Legal

Privacy Policy

Effective May 16, 2026

Travel2Gather is a group-travel app operated by softWHOOP, LLC, a Florida limited liability company ("Travel2Gather," "we," "us," or "our"). This policy explains what personal information we collect when you use our mobile app or visit travel2gather.app, how we use it, who we share it with, and the choices you have.

The short version

  • We collect only what we need to run the app — account info, the trips and content you create, and basic technical data.
  • We don't sell your data. We don't run ads. We don't share your content with advertisers.
  • We share the minimum necessary with the service providers that host the app (listed below).
  • You can delete your data from inside the app, or email us to request an export. Deleted accounts enter a 30-day recovery window, then are permanently removed within 90 days.
  • Travel2Gather is for users 18 years of age and older.

1. Information we collect

Account information

When you sign up, we receive:

  • Your email address and the display name on your Google or Apple account (if you sign in that way)
  • Your profile photo URL (only if your Google/Apple profile includes one)
  • A unique user identifier issued by Firebase Authentication

Profile details you provide

  • Display name
  • Phone number (optional)
  • Profile photo you upload
  • Friend code (generated for you; you can rotate it)

Content you create inside a trip

  • Trip details (name, destination, dates, privacy setting)
  • Activities, flights, carpools, shopping lists, to-do lists
  • Expenses and split allocations
  • Chat messages and poll responses in trip channels
  • Photos you upload to trip albums
  • Members, groups, and roles you assign

Relationships

  • Friend connections you accept
  • Trips you're invited to or a member of

Technical data

When you use the app or visit the website, we automatically receive some technical information through Firebase and our hosting provider:

  • IP address
  • Device type, operating system, and app version
  • Two hashed device identifiers used to enforce account bans and prevent abuse: a vendor-scoped install ID (Apple's Identifier for Vendor on iOS, an equivalent on Android) and a UUID we generate and persist in your device's secure storage. We never store the raw values — only one-way hashes — and we use them only to detect when an already-banned device tries to create a new account.
  • A push notification token (if you enable notifications) — used to deliver alerts via Apple's APNs and Google's FCM.
  • Timestamps for account creation, last login, and session activity
  • Error and crash diagnostics

Purchase and subscription data

If you buy a premium subscription or a premium trip credit (see our Terms §7), we receive purchase metadata from the platform store via our payment processor RevenueCat: subscription status, expiration date, auto-renewal state, store (Apple App Store or Google Play), product identifier, and original transaction identifier. We do not receive your payment card details — those are handled entirely by the platform store.

Product analytics

When product analytics are enabled in a given build, we send pseudonymous event metadata (screen views, feature interactions, error reports) keyed to your Firebase user identifier to PostHog so we can understand how the app is used and prioritize fixes. PostHog never receives the contents of your trips, messages, or photos. We do not operate any advertising or cross-app-tracking SDK.

Waitlist (website only)

If you submit your email on our waitlist form, we store that address so we can notify you when Travel2Gather launches. We don't use it for any other purpose. You can ask us to remove it at any time.

2. How we use your information

We use the information above to:

  • Create and maintain your account and let you sign in
  • Show you your trips and the content other trip members share with you
  • Deliver features like expense splitting, chat, and photo albums
  • Fetch place details and weather forecasts (Google Maps Platform — Places, Geocoding, and Weather APIs) for destinations you enter
  • Process premium subscription purchases and trip credits through Apple App Store, Google Play, and RevenueCat, and unlock the corresponding features on your account
  • Keep the service secure — detect abuse, throttle bad actors, recover from outages
  • Understand how the app is used (in aggregate) so we can prioritize features and fix bugs
  • Troubleshoot issues you report and improve the product based on what's broken
  • Comply with legal obligations

3. Who we share it with

Other trip members

When you add someone to a trip, the content you create in that trip (activities, expenses, messages, photos) is visible to the other members based on the trip's privacy setting and each person's role. If you don't want someone to see something, don't put it in a trip you've invited them to.

Service providers (sub-processors)

We use the following companies to operate Travel2Gather. They process your data on our behalf and are contractually limited to that use.

  • Google LLC — Firebase Authentication, Firestore (our database), Cloud Run (our backend), Cloud Storage (for uploaded photos), Google Sign-In, and Google Maps Platform (Places, Geocoding, and Weather APIs for location and forecast lookups). Google's privacy practices are described at policies.google.com/privacy.
  • Apple Inc. — Sign in with Apple. Apple's privacy practices are described at apple.com/legal/privacy.
  • Cloudflare, Inc. — Hosts the marketing website and waitlist form, and serves uploaded photos from the edge cache.
  • RevenueCat, Inc. — Subscription and in-app-purchase processing. Receives transaction events from Apple App Store and Google Play (subscription status, expiration, product id, transaction id) and relays them to our backend so we can keep your entitlements in sync. RevenueCat's privacy policy is at revenuecat.com/privacy.
  • PostHog, Inc. — Product analytics. Receives pseudonymous event metadata (screen views, feature interactions, error reports) keyed to your Firebase user identifier. Never receives the contents of your trips, messages, or photos. PostHog's privacy policy is at posthog.com/privacy.
  • Expo, Inc. — Mobile app build and update delivery, and push-notification relay (Expo Push forwards to Apple APNs and Google FCM). Expo's privacy policy is at expo.dev/privacy.

Legal requests

We'll disclose your information if we're required to by law (subpoena, court order, etc.) or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Travel2Gather, our users, or the public.

Business transfers

If Travel2Gather is acquired, merges with another company, or sells assets, your information may transfer to the acquirer. We'll notify you before your information becomes subject to a different privacy policy.

We do not sell your information.

We don't share your personal information with third parties for their own marketing purposes.

4. How long we keep your information

  • While your account is active: we keep your account and content as long as your account exists.
  • After you delete your account: your account is soft-deleted for 30 days. You can recover it in that window by signing back in — the app will show a "Recover" banner that undoes the deletion. After 30 days, your personal data and content are hard-deleted from our live systems within 90 days of the original deletion request.
  • Backups: copies may persist in encrypted backups for a short additional period until those backups rotate out (typically 30 days). We don't restore individual data from backups except for disaster recovery.
  • Content shared with others: messages and items you created inside a trip may continue to be visible to the remaining trip members after you leave the trip or delete your account. We attribute such content to "Former Member" once your account is removed.
  • Waitlist emails: kept until we send the launch notification, then deleted.
  • Legal or security reasons: we may keep certain records longer when required by law or to investigate fraud or abuse.

5. Your choices and rights

You can:

  • Edit your profile information inside the app
  • Leave any trip at any time from the trip's Members screen
  • Delete your account from Settings — this triggers the deletion timeline described below
  • Email legal@travel2gather.app to request an export, correction, or deletion

Deleting your account

To delete your Travel2Gather account and the personal information associated with it, open the app, go to Settings, and tap Delete Account. Your account is soft-deleted for 30 days — sign back in within that window to recover it. After 30 days, your personal information is hard-deleted from our live systems within 90 days of the original deletion request, with copies in encrypted backups rotating out within approximately 30 additional days. Content you shared inside a trip may remain visible to other trip members, attributed to "Former Member." See Section 4 above for the full retention timeline.

If you can no longer access the app — for example, you've uninstalled it or lost access to your sign-in credentials — email legal@travel2gather.app from the address associated with your account and we'll process the deletion on your behalf.

California residents (CCPA / CPRA)

If you are a California resident, you have the right to (1) know what personal information we have collected about you, (2) request deletion of that information, (3) correct inaccurate information, and (4) not receive discriminatory treatment for exercising these rights. You can exercise these rights by emailing legal@travel2gather.app. We verify requests using the email address associated with your account. We do not sell personal information and do not share it for cross-context behavioral advertising.

Users in the EU, EEA, or UK (GDPR / UK GDPR)

If you are in the EU, EEA, or UK, you have rights to access, correct, delete, restrict, and port your personal information, as well as to object to processing. Our lawful bases for processing are:

  • Contract — to provide the app after you sign up
  • Legitimate interests — to keep the service secure and improve it
  • Consent — where required by law (e.g., optional device permissions)
  • Legal obligation — when we must comply with the law

You can lodge a complaint with your local data-protection authority. We act as the controller of your personal information.

6. Security

We use TLS to encrypt data in transit. Data at rest is stored in Google-managed infrastructure with industry-standard encryption. We restrict access to production data to a small number of authorized personnel, and we enforce authentication on all API endpoints.

That said, no internet service is 100% secure. If we detect a data breach that affects your personal information, we will notify you as required by applicable law.

7. International data transfers

Our servers are operated by Google Cloud in the United States. If you access Travel2Gather from outside the United States, your information will be transferred to and processed in the United States, which may have different data-protection laws than your home country.

8. Children

Travel2Gather is for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has given us personal information, contact us at legal@travel2gather.app and we'll delete it.

9. Links to other services

The app and website may link to third-party services (Google Maps, airline websites, etc.). We aren't responsible for their privacy practices — when you click out, you're on their terms.

10. Changes to this policy

We may update this policy from time to time. If the change is material, we'll notify you in the app or by email before it takes effect. The "Effective" date at the top of this page always reflects the current version.

11. Contact us

softWHOOP, LLC
Email: legal@travel2gather.app