1. Introduction
This Privacy Policy informs you about the nature, scope, and purpose of the processing of personal data when using the iOS app TravelAlly (hereinafter "the App") as well as the associated website at https://travelally.app and https://travelally.de (hereinafter "the Website").
TravelAlly is a travel planning and documentation app that allows you to organize trips, track expenses, plan activities, save places, and split costs with travel companions. We place the highest value on your privacy: the App is designed so that your travel data is stored primarily locally on your device. Data is only shared with third parties to the extent technically necessary for the provision of the respective features.
Your data is processed in accordance with the EU General Data Protection Regulation (GDPR), applicable national data protection laws, and other relevant data protection regulations.
2. Data Controller
The data controller within the meaning of Art. 4 No. 7 GDPR is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data:
Julian Abdallah
c/o IP-Management #8644
Ludwig-Erhard-Straße 18
20459 Hamburg
Germany
Website: https://travelally.app
Email: info@travelally.de
For any questions or concerns about data protection, please contact us at the email address above at any time.
3. General Information on Data Processing
Principles
We only process personal data to the extent necessary to provide a fully functional App, Website, and our content and services. Processing is carried out only on the basis of one of the following legal grounds under Art. 6 GDPR:
- Art. 6(1)(a) GDPR – Consent: You have explicitly consented to the processing (e.g. access to location, photos, or camera).
- Art. 6(1)(b) GDPR – Performance of a contract: Processing is necessary for the use of the App, the management of a subscription, or to process inquiries.
- Art. 6(1)(c) GDPR – Legal obligation: Processing is necessary to fulfill a legal obligation (e.g. tax retention periods).
- Art. 6(1)(f) GDPR – Legitimate interests: Processing serves legitimate interests (e.g. security, technical operation, retrieval of exchange rates).
If you have consented to the storage of cookies or access to information in your end device (e.g. via device fingerprinting), data processing is additionally carried out on the basis of § 25 para. 1 TDDDG (German law). Consent can be revoked at any time.
No User Account Required
Using TravelAlly requires no registration and no separate user account. Identification for iCloud synchronization and sharing is handled exclusively through the user's Apple ID, which is managed by Apple.
No Advertising, No Tracking
TravelAlly uses no advertising networks, no behavioral tracking, and no device fingerprinting techniques. No data is sold or passed on to third parties for advertising purposes.
4. Data Collection on the Website
Hosting by Cloudflare
This website is hosted externally. The personal data collected on this website is stored on the host's servers. This may primarily include IP addresses, contact requests, meta and communication data, website accesses, and other data generated via a website.
External hosting is carried out for the purpose of fulfilling contracts with our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of secure, fast, and efficient provision of our online offering by a professional provider (Art. 6(1)(f) GDPR).
We use the following host:
Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA
This website is delivered via Cloudflare Pages. Cloudflare may process technical data – in particular your IP address and metadata about your page visit. Cloudflare's servers are located in the United States and other countries worldwide. Cloudflare is certified under the EU-US Data Privacy Framework (DPF). For more information on Cloudflare's privacy practices, please visit: https://www.cloudflare.com/privacypolicy/.
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service.
Inquiry by Email
If you contact us by email, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for the purpose of handling your request. We do not pass on this data without your consent.
The processing of this data is based on Art. 6(1)(b) GDPR if your inquiry is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR); consent can be revoked at any time.
Local Storage (localStorage)
To save your preferred language setting (German or English), we use your browser's localStorage. This information is stored locally on your device. It is used exclusively for the technical provision of the website in your preferred language and does not constitute tracking. The legal basis for this is our legitimate interest in providing a user-friendly website (Art. 6(1)(f) GDPR) and technical necessity under § 25(2) No. 2 TDDDG (German law).
5. App: Data You Enter and That Is Stored Locally
Description of Data
All travel data you enter in TravelAlly is initially stored locally on your device in a Core Data database. This includes:
- Trip data: Trip name, description, start and end dates, currencies, payment methods
- Activities: Name, description, date, time, time zone, linked URLs
- Places: Name, address, coordinates (latitude/longitude), city, country
- Expenses: Amount, currency, date, description, category, notes, payment method
- Cost splitting: Allocation to travel companions, settlement payments (amounts and dates)
- Travel companions: Display name, role (owner, editor, viewer), status, optional group name
- Photos: Images saved as activity attachments
- Documents: Files attached to expenses and activities (e.g. receipts, PDFs)
- Categories: Custom expense categories
Purpose and Legal Basis
This data is processed exclusively for the purpose of travel documentation and management – in other words, for the core purpose of the App, which you determine through your own inputs. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).
6. App: iCloud Synchronization (CloudKit)
If you are signed in with an Apple ID in your iPhone settings and have iCloud Drive enabled, TravelAlly automatically synchronizes your travel data across your Apple devices via Apple CloudKit. Synchronization uses a private iCloud container, which only you can access.
Synchronization serves to keep your travel data available across devices (Art. 6(1)(b) and (f) GDPR). Storage and transmission in iCloud is carried out by Apple Inc. as a data processor.
You can disable synchronization by going to Settings → Apple ID → iCloud → Apps Using iCloud and toggling off TravelAlly.
