1. Introduction

This Privacy Policy informs you about the nature, scope, and purpose of the processing of personal data when using the iOS app TravelAlly (hereinafter "the App") as well as the associated website at https://travelally.app and https://travelally.de (hereinafter "the Website").

TravelAlly is a travel planning and documentation app that allows you to organize trips, track expenses, plan activities, save places, and split costs with travel companions. We place the highest value on your privacy: the App is designed so that your travel data is stored primarily locally on your device. Data is only shared with third parties to the extent technically necessary for the provision of the respective features.

Your data is processed in accordance with the EU General Data Protection Regulation (GDPR), applicable national data protection laws, and other relevant data protection regulations.

2. Data Controller

The data controller within the meaning of Art. 4 No. 7 GDPR is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data:

Julian Abdallah
c/o IP-Management #8644
Ludwig-Erhard-Straße 18
20459 Hamburg
Germany

Website: https://travelally.app
Email: info@travelally.de

For any questions or concerns about data protection, please contact us at the email address above at any time.

3. General Information on Data Processing

Principles

We only process personal data to the extent necessary to provide a fully functional App, Website, and our content and services. Processing is carried out only on the basis of one of the following legal grounds under Art. 6 GDPR:

If you have consented to the storage of cookies or access to information in your end device (e.g. via device fingerprinting), data processing is additionally carried out on the basis of Β§ 25 para. 1 TDDDG (German law). Consent can be revoked at any time.

No User Account Required

Using TravelAlly requires no registration and no separate user account. Identification for iCloud synchronization and sharing is handled exclusively through the user's Apple ID, which is managed by Apple.

No Advertising, No Tracking

TravelAlly uses no advertising networks, no behavioral tracking, and no device fingerprinting techniques. No data is sold or passed on to third parties for advertising purposes.

4. Data Collection on the Website

Hosting by Cloudflare

This website is hosted externally. The personal data collected on this website is stored on the host's servers. This may primarily include IP addresses, contact requests, meta and communication data, website accesses, and other data generated via a website.

External hosting is carried out for the purpose of fulfilling contracts with our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of secure, fast, and efficient provision of our online offering by a professional provider (Art. 6(1)(f) GDPR).

We use the following host:

Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA

This website is delivered via Cloudflare Pages. Cloudflare may process technical data – in particular your IP address and metadata about your page visit. Cloudflare's servers are located in the United States and other countries worldwide. Cloudflare is certified under the EU-US Data Privacy Framework (DPF). For more information on Cloudflare's privacy practices, please visit: https://www.cloudflare.com/privacypolicy/.

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service.

Inquiry by Email

If you contact us by email, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for the purpose of handling your request. We do not pass on this data without your consent.

The processing of this data is based on Art. 6(1)(b) GDPR if your inquiry is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR); consent can be revoked at any time.

Local Storage (localStorage)

To save your preferred language setting (German or English), we use your browser's localStorage. This information is stored locally on your device. It is used exclusively for the technical provision of the website in your preferred language and does not constitute tracking. The legal basis for this is our legitimate interest in providing a user-friendly website (Art. 6(1)(f) GDPR) and technical necessity under Β§ 25(2) No. 2 TDDDG (German law).

5. App: Data You Enter and That Is Stored Locally

Description of Data

All travel data you enter in TravelAlly is initially stored locally on your device in a Core Data database. This includes:

Purpose and Legal Basis

This data is processed exclusively for the purpose of travel documentation and management – in other words, for the core purpose of the App, which you determine through your own inputs. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

6. App: iCloud Synchronization (CloudKit)

If you are signed in with an Apple ID in your iPhone settings and have iCloud Drive enabled, TravelAlly automatically synchronizes your travel data across your Apple devices via Apple CloudKit. Synchronization uses a private iCloud container, which only you can access.

Synchronization serves to keep your travel data available across devices (Art. 6(1)(b) and (f) GDPR). Storage and transmission in iCloud is carried out by Apple Inc. as a data processor.

You can disable synchronization by going to Settings β†’ Apple ID β†’ iCloud β†’ Apps Using iCloud and toggling off TravelAlly.

