Privacy Policy
Last updated : July 12, 2026
Courtesy translation — the French version prevails.
Data controller: SharingTrip Group, SASU — 45 rue Paul Bert, 92600 Asnières-sur-Seine, France.
GDPR contact: privacy@sharingtrip.com
1. Who are we?
SharingTrip (sharingtrip.com) is a French platform for coordinating group trips between friends. We facilitate the sharing of existing bookings and the search for travel services from partners. SharingTrip acts as a technical intermediary and is not a travel agency.
2. Data collected, purposes and legal bases
2.1 User account
- Email, first name, last name — account management — performance of the contract (Art. 6.1.b GDPR) — kept for the life of the account + 3 years.
- Profile photo (optional) — personalisation — consent (Art. 6.1.a) — for the life of the account.
- Hashed password — authentication — performance of the contract — for the life of the account.
2.2 Group trip data
- Group name, destination, dates, shared listings, expenses — operation of the service — performance of the contract — for the life of the group + 1 year.
- Group members and cost split — coordination between co-travellers — performance of the contract.
2.3 Payment data (cost-sharing)
Payments relating to cost-sharing are processed by our licensed payment provider, Stripe. SharingTrip never holds your funds and has no access to your full banking details, which are collected and stored directly by Stripe. We process only the data needed to track the sharing (amounts, status). Legal basis: performance of the contract.
2.4 Browsing data
- IP address, user-agent, pages viewed — security, debugging, measurement — legitimate interest (Art. 6.1.f) — approximately 90 days.
2.5 Search criteria (including the presence of children)
The search engine lets you specify trip criteria, including the possible presence of children and their age bracket (the “child-friendly” criterion). When used in the search engine, these criteria are used solely to filter the results displayed and are not stored for that purpose. The group composition you declare in order to join a trip is covered by section 2.6 below. The Service is reserved for adults (see the Terms): no account is created for a minor.
2.6 Group composition (occupants)
When you join a trip, you declare the number of occupants you are bringing (number of adults and number of children). These counters are stored on your trip participation. Purpose: calculating your share at actual cost and checking the accommodation's capacity. Legal basis: performance of the contract (Art. 6.1.b). Duration: for the life of the trip, then archived with the trip data. These are simple counters attached to your account (an adult): no name or identity data of a minor is collected. This data is included in your GDPR export (Art. 20).
2.7 Identity verification (Stripe Identity)
As part of the protected payment (Pillar 1), an identity verification may be required. It is triggered only once the trip is full and paid, before the stay. The identity document and the selfie are processed exclusively by Stripe (our payment provider, acting as a processor), through its Stripe Identity service: SharingTrip never receives nor stores identity documents. We keep only: the verification status, a technical session identifier, the verified first name and an adulthood indicator (18 or over). The documents are deleted at Stripe via the Redact API after verification (“zero retention” principle). Legal bases: performance of the contract (Art. 6.1.b) and legitimate interest (fraud prevention, Art. 6.1.f).
3. Partners and processors
- Vercel Inc. (hosting, USA) — governed by standard contractual clauses (SCC).
- Supabase Inc. (database, EU region eu-west-3 Paris) — no transfer of user data outside the EU.
- Stripe (payment and, where applicable, identity verification via Stripe Identity) — certified provider.
- Anthropic (AI search — search queries expressed in natural language are sent to the Claude API, USA) — governed by the EU-US Data Privacy Framework (DPF) and standard contractual clauses (SCC).
- Sentry (error monitoring — IP address, user-agent; session replays are masked) — DPF / SCC.
- OVH (sending of transactional emails, France) — no transfer outside the EU.
- Affiliate partners (Booking.com, GetYourGuide, Viator, Expedia…) — a cookie may be set by the partner when you click, if you have consented to the “Affiliation” category.
4. Transfers outside the European Union
- Vercel (USA) — standard contractual clauses (SCC) / EU-US Data Privacy Framework.
- Supabase — data hosted in France (eu-west-3), no transfer outside the EU.
- Anthropic (USA) — AI search queries — EU-US Data Privacy Framework (DPF) / standard contractual clauses (SCC).
- Sentry (USA) — technical error-monitoring data — DPF / SCC.
- Stripe (USA) — payment and identity verification — DPF / SCC.
5. Cookies and trackers
Three categories: essential (exempt from consent: session, security, preferences), analytics (consent required) and affiliation (consent required, partner tracking cookies). You can accept, decline or configure each category, and change your choice at any time via the “Manage my cookies” link. Consent is not stored for more than 13 months.
6. Your rights (GDPR, Art. 15 to 22)
- Access (Art. 15) — obtain a copy of your data.
- Rectification (Art. 16) — correct your data, from your account or by email.
- Erasure (Art. 17) — delete your account (self-service feature in the settings).
- Portability (Art. 20) — export your data (JSON/CSV format).
- Objection (Art. 21) — object to processing based on legitimate interest.
- Withdrawal of consent — via “Manage my cookies” or by email.
To exercise your rights: privacy@sharingtrip.com. Response within 1 month at most (Art. 12 GDPR). You may lodge a complaint with the CNIL, the French data-protection authority (3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — cnil.fr).
7. Security
- Encryption in transit (HTTPS / TLS) and at rest.
- Row Level Security (RLS) enabled on all database tables.
- Hashed passwords; restricted access to sensitive functions.
8. Changes
In the event of a substantial change, you will be informed at least 30 days before it takes effect. Continued use of the service constitutes acceptance.