Legal

Privacy Policy

Information about which data Triplio processes and which rights you have.

1. Controller

The controller responsible for data processing on this website is:

WhyNot Digital Marcel Gorgolewski und Tobias Meyer GbR
Graf-Bernhard-Ring 19A
21481 Lauenburg
Germany

Email: info@homeiswhereyourbagis.com
Privacy contact: info@homeiswhereyourbagis.com
Website: https://triplio.co

No data protection officer has been appointed because there is no legal obligation to do so.

2. General Information on Data Processing

We process personal data only to the extent necessary to operate this website, provide our features, secure the application, communicate with users, or based on consent.

The legal bases include Art. 6(1)(b) GDPR for account and feature use, Art. 6(1)(f) GDPR for legitimate interests such as security, troubleshooting and abuse prevention, and Art. 6(1)(a) GDPR for consent-based services such as analytics cookies or external media.

3. Hosting and Server Log Files

This website is hosted by ALL-INKL.COM - Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany. We have concluded a data processing agreement with the hosting provider.

When you access the website, the server processes technically necessary data, including IP address, date and time of access, requested URL, referrer URL, browser type, operating system, user agent and transferred data volume. This data is required to deliver the website, ensure stability and security, and analyze errors. The retention period depends on the technical and security requirements of the hosting; log data is not stored longer than necessary for these purposes.

4. SSL/TLS Encryption

This website is provided via SSL/TLS encryption. You can recognize an encrypted connection by “https://” in your browser address bar. This helps protect data transmitted to us from being read by third parties during transmission.

5. Cookies and Consent Management

We use cookies and similar technologies. Some cookies are technically necessary; others are only set or loaded after your consent. Your selection is stored in the cookie “triplio_cookie_consent” for up to 180 days.

Currently relevant cookies and similar technologies:

- Session/security cookies: technically required for login, session handling, CSRF protection and form security; sessions expire by default after 120 minutes of inactivity.
- “triplio_cookie_consent”: stores your cookie choice for up to 180 days.
- “route_rating_visitor_id”: optional anonymous visitor identifier for route ratings, only after consent to Functional, lifetime up to 365 days.
- Google Analytics 4: only after consent to Analytics.
- Google Maps: only after consent to External media or actively loading the map.

Consent management is implemented as a custom-built solution. If additional cookies, analytics tools or third-party services are added in the future, this privacy policy will be updated accordingly.

You can change your cookie selection at any time via “Cookie settings” in the footer.

6. Account, Magic Link, Google Login and Email Delivery

For an account, we store your first name, email address, email verification timestamp and technical account data. Login is available via magic link or optionally through your Google account. Magic link tokens are stored only in hashed form, are valid for 15 minutes and are regularly deleted after expiry.

If you use Google Login, authentication is handled through Google OAuth/OpenID Connect. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. We receive in particular your Google account ID, name or first name, email address, email verification status and, where available, your profile picture. In Triplio, we store the Google account ID, the profile image URL if available, and the time the Google account was connected. We do not store Google access or refresh tokens and do not access other Google services such as Drive, Gmail or Calendar.

We use SMTP via ALL-INKL to send magic links and verification or double opt-in emails. The data required for email delivery is processed, including email address, email content and technical delivery data.

You can delete your account. Your account data will then be deleted unless statutory retention obligations apply. Publicly created routes may continue to exist because they are not intended to publish personal data.

7. Itineraries, Favorites, Ratings and Notes

Generated itineraries contain travel parameters such as country, duration, month, budget, pace and travel style. These routes are publicly visible and are not intended to contain personal data. In the database, routes may be assigned to an account for management purposes; first name and email address are not displayed publicly.

If you save favorites, this relation is stored with your account. If you use private route notes, those notes are stored in your account and are not publicly displayed. Please do not enter sensitive personal data there.

For route ratings, we store the rating. For logged-in users, the rating may be assigned to the account. For guests, hash values derived from technical identifiers such as visitor ID, IP address or user agent may be used to limit duplicate ratings. The underlying values are not stored in plain text as part of the rating.

In the code, IP address and user agent are stored only as hash values for ratings. Technical sessions may contain IP address and user agent during session handling; server log files may be created technically by the hosting provider.

8. AI Itinerary Generation with OpenAI

We use the OpenAI API to automatically generate itineraries. For users in the European Economic Area, the provider under OpenAI’s terms is OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland.