7. App: Sharing Trips – CloudKit Sharing

TravelAlly offers a sharing feature that allows you to share individual trips with other people. A CloudKit Share is created and an invitation link is generated. The shared trip data is stored in Apple's shared CloudKit database.

People who accept the invitation link gain access to the shared data. An anonymous CloudKit user identifier generated by Apple is used to identify travel companions.

Important Notice: By sharing a trip, all data contained in that trip becomes visible to all invited persons. Do not share trips with people you do not trust. The legal basis is your consent through the deliberate act of sharing (Art. 6(1)(a) GDPR).

8. App: Location Data

TravelAlly can – with your explicit permission (Art. 6(1)(a) GDPR) – access your device's current location. This is used for displaying your location on the map view and assisting with address searches.

Access occurs only while the App is actively in use. Your location is not permanently stored and not transmitted to our servers. You can revoke permission at any time in iOS Settings.

9. App: Photos and Documents

TravelAlly can, with your permission (Art. 6(1)(a) GDPR), access your photo library or camera to add photos to activities. Selected photos and attached documents (e.g. receipts) are stored locally and, if CloudKit is enabled, synchronized to iCloud as encrypted assets. You can revoke permissions at any time in iOS Settings.

10. App: Exchange Rates – ExchangeRate API

For automatic currency conversion, TravelAlly fetches current exchange rates from the third-party provider ExchangeRate-API Ltd. Your IP address and request timestamp are transmitted to the API server. No travel data is transmitted. Retrieved rates are cached locally for 24 hours. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR).

11. App: Premium Subscription – RevenueCat and Apple

The technical processing of in-app purchases for the premium subscription is handled via Apple StoreKit in conjunction with the service RevenueCat (RevenueCat, Inc., USA). All payment transactions are processed exclusively by Apple. RevenueCat only receives technical transaction data (e.g. anonymized purchase receipts) from Apple to manage subscription status. The legal basis is Art. 6(1)(b) GDPR.

12. App: App Settings and iCloud Key-Value Store

Certain app settings (e.g. home currency) are stored locally. If iCloud is active, selected settings (e.g. your display name as a travel companion) are synchronized via the iCloud key-value store to ensure cross-device consistency (Art. 6(1)(f) GDPR).

13. App: Maps Integration – Apple Maps / MapKit

TravelAlly uses Apple MapKit and Apple Maps to display maps and for address search. When using the search function, search queries are transmitted to Apple. Apple's privacy policies apply. The legal basis is Art. 6(1)(f) GDPR.

14. App: App Intents and Siri Integration

TravelAlly supports App Intents for the Apple Shortcuts app and Siri. Captured data is stored in TravelAlly. Processing by Siri is subject to Apple's privacy practices. The legal basis is Art. 6(1)(a) and (b) GDPR.

16. Sharing Data with Third Parties

Your personal data is only shared with third parties in the following cases:

There is no sale of your data to third parties and no sharing for advertising purposes.

17. International Data Transfers

Some third-party providers (e.g. Apple, RevenueCat, Cloudflare) are based in the United States. Data transfers are carried out on the basis of appropriate safeguards pursuant to Art. 46 GDPR (e.g. EU Standard Contractual Clauses) or an adequacy decision (EU-US Data Privacy Framework).

18. Retention Periods and Deletion

Unless a more specific retention period has been stated, your personal data will remain with us or on your device until the purpose for data processing no longer applies.

19. Data Security

We implement technical and organizational measures to protect your data. These include local encryption by iOS (Data Protection API), transport and server encryption by Apple iCloud, the use of HTTPS/TLS for all network connections, and the omission of proprietary servers for storing travel data.

20. Your Rights as a Data Subject

As a data subject, you are entitled to the following rights under the GDPR:

Right to Object (Art. 21 GDPR): If data processing is based on Art. 6(1)(e) or (f) GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation.

To exercise your rights, please contact: info@travelally.de. To the extent we have no control over data processed by Apple or RevenueCat, we will direct you to these providers.

Right to Lodge a Complaint: In the event of violations of the GDPR, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).

21. Children and Minors

TravelAlly is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13.

22. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy in response to changes in legal requirements or changes to the App/Website. The current version is always available in the App and on the Website.

Parts of this privacy policy were created with the support of eRecht24.