Travolp.
Translation pending. Showing the English version. The localised text will appear here once published.

Privacy Policy

Effective date: 4 June 2026 Controller: Priorli Oy, Finland (the "Provider", "we", "us") Contact: contact@priorli.com

This is a plain-language draft prepared by the Provider. It is not legal advice and should be reviewed by a qualified privacy lawyer before going into production. Once finalised, please replace this notice and confirm the controller details.

Summary

We're Priorli Oy, the Finnish company behind Travolp. Travolp helps you plan trips and travel with a group, with the help of AI. To make that work, we collect things like your account info, the trip content you create, photos and location data when you choose to share them, and the messages you exchange inside the app. We use that data to run and improve the Service — and, only if you opt in, to measure app usage and how our ads perform — and we don't sell it.

This policy explains the details, in line with the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki 1050/2018).

Who is the controller of your data?

It depends on how you're using Travolp.

If you use travolp.priorli.com (or a successor domain operated by us directly), Priorli Oy is the controller of your personal data.

If you use a Travolp-powered app or website branded by a travel agency, the travel agency is typically the controller of the personal data they collect about their customers (you, the tourist). Priorli Oy acts as their processor for the platform's technical operation — we run the servers and the software, but the agency decides what to do with the data. Please consult that agency's own privacy notice for their specific practices.

Priorli Oy is the controller of operational data needed to run the platform itself (e.g., security logs, billing data with the agency).

What we collect

Account and identity

  • Email address, name, and avatar (provided by you or by your single-sign-on provider, currently Clerk).
  • Authentication tokens and session data.
  • Your tenant/agency membership and role (e.g., traveler, planner, agency admin).

Trip content

  • Trips, destinations, dates, stops, notes, and any other content you add.
  • Documents you upload to import trips (e.g., booking PDFs, itineraries).
  • Chat threads inside trips, including group and AI-assistant conversations.

Photos

  • Photos you upload (including their EXIF metadata such as GPS coordinates and timestamps), which we may use to sort them onto the right trip stop.
  • When you use our photo-matching or "Lens" identification features, a downscaled copy of the photo is sent to our AI providers to recognise the place or object (see "AI processing").

Location

  • Your device's location when you explicitly enable live location sharing inside a trip. If you turn this on, your location may continue to be shared with your trip group while the app is in the background, until you stop sharing.
  • If you opt in to automatic visit detection ("passive" location sampling), your device may detect when you arrive at and leave places so we can mark stops for you automatically. This is off by default, can be switched off at any time, and these visit records are kept for about 90 days.
  • Geofences around your trip's stops, used to detect arrivals (evaluated on your device).
  • Coarse location derived from your IP address for security and abuse-prevention.

Voice input (optional)

  • When you speak to the in-app AI guide instead of typing, your speech is converted to text by your device's or our speech-recognition service. We process the resulting text — not a stored recording of your voice.

Messaging channel identifiers (optional)

If you opt in to receive notifications through external messaging platforms, we store the handle you've provided for that channel:

  • Zalo phone number (Zalo OA / ZNS)
  • WhatsApp Business number
  • LINE user ID
  • SMS phone number
  • Facebook Messenger PSID

Bookings and payments

  • If you book a tour or accept a paid trip offer, we store the booking details (dates, number of travelers, price, currency) and the payment status.
  • Card payments are handled by our payment provider, Stripe. We never receive or store your full card number.

Usage and device data

  • Device type, operating system, app version, language preference.
  • Pages visited, features used, error logs, crash diagnostics, performance metrics.
  • Push notification tokens (issued by Apple or Google) so we can deliver notifications to your device.
  • IP address.

On iOS we do not use the advertising identifier (IDFA) and we show no App Tracking Transparency prompt. On Android, a device advertising identifier is used only if you opt in to analytics and ad measurement (below). We do not track you across other companies' apps or websites.

Analytics and advertising measurement (optional)

This is off by default. You can turn it on with the Analytics & ads toggle in Settings (mobile) or by accepting the cookie banner (web), and turn it off again at any time. When it's on, we collect:

  • Usage events — which screens you open and actions you take (for example, creating a trip, viewing a day briefing, or re-planning after a change) — via Google Analytics / Firebase Analytics.
  • Ad-install attribution — which ad or campaign led you to install or sign up. On the web this uses Google Analytics and Google Ads. On Android we read the Google Play Install Referrer and may use your device's advertising identifier. On iOS we use Apple's privacy-preserving SKAdNetwork and AdServices attribution — never the IDFA.

We use this to understand which features help travelers and to measure whether our ads reach the right people, so we can improve Travolp and spend our marketing budget wisely. The legal basis is your consent, which you can withdraw at any time. We don't use it to track you across other companies' apps or websites, and we don't sell it.

Cookies and similar technologies

We use a small number of strictly necessary cookies (e.g., for login sessions). On our website we also use analytics and advertising cookies from Google (Google Analytics and Google Ads) — but only after you accept them in the cookie banner. They stay off by default (Google Consent Mode is set to "denied" until you opt in), and you can change your choice at any time. We don't use cross-site tracking cookies for any other purpose.

Where we get your data

Mostly from you, when you sign up or use the Service. Some data comes from:

  • Clerk (our authentication provider), which gives us your verified email, name, and avatar.
  • Your device (location, photos, push tokens) — only with your OS-level permission.
  • Travel agencies, if a tour operator using Travolp adds you as a tourist on a trip they're building.

