings, such as selected place photo, focus point, and zoom.

2.4 Photos and Media

If you upload media, we collect:

• original photo files;
• compressed display versions of photos;
• storage paths and display paths for uploaded media;
• optional photo captions;
• avatar uploads.

Important: Trip Riff currently uses public-read object storage for trip photos and avatars. We control how photo records are surfaced inside the product, but if a public media URL is exposed through a shared profile, embed, friend feature, or export, the file may be accessible to anyone who has the URL.

2.5 Social and Community Data

We collect information needed to run friend and group features, including:

• friend requests and friendship status;
• profile referrals and invite-link activity;
• invite and referral identifiers;
• leaderboards, overlap comparisons, and group overlays;
• friend group names, group membership, and invite status;
• group invite timestamps;
• email address of a person you ask us to invite by email.

2.6 Communications Data

We collect data related to communications with you or communications you ask us to send, including:

• transactional emails for authentication, password reset, invitations, and service-related notices;
• invitation recipient email addresses entered by users;
• support or privacy inquiries you send to us;
• records needed to enforce invite rate limits and prevent abuse.

Trip Riff currently uses email for transactional and account-related messages. We do not currently operate a general marketing newsletter through the Platform.

2.7 Usage, Device, and Log Data

We automatically collect certain technical and usage information, including:

• IP address;
• approximate location inferred from IP at the network level;
• browser type, browser version, and operating system;
• device type and app/platform context;
• referring URL;
• pages viewed, features used, and timestamps;
• interaction data and analytics events;
• error and diagnostic information;
• request logs for hosted pages, APIs, and generated assets such as Open Graph images.

2.8 Cookies, Local Storage, and Mobile Secure Storage Data

We use and store the following device-side data:

• strictly necessary cookies for authentication and session continuity on the web app;
• local storage entries for cookie consent preferences;
• local storage entries for unauthenticated map-builder and explore selections;
• local storage entries for referral tracking so a public-profile visit can be associated with a later sign-up;
• secure token storage on supported mobile clients using device-level secure storage.

2.9 Device Permissions

If you use a mobile application, we may request device permissions, including:

• camera access to scan Trip Riff QR codes or invite links; and
• photo library access to upload travel photos.

We do not collect those contents unless you choose to grant permission and use the related feature.

2.10 Information We Receive From Other Sources

We may receive information from:

• authentication providers such as Google and, where enabled, Apple;
• other users who invite you, connect with you, or add you to a group;
• our service providers that host, deliver, secure, and analyze the Platform;
• publicly available or licensed geographic, demographic, and country-level datasets used for map, stats, and recommendation features. These datasets are not used to identify you directly.

2.11 Payment Data

Trip Riff does not currently process paid subscriptions through the Platform and does not currently collect or store payment card numbers or similar payment credentials.

3.1 To Provide the Platform

We use personal data to:

• create and administer accounts;
• authenticate users and maintain sessions;
• store and display travel maps, trip history, statistics, badges, and profile settings;
• host and display uploaded photos and avatars;
• generate public profile pages, embeddable maps, QR codes, and share links;
• support friend requests, group invites, leaderboards, overlays, and comparison features;
• send sign-in, password reset, invite, and other service emails.

3.2 To Personalize and Improve the Service

We use personal data to:

• generate automated travel insights and recommendations;
• calculate achievements, statistics, rankings, and group overlays;
• analyze product usage and improve the Platform;
• troubleshoot bugs, investigate incidents, and maintain performance and reliability.

3.3 To Protect Users and the Platform

We use personal data to:

• detect abuse, fraud, scraping, spam, and other misuse;
• enforce our Terms & Conditions;
• maintain security controls, logging, and access restrictions;
• comply with legal obligations and respond to valid legal process.

3.4 To Communicate With You

We use personal data to:

• send transactional or administrative emails;
• answer support and privacy requests;
• notify you of material service, security, or legal changes when required.

If you are in the EEA, UK, or another jurisdiction that requires a lawful basis for processing, we generally rely on the following:

4.1 Contract

We process personal data as necessary to provide the Platform and perform our contract with you, including account creation, authentication, map tracking, travel data storage, social features, exports, and transactional emails.

