Trust Centre
Your data is safe with Trippi
We handle mileage data that feeds into real HMRC claims. That's why security, privacy, and transparency aren't afterthoughts — they're foundational to everything we build.
Verified partners and protections
Microsoft 365 Verified
Publisher-verified by Microsoft for Outlook Calendar integration
Google OAuth Verified
Approved by Google for secure Calendar API access
TLS/HTTPS Everywhere
All data encrypted in transit with TLS 1.3 — no exceptions
GDPR Compliant
UK GDPR and Data Protection Act 2018 — ICO registered
Security
Built to protect your data at every layer
From the infrastructure up, Trippi is designed with security as a first-class requirement — not bolted on afterwards.
Encryption at rest
All stored data is encrypted using AES-256 encryption. Database backups are encrypted with the same standard.
Encryption in transit
TLS 1.3 encrypts every connection between your browser and our servers. HSTS headers prevent downgrade attacks.
OAuth 2.0 only
We never see or store your Google or Microsoft passwords. Access is granted via scoped OAuth tokens that you can revoke at any time.
Minimal data access
We request only the calendar scopes needed to read event locations and times. We never access email, contacts, or files.
Infrastructure security
Hosted on SOC 2 Type II certified infrastructure with automated vulnerability scanning, WAF protection, and DDoS mitigation.
Regular security reviews
We conduct regular penetration testing and code reviews. Dependency vulnerabilities are patched within 48 hours of disclosure.
Compliance
Standards we meet and maintain
Trippi is designed for users who claim real money from HMRC. We take the regulatory and compliance landscape seriously.
UK GDPR & Data Protection Act 2018
Registered with the ICO. Lawful basis documented for all processing activities. Data protection impact assessments completed for high-risk processing.
Google API Services User Data Policy
Trippi's use of Google Calendar data complies with Google's Limited Use requirements. We access only what's needed and never share it with third parties for advertising.
Microsoft App Compliance Programme
Publisher-verified for Microsoft 365 integration. Trippi has completed Microsoft's publisher attestation for Outlook Calendar access.
HMRC-compliant calculations
Mileage rates align with HMRC approved rates (45p first 10,000 miles, 25p thereafter). Advisory fuel rates for company cars are applied where required. Reports are formatted for Self Assessment submission.
Data retention policy
Trip data is retained for the current tax year plus six years to align with HMRC record-keeping requirements. You can delete your data at any time.
Data practices
What we access, and what we don't
Transparency is the backbone of trust. Here's exactly what Trippi does — and doesn't do — with your data.
What we access
- Calendar event titles, locations, and times (to calculate mileage)
- Your base postcode (to determine journey start point)
- Your name and email (for account and billing)
- Payment information via Stripe (we never see full card numbers)
What we never do
- Sell, share, or trade your personal data with third parties
- Access your emails, contacts, files, or drive
- Use your data for advertising or profiling
- Store your Google or Microsoft passwords
- Track your real-time location or GPS
Subprocessors
Third parties that process data on our behalf
We carefully vet every subprocessor and hold them to the same data protection standards we follow ourselves. All subprocessors have appropriate data processing agreements in place.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Google Cloud Platform | Calendar API & infrastructure | Calendar events, locations, times | US |
| Microsoft Azure | Outlook Calendar integration | Calendar events, locations, times | UK |
| Netlify | Application hosting & CDN | Request metadata, IP addresses | US |
| Stripe | Payment processing (via Stripe Payments Europe, Ltd) | Payment details, billing address | IE |
| Supabase | Database & authentication (London, eu-west-2) | User accounts, trip data, settings | UK |
| Resend | Transactional email | Email address, name | US |
| Google Maps Platform | Distance calculation & geocoding | Postcodes, addresses | US |
For US-based subprocessors, data transfers are protected under UK International Data Transfer Agreements (IDTAs), the UK Extension to the EU-U.S. Data Privacy Framework, and/or EU Standard Contractual Clauses (SCCs) as applicable. Stripe's contracting entity for UK users is Stripe Payments Europe, Limited (Ireland); some processing may occur in the US under the UK-US Data Privacy Framework. We will notify users by email at least 30 days before adding a new subprocessor.
Common questions
Yes. You can delete your account and all associated data from Settings at any time. Deletion is permanent and completed within 30 days. We retain no backups of deleted data beyond this window.
In the event of a personal data breach, we will notify the ICO within 72 hours and affected users without undue delay, as required under UK GDPR Article 33 and 34. We maintain an incident response plan that is reviewed quarterly.
You can request a full export of your personal data from Settings, or email us at privacy@trippi.co.uk. We respond to all DSARs within 30 days as required by UK GDPR.
Absolutely. You can disconnect your Google or Microsoft calendar from Trippi at any time via Settings. You can also revoke access directly from your Google Account or Microsoft Account security settings. Trippi will stop receiving calendar data immediately.
No. Your data is never used to train machine learning or AI models. It is used solely to provide you with the Trippi mileage tracking service.
Have a question about our security practices?
We're happy to answer. Reach out to our team or review our full privacy policy.