TripFlash · Effective date: June 6, 2026 (v2.1). Local-first trip storage, hashed sign-in codes, zero analytics SDKs, in-app GDPR / UK GDPR controls, and EU AI Act transparency.
TripFlash is designed with privacy as a core principle. Your trips and bookings live on your device — local-first. Guest-mode users keep everything on-device, period. Signed-in users get an opt-in cloud backup of their trips so a lost device doesn't lose itineraries; you can delete that copy any time from Settings → Account.
As of v2.0, AI generation runs exclusively through TripFlash Cloud — our managed backend on AWS. No API key, no payment, no provider account on your side. When you generate a trip, a small amount of data is stored on our servers — listed in full below. The AI request body itself is never persisted — only token-count and cost metrics. The trip inputs you typed (city, base camp, points of interest) are saved as part of your trip — on your device always, and on TripFlash Cloud for signed-in users as part of the auto-cloud-backup. We collect no third-party advertising data, no behavioural analytics SDK, and no automatic crash telemetry. We do compute anonymized aggregate destination analytics on synced trips (see the Aggregated Analytics section).
UIDevice.identifierForVendor — an OS-provided value scoped to our Apple Developer Team ID (not the advertising identifier, not shared with other developers, explicitly sanctioned by Apple for fair-use / anti-fraud fingerprinting). Cached in the iOS Keychain (AfterFirstUnlockThisDeviceOnly, never iCloud-synced). On Android, Settings.Secure.ANDROID_ID — a 64-bit hex string scoped by Android to our app-signing key (NOT the advertising ID, no Google Play Services required, no runtime permission needed). Both persist across app reinstall (intentional — prevents resetting the 3-trip guest free quota by reinstalling). Sent to TripFlash Cloud on each signup, sign-in, and guest generation so rate-limit and guest counters stay accurate.
The following is stored in AWS DynamoDB in the US East (N. Virginia) region.
Free TripFlash — 3 free guest trips with no account, then sign in with email for 10 trips/day · 25/week · 50/month. Each trip counts as one credit no matter how many days it covers; reordering days locally is always free.
| Email address | So we can issue your one-time sign-in code and let you sign back in later. |
| 6-digit email sign-in codes | Never in plaintext. Only SHA-256(salt ‖ code) is stored, with a fresh random salt per code. Single-use, auto-deleted after ~10 minutes by DynamoDB native TTL. 5-attempt cap, 60-second resend throttle. Plaintext travels exactly once — from AWS SES to your inbox. |
| Per-device id | Used to prevent rate-limit reset abuse and to gate the 3-trip guest free quota. On iOS, a UUID seeded from UIDevice.identifierForVendor and cached in the iOS Keychain (Team-ID-scoped, not the advertising identifier). On Android, Settings.Secure.ANDROID_ID (signing-key-scoped, not the advertising id). Comes with a 30-day cooldown if you delete your account. |
| Guest-mode trip counter | Number 0–3 on the device-fingerprint row that caps free trips before sign-in. Reset to 0 once you sign in and claim your guest trips. |
| Rate-limit counters | Atomic daily / weekly / monthly counts per user. Auto-deleted at end of each window via DynamoDB TTL. |
| Per-call usage log | Timestamp, token counts, cost in USD, model used, IP address, refund flag. Used for fair-usage accounting and multi-year cost / usage analytics. Retained for 3 years (configurable via a server parameter). |
| Synced trips (Signed-in mode only) | Auto-uploaded to TripFlash Cloud right after every generation and edit. Each trip is stored as a collection of items (header, day cards, spots, packing list, AI summary) plus the latitude/longitude of the city and base camp. Auto-deleted 3 years after the trip's last edit. Guest-mode users have no trips stored server-side. |
| Server-side version history | When you edit a synced trip, a snapshot of the previous state is kept for 30 days (or the last 10 versions per item, whichever cap hits first). Lets you restore a recent edit. |
| Report-a-Problem submissions | Only if you write one. Includes your message, app version, OS version, device id, IP address, and (if signed in) your account id and email. Auto-deleted after 90 days. |
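The sign-in code handling listed in the table above (salted SHA-256, single use, 5-attempt cap, roughly 10-minute expiry), as an added example that is not TripFlash's own code. The record layout, the function names and the in-memory dict standing in for the DynamoDB row are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # "~10 minutes" in the policy
MAX_ATTEMPTS = 5        # "5-attempt cap" in the policy


def issue_code(now=None):
    """Return (plaintext_code, record). Only the record would be stored."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)  # fresh random salt per code
    record = {
        "salt": salt,
        "digest": hashlib.sha256(salt + code.encode()).digest(),
        "expires_at": now + CODE_TTL_SECONDS,  # would also drive the table's TTL
        "attempts": 0,
        "used": False,
    }
    return code, record


def verify_code(record, submitted, now=None):
    """Check a submitted code against the stored salted digest."""
    now = time.time() if now is None else now
    # DynamoDB TTL deletion can lag behind the expiry time, so the verifier
    # checks expires_at itself instead of relying on the row being gone.
    if record["used"] or now >= record["expires_at"]:
        return False
    # A 6-digit code has only 10**6 values, so the hash alone cannot stop
    # guessing; the attempt cap and the expiry are what bound it.
    if record["attempts"] >= MAX_ATTEMPTS:
        return False
    record["attempts"] += 1  # count the attempt before comparing
    candidate = hashlib.sha256(record["salt"] + submitted.encode()).digest()
    if hmac.compare_digest(candidate, record["digest"]):
        record["used"] = True  # single use
        return True
    return False
```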
Your prompts are not stored. When you generate an itinerary, the prompt (destination, dates, base camp, points of interest, bookings) is forwarded to Google Gemini for the duration of the call. We log only token counts and cost, not the prompt text.
Every change to a synced trip is streamed (via DynamoDB Streams) to a separate analytics store in AWS S3. Before any record is written, the pipeline strips and hashes the data:
| Dropped entirely | Nickname · Base camp address · User notes · Photo URLs · Free-text descriptions · Device id |
| Hashed with rotating salt | User id (the salt rotates monthly, so the same user shows up under a different hash each month — defeats long-horizon re-identification) |
| Kept as-is | City name · Latitude/longitude · Trip dates · Attraction name + category |
| Used for | "Top destinations this month", "Most-saved attractions in city X", aggregate trip-length distribution. Never queried per-user. |
| Retention | Raw analytics events auto-expire from S3 after 365 days. |
The analytics store is internal and never shared with third parties.
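The strip-and-hash step described above, as an added example that is not TripFlash's pipeline code. The field names, the use of HMAC-SHA256 keyed with the monthly salt, and the in-memory salt table are assumptions; the sample record is constructed.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Allow-list of fields the policy says are kept as-is (names are hypothetical).
# Anything not listed, including a field added to the schema later, is dropped.
KEPT = {"city", "lat", "lon", "start_date", "end_date",
        "attraction_name", "category"}

_salts = {}  # "YYYY-MM" -> random salt; stands in for a secrets store


def salt_for(when):
    """Return the salt for the month of `when`, creating it on first use."""
    month = when.strftime("%Y-%m")
    if month not in _salts:
        _salts[month] = secrets.token_bytes(32)
    return _salts[month]


def scrub(record, when):
    """Build the analytics event: keep allow-listed fields, hash the user id."""
    out = {k: v for k, v in record.items() if k in KEPT}
    out["user_hash"] = hmac.new(salt_for(when), record["user_id"].encode(),
                                hashlib.sha256).hexdigest()
    return out


# Constructed sample record, not real data.
SAMPLE = {
    "user_id": "u-1001", "device_id": "constructed-device-id",
    "nickname": "Summer trip", "base_camp_address": "1 Example Street",
    "user_notes": "call the hotel", "photo_urls": ["https://example.invalid/a.jpg"],
    "city": "Lisbon", "lat": 38.72, "lon": -9.14,
    "start_date": "2026-07-01", "end_date": "2026-07-05",
    "attraction_name": "Belem Tower", "category": "landmark",
}
```

Deleting a month's salt once that month's events are written is what makes the old hashes unlinkable to the user id; a salt that is kept lets the mapping be recomputed.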
Every time you generate, re-generate, or update a trip itinerary, TripFlash shows a data-sharing notice and asks your explicit permission before sending any data. You can cancel at any point — no data is sent until you tap Allow.
What the notice shows you each time:
| Sent to | TripFlash Cloud, which forwards the request to Google Gemini |
| Destination | The city you entered |
| Travel dates | Your start and end dates |
| Base camp | Hotel / accommodation name (if entered) |
| Interests | Your typed points of interest |
| Bookings | Flights, hotels, restaurants you've added (if any) — so the AI weaves them into the schedule |
Data flow: your prompt → TripFlash Cloud (AWS Lambda + Secrets Manager) → Google Gemini → response back the same way. The Gemini API key lives in AWS Secrets Manager and is never exposed to your device. The prompt is not stored on our servers — only token counts and cost are logged.
From Settings → Account:
You also have the right to rectification (Art. 16 — fix your email in Settings), restrict processing (Art. 18 — email support@navakriya.app), object to processing based on our legitimate interests (Art. 21 — email us), and not be subject to solely automated decisions with legal effects (Art. 22 — we do not make any such decisions). We respond to written requests within 30 days (GDPR Art. 12(3)).
Your local trips on the device are independent — Delete My Account does not touch them. Use the in-app Clear All Trips if you also want to remove them.
Data controller: Navakriya (the developer of TripFlash). For any privacy question, data-subject request, or breach inquiry, contact support@navakriya.app. Postal correspondence: see the developer contact details on our Google Play and Apple App Store pages, which are kept up to date.
This policy governs personal data processed for users in the European Economic Area (EEA) under the EU General Data Protection Regulation (GDPR), in the United Kingdom under the UK GDPR and Data Protection Act 2018, in Switzerland under the Federal Act on Data Protection (FADP), and in California under the CCPA/CPRA. Where these laws differ in the rights they grant, we apply the strongest applicable standard to your data.
Navakriya does not have an establishment in the European Union or the United Kingdom and does not currently appoint an Art. 27 representative. We rely on the exemption in GDPR Art. 27(2)(a) (and the corresponding UK GDPR Art. 27(2)(a) provision), having assessed that our processing meets each of its three conditions:
EEA and UK users can exercise every data-subject right — Art. 15 access, Art. 16 rectification, Art. 17 erasure, Art. 18 restriction, Art. 20 portability, Art. 21 objection, Art. 22 no-automated-decisions — directly with us at support@navakriya.app, in any official EU language or in English. We respond within the GDPR Art. 12(3) 30-day window.
You also retain the right to lodge a complaint with your local supervisory authority (see Your data rights above for the relevant authorities and links). If our processing footprint or establishment status changes such that the Art. 27(2)(a) exemption no longer applies, we will appoint a representative and update this section before that change takes effect.
Under Regulation (EU) 2022/2065 (Digital Services Act), Navakriya is identified as a trader on the Apple App Store and Google Play for EU users. The following contact point applies for matters covered by the DSA — notice-and-action submissions, orders from authorities under Art. 9 / Art. 10, and general inquiries — in addition to the privacy contact above.
| Trader / Service provider | Navakriya (developer of TripFlash). App Store and Play Store listings carry our verified developer name and address. |
| Single point of contact | support@navakriya.app — monitored for DSA notices and authority requests. We accept communications in English; messages in other EU official languages will be machine-translated and answered. |
| Notice-and-action submissions | Email the address above with subject line beginning [DSA Notice]. Include: the URL or in-app identifier of the content, your reasons for considering the content unlawful, your contact details, and a statement of good faith. We acknowledge receipt and act on valid notices without undue delay. |
| Orders from EU authorities | Authority orders under DSA Art. 9 / Art. 10 should be sent to the same address with subject line beginning [DSA Authority], signed by the issuing authority. We confirm receipt without undue delay and respond within the deadlines set by the order. |
| Internal complaint-handling | If you disagree with a content decision we make against your trip-share file or account, reply to our decision email within 6 months to open an internal complaint. We review complaints individually, not by automated means, and respond within 30 days (DSA Art. 20). |
Languages. Our single contact point is operated in English. Notices, orders, and complaints sent in any official EU language are machine-translated upon receipt and answered in the same language. If our EEA usage grows to a level where a localised contact point becomes appropriate (or if a supervisory authority requests one), we will publish per-language contact details here and update this section before that change takes effect.
| Email address & sign-in codes | Contract performance — Art. 6(1)(b). We need these to give you an account and authenticate you. |
| Per-device id & guest-mode counter | Legitimate interest — Art. 6(1)(f). Preventing abuse of the free guest quota and rate-limit reset by repeated reinstalls. We use the minimum identifier each OS sanctions for this purpose (no advertising id). |
| Rate-limit counters & usage logs | Legitimate interest — Art. 6(1)(f). Operating a fair-use service, billing reconciliation, abuse and cost-overrun detection, multi-year cost analytics. |
| Synced trips (signed-in only) | Contract performance — Art. 6(1)(b). You asked us to back up and sync your itineraries across devices. |
| Aggregated analytics on synced trips | Legitimate interest — Art. 6(1)(f). Product improvement (top destinations, popular attractions). Identifiers are dropped or salt-rotated before write; never used per-user. You can opt out by not signing in (guest mode never enters the analytics pipeline). |
| Report-a-Problem submissions | Consent — Art. 6(1)(a). Captured only when you tap Send. Auto-deleted after 90 days. |
| AI prompt forwarding (data-sharing notice) | Consent — Art. 6(1)(a). Each generate / re-generate / update shows the in-app data-sharing notice and requires your explicit "Allow" before any data leaves the device. |
You can object to any processing relying on legitimate interest by emailing support@navakriya.app. We will weigh your specific situation against our interest and either stop or explain why we cannot.
TripFlash Cloud runs on Amazon Web Services in the US East (N. Virginia) region. If you use TripFlash from the EEA, UK, or Switzerland, personal data is transferred to the United States to be processed.
We rely on the following safeguards for that transfer, individually and cumulatively:
Sub-processors involved in the transfer:
You can request a summary of our transfer impact assessment by emailing support@navakriya.app.
If you believe we are processing your personal data unlawfully, you have the right to complain to a supervisory authority — in the EEA, the data protection authority of your country of residence or place of the alleged infringement (full list: edpb.europa.eu); in the UK, the Information Commissioner's Office (ico.org.uk); in Switzerland, the Federal Data Protection and Information Commissioner (edoeb.admin.ch). We would appreciate the chance to address your concern first — email support@navakriya.app.
TripFlash uses a large language model (Google Gemini, via TripFlash Cloud) to draft your itineraries. You are interacting with AI-generated output, not human-curated content.
AI-generated suggestions may contain inaccuracies — opening hours, ticket prices, addresses, transit times, restaurant availability, and similar factual details should be verified before you rely on them for booking or travel decisions. TripFlash is a planning aid, not an authoritative source.
We do not use AI for any decision producing legal or similarly significant effects about you (no eligibility, pricing, employment, credit, or law-enforcement decisions). The AI's role is limited to generating travel itinerary suggestions you can edit, accept, or discard.
Under our role classification in the EU AI Act, TripFlash is a deployer (not a provider) of a general-purpose AI model. The provider (Google) is responsible for foundation-model obligations; we are responsible for transparent disclosure to you (this section), instructing the model in line with its intended use, and providing meaningful human oversight (you review and edit every itinerary).
TripFlash aims to be usable by everyone, including users of assistive technologies. We target WCAG 2.1 Level AA as expressed in EN 301 549 for mobile applications: dynamic-type / text-scaling support (15% above the OS default by default), high-contrast theming in both light and dark modes, screen-reader labels on interactive controls, and respect for system reduced-motion settings.
If a part of the app is not accessible to you, please email support@navakriya.app with a description and we will treat it as a priority fix. Navakriya is a microenterprise as defined in EU Recommendation 2003/361/EC; certain EAA obligations are scaled accordingly, but we remain committed to addressing reported accessibility barriers.
The optional trip-sharing feature exports an encrypted file (AES-256-GCM) to your device's local storage or your chosen share target (AirDrop on iOS, Android share sheet, email, etc.). Navakriya does not have access to shared files or the passphrase used to encrypt them.
TripFlash is intended for users aged 13 and over. We do not knowingly collect data from children under 13. If you believe a child has provided data to us, email support@navakriya.app and we will delete the record.
If we make material changes to this policy, we will update the effective date above and post the revised policy at this URL. Continued use of the app after changes constitutes acceptance.
Questions about this policy or to exercise any of the rights above? Email us at support@navakriya.app.