TripZen ("we", "our", or "the App") provides a child transport safety platform for parents, drivers, and schools. This Privacy Policy explains what information we collect, why we collect it, how we use it, and the choices you have. By using TripZen you agree to this policy.
1. Information We Collect
- Account info: name, email, phone number, role (parent / driver / admin), password (hashed).
- Student info: name, grade, photo, school, pickup/dropoff address — provided only by the parent, guardian, or authorized school administrator.
- Location data: precise GPS location of buses during active routes for live tracking. Driver devices may transmit location in the background only while a trip is active.
- Boarding logs: timestamp, bus, route, and student identifier when a QR or NFC badge is scanned.
- Payment data: processed by Stripe. We never store full card numbers. We retain only the last 4 digits and the Stripe transaction ID.
- Communications: in-app chat messages, incident reports, and photos you submit.
- Device data: device model, operating system, app version, push notification token, crash diagnostics.
2. How We Use Your Information
- Provide real-time bus tracking to authorized parents and admins.
- Authenticate users and prevent unauthorized access.
- Send push notifications, SMS, or email alerts about boarding events and trip status.
- Process bookings, subscriptions, and payments.
- Investigate incidents and improve service quality.
- Comply with legal obligations.
3. Children's Data (COPPA & GDPR-K)
4. Sharing & Third Parties
We do not sell your personal data. We share data only with:
- Stripe — payment processing (privacy policy)
- Apple Push Notification Service / Google FCM / Expo Push — delivering push notifications
- Twilio — SMS notifications, if enabled by your school operator
- Your school or bus operator — student records and ride history relevant to their service
- Law enforcement — only when required by valid legal process
5. Data Retention
- Active accounts: kept while you use the app.
- Trip and boarding logs: 12 months.
- Payment records: 7 years (legal requirement).
- Account deletion is processed within 30 days, except where law requires longer retention.
6. Your Rights
Under GDPR, CCPA, and similar laws, you can:
- Access a copy of your personal data.
- Correct inaccurate or incomplete data.
- Request deletion ("right to be forgotten").
- Export your data in machine-readable format (JSON).
- Withdraw consent for non-essential data uses.
- Lodge a complaint with your local data protection authority.
To exercise these rights, email info@tripzen.co.uk.
7. Security
- TLS 1.2+ encryption for all network traffic.
- Passwords hashed with bcrypt.
- JWT tokens with short expiry; refresh tokens stored securely.
- Sensitive data stored using Expo SecureStore (Keychain / Keystore).
- Regular security audits and dependency updates.
8. International Transfers
TripZen may process data outside your country of residence. We use Standard Contractual Clauses and equivalent safeguards to protect international data transfers.
9. Changes to This Policy
We may update this policy from time to time. The "Last updated" date will reflect the most recent changes. Material changes will be notified in-app and via email.
10. Contact Us
TripZen Privacy Team
Email: info@tripzen.co.uk
Support: info@tripzen.co.uk
Address: [Your registered company address]