For itinerary generation, the selected travel parameters and the context required for generation are transmitted to OpenAI. There are no free-text fields where you need to enter personal data. Please nevertheless avoid entering personal data into travel parameters.

We use the OpenAI API with response storage disabled where technically possible (“store=false”). In the system, this is intended for both itinerary generation and the route chat. According to OpenAI, API content is not used for training unless this is explicitly enabled. OpenAI may also process data for abuse and security monitoring for a limited time, currently by default up to 30 days.

A data processing agreement or Data Processing Addendum with OpenAI will be concluded.

9. Route Chat with OpenAI

Logged-in users can use an AI chat for a route. Your chat message, a limited amount of recent chat history and the context of the respective route are transmitted to OpenAI to generate the answer.

Chat messages and answers are stored in your account for the respective route so the conversation can be displayed and continued. You can delete the chat history yourself via the “Clear chat history” function. In addition, we regularly delete stored chat messages within 180 days.

Please do not enter sensitive or unnecessary personal data in the chat. We do not automatically block personal data.

10. Google Analytics and Google Tag Manager

Where Google Analytics 4 is integrated now or in the future, we use it for audience measurement only if you consent to the “Analytics” category in the cookie banner. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The Google Analytics property or measurement ID is: G-8WLQKJRZKY.

Google Analytics 4 processes usage data such as page views, interactions, technical browser and device data, and approximate location data. According to Google, Google Analytics 4 does not log or store IP addresses; IP data from EU users is discarded before storage. We do not use Google Signals, remarketing or demographic advertising features.

The data retention period in Google Analytics will be set to 14 months where this setting is available. The legal basis is your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. You can withdraw your consent at any time via the cookie settings.

If Google Tag Manager is used, it serves to technically manage website tags. Tags for analytics or external services are only triggered according to your cookie selection.

11. Google Maps

Route pages may include an interactive map from Google Maps. The provider is Google Ireland Limited. The Google Maps integration in your browser is only loaded after you consent to the “External media” category or actively load the map.

To prepare the map feature, route stops may be converted into coordinates server-side via the Google Maps Geocoding API. Under the current implementation, only place/country information from the route and technical server data are transmitted to Google, not your email address, first name or browser IP address as an end user.

When the interactive Google Maps integration is loaded in your browser, personal data such as IP address, browser data, device information and location/map usage data may be transferred to Google and processed by Google, including outside the EU. The legal basis for loading the map is your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. The legal basis for server-side geocoding is our legitimate interest in a functional route display under Art. 6(1)(f) GDPR.

12. Partner Links, Booking.com and Stay22

Our website contains partner links, including links to Booking.com and Stay22. These links are marked as advertising or affiliate links where they appear in context.

For accommodation recommendations, we may generate affiliate links through Stay22 Allez. The provider is Stay22 Technologies Inc., Canada. These links are rendered server-side as ordinary external links; merely viewing the page does not load a Stay22 script in your browser.

If you click such a link, you will be redirected through Stay22 or directly to a participating booking provider such as Booking.com. From that point onward, Stay22, the respective booking provider or participating partners may process technical data such as IP address, browser and device data, viewed page, referrer, link clicks, location inferences, language/currency information and affiliate or campaign parameters, set cookies or use similar technologies. The legal basis for linking and marking these links is our legitimate interest in financing and improving our service under Art. 6(1)(f) GDPR. Where providers use cookies or tracking technologies after the click, those providers are responsible for their respective processing.

The share function uses normal links or a copy function. Merely viewing the page does not transmit data to social networks. If you actively click a share link, for example to WhatsApp, Telegram, Facebook or email, the respective service or your email program opens; from that point onward, the privacy terms of the respective provider apply.

13. Local Fonts and External Media

The web fonts used by this website are hosted locally. No connection to Google Fonts is established when loading these fonts.

Some static media, such as logos or images, may be loaded through Bunny.net/BunnyCDN domains or related blog/media domains such as homeiswhereyourbagis.com. Technically necessary access data such as your IP address may be transmitted to the respective provider. Where possible, we reduce external media to what is necessary.

14. Your Rights

Under the GDPR, you have in particular the right of access, rectification, erasure, restriction of processing, data portability and objection to certain processing activities. Where processing is based on consent, you can withdraw that consent at any time with effect for the future.

You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority may be the authority of your place of residence, workplace or the place of the alleged infringement.

15. Status of This Privacy Policy

This privacy policy will be updated when features, service providers or legal requirements change. Last updated: June 7, 2026.