Effective date / Gültig ab: 2026-05-01 Last updated / Zuletzt aktualisiert: 2026-05-01
Welcome to Trevio ("we", "us", "our"). We are committed to protecting your personal data and processing it in accordance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), the German Federal Data Protection Act (BDSG), and applicable telecommunications law.
This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have.
The controller responsible for the processing of your personal data is:
Andor Plotár
Schönbachstr 14
86154, Augsburg
Germany
E-Mail: andor@trevio.world
Website: https://trevio.world
We are not legally required to appoint a Data Protection Officer at our current scale. For all data protection enquiries, please contact us directly at:
Data collected: Full name, email address, password (hashed), profile photo (optional), home city (optional), travel preferences (optional), subscription tier.
Purpose: To create and manage your account, provide personalised features, and communicate with you about your account.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract (the Trevio Terms of Service).
Retention: For the duration of your account. After account deletion, data is permanently removed within 30 days, except where we are legally required to retain it longer (e.g. payment records: 10 years under German commercial law — §§ 238, 257 HGB).
Data collected: Trip names, destinations, dates, itineraries, transport legs, bookings, packing lists, participant information, uploaded documents (stored on Cloudflare R2), and any other content you create within Trevio.
Purpose: To provide the core trip planning service.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.
Retention: Retained for the lifetime of your account. Deleted within 30 days upon account deletion.
Data collected: Subscription tier, billing history, payment method type (e.g. card last four digits). We do not store full card numbers — all payment processing is handled by Stripe, Inc.
Purpose: To process your subscription payment and manage your billing relationship.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract; Art. 6(1)(c) GDPR — legal obligation (tax and accounting records).
Third-party processor: Stripe, Inc. (USA). Data transfer covered by Stripe's Standard Contractual Clauses. See Stripe's Privacy Policy: https://stripe.com/privacy
Retention: Billing records retained for 10 years in accordance with §§ 238, 257 HGB (German commercial law).
Data collected: Messages you send to Tria, trip context (destination, dates, travel style, budget, group size), and the AI-generated responses.
Purpose: To provide AI-powered travel planning suggestions.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract; Art. 6(1)(f) GDPR — our legitimate interest in improving the service.
Third-party processor: Anthropic, PBC (USA). Your messages are transmitted to Anthropic's API to generate responses. Anthropic's API usage data handling is governed by their Data Processing Agreement. See: https://www.anthropic.com/legal/privacy
Retention: Conversation history is stored for the lifetime of your account and permanently deleted within 30 days of account deletion.
Data collected: Files you upload (PDFs, images) and associated metadata (file name, type, size, upload date).
Purpose: To store your travel documents (tickets, passports, insurance) securely on your behalf.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.
Third-party processor: Cloudflare, Inc. (USA) — R2 object storage. Data transfer covered by Standard Contractual Clauses. See: https://www.cloudflare.com/privacypolicy/
Retention: Files are deleted within 30 days upon account deletion or manual file removal.
Data collected: Location searches you perform (e.g. destination autocomplete, route queries), map viewport position.
Purpose: To display maps, calculate routes, and power destination search.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.
Third-party processor: Mapbox, Inc. (USA). See: https://www.mapbox.com/legal/privacy
Note: We do not collect or store your device's GPS location. Any location input is provided voluntarily by you (typed search).
Data collected: Flight numbers or route queries you submit.
Purpose: To look up flight information (departure/arrival times, airline) for transport legs in your itinerary.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.
Third-party processor: AviationStack (apilayer GmbH). See: https://aviationstack.com/privacy
Data collected: Your email address, email delivery logs.
Purpose: To send account-related emails (registration confirmation, password reset, subscription receipts).
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.
Infrastructure: Emails are sent via SMTP through our hosting provider (IONOS SE, Germany). No third-party marketing platform is used.
Data collected: Pages visited, session duration, browser type, operating system, approximate geographic location (country/region level), referral source, anonymised IP address.
Purpose: To understand how users interact with Trevio in order to improve the product.
Legal basis: Art. 6(1)(a) GDPR — your consent (provided via the cookie consent banner).
Third-party processor: Google LLC (USA). Data transfer covered by Google's Standard Contractual Clauses. See: https://policies.google.com/privacy
IP anonymisation: We have enabled IP anonymisation in Google Analytics 4 so that your full IP address is never stored by Google.
Opt-out: You may withdraw consent at any time via the cookie settings link in the website footer, or by installing the Google Analytics Opt-out Browser Add-on.
Retention in Google Analytics: Data retention is set to 14 months.
Data collected: IP address, browser type, operating system, date/time of request, pages accessed, HTTP status code.
Purpose: Security monitoring, debugging, and preventing abuse.
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in maintaining the security and stability of the platform.
Retention: Server logs are retained for a maximum of 30 days and then automatically deleted.
When you click affiliate links (e.g. to Booking.com, GetYourGuide, Travelpayouts partners, or Airalo), you are redirected to third-party websites. Trevio does not place any tracking pixels or cookies in connection with these links. The destination website's own privacy policy and cookie settings apply from the point of redirect.
Please refer to our separate Cookie Policy for a full breakdown of cookies used, their purpose, and how to manage your preferences.
We do not sell your personal data. We do not share your data with third parties for their own marketing purposes.
We share data only with the processors listed in Section 4 above, under Data Processing Agreements (DPAs), solely to deliver Trevio's services.
Summary of processors:
| Processor | Country | Purpose | Safeguard |
|---|---|---|---|
| Stripe, Inc. | USA | Payment processing | SCC |
| Anthropic, PBC | USA | AI (Tria) responses | DPA / SCC |
| Cloudflare, Inc. | USA | Document storage (R2) | SCC |
| Mapbox, Inc. | USA | Maps + geocoding | SCC |
| AviationStack (apilayer) | EU/AT | Flight data | DPA |
| IONOS SE | Germany | Hosting + email | DPA (EU) |
| Neon, Inc. | USA | Database hosting | SCC |
| Google LLC | USA | Analytics (GA4) | SCC |
SCC = EU Standard Contractual Clauses (Art. 46(2)(c) GDPR)
Several of our processors are based outside the EU/EEA (primarily the USA). In each case, data transfers are protected by:
You may request a copy of the relevant transfer safeguards by contacting us at request@trevio.world.
You have the following rights regarding your personal data:
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of all data we hold about you |
| Rectification (Art. 16) | Correct inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your data ("right to be forgotten") |
| Restriction (Art. 18) | Limit how we process your data in certain circumstances |
| Portability (Art. 20) | Receive your data in a machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interests |
| Withdraw consent (Art. 7(3)) | Withdraw any consent given at any time (e.g. analytics cookies) |
To exercise any of these rights, contact us at: request@trevio.world
We will respond within 30 days as required by Art. 12 GDPR.
For a detailed explanation of each right, see our GDPR Rights Notice.
If you believe we have processed your data unlawfully, you have the right to lodge a complaint with a supervisory authority. The competent authority for Germany is:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) Graurheindorfer Str. 153 53117 Bonn Deutschland https://www.bfdi.bund.de
Note: You may also contact the supervisory authority of the EU member state where you reside or work.
Trevio is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us immediately at request@trevio.world and we will delete it.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by displaying a prominent notice on the website. The "Last updated" date at the top of this page will always reflect the most recent version.
Continued use of Trevio after changes are posted constitutes acceptance of the updated policy.
For any questions about this Privacy Policy or your data:
Andor Plotár
E-Mail: andor@trevio.world
Website: https://trevio.world
© 2026 Trevio. All rights reserved.