4.2 Legitimate Interests

We process personal data where it is necessary for our legitimate interests, including:

• running and improving Trip Riff;
• securing the Platform and preventing abuse;
• understanding product usage through privacy-friendly analytics;
• enforcing our agreements;
• operating invite, friend, and community features;
• generating recommendations, statistics, and travel insights.

4.3 Consent

We rely on consent where appropriate, including when you choose to:

• publish a public profile or share link;
• upload optional content such as photos or avatars;
• use certain device permissions;
• allow optional local storage preferences on your device.

You can withdraw consent for optional processing by changing your settings, removing the relevant content, revoking device permissions, or contacting us. Withdrawal does not affect processing that was lawful before withdrawal.

4.4 Legal Obligations

We process personal data where necessary to comply with applicable law, court orders, lawful requests, tax or accounting rules, and enforcement obligations.

4.5 Automated Processing

Trip Riff uses automated logic to generate travel statistics, achievements, rankings, overlays, and recommendations. These features do not make decisions that produce legal or similarly significant effects about you.

5.1 Public Profiles

If you set a public share slug or public profile URL, your profile becomes public. Public profile pages and embeds may display:

• your display name;
• your avatar;
• your travel map;
• visited countries and states;
• aggregate travel statistics and achievements;
• Open Graph and social preview images generated from public profile information.

5.2 Public Trip Details

If you keep public trip-detail sharing enabled, your public profile or embed may also reveal:

• trip dates;
• trip ratings;
• trip reviews; and
• photo-based map fills or similar public media displays.

If you disable public trip-detail sharing, Trip Riff suppresses those details on public profile and embed views.

5.3 Accepted Friends and Groups

Accepted friends and group features may reveal more information than the public profile, including map comparisons, leaderboards, place-level friend activity, and associated trip photos. Even if you disable public trip-detail sharing, accepted-friend features may still expose certain trip-level details and photos to connected users where the feature is designed to show that information.

5.4 Public Links, Embeds, and Caching

Once content is public, it may be copied, cached, screenshotted, re-shared, embedded, indexed, or stored by search engines, social platforms, other websites, and other users. We cannot control third-party reuse of public content once it has been disclosed.

6.1 Strictly Necessary Cookies

We use strictly necessary cookies to:

• authenticate you;
• maintain your session;
• protect the Platform and preserve basic functionality.

6.2 Local Storage

We use browser local storage to remember:

• cookie consent choices;
• temporary explore and map-builder selections for unauthenticated users; and
• short-lived referral information so a public-profile visit can be associated with a sign-up flow.

6.3 Mobile Secure Storage

On supported mobile clients, session tokens may be stored in device-level secure storage.

6.4 Analytics

We use Vercel Analytics to collect aggregated, privacy-friendly web analytics. We do not currently use advertising cookies, tracking pixels, or cross-context behavioral advertising technologies.

6.5 Your Choices

You can manage cookies and local storage through your browser or device settings, but some Platform features may stop working correctly if you block or clear strictly necessary technologies.

We do not sell personal data. We also do not share personal data for cross-context behavioral advertising.

We may disclose personal data only in the following circumstances:

7.1 Service Providers and Processors

We share data with the following service providers as needed to operate the Platform:

• Supabase: authentication, database hosting, and file storage;
• Vercel: website hosting, serverless execution, analytics, and related logs;
• Postmark: transactional email delivery for invitations and service emails;
• Google: authentication services if you sign in with Google;
• Apple: authentication services if Apple Sign In is enabled in a supported client and you choose to use it.

7.2 Other Users and the Public

We share information with other users or the public when required by product design or your choices, including:

• public profiles, embeds, and shared map links;
• accepted-friend features and group features;
• invite and referral workflows you initiate or accept.

7.3 At Your Direction

We disclose information when you ask us to do so, such as when you:

• send an invitation email;
• share your public profile or QR code;
• export or embed a map;
• connect with another user.

7.4 Legal and Safety Disclosures

We may disclose personal data if we believe in good faith that doing so is necessary to:

• comply with law or valid legal process;
• protect our rights, property, systems, or users;
• investigate fraud, abuse, or security incidents;
• prevent harm.

7.5 Business Transfers

If we are involved in a merger, financing, acquisition, reorganization, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction, subject to applicable law.

Third-party services operate under their own terms and privacy policies. We are not responsible for third-party practices once data is collected by the third party directly.

