How can we help?

Only what's needed to keep your account working: your email address (Signed-in mode only), a per-device id (UUID — on iOS seeded from identifierForVendor and cached in the Keychain; on Android, Settings.Secure.ANDROID_ID), and per-call usage logs (tokens, cost, timestamp — retained for 3 years for cost analytics). Sign-in codes are stored only as hashes with a 10-minute TTL. The AI request body itself isn't persisted — only token/cost metrics. The trip inputs you typed are saved as part of your trip: on your device always, and on TripFlash Cloud for signed-in users (auto-cloud-backup).

For Signed-in users, every trip auto-uploads to TripFlash Cloud right after generation and after every edit — you don't need to do anything. The Sync icon in the library is for the reverse direction: pulling cloud-only trips down to this device, resolving conflicts, and forcing an immediate retry if an auto-push failed. Synced trips are retained for 3 years from last edit. Server-side version history kept for 30 days (or last 10 versions). Guest-mode users have no cloud copy — uninstall = trips lost.

They upload to your new account automatically — you'll see a toast like "Claimed 3 guest trips" the first time you open the library after sign-in. The 3 guest generations count against that month's quota of 50, so you'd have 47 trips remaining for the rest of the month. The same physical device can't reset the 3-trip free quota by reinstalling — the device id is kept in the Keychain (iOS) / Keystore-protected store (Android).

If you edit the same trip on two devices and they each auto-push, the next manual Sync surfaces a side-by-side sheet showing "this trip changed in 2 places" with both versions. You pick one whole side to keep. v2.0 conflicts resolve at the trip level; per-day or per-spot conflicts are a future refinement.

AWS us-east-1 (Northern Virginia, United States). DynamoDB for metadata, AWS Secrets Manager for the AI provider key (never leaves the server). All traffic is HTTPS with JWT auth.

If Gemini returns a 5xx error, hits MAX_TOKENS (response truncated), times out, or returns something the client can't decode, the credit is automatically refunded. Two paths: if the AI provider errors out server-side, the counter rolls back before the response leaves our backend; if the response was returned but the app can't decode it, the app silently requests a refund with an ownership-gated request_id. A single generation can only be refunded once.

Before every generation (new plan, re-generate, or edit), TripFlash shows a data-sharing notice listing exactly what will be sent: your destination city, travel dates, base camp (if entered), and points of interest. Nothing is sent until you tap Allow & Generate. The request goes to TripFlash Cloud which then forwards it to the AI provider; the response comes back the same way.

Google Gemini 2.5 Flash, called from our backend. Configurable server-side per app so we can rotate models without an app update. Per-call cost is logged so the per-user fair-usage limits stay accurate.

Yes — on iOS today, and on Android when it ships. We resolve the destination city to its IANA time zone via on-device geocoding (no permission needed) and generate all activity times in that zone. Live Trip mode shows the destination wall clock so a user in NYC running a Tokyo trip sees Tokyo time. Departure reminders fire at the correct local time.

Yes — both rights are first-class buttons in Settings → Account. Export My Data downloads a JSON of everything TripFlash Cloud holds about your account (GDPR Article 15). Delete My Account permanently erases your record, devices, usage logs, and refund flags (GDPR Article 17). A 30-day cooldown prevents any email from registering this device, to defeat the delete-and-resignup loophole.

Open Settings → Help → Report a Problem. Describe what happened and tap Send. The report (plus your platform/OS version/app version/device id) lands in our backend with a 90-day TTL. You can submit reports even when signed out (or in guest mode), so problems with sign-in itself can still reach us.

Use Settings → Data → Clear All Trips for trips, or Sign Out if you just want to detach this device from your account. Delete My Account wipes both local and server-side data in one go.