Why we use your data and our legal bases

What we doWhyLegal basis (GDPR Art. 6)
Create and operate your accountProvide the Service you signed up forContract (6(1)(b))
Generate AI itineraries, suggestions, summariesProvide the ServiceContract (6(1)(b))
Sort photos to stops, show maps, share locationsProvide the ServiceContract (6(1)(b))
Send notifications via email and messaging channelsProvide the Service; honor your opt-insContract / Consent (6(1)(a))
Detect and prevent abuse, fraud, and security incidentsKeep the Service safe for everyoneLegitimate interests (6(1)(f))
Monitor errors and crashes, keep aggregate operational metricsKeep the Service workingLegitimate interests (6(1)(f))
Measure app/web usage and ad performance (analytics, install attribution)Improve the Service and our marketing — only if you opt inConsent (6(1)(a))
Comply with laws and respond to legal requestsLegal obligationLegal obligation (6(1)(c))

We do not use your trip content or photos to train AI models. We do not sell or rent your personal data.

AI processing

When you use AI features (chat, smart-import, itinerary generation, photo matching, and the "Lens" place/object guide), the relevant content — which may include your trip details, messages, dictated questions, and a downscaled copy of a photo — is sent to our AI providers — currently Anthropic (Claude models) and OpenAI — for processing. These providers act as our processors and are contractually prohibited from using your content to train their models. The content is processed in their cloud regions (typically the United States) under appropriate transfer safeguards (see "International transfers" below).

Who we share data with

We share personal data only with parties that need it to help us run the Service:

Sub-processors (current list — subject to change with notice):

  • Clerk Inc. — user authentication (US, with EU data-residency options)
  • Anthropic, PBC — AI model inference (US)
  • OpenAI, L.L.C. — AI model inference (US)
  • Google LLC / Google Ireland Ltd. — push notifications (Firebase Cloud Messaging), crash diagnostics (Firebase Crashlytics), maps, places, and directions (Google Maps Platform), and — only if you opt in — usage analytics (Google Analytics / Firebase Analytics) and ad-campaign measurement (Google Ads)
  • Apple Inc. — push notification delivery to iOS devices (Apple Push Notification service) and, for our iOS ad campaigns, privacy-preserving install attribution (Apple Search Ads / AdServices and SKAdNetwork)
  • Mapbox, Inc. — interactive map rendering. On iOS, the Mapbox SDK also collects de-identified map-usage and location telemetry by default; you can opt out from any map via the ⓘ attribution control. On Android we disable this telemetry.
  • Stripe, Inc. — payment processing for tour bookings and paid offers (US)
  • Fly.io — application hosting and database (regional)
  • Email-delivery provider for transactional emails
  • Messaging-channel providers you opt in to: Meta Platforms (WhatsApp Business, Messenger), LINE Corporation (LINE Messaging API), Zalo / VNG (Zalo OA), Twilio or similar (SMS)

We may update this list. We'll publish updates here and, where appropriate, notify customers of material changes.

Other recipients:

  • Travel agencies you've chosen to work with, for the trips you share with them.
  • Other users you've invited or who have invited you, for the trip content you've shared with them.
  • Authorities, when we're legally required (court order, subpoena, etc.).

International transfers

Some of our processors operate outside the European Economic Area (notably in the United States). Where we transfer personal data outside the EEA, we rely on the European Commission's Standard Contractual Clauses together with the additional safeguards required under GDPR Article 46. Some US providers (including Google and Apple) are also certified under the EU–US Data Privacy Framework, which we rely on where applicable.

How long we keep your data

  • Account data: for as long as you have an active account.
  • Trip content, photos, messages: until you delete it, or until you close your account (after a short grace period of typically 30 days for accidental deletion recovery).
  • Security and audit logs: up to 12 months.
  • Aggregated or anonymised statistics: indefinitely (no longer personal data).
  • Backups: rolling backups for up to 30 days from the deletion event.

If law requires us to keep data longer (e.g., accounting records), we'll keep it for the required period.

Your rights under GDPR

You have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data ("right to be forgotten"), subject to legal retention requirements.
  • Restrict or object to certain processing.
  • Data portability — get your data in a machine-readable format.
  • Withdraw consent where processing is based on consent (e.g., messaging-channel opt-ins).
  • Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you. (We don't currently make such decisions.)

To exercise any of these rights, email contact@priorli.com from the address on your account. We'll respond within 30 days.

If a travel agency is the controller of your data (white-label scenario), please contact that agency directly. We'll forward requests we receive when the right controller is the agency.

Right to complain

If you believe we've handled your personal data unlawfully, you can complain to the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) — https://tietosuoja.fi — or to the supervisory authority in your EU country of residence.

Children

Travolp is not directed at children under 16. If you're under 16, please don't create an account. If we learn we've collected data from a child below the consent age in their country, we'll delete it.

Security

We use industry-standard measures to protect your data — encryption in transit (TLS), encryption at rest where supported by our infrastructure providers, access controls, and audit logs. No system is perfectly secure; if a breach affects you, we'll notify you and the relevant authorities as required by GDPR.

Changes to this policy

We may update this policy from time to time. We'll post the new version here with a fresh effective date. For material changes, we'll also notify you by email or in-app notice before the changes take effect.

Contact

For privacy questions or to exercise your rights:

Priorli Oy Email: contact@priorli.com

Priorli Oy · Helsinki, Finland

Version 2 · Effective June 4, 2026 · en-US (fallback)