Current third-party integrations identified in the codebase include:

• Supabase;
• Vercel Analytics and hosting;
• Postmark;
• Google OAuth; and
• Apple Sign In only if enabled for a supported client build.

Trip Riff is operated from the United States. Your personal data may be transferred to and processed in the United States or other countries where we or our service providers operate.

If you are in the EEA, UK, or another jurisdiction with transfer restrictions, we will rely on recognized transfer mechanisms where required, such as contractual safeguards, and will take reasonable steps to ensure your data receives an adequate level of protection.

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Our general retention approach is:

10.1 Account and Profile Data

We retain account, profile, settings, friendship, group, and travel records for as long as your account remains active.

10.2 Travel Content and Media

We retain trips, notes, reviews, activities, map settings, photos, avatars, and related metadata until you delete them, close your account, or ask us to delete them.

10.3 Public Content

Public profile content remains public until you remove the public share slug, delete the content, make the profile private where available, or close the account. Copies cached or retained by third parties may persist beyond our control.

10.4 Invite, Email, and Security Records

We may retain invite logs, email-delivery records, fraud-prevention data, audit trails, and security logs for up to 24 months, or longer if reasonably necessary for legal, security, tax, accounting, or dispute-resolution purposes.

10.5 Deletion Timing

When you request deletion of your account or personal data, we generally delete or anonymize the relevant data within 30 days after verifying the request, except:

• where retention is required by law;
• where retention is necessary to establish, exercise, or defend legal claims;
• where backups or disaster-recovery systems require a limited additional retention period, which may last up to 90 additional days; or
• where data has already been shared publicly or retained by third parties outside our control.

We use administrative, technical, and organizational safeguards appropriate to the nature of the data we process, including:

• HTTPS/TLS encryption in transit;
• encryption at rest provided by our infrastructure providers;
• access controls and authentication safeguards;
• row-level security and scoped database/storage permissions;
• input validation and rate limiting in selected workflows;
• separation of privileged credentials from public client credentials;
• logging and monitoring for abuse and operational issues.

No system is perfectly secure, and we cannot guarantee absolute security.

12.1 EEA, UK, and Similar Rights

Depending on your location and subject to applicable law, you may have the right to:

• access the personal data we hold about you;
• correct inaccurate or incomplete personal data;
• request deletion of personal data;
• restrict certain processing;
• object to certain processing;
• receive a portable copy of certain personal data;
• withdraw consent where processing is based on consent; and
• lodge a complaint with your local data protection authority.

12.2 California and Other U.S. State Rights

Subject to applicable law, residents of California and certain other U.S. states may have the right to:

• know what personal data we collect, use, disclose, and retain;
• access specific pieces of personal data;
• correct inaccurate personal data;
• delete personal data;
• opt out of the sale or sharing of personal data; and
• receive equal service and pricing even if they exercise a privacy right.

Trip Riff does not sell personal data and does not share personal data for cross-context behavioral advertising, so there is no separate sale/share opt-out mechanism at this time.

You may also designate an authorized agent to make a request where permitted by law. We may ask for proof of authorization and verification of identity before fulfilling the request.

12.3 California Categories Disclosed in the Last 12 Months

In the last 12 months, we have collected the following California-style categories of personal information:

• identifiers and contact information;
• account credentials and authentication data;
• customer records and profile information;
• internet or network activity data;
• travel history, trip content, and user-generated content;
• photos, avatars, and other uploaded media;
• social graph and community data;
• inferences and recommendation signals derived from travel history and social data.

We disclose those categories to service providers, processors, other users, and the public as described in Sections 5 through 8.

12.4 How to Exercise Rights

To exercise a privacy right, contact us at hello@tripriff.com. We may need to verify your identity before completing your request. We will not discriminate against you for exercising a privacy right.

Trip Riff is intended only for adults age 18 and older. We do not knowingly collect personal data from anyone under 18.

If we learn that a person under 18 has provided personal data to us, we may delete the account and the related data without notice.

If you believe a person under 18 has provided personal data to us, contact us at hello@tripriff.com so we can investigate and take appropriate action.

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last Updated" date and, where required by law, provide additional notice such as an email or in-product notice.

For privacy questions, requests, or complaints, contact:

Good Work Dojo LLC d/b/a Trip Riff Email: hello@tripriff.com