Travolp.Sign in

Privacy Policy

Effective date: 22 May 2026 Controller: Priorli Oy, Finland (the "Provider", "we", "us") Contact: contact@priorli.com

This is a plain-language draft prepared by the Provider. It is not legal advice and should be reviewed by a qualified privacy lawyer before going into production. Once finalised, please replace this notice and confirm the controller details.

Summary

We're Priorli Oy, the Finnish company behind Travolp. Travolp helps you plan trips and travel with a group, with the help of AI. To make that work, we collect things like your account info, the trip content you create, photos and location data when you choose to share them, and the messages you exchange inside the app. We use that data only to run the Service, and we don't sell it.

This policy explains the details, in line with the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki 1050/2018).

Who is the controller of your data?

It depends on how you're using Travolp.

If you use travolp.priorli.com (or a successor domain operated by us directly), Priorli Oy is the controller of your personal data.

If you use a Travolp-powered app or website branded by a travel agency, the travel agency is typically the controller of the personal data they collect about their customers (you, the tourist). Priorli Oy acts as their processor for the platform's technical operation — we run the servers and the software, but the agency decides what to do with the data. Please consult that agency's own privacy notice for their specific practices.

Priorli Oy is the controller of operational data needed to run the platform itself (e.g., security logs, billing data with the agency).

What we collect

Account and identity

  • Email address, name, and avatar (provided by you or by your single-sign-on provider, currently Clerk).
  • Authentication tokens and session data.
  • Your tenant/agency membership and role (e.g., traveler, planner, agency admin).

Trip content

  • Trips, destinations, dates, stops, notes, and any other content you add.
  • Documents you upload to import trips (e.g., booking PDFs, itineraries).
  • Chat threads inside trips, including group and AI-assistant conversations.

Photos

  • Photos you upload (including their EXIF metadata such as GPS coordinates and timestamps), which we may use to sort them onto the right trip stop.

Location

  • Your device's location when you explicitly enable live location sharing inside a trip.
  • Coarse location derived from your IP address for security and abuse-prevention.

Messaging channel identifiers (optional)

If you opt in to receive notifications through external messaging platforms, we store the handle you've provided for that channel:

  • Zalo phone number (Zalo OA / ZNS)
  • WhatsApp Business number
  • LINE user ID
  • SMS phone number
  • Facebook Messenger PSID

Usage and device data

  • Device type, operating system, app version, language preference.
  • Pages visited, features used, error logs, performance metrics.
  • IP address.

Cookies and similar technologies

We use a small number of strictly necessary cookies (e.g., for login sessions). We don't use advertising or cross-site tracking cookies on the Travolp product surfaces.

Where we get your data

Mostly from you, when you sign up or use the Service. Some data comes from:

  • Clerk (our authentication provider), which gives us your verified email, name, and avatar.
  • Your device (location, photos, push tokens) — only with your OS-level permission.
  • Travel agencies, if a tour operator using Travolp adds you as a tourist on a trip they're building.

Why we use your data and our legal bases

What we doWhyLegal basis (GDPR Art. 6)
Create and operate your accountProvide the Service you signed up forContract (6(1)(b))
Generate AI itineraries, suggestions, summariesProvide the ServiceContract (6(1)(b))
Sort photos to stops, show maps, share locationsProvide the ServiceContract (6(1)(b))
Send notifications via email and messaging channelsProvide the Service; honor your opt-insContract / Consent (6(1)(a))
Detect and prevent abuse, fraud, and security incidentsKeep the Service safe for everyoneLegitimate interests (6(1)(f))
Improve the product (aggregate usage analytics, error monitoring)Make Travolp betterLegitimate interests (6(1)(f))
Comply with laws and respond to legal requestsLegal obligationLegal obligation (6(1)(c))

We do not use your trip content or photos to train AI models. We do not sell or rent your personal data.

AI processing

When you use AI features (chat, smart-import, itinerary generation, etc.), the relevant content is sent to our AI providers — currently Anthropic (Claude models) and OpenAI — for processing. These providers act as our processors and are contractually prohibited from using your content to train their models. The content is processed in their cloud regions (typically the United States) under appropriate transfer safeguards (see "International transfers" below).

Who we share data with

We share personal data only with parties that need it to help us run the Service:

Sub-processors (current list — subject to change with notice):

  • Clerk Inc. — user authentication (US, with EU data-residency options)
  • Anthropic, PBC — AI model inference (US)
  • OpenAI, L.L.C. — AI model inference (US)
  • Fly.io — application hosting and database (regional)
  • Email-delivery provider for transactional emails
  • Messaging-channel providers you opt in to: Meta Platforms (WhatsApp Business, Messenger), LINE Corporation (LINE Messaging API), Zalo / VNG (Zalo OA), Twilio or similar (SMS)

We may update this list. We'll publish updates here and, where appropriate, notify customers of material changes.

Other recipients:

  • Travel agencies you've chosen to work with, for the trips you share with them.
  • Other users you've invited or who have invited you, for the trip content you've shared with them.
  • Authorities, when we're legally required (court order, subpoena, etc.).

International transfers

Some of our processors operate outside the European Economic Area (notably in the United States). Where we transfer personal data outside the EEA, we rely on the European Commission's Standard Contractual Clauses and the additional safeguards required under GDPR Article 46.

How long we keep your data

  • Account data: for as long as you have an active account.
  • Trip content, photos, messages: until you delete it, or until you close your account (after a short grace period of typically 30 days for accidental deletion recovery).
  • Security and audit logs: up to 12 months.
  • Aggregated or anonymised statistics: indefinitely (no longer personal data).
  • Backups: rolling backups for up to 30 days from the deletion event.

If law requires us to keep data longer (e.g., accounting records), we'll keep it for the required period.

Your rights under GDPR

You have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data ("right to be forgotten"), subject to legal retention requirements.
  • Restrict or object to certain processing.
  • Data portability — get your data in a machine-readable format.
  • Withdraw consent where processing is based on consent (e.g., messaging-channel opt-ins).
  • Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you. (We don't currently make such decisions.)

To exercise any of these rights, email contact@priorli.com from the address on your account. We'll respond within 30 days.

If a travel agency is the controller of your data (white-label scenario), please contact that agency directly. We'll forward requests we receive when the right controller is the agency.

Right to complain

If you believe we've handled your personal data unlawfully, you can complain to the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) — https://tietosuoja.fi — or to the supervisory authority in your EU country of residence.

Children

Travolp is not directed at children under 16. If you're under 16, please don't create an account. If we learn we've collected data from a child below the consent age in their country, we'll delete it.

Security

We use industry-standard measures to protect your data — encryption in transit (TLS), encryption at rest where supported by our infrastructure providers, access controls, and audit logs. No system is perfectly secure; if a breach affects you, we'll notify you and the relevant authorities as required by GDPR.

Changes to this policy

We may update this policy from time to time. We'll post the new version here with a fresh effective date. For material changes, we'll also notify you by email or in-app notice before the changes take effect.

Contact

For privacy questions or to exercise your rights:

Priorli Oy Email: contact@priorli.com

Priorli Oy · Helsinki, Finland

Version 1 · Effective May 22, 2026