7. App: Sharing Trips – CloudKit Sharing
TravelAlly offers a sharing feature that allows you to share individual trips with other people. A CloudKit Share is created and an invitation link is generated. The shared trip data is stored in Apple's shared CloudKit database.
People who accept the invitation link gain access to the shared data. An anonymous CloudKit user identifier generated by Apple is used to identify travel companions.
Important Notice: By sharing a trip, all data contained in that trip becomes visible to all invited persons. Do not share trips with people you do not trust. The legal basis is your consent through the deliberate act of sharing (Art. 6(1)(a) GDPR).
8. App: Location Data
TravelAlly can – with your explicit permission (Art. 6(1)(a) GDPR) – access your device's current location. This is used for displaying your location on the map view and assisting with address searches.
Access occurs only while the App is actively in use. Your location is not permanently stored and not transmitted to our servers. You can revoke permission at any time in iOS Settings.
9. App: Photos and Documents
TravelAlly can, with your permission (Art. 6(1)(a) GDPR), access your photo library or camera to add photos to activities. Selected photos and attached documents (e.g. receipts) are stored locally and, if CloudKit is enabled, synchronized to iCloud as encrypted assets. You can revoke permissions at any time in iOS Settings.
10. App: Exchange Rates – ExchangeRate API
For automatic currency conversion, TravelAlly fetches current exchange rates from the third-party provider ExchangeRate-API Ltd. Your IP address and request timestamp are transmitted to the API server. No travel data is transmitted. Retrieved rates are cached locally for 24 hours. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR).
12. App: App Settings and iCloud Key-Value Store
Certain app settings (e.g. home currency) are stored locally. If iCloud is active, selected settings (e.g. your display name as a travel companion) are synchronized via the iCloud key-value store to ensure cross-device consistency (Art. 6(1)(f) GDPR).
13. App: Maps Integration – Apple Maps / MapKit
TravelAlly uses Apple MapKit and Apple Maps to display maps and for address search. When using the search function, search queries are transmitted to Apple. Apple's privacy policies apply. The legal basis is Art. 6(1)(f) GDPR.
14. App: App Intents and Siri Integration
TravelAlly supports App Intents for the Apple Shortcuts app and Siri. Captured data is stored in TravelAlly. Processing by Siri is subject to Apple's privacy practices. The legal basis is Art. 6(1)(a) and (b) GDPR.
15. External Links and Redirects
When opening external links (e.g. to the TravelAlly website, the App Store, or URLs you added), data (at minimum your IP address) is transmitted to the respective operators. This Privacy Policy does not apply to those external sites.
16. Sharing Data with Third Parties
Your personal data is only shared with third parties in the following cases:
- Apple Inc.: iCloud synchronization, CloudKit Sharing, StoreKit (in-app purchases), MapKit (maps/search).
- RevenueCat, Inc.: Subscription management (anonymized app user, purchase receipts).
- ExchangeRate-API Ltd.: Exchange rate retrieval (IP address).
- Cloudflare, Inc.: Website hosting (IP address, metadata).
- Travel companions: Shared trip data when using the sharing feature.
There is no sale of your data to third parties and no sharing for advertising purposes.
17. International Data Transfers
Some third-party providers (e.g. Apple, RevenueCat, Cloudflare) are based in the United States. Data transfers are carried out on the basis of appropriate safeguards pursuant to Art. 46 GDPR (e.g. EU Standard Contractual Clauses) or an adequacy decision (EU-US Data Privacy Framework).
18. Retention Periods and Deletion
Unless a more specific retention period has been stated, your personal data will remain with us or on your device until the purpose for data processing no longer applies.
- Trip data (local/iCloud): Until deleted by you in the App or until uninstalled.
- Shared trip data: Until the owner ends the share or deletes all data.
- Website contact requests: Until you request deletion, revoke consent, or the purpose ceases to apply (e.g. after completion of your request), provided there are no legal retention periods.
19. Data Security
We implement technical and organizational measures to protect your data. These include local encryption by iOS (Data Protection API), transport and server encryption by Apple iCloud, the use of HTTPS/TLS for all network connections, and the omission of proprietary servers for storing travel data.
20. Your Rights as a Data Subject
As a data subject, you are entitled to the following rights under the GDPR:
- Right of Access (Art. 15 GDPR): Right to request information about your stored personal data.
- Right to Rectification (Art. 16 GDPR): Right to have inaccurate data corrected or incomplete data completed.
- Right to Erasure (Art. 17 GDPR): Right to request deletion of your data. (You can delete travel data directly in the App).
- Right to Restriction of Processing (Art. 18 GDPR): Right to request that the processing of your data be restricted.
- Right to Data Portability (Art. 20 GDPR): Right to receive your data in a common format (the App provides an export feature).
- Right to Withdraw Consent (Art. 7(3) GDPR): You can withdraw granted consent at any time for the future.
Right to Object (Art. 21 GDPR): If data processing is based on Art. 6(1)(e) or (f) GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation.
To exercise your rights, please contact: info@travelally.de. To the extent we have no control over data processed by Apple or RevenueCat, we will direct you to these providers.
Right to Lodge a Complaint: In the event of violations of the GDPR, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).
21. Children and Minors
TravelAlly is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13.
22. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy in response to changes in legal requirements or changes to the App/Website. The current version is always available in the App and on the Website.
Parts of this privacy policy were created with the support of eRecht24.