Privacy Policy
Last updated: [DATE TO BE SET AT PUBLICATION]
Effective from: [DATE TO BE SET AT PUBLICATION]
This Privacy Policy explains how Little Owl Media S.R.L. ("TWB", "we", "us", "our") collects, uses, shares, and protects personal data through:
- the website at www.tripswithbenefits.com (the "Website")
- the TWB mobile application for iOS and Android (the "App")
The Website and the App together form the "Service".
This Privacy Policy is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and applicable Romanian data protection law.
1. Who we are
Data controller:
Little Owl Media S.R.L.
Str. Nicopole 65, 500063 Brașov, România
Trade Register (Registrul Comerțului): [J08/... to add]
VAT: [VAT number to add]
Contact:
- General privacy inquiries: privacy@tripswithbenefits.com
- Data Protection Officer (DPO): dpo@tripswithbenefits.com
- Security incidents: security@tripswithbenefits.com
Romanian supervisory authority: You have the right to lodge a complaint with the Romanian Data Protection Authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest
www.dataprotection.ro
You may also lodge a complaint with the supervisory authority in your country of residence within the European Union.
2. Definitions
- "Personal data" — any information relating to an identified or identifiable natural person
- "Processing" — any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.)
- "Visitor" — someone browsing the Website without an account
- "Member" — someone with a registered account in the App
- "You" — a Visitor or Member, depending on context
3. Personal data we collect
3.1 Information you provide directly
Visitors of the Website:
- Contact form: name, email address, message subject, message body, language preference
- Newsletter signup: email address, language preference, source page
Members of the App:
- Account creation: email address or phone number (passwordless login via one-time code), display name, date of birth (used to confirm you are 18+ and to derive your age), gender, gender preference
- Profile details: city of residence, places you have visited, places you plan to visit, languages spoken, interests, looking-for preferences, biographical text ("about me")
- Photos: profile and gallery photos you upload, photos you choose to share privately with other Members
- Trips: planned destinations, travel dates, travel purpose, interest expressions on others' trips
- Communications: messages exchanged with other Members through the App's chat
- Reports: any reports you submit about other Members (including any evidence photos attached)
3.2 Information collected automatically
- Device information: device model, operating system, App version, language, time zone, country
- Identifiers: device identifier (Apple IDFV / Android Advertising ID, used only for App functionality, not for cross-app tracking), push notification tokens (FCM, APNS)
- Network information: IP address, approximate location derived from IP (country and city level)
- Usage information: features used, screens viewed, actions performed (likes, scrolls, messages sent), crash reports, performance metrics
- Aggregate Website analytics: page views, referrer, browser type (collected without setting cookies, no individual tracking)
3.3 Information from third parties
If you sign in with Apple or Google, we receive a limited identifier from those providers (their internal user ID for our App), and optionally your email if you choose to share it. We do not receive your password.
If you make a paid purchase, Apple or Google notifies us of:
- Your transaction ID
- The product purchased
- The status of your subscription (active, cancelled, expired)
We do not receive your payment card number, billing address, or any other payment instrument details. These are handled by Apple and Google directly.
3.4 Special category data (biometric-like data)
The liveness verification process involves submitting two photos of you performing predefined gestures. These photos and the data derived from them are considered biometric-like data and are subject to enhanced protection.
This data is:
- Used solely to verify that your profile is operated by a real, unique adult human
- Reviewed by our trained moderation team
- Stored encrypted on our servers
- Retained only for as long as your account remains active, plus a short period after deletion for fraud-prevention purposes (see Section 7)
- Never shared with third parties for marketing, profiling, or any purpose unrelated to verification
The legal basis for this processing is your explicit consent (Article 9(2)(a) GDPR), which you provide when starting the verification process.
4. Why we collect data and our legal bases
| Purpose | Categories of data | Legal basis (GDPR Article 6 / 9) |
|---|---|---|
| Creating and managing your account | Identity, contact, profile data | Contract (Art. 6(1)(b)) |
| Verifying you are a real adult human (liveness) | Photos, biometric-like data | Explicit consent (Art. 9(2)(a)) |
| Showing your profile to other Members and enabling communications | Profile, trips, communications | Contract (Art. 6(1)(b)) |
| Moderating photos and reported content | Photos, reports, communications subject to investigation | Legitimate interest in maintaining a safe community (Art. 6(1)(f)) |
| Processing payments via Apple/Google | Transaction identifiers and status | Contract (Art. 6(1)(b)) |
| Sending transactional emails (login codes, receipts, security alerts) | Contact data | Contract (Art. 6(1)(b)) |
| Sending push notifications (matches, messages) | Push tokens, activity | Contract (Art. 6(1)(b)) (with the option to opt out in App settings) |
| Sending the newsletter (Visitors who subscribed) | Email, language | Consent (Art. 6(1)(a)), revocable at any time |
| Responding to contact form submissions | Form data | Legitimate interest in responding (Art. 6(1)(f)) |
| Detecting and preventing fraud, abuse, illegal use | Account, device, IP, usage data | Legitimate interest in protecting the Service and users (Art. 6(1)(f)) |
| Complying with legal obligations | Various, as required | Legal obligation (Art. 6(1)(c)) |
| Aggregate analytics for product improvement | Usage data, aggregated | Legitimate interest (Art. 6(1)(f)) |
| Defending legal claims | Necessary records | Legitimate interest (Art. 6(1)(f)) |
5. Who we share data with
5.1 Other Members
Information you choose to make visible in your profile (photos approved as public, display name, age, city, trips, interests, biographical text) is visible to other Members of the App. Private photos are visible only to Members you explicitly grant access to.
