Privacy Policy

Version: 1.0
Effective Date: 23 January 2026
Last Updated: 23 January 2026


Plain English Summary

We're Tripsdock, and we help clubs and groups organise trips. We collect your contact details, emergency information, and trip preferences so clubs can run safe, well-organised activities. Your emergency information (next of kin, insurance details) is only shared with your assigned ICE holder on each trip—not with club admins or anyone else. You can export all your data, update it anytime, or delete your account when you're done using our platform.


1. Who We Are

Company Name: OKInvent Limited
Trading As: Tripsdock
ICO Registration: [Registration Number - To Be Added]
Contact Email: help@tripsdock.com
Address: [Company Registered Address]

Tripsdock is a Software-as-a-Service (SaaS) platform that helps clubs and groups organise and manage trips.


2. What This Policy Covers

This Privacy Policy explains how we collect, use, store, and protect your personal information when you:

  • Create an account on Tripsdock
  • Join a club or group that uses our platform
  • Register for trips
  • Provide emergency contact information
  • Use any features of our platform

This policy applies to all users, including club organisers, administrators, and trip participants.


3. What Personal Data We Collect

3.1 Account Information

When you create an account (either yourself or when invited by a club), we collect:

  • Full name
  • Email address
  • Password (stored encrypted—we never see your actual password)
  • Phone number
  • Home address

3.2 Emergency Contact Information (ICE - In Case of Emergency)

For trip safety, you provide emergency contact details that will be shared with your assigned ICE holder on each trip:

  • Emergency Contacts: Up to 3 contacts (e.g., spouse, family member, friend) with name, phone number, and relationship to you
  • Travel Insurance: Insurance company name and emergency contact number
  • Breakdown Cover: Company name and emergency contact number
  • Trip Notes: Optional free-text field for any information you want your ICE holder or trip organiser to know

ICE Holder Assignment: For each trip, the trip organiser assigns you an ICE holder (another trip participant). Your ICE holder can view all your emergency information ONLY when you're both registered on the same trip. This ensures someone physically present knows how to contact your next of kin and insurers if you're injured or in an accident.

Important: We do NOT collect medical information, health conditions, medications, allergies, or insurance policy numbers. Your insurance company already has your complete medical records - your ICE holder just needs to know how to contact them with your name.

3.3 Trip Participation Data

When you register for trips:

  • Trip registration: Which trips you're attending
  • Vehicle details (optional): Make, model, registration (for group coordination, if applicable)
  • Payment records: Transaction IDs from Stripe (we don't store card details)

3.4 Financial Information (Group Owners Only)

For groups receiving participant payments:

  • Bank account name
  • Sort code
  • Account number

Note: This is stored securely to transfer participant trip fees directly to groups. Tripsdock only collects a small platform fee via Stripe.

3.5 Photos

  • Profile photos: Optional photo for your account
  • Trip gallery images: Photos you upload as part of trip reviews

Photo Ownership: When you upload photos to trip galleries, you transfer ownership of those photos to the group. This allows groups to maintain complete trip documentation and memories. By uploading, you confirm you have the right to transfer ownership and that the photos don't infringe anyone else's rights.

Appearing in Photos: By participating in trips, you consent to appearing in group photos taken by other participants. Trip photos are owned by the group and may remain in their gallery even after you leave. If you have concerns about appearing in specific photos, contact privacy@tripsdock.com and we'll work with the group organiser to address your request.

3.6 Technical Information

We automatically collect:

  • IP addresses
  • Browser type and version
  • Device information
  • Pages visited and actions taken
  • Login times and session duration

This is standard for all websites and helps us keep the platform secure and running smoothly.


4. Why We Collect This Data (Purpose)

4.1 Service Delivery

Legal Basis: Contract necessity (GDPR Article 6(1)(b))

We need your information to:

  • Create and manage your account
  • Let you register for trips
  • Enable club organisers to plan trips (headcount, vehicle details where applicable)
  • Process payments
  • Send you notifications about trip updates

4.2 Emergency Coordination

Legal Basis: Vital interests (GDPR Article 6(1)(d)) and Contract necessity

Your emergency contact information allows:

  • Your ICE holder on each trip to contact your next of kin if you're injured or in an accident
  • Emergency services to reach your insurance company with your name (they already have your medical records)

Privacy by Design: Only your assigned ICE holder can see your emergency contact details—not club admins, not platform admins, not other participants. ICE holders are assigned by trip organisers and can only view your emergency information when you're both registered on the same trip.

