Skip to content
Safe Trip
Get Pro
Legal
Effective 7 May 2026 · v1.0

Privacy Policy

Safe Trip (“Safe Trip,” “we,” “our”) is committed to a privacy-first product. This policy explains what we collect, why, how long we keep it, and your rights. Safe Trip is operated from Portugal; the EU GDPR applies to all visitors regardless of where you are.

The short version

  • No account is required to read the site. The current product is read-only.
  • No third-party tracking pixels, no advertising cookies.
  • Anonymous analytics only. We use Plausible, cookieless, privacy-first, hosted in the EU.
  • We do not collect your name, address, passport number, or health data.
  • Affiliate clicks are passed to partner sites, which have their own privacy policies.

1. Data we collect

1.1 Anonymous web analytics

We use Plausible Analytics to count visits and understand which pages are useful. Plausible does not use cookies and does not track individual users across visits. The data collected is aggregate and anonymous: page URL, referrer, country (city-level for some EU countries), browser, OS, device size, and whether the visit was outbound to an external link. IP addresses are processed in-memory to derive country and a daily-rotating salted hash for de-duplication, then immediately discarded (not stored).

1.2 Server logs

Our hosting provider (Railway) keeps standard request logs (IP address, user-agent, request URL, timestamp, status code) for security, abuse-prevention, and operational debugging. Logs are retained for up to 7 days unless an incident requires longer retention.

1.3 What we do not collect

  • Real names
  • Date of birth
  • Passport, ID, or driver’s licence numbers
  • Health-condition specifics
  • Payment-card details (when payment launches, Stripe will handle this directly, we never see card numbers)
  • Browsing history outside this site
  • Biometric or facial data

2. Legal bases (GDPR Art. 6)

Our processing is based on:

  • Legitimate interests, for security logs, abuse prevention, and aggregate, anonymous analytics that don’t identify you.
  • Consent, not currently required because we do not set non essential cookies. If we add features that require it (e.g., personalised analytics), we will ask first.
  • Contract, will apply when you sign up for an account, take a paid subscription, or sign a B2B agreement (none of which exist on the site today).

3. Subprocessors

A live, public list of every vendor that processes data for us is at /legal/subprocessors. As of 7 May 2026 the list is short:

  • Railway, web hosting (EU region: europe-west4)
  • Cloudflare, DNS + edge caching + WAF
  • GitHub, source-code repository (no visitor data)
  • Plausible, anonymous analytics (EU-hosted)

4. International transfers

All listed subprocessors store visitor-related data in the EU. Where any subprocessor is established outside the EU/EEA (e.g., parent companies), transfers are governed by the European Commission’s Standard Contractual Clauses or equivalent safeguards.

5. Retention

DataRetention
IP address (transient, for analytics de-dup hash)Discarded same request
Server access logs7 days
Aggregate Plausible analyticsIndefinite (no personal data)
Security incident recordsUp to 24 months

6. Your rights

Under GDPR Articles 15 to 22 you have the rights of access, rectification, erasure, restriction, portability, and objection. Because the current site does not collect personal data tied to an account, most of these rights are not actionable today, there is no profile or trip history to retrieve. If we ever process personal data linked to you, we will provide a one-click data export and account deletion flow.

You also have the right to lodge a complaint with the Portuguese supervisory authority, CNPD, or with the supervisory authority in your country of residence.

7. Children

Safe Trip is not directed to children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact [email protected].

8. Security

Traffic is served over HTTPS. We follow defence-in-depth practices and publish a vulnerability disclosure policy at /security and /.well-known/security.txt. Reports are welcomed at [email protected].

9. Changes

Material changes to this policy will be announced on the changelog. The effective date and version above will reflect the latest revision.

10. Contact

Privacy enquiries: [email protected].

This is the v1.0 baseline aligned with the static, read-only state of the site. It will be revised before any feature that requires personal data (account signup, trip planner, alerts) launches.