Messages you send to another Member are visible to that Member.
5.2 Service providers (data processors)
We use the following third-party providers, who process data on our behalf under strict contractual obligations:
| Provider | Role | Location | Data shared |
|---|---|---|---|
| Apple Inc. | iOS App distribution, in-app purchases, Sign in with Apple, push notifications (APNS) | USA | Transaction data, push tokens, user identifiers |
| Google LLC | Android App distribution, in-app purchases, push notifications (FCM), Sign in with Google | USA | Transaction data, push tokens, user identifiers |
| Amazon Web Services (AWS) | Cloud hosting (S3 storage, CloudFront CDN) | USA / EU | All Member content including photos |
| Brevo (Sendinblue) | Transactional emails and newsletter delivery | France (EU) | Email addresses, name, message content for emails sent |
| Google Analytics (cookieless mode) | Aggregate Website analytics, no individual tracking, no cookies set | USA / EU | Aggregate page views, no personal identifiers |
| Cloudflare | API edge protection, DDoS mitigation | USA | IP addresses, basic request metadata (no PII content) |
| Image moderation provider (planned: Sightengine / AWS Rekognition) | Automated initial review of uploaded photos | USA / EU | Photos submitted for moderation |
Each provider is bound by a data processing agreement consistent with Article 28 GDPR, including limits on retention and onward transfer.
5.3 Legal and safety disclosures
We may disclose your personal data without your consent when:
- required by valid legal process (court order, subpoena, lawful government request)
- necessary to comply with laws or regulations
- necessary to enforce these Terms, our Privacy Policy, or other agreements
- necessary to protect the rights, property, or safety of TWB, our Members, or the public
- necessary to investigate and respond to suspected fraud, abuse, or illegal activity
- required by reporting obligations relating to child safety (see our Child Safety Policy)
5.4 Business transfers
If TWB is involved in a merger, acquisition, financing, or sale of assets, your personal data may be transferred to the acquiring entity. You will be notified of any such transfer with at least 30 days' advance notice via email and a notice posted in the App, and you will have the opportunity to delete your account before the transfer takes effect.
5.5 What we never do
- We never sell your personal data
- We never rent or trade your personal data
- We never share your personal data for third-party advertising, profiling, or analytics
- We never share your liveness verification photos or biometric-like data outside our moderation team
6. International transfers
Some of our service providers are located outside the European Economic Area, principally in the United States (Apple, Google, AWS, Cloudflare). When personal data is transferred to these providers, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary measures including encryption in transit (TLS 1.3) and encryption at rest
- Provider-specific certifications (SOC 2, ISO 27001, EU-US Data Privacy Framework where applicable)
You may request a copy of the safeguards in place by contacting privacy@tripswithbenefits.com.
7. Data retention
We keep personal data only as long as necessary for the purposes for which it was collected.
| Data category | Retention period |
|---|---|
| Active Member account | Until account deletion |
| Liveness verification photos | Until account deletion + 90 days (for fraud prevention) |
| Photos (approved or rejected) | Until account deletion |
| Messages | Until either party deletes them, or account deletion of one of the participants |
| Reports submitted | 24 months after resolution (to enable detection of repeat behavior) |
| Banned accounts | Account credentials retained indefinitely to prevent re-registration; other personal data deleted within 30 days |
| Contact form submissions | 12 months after last interaction, then deletion |
| Newsletter subscriptions | Until you unsubscribe + 12 months (for proof of consent) |
| Transactional records (payment confirmations) | 10 years (Romanian tax law) |
| Server logs (IP, user agent, requests) | 90 days |
| Backups | 30 days rolling, then overwritten |
When you delete your account:
- Your profile becomes immediately invisible to other Members
- Your photos are deleted within 30 days
- Your messages are deleted from your inbox immediately, but copies are retained in the recipients' inboxes until they delete them
- Your liveness verification photos are deleted after 90 days
- Anonymized aggregate data may be retained indefinitely for analytics
8. Your rights
Under GDPR, you have the following rights regarding your personal data:
8.1 Right of access (Art. 15)
You may request confirmation of whether we process your data, and a copy of the data we hold about you.
8.2 Right to rectification (Art. 16)
You may request correction of inaccurate or incomplete data. Most profile information can be edited directly in the App.