4.3 Platform Improvement

Legal Basis: Legitimate interests (GDPR Article 6(1)(f))

We use anonymised usage data to:

  • Improve features
  • Fix bugs
  • Understand which features are most valuable
  • Make the platform easier to use

4.4 Legal Compliance

Legal Basis: Legal obligation (GDPR Article 6(1)(c))

We keep financial records for 7 years to comply with HMRC requirements.

4.5 Photos and Trip Documentation

Legal Basis: Legitimate interests (GDPR Article 6(1)(f))

Trip photos serve the club's legitimate interest in documenting activities and building community. Your interest in privacy is balanced by:

  • Photos being used only for club documentation and memories (not commercial purposes)
  • Photos requiring admin review before publication
  • Your ability to request removal of photos where you appear
  • Photos being accessible only to club members

5. How Long We Keep Your Data

Data Type | Retention Period | Reason
Active accounts | While your account is active | Service delivery
Inactive accounts | 12 months after last trip participation | You might come back for future trips
Financial records | 7 years after transaction | HMRC legal requirement
ICE information | Until 12 months after last trip | Emergency coordination
Trip photos | Indefinitely (unless deleted by club) | Club memories and documentation
Anonymised analytics | Indefinitely | Platform improvement (cannot identify you)

After 12 months of inactivity, we'll email you to ask if you want to keep your account. If you don't respond within 30 days, we'll automatically delete your account and anonymise your trip history.

You can delete your account anytime via Account Settings → Delete Account.


6. Who Can Access Your Data

6.1 You

You can view and edit all your data anytime via your Account Settings.

6.2 Club Organisers and Trip Admins

Can see (for their club only):

  • Your name, email, phone number
  • Trip registrations and preferences
  • Vehicle details (if provided)

Cannot see: Your emergency contacts, insurance details, home address

6.3 Your ICE Holder (Assigned by Trip Organiser)

Only when you're both registered on the same trip:

  • Can view all your emergency contact information (contacts, insurance details, trip notes)
  • Every view is logged in an audit trail
  • Assignment is controlled by trip organiser, not by you

Note: Your ICE holder changes for each trip based on organiser assignments. You cannot choose your own ICE holder.

6.4 Tripsdock Team

Very limited access:

  • Platform administrators can view account data only when necessary for support requests or technical issues
  • Emergency contact (ICE) data is NOT accessible through admin interfaces
  • Database-level access to ICE data occurs only in exceptional technical circumstances (e.g., data corruption, disaster recovery) and is fully logged
  • All admin actions are logged in an audit trail

6.5 Third-Party Service Providers

We use trusted services to run the platform. All have Data Processing Agreements (DPAs) with GDPR compliance guarantees:

Provider | What They Process | Their Privacy Policy | Location
Supabase | All application data (accounts, trips, ICE information), file storage (photos) | supabase.com/privacy | EU (Germany)
Stripe | Payment processing (we only see transaction IDs) | stripe.com/privacy | Global (GDPR compliant)
Vercel | Hosting, IP addresses, request logs | vercel.com/legal/privacy-policy | Global (GDPR compliant)
Resend | Email delivery (invitations, notifications) | resend.com/legal/privacy-policy | Global (GDPR compliant)
Cron-job.org | Scheduled task triggers (does not access personal data) | cron-job.org/en/privacy/ | N/A

Important: These providers only process data according to our instructions and cannot use your data for their own purposes.

Data Processing Agreements: We have Data Processing Agreements (DPAs) in place with all third-party processors, ensuring they handle your data in compliance with GDPR and only according to our instructions. Copies of these agreements are available upon request.


7. Your GDPR Rights

You have the following rights under UK GDPR:

7.1 Right to Access (Article 15)

Request a copy of all your data.

How: Account Settings → Export Data (JSON format) or email privacy@tripsdock.com

7.2 Right to Rectification (Article 16)

Correct inaccurate or incomplete data.

How: Account Settings → Edit Profile, or contact your club admin

7.3 Right to Erasure / “Right to be Forgotten” (Article 17)

Delete your account and personal data.

How: Account Settings → Delete Account

What Happens:

  • If you have upcoming trip registrations, they'll be automatically cancelled and trip organisers will be notified
  • Your personal data is deleted immediately
  • Financial records are retained for 7 years but anonymised (name replaced with “User_[ID]”)
  • Your past trip participation history is anonymised (name replaced with “Former Member”)
  • Trip photos you uploaded remain with the club (ownership transferred at upload)

7.4 Right to Data Portability (Article 20)

Export your data in a machine-readable format.

How: Account Settings → Export Data (JSON format)

7.5 Right to Object (Article 21)

Object to processing based on legitimate interests.