8.3 Right to erasure ("right to be forgotten", Art. 17)
You may request deletion of your data. Most data is deleted when you delete your account. For specific deletion requests beyond account closure (e.g., specific messages, partial deletion), contact privacy@tripswithbenefits.com.
8.4 Right to restriction of processing (Art. 18)
You may request that we limit the processing of your data in specific circumstances.
8.5 Right to data portability (Art. 20)
You may request a copy of your data in a machine-readable format (typically JSON), which you may transfer to another service.
8.6 Right to object (Art. 21)
You may object to processing based on legitimate interest. You may also opt out of marketing communications at any time.
8.7 Right to withdraw consent (Art. 7)
For processing based on consent (such as the newsletter or liveness verification), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
8.8 Right not to be subject to automated decision-making (Art. 22)
Our discovery algorithm uses automated processing to suggest profiles. This processing does not produce legal or similarly significant effects on you. You always retain control over who you interact with, and human moderators review all sanction decisions (bans, content removal, etc.).
8.9 Right to lodge a complaint (Art. 77)
You may lodge a complaint with ANSPDCP (Romania) or the supervisory authority in your country of residence.
8.10 How to exercise your rights
Send an email to privacy@tripswithbenefits.com with your request. We respond within 30 days (extendable by 2 months for complex requests, with notice). We may ask for identity verification before fulfilling requests, to protect your data from unauthorized access.
There is no fee for reasonable requests. For excessive or repetitive requests, we may charge a reasonable administrative fee or refuse to act, as permitted by GDPR.
9. Cookies
The Website uses only essential cookies required for basic operation (language preference, security tokens). We do not use advertising cookies. Our Website analytics (Google Analytics in cookieless mode) collects aggregate data without setting cookies on your device.
Full details are in our Cookies Policy.
10. Push notifications and marketing communications
You may receive:
- Transactional notifications (login codes, payment receipts, security alerts, important policy updates) — these cannot be disabled while your account is active
- In-App notifications (new matches, messages, profile views) — manageable in App settings and your device's notification settings
- Promotional emails or notifications (new features, occasional promotions) — opt out at any time in App settings or via the unsubscribe link in emails
- Newsletter (Website subscribers) — unsubscribe link in every email
11. Profile visibility and discovery
Your profile is visible:
- To other Members of the App who view your profile in the discovery feed or via direct profile access
- Not on the public internet (your profile is not indexed by search engines)
- Not on the Website (the Website never displays Member profiles publicly)
You can:
- Control which photos are public and which are private
- Block specific Members
- Choose privacy-related options (First Class membership offers anonymous browsing)
12. Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.3) for all communications
- Encryption at rest for sensitive data including the liveness verification photos
- Hashed and salted password equivalents (we use passwordless authentication, so no passwords are stored)
- Access controls for our team (least-privilege principle)
- Logging and monitoring of administrative access
- Regular backups (encrypted, with rolling 30-day retention)
- Vendor due diligence and data processing agreements with all service providers
No method of transmission or storage is 100% secure. We cannot guarantee absolute security.
13. Data breaches
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will:
- Notify ANSPDCP within 72 hours of becoming aware of the breach (as required by Article 33 GDPR)
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (as required by Article 34 GDPR)
- Document and investigate the breach
14. Children's privacy
The Service is restricted to adults aged 18 and over. We do not knowingly collect personal data from anyone under 18.
If we discover that we have collected data from a person under 18, we will delete the account and all associated data without delay.
If you believe a child under 18 has provided personal data through the Service, contact privacy@tripswithbenefits.com.
See our Child Safety Policy for more detail on how we protect minors and respond to suspected violations.
15. Region-specific rights
15.1 European Economic Area, United Kingdom, and Switzerland
You have the rights described in Section 8. You may lodge a complaint with your local supervisory authority. For Romania, this is ANSPDCP (see Section 1).
15.2 California (CCPA / CPRA)
If you are a California resident, in addition to the rights above you have the right to:
- Know what categories of personal information we collect and the purposes for collection
- Request deletion of personal information
- Opt out of "sales" or "sharing" of personal information — note that we do not sell or share personal information as defined by California law
- Non-discrimination for exercising your rights
To exercise these rights, email privacy@tripswithbenefits.com.
15.3 Other jurisdictions
If your jurisdiction grants you additional rights, please contact us at privacy@tripswithbenefits.com and we will respond in accordance with applicable law.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The date of the last update appears at the top. Material changes will be communicated:
- By email to Members
- Via an in-App notice
- On the Website with a clear notice
Continued use of the Service after material changes constitutes acceptance, except where consent is required for new processing (in which case we will seek your consent before applying the change to you).
17. Contact
For any privacy-related questions, requests, or complaints:
Email: privacy@tripswithbenefits.com
DPO: dpo@tripswithbenefits.com
Postal mail:
Little Owl Media S.R.L.
Attn: Data Protection Officer
Str. Nicopole 65, 500063 Brașov, România
18. Language
This Privacy Policy is made available in multiple languages. The English version is the canonical version and prevails in case of any discrepancy with translations.
Document version: 1.0