How: Email privacy@tripsdock.com with specific objection

7.6 Right to Restrict Processing (Article 18)

Temporarily freeze your data.

How: Email privacy@tripsdock.com

7.7 Right to Withdraw Consent

For any processing requiring consent, you can withdraw it anytime.

How: Account Settings or email privacy@tripsdock.com

Response Time: We'll respond to all requests within 30 days (or explain why we need more time).

Photo Appearance: If you have concerns about appearing in specific trip gallery photos (e.g., safety reasons, privacy concerns), email help@tripsdock.com with details. We'll work with the club organiser to address your request where reasonably possible, though removal cannot be guaranteed for all historical group photos.


8. Data Security Measures

We take security seriously:

8.1 Encryption

  • In transit: All data encrypted with TLS/HTTPS
  • At rest: Database encryption for all stored data
  • Passwords: Hashed using industry-standard algorithms (we can't see your password)

8.2 Access Controls

  • Row Level Security (RLS): Database policies enforce who can see what
  • Subdomain isolation: Each club has its own URL, preventing cross-org data leaks
  • Role-based access: Members, admins, and owners have different permission levels

8.3 Audit Logging

  • All ICE data views logged with timestamp and viewer identity
  • All admin actions logged
  • All authentication events logged

8.4 Infrastructure Security

  • EU region hosting (Supabase eu-west-2, London)
  • Regular security updates
  • Automated backups
  • DDoS protection

8.5 Human Security

  • Staff trained on GDPR and data protection
  • Access to production data requires justification and is logged

No system is 100% secure. If we experience a data breach, we'll notify you and the ICO within 72 hours as required by law.


9. International Data Transfers

Primary hosting: All data stored in the United Kingdom (Supabase, London region - AWS eu-west-2).

UK Adequacy: The UK has been granted an adequacy decision by the EU Commission, meaning UK data protection standards are recognised as equivalent to GDPR. Data stored in the UK benefits from the same protections as EU-stored data.

Third-party services: Some providers (Stripe, Vercel, Resend) may process data globally but have Standard Contractual Clauses (SCCs) and GDPR compliance guarantees ensuring adequate protection for international transfers.

We do NOT transfer data to countries without adequate data protection laws unless we have specific safeguards in place.


10. Cookies and Tracking

We use essential cookies to:

  • Keep you logged in
  • Remember your preferences
  • Prevent security issues (CSRF protection)

No advertising or tracking cookies. We don't sell your data or track you across other websites.

Cookie Settings: You can disable cookies in your browser, but this will break login functionality.


11. Children's Privacy

Tripsdock is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has created an account, email privacy@tripsdock.com and we'll delete it immediately.


12. Changes to This Policy

We may update this policy from time to time. When we do:

  1. Minor changes (clarifications, typos): Version number incremented (e.g., 1.0 → 1.1), no re-consent required
  2. Material changes (new data collection, new purposes): Version number incremented (e.g., 1.0 → 2.0), you'll be asked to review and consent again

You'll be notified via:

  • Email to your registered address
  • In-app notification on next login
  • Notice on homepage

Effective date is shown at the top of this document. Continued use after the effective date means you accept the changes.

Previous versions are archived at https://tripsdock.com/privacy/archive/[version]


13. Data Breach Notification

If we experience a data breach that affects your rights and freedoms, we will:

  1. Notify the ICO within 72 hours (legal requirement)
  2. Notify you without undue delay via email if the breach poses a high risk to you
  3. Explain what happened, what data was affected, and what we're doing about it
  4. Provide advice on protecting yourself (e.g., changing passwords)

You have the right to lodge a complaint with the ICO if you're unhappy with how we handle a breach.


14. Contact Information

For privacy questions, data requests, or concerns:

Email: privacy@tripsdock.com
Response Time: Within 5 business days

For general support:

Email: hello@tripsdock.com

Postal Address:
OKInvent Limited
[Registered Company Address]

ICO Registration: [Registration Number - To Be Added]

To lodge a complaint with the UK regulator:

Information Commissioner's Office (ICO)
Website: ico.org.uk/make-a-complaint/
Phone: 0303 123 1113


15. Legal Entity Information

Data Controller:
OKInvent Limited
[Company Registration Number]
[Registered Address]

Governing Law:
This Privacy Policy is governed by the laws of England and Wales.

Jurisdiction:
Any disputes will be subject to the exclusive jurisdiction of the courts of England and Wales.


Last Updated: 23 January 2026
Version: 1.0 (Draft)

Note: This is a draft document. Before launch, it should be reviewed by a solicitor specialising in data protection law. Budget £300-